Referrer Spam Prediction: Heavy Downpour

In the meantime, as you may see from my automatic banlist, a massive Referrer Spam attack is ongoing (and apparently not just against my site), with dozens of distinct IP addresses trying to stuff my server logs with links to blue-pill Tonga (.to) subdomains: buy.to, get.to, dive.to, hey.to, drop.to, etc.

And I was only keeping track of the last 200 (I just added another zero to that figure).

Since most people don't have the faintest idea of the scale of the problem (most people aren't even aware that it exists), here follows a text snapshot of the automatic banlist, listing only IP addresses and reverse DNS records.

My heartfelt apologies to folk using RSS aggregators or mobile devices, but this is the best way to show how widespread the problem is...


It's not just about sleazy software anymore - the likelihood of this being done by people voluntarily running crapware is zero.

So if you need evidence that Windows trojans are being used to perform Referrer Spam attacks, look no further. And yes, all of the User-Agent strings are Windows-based (assuming the trojan in question is using the Windows HTTP libraries to issue requests, the data should be valid).
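As an added illustration (not the post's own banlist code), here is the kind of check that produces the observations above: it walks combined-format access log lines, flags hits whose Referer host sits on a .to subdomain, keeps a rolling banlist of the last N offending IPs, and tallies whether their User-Agent strings claim to be Windows. The log format and the sample lines are assumptions constructed for the example; reverse DNS is left out so it runs offline.

```python
import re
from collections import Counter, OrderedDict

# Assumed Apache/nginx "combined" log format; the post does not say which server it runs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 test addresses), not taken from the author's logs.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2005:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://buy.to/x" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.11 - - [10/Nov/2005:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "http://get.to/y" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.7 - - [10/Nov/2005:12:00:03 +0000] "GET /post HTTP/1.1" 200 2048 "http://www.example.com/blog" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X)"
203.0.113.10 - - [10/Nov/2005:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "http://dive.to/z" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.5 - - [10/Nov/2005:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux i686)"
""".splitlines()

def referer_host(url):
    """Lowercase hostname of a Referer URL, or '' when the field is absent ('-') or malformed."""
    m = re.match(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else ''

def is_spam_referer(host, tlds=('.to',)):
    """True when the Referer host lives under one of the throwaway TLDs the post names."""
    return any(host.endswith(t) for t in tlds)

def scan_log(lines, keep_last=200):
    """Return (banlist of the last keep_last offending IPs, oldest first; UA family counts; referer host counts)."""
    banlist = OrderedDict()          # insertion order lets us evict the oldest entry
    ua_families, hosts = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # malformed line: skip rather than abort the whole scan
        host = referer_host(m['referer'])
        if not is_spam_referer(host):
            continue
        hosts[host] += 1
        ua_families['Windows' if 'Windows' in m['ua'] else 'Other'] += 1
        banlist.pop(m['ip'], None)   # repeat offender moves to the newest slot
        banlist[m['ip']] = host
        if len(banlist) > keep_last:
            banlist.popitem(last=False)
    return list(banlist), ua_families, hosts

if __name__ == '__main__':
    ips, fams, hosts = scan_log(SAMPLE_LOG)
    print(ips, dict(fams), dict(hosts))
```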

What really annoys me, though, is that it's getting worse - the sheer volume of traffic has already overtaken "normal" HTTP traffic to the site, and the JavaScript technique I implemented a while back seems to be under attack, too.