[wp-hackers] SOS (Formerly 'Referrer Spam')

Roy Schestowitz r at schestowitz.com
Wed Oct 12 16:25:19 GMT 2005

_____/ On Wed 12 Oct 2005 13:25:20 BST, [Amit Gupta] wrote : \_____

> Roy Schestowitz <r at schestowitz.com> wrote:
> |  Getting back on topic, the scale of the attacks is beginning to
> become scary,
> |  not just worrying. As I said at the start, it continues to grow by
> the day
> |  (nearing 2 weeks now) and it's reaching the point where I get tens of
> |  thousands
> |  of page requests from a variety of UIP's. This still gets worse by
> the
> |  hour and
> |  I am running out of bandwidth (although I re-directed to reduce it),
> not to
> |  mention the speed penalty that the shared server is susceptible to.
> |
> |  These attacks can wind up costing hundreds of pounds, not to mention
> |  the time I
> |  spend/t trying to stop them. I have no root access to the Web server.
> Any
> |  suggestions? I would rather not tell the hosts and ignite some sort
> of
> |  reputation of a trouble-maker
> I think it would be wise to block the offending IPs for some time(using
> .htaccess). If they similar, then block their entire C class block. I
> had an
> attack of this kind sometime back & blocked 2-3 C class blocks that were
> the repeat offenders for sometime. this might loose out on some
> legitimate traffic but its worth it in my opinion.

The spammy traffic is getting violently high at the moment, so I am forced to
act upon it quickly. AWStats has been running for a long time (still does)
processing the logs of the past 3 hours. I have just downloaded today's log
(over 15 MB since midnight, but traffic peaking drastically this 
afternoon) and
my worst fear is a reality. The IP addresses of the offenders are so
well-distributed that you could barely ever isolate ham from spam using IP
blocks as a criterion. Blocks A-D vary a lot.

> also, if your host is not an idiot, they wouldn't label you as a trouble
> maker
> if you go to them with this problem. it would be wise as well to let
> them
> know of the problem, as they are better equipped to handle the situation
> than you are, as they too don't want someone sniping away at their
> server, possibly a DoS attack!! :)

I'll tell them immediately, thanks for the suggestion. I wish I had done that
when it all got started, but I was on vacation. I wonder what trick a host
could possibly pull off the sleeve. If they cannot filter successfully, the
site might have to go down. Spammers should be shot.


Roy S. Schestowitz      | Useless fact: Sharks are immune to cancer
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
  5:15pm  up 48 days  5:29,  4 users,  load average: 0.16, 0.61, 0.59
      http://iuron.com - next generation of search paradigms

More information about the wp-hackers mailing list