__/ [John Bokma] on Thursday 13 October 2005 01:34 \__
> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:
>> For the past week or two there has been a gradual increase in the
>> amount of referrer spam, hitting heavy pages specifically. I have
>> re-directed all such requests to 403.shtml,
> based on what? If you can do that, why not send them (using mod_rewrite) a
> forbidden (-F)?

They used to fetch one opaque URL that hammered the database the most (about
1000 queries per pageview). I re-directed based on the URL requested, but
it was bound to become a cat-and-mouse game whereby the target URL changes
and becomes more diverse too. The URL finally changed a few hours ago,
which is bad news. I keep adding redirections at the moment. Without them,
I might look at gigabit per hour. The countries of shame which I can identify
are China, Russia, Singapore, South Korea and Mexico (sorry!) among others.
I asked my host for help last night (well, it still is nighttime).

>> but I currently get nearly
>> 10,000 page requests that are spam every day. I checked the logs for
>> IP addresses, but I can't filter by IP blocks. It's too diverse.
> Yup, like I said sometime ago, they use zombies for this work now.

Yes, your word on zombies was the first thing that sprung to my mind. They
get more and more of these each day.

>> you got any tricks up your sleeves? I know some tools that combat
>> this, but they need console access if not root access too.
> check the referer and -F if it's a known uri.

It's quite diverse as I said. It's only a matter of time until the spammers
find a workaround, in which case the work was all in vain. I can't figure
out why somebody would want to waste so much bandwidth attacking a site
like mine for weeks. There is no financial incentive for the spammers,
right? I dread the day of gigabit Ethernet in places like HK. Imagine
yourself the same sort of attack on hosts in east Europe, for example, as
opposed to London. Having a high-bandwidth backbone is the only reason I
can still cope.

Roy S. Schestowitz
http://Schestowitz.com | SuSE Linux | PGP-Key: 74572E8E
1:40am up 48 days 13:54, 3 users, load average: 0.16, 0.44, 0.61
http://iuron.com - next generation of search paradigms
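
The approach discussed in this thread (key on the Referer header because the client IPs are too diverse, then answer with mod_rewrite's forbidden flag), as an added example that is not part of the original posts: a Python script that finds referer hosts sent by many distinct IPs in an access log and prints the matching rewrite conditions. It assumes Apache "combined" log format; the sample lines, the host names, `mysite.example`, the `allow` list and the `min_ips` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

# Constructed sample lines (documentation IP ranges, made-up hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2005:01:10:02 +0100] "GET /heavy.php?id=1 HTTP/1.0" 200 5120 "http://pills.example.net/buy" "Mozilla/4.0"
198.51.100.23 - - [13/Oct/2005:01:10:05 +0100] "GET /heavy.php?id=9 HTTP/1.0" 200 5120 "http://pills.example.net/" "Mozilla/4.0"
192.0.2.77 - - [13/Oct/2005:01:10:09 +0100] "GET /other.php HTTP/1.0" 200 5120 "http://www.pills.example.net/x" "Mozilla/4.0"
192.0.2.10 - - [13/Oct/2005:01:11:00 +0100] "GET /index.html HTTP/1.1" 200 900 "http://search.example.org/?q=linux" "Mozilla/5.0"
192.0.2.10 - - [13/Oct/2005:01:11:04 +0100] "GET /about.html HTTP/1.1" 200 700 "http://mysite.example/index.html" "Mozilla/5.0"
""".splitlines()

def suspects(lines, own_host, allow=(), min_ips=3):
    """External referer hosts sent by at least min_ips distinct client IPs."""
    ips_by_host = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess
        ip, referer = m.groups()
        try:
            host = (urlsplit(referer).hostname or "").lower()
        except ValueError:
            continue  # unparsable Referer value
        if host.startswith("www."):
            host = host[4:]
        if host and host != own_host and host not in allow:
            ips_by_host[host].add(ip)
    return sorted(h for h, ips in ips_by_host.items() if len(ips) >= min_ips)

def rewrite_rules(hosts):
    """mod_rewrite lines that answer 403 (the F flag) for the given referer hosts."""
    if not hosts:
        return ""
    out = ["RewriteEngine On"]
    for i, h in enumerate(hosts):
        flags = "[NC]" if i == len(hosts) - 1 else "[NC,OR]"
        out.append(r"RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?" + re.escape(h) + "(/|$) " + flags)
    out.append("RewriteRule .* - [F]")
    return "\n".join(out)

if __name__ == "__main__":
    print(rewrite_rules(suspects(SAMPLE_LOG, own_host="mysite.example")))
```

The output is a list of candidates to review before deploying: a popular legitimate referrer also arrives from many IPs, which is what the `allow` parameter is for.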