[SOLVED] Referrer Spam buttons-for-website.com

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
stephan-zrh
Forum User
Forum User
Posts: 71
Joined: Mon May 07, 2012 9:37 am
Location: Zurich

[SOLVED] Referrer Spam buttons-for-website.com

Unread post by stephan-zrh »

Hello,

Google Analytics is increasingly reporting hits from buttons-for-websites.com. It seems to be similar to semalt.com (referrer spam), which gets blocked by ASL rule 393766.

Can you add buttons-for-website.com so it gets blocked or can I do it myself?

Kind regards

-Stephan

EDIT: corrected referrer. It's called buttons-for-website.com (not buttons-for-websites.com)
Last edited by stephan-zrh on Thu Mar 26, 2015 3:02 am, edited 1 time in total.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Referrer Spam buttons-for-website.com

Unread post by mikeshinn »

Sure, can you send us the appropriate access logs and we'll get a rule out.
stephan-zrh
Forum User
Forum User
Posts: 71
Joined: Mon May 07, 2012 9:37 am
Location: Zurich

Re: Referrer Spam buttons-for-website.com

Unread post by stephan-zrh »

Thanks, here are some requests I found in access_log:

Code: Select all

177.101.127.50 - - [28/Feb/2015:12:02:40 +0100] "GET / HTTP/1.0" 301 448 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
177.101.127.50 - - [28/Feb/2015:12:02:41 +0100] "GET / HTTP/1.0" 200 20486 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
177.84.109.86 - - [02/Mar/2015:14:17:54 +0100] "GET / HTTP/1.0" 301 448 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
177.84.109.86 - - [02/Mar/2015:14:17:56 +0100] "GET / HTTP/1.0" 200 20495 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
108.198.19.92 - - [04/Mar/2015:00:56:00 +0100] "GET / HTTP/1.0" 301 448 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
108.198.19.92 - - [04/Mar/2015:00:56:01 +0100] "GET / HTTP/1.0" 200 20478 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
77.162.179.155 - - [04/Mar/2015:22:20:59 +0100] "GET / HTTP/1.0" 301 448 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
77.162.179.155 - - [04/Mar/2015:22:20:59 +0100] "GET / HTTP/1.0" 200 20491 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
Is this what you need or any more records?

Kind regards -Stephan
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Referrer Spam buttons-for-website.com

Unread post by mikeshinn »

For this kind of event, thats what we needed. Rule update for this went our last night.

If you run into any other cases, please let us know.

https://www.atomicorp.com/wiki/index.ph ... _Positives
stephan-zrh
Forum User
Forum User
Posts: 71
Joined: Mon May 07, 2012 9:37 am
Location: Zurich

Re: Referrer Spam buttons-for-website.com

Unread post by stephan-zrh »

Thanks a lot!
stephan-zrh
Forum User
Forum User
Posts: 71
Joined: Mon May 07, 2012 9:37 am
Location: Zurich

Re: Referrer Spam buttons-for-website.com

Unread post by stephan-zrh »

I just noticed that in the Rule it says buttons-for-websites.com. But the referrer is actually buttons-for-website.com (not websiteS).

I had it wrong in my original message.

Kind regards -Stephan
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Referrer Spam buttons-for-website.com

Unread post by mikeshinn »

Latest rules should cover both cases. :-)
stephan-zrh
Forum User
Forum User
Posts: 71
Joined: Mon May 07, 2012 9:37 am
Location: Zurich

Re: Referrer Spam buttons-for-website.com

Unread post by stephan-zrh »

Thanks for your help!

I just noticed these entries in access_log:
210.4.115.212 - - [18/Mar/2015:07:39:15 +0100] "GET / HTTP/1.0" 200 12576 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
179.192.231.65 - - [18/Mar/2015:13:40:58 +0100] "GET / HTTP/1.0" 200 1538 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

Shouldn't these be receiving Status 403? The files in modsecurity.d/ are from this morning (18.3. 7:13), so should be up-to-date.

Kind regards

-Stephan
stephan-zrh
Forum User
Forum User
Posts: 71
Joined: Mon May 07, 2012 9:37 am
Location: Zurich

Re: Referrer Spam buttons-for-website.com

Unread post by stephan-zrh »

Now it's working:

119.94.118.161 - - [26/Mar/2015:07:22:20 +0100] "GET / HTTP/1.0" 403 188 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
37.77.122.42 - - [26/Mar/2015:08:43:30 +0100] "GET / HTTP/1.0" 403 188 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

Very cool. Thank you!

Kind regards -Stephan
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: [SOLVED] Referrer Spam buttons-for-website.com

Unread post by mikeshinn »

You are very welcome!
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: [SOLVED] Referrer Spam buttons-for-website.com

Unread post by faris »

Which ruleset are the rules for this sort of thing in?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
ceasar
New Forum User
New Forum User
Posts: 2
Joined: Wed Jun 03, 2015 1:18 pm
Location: netherlands

Re: [SOLVED] Referrer Spam buttons-for-website.com

Unread post by ceasar »

Please add 'success-seo.com'

Also part of semalt
ceasar
New Forum User
New Forum User
Posts: 2
Joined: Wed Jun 03, 2015 1:18 pm
Location: netherlands

Re: [SOLVED] Referrer Spam buttons-for-website.com

Unread post by ceasar »

And here another one

videos-for-your-business.com

Also semalt.com
Post Reply