« I swear it's ABSA fever out there! | Main | Here I am eating a salad, which, by the way, you could cover in bar-b-q sauce and it would still taste like the ground. »


So I ran across a new trick the other day. A slimy, disgusting trick, but it was new to me.

I co-own a server with a bunch of friends that it hosted out in Kansas somewhere. We all host our personal domains out there, a few web pages, and non-work related e-mail. Each of us take responsibility for different sub-systems on the server. I, for example, am responsible for the web server. To that end, I run a bunch of virtual servers in Apache, one for each web site. For each web site, I setup a “stats page” showing a bunch of interesting (and totally useless) stats for the site: how many hits, IP addresses of those who visit the site, by-hour breakdowns, etc. I used the freeware Webalizer for this stuff.

The other day, Kyle W., one of the other owners, sent me an e-mail asking why the hit count for his stats page alone was over 7000 for the first 2 weeks of July. Well that makes no sense whatsoever:

  1. Kyle runs a small web site and should probably have less than 7000 hits total for his entire site for the entire month
  2. Who on earth would look at the web stats page over 7000 times in 2 weeks?

So I went and had a look at the logs. It took me a few minutes to figure it out, but once I saw it, the pattern was obvious. Little known-fact: when you surf to a web page, your browser usually sends the page that you came from to the web server. That is, if you’re on page A, and you click on a link that takes you to page B, your web browser will automatically send A’s URL to B’s server. This is called the “HTTP referer” and it allows web site administrators to track your progress through their site, figure out what search engines have found their site, etc. This is not new — it has been in the web since the very beginning.

What I saw in the logs was that lots of random different IP addresses were hitting Kyle’s stats page every few seconds (each IP would hit Kyle’s page every 4-10 seconds) with a very specific refering URL — a porn site.

That’s right, a porn site.

So what was really happening was that lots of “zombied” machines (i.e., machines that have been taken over by a virus or a worm and used for nefarious things like this) were hitting Kyle’s page every few seconds with a referring site of a porn site. So they were convoluting the real intent behind the referring URL — they weren’t really listing the URL that they were coming from, they were simply always listing the porn site URL. Put another way, they were lying about the URL that they were coming from.

The reason why is a bit convoluted: by hitting the stats page, they were getting the referring page listed (and linked) on the stats page. That is, the stats page lists all referring URLs and how many times they were seen. This usually gives a web site administrator a good idea of where (and how often) people enter the site (e.g., from a particular search term in Google, etc.). So since our web stats page lists all referring URLs, by lying and insertting the referring URL of a porn site, they were getting us to [automatically] link to their porn site.

Additionally, Webalizer counts how many times a referring URL is seen and ranks them. So by hitting Kyle’s page with the porn referring URL 7000+ times, it was easily at the top of the referring URL stats — i.e., it was the most frequently seen referring URL.

Ok, well that’s all fine and good, but still — why go to all this trouble?

The answer lies in how search engines work. Search engines — like Google — rate the importance of a web site by how many other web sites link to it. So what was really happening here is that some porn site has figured out really creative ways to get other sites to link to it — they search out and find web stats pages. They then hit that site thousands of times and get their referring URL to show up (and make it highly ranked on that stats page). The thought is that Google (and others) will notice all these links and increase the importance of the porn site because it’s linked to by so many other sites.

Very, very slimy. I have decided to call this slime-vertising. It’s totally dishonest.

And I’m sure this tactic is a) not limited to this one porn site, and b) an entirely automated process. It was quite surprising how many machines were zombined into doing this (some of the “dozens” of machines that I mentioned above were actually in .mil!). Our stats pages have since moved into a password-protected area on the web site, so we won’t see this problem anymore, but to those of you who have publicly-viewable stats pages, beware! This could be happening to you.

Here’s another form of slime-vertising — one that has been around for quite a while: it’s not uncommon that I have to remove anonymous user postings to JeffJournal that simply contain a link to a porn site (undoubtedly put there by some automous bot who found my blog and noticed that they can put anonymous posts with web links in it).


TrackBack URL for this entry:

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)


This page contains a single entry from the blog posted on July 18, 2004 8:27 AM.

The previous post in this blog was I swear it's ABSA fever out there!.

The next post in this blog is Here I am eating a salad, which, by the way, you could cover in bar-b-q sauce and it would still taste like the ground..

Many more can be found on the main index page or by looking through the archives.

Powered by
Movable Type 3.34