Page 1 of 1
[SOLVED] Referrer Spam buttons-for-website.com
Posted: Tue Mar 03, 2015 5:00 am
by stephan-zrh
Hello,
Google Analytics is increasingly reporting hits from buttons-for-websites.com. It seems to be similar to semalt.com (referrer spam), which gets blocked by ASL rule 393766.
Can you add buttons-for-website.com so it gets blocked or can I do it myself?
Kind regards
-Stephan
EDIT: corrected referrer. It's called buttons-for-website.com (not buttons-for-websites.com)
Re: Referrer Spam buttons-for-website.com
Posted: Wed Mar 04, 2015 7:05 pm
by mikeshinn
Sure, can you send us the appropriate access logs and we'll get a rule out.
Re: Referrer Spam buttons-for-website.com
Posted: Thu Mar 05, 2015 2:39 am
by stephan-zrh
Thanks, here are some requests I found in access_log:
Code: Select all
177.101.127.50 - - [28/Feb/2015:12:02:40 +0100] "GET / HTTP/1.0" 301 448 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
177.101.127.50 - - [28/Feb/2015:12:02:41 +0100] "GET / HTTP/1.0" 200 20486 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
177.84.109.86 - - [02/Mar/2015:14:17:54 +0100] "GET / HTTP/1.0" 301 448 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
177.84.109.86 - - [02/Mar/2015:14:17:56 +0100] "GET / HTTP/1.0" 200 20495 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
108.198.19.92 - - [04/Mar/2015:00:56:00 +0100] "GET / HTTP/1.0" 301 448 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
108.198.19.92 - - [04/Mar/2015:00:56:01 +0100] "GET / HTTP/1.0" 200 20478 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
77.162.179.155 - - [04/Mar/2015:22:20:59 +0100] "GET / HTTP/1.0" 301 448 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
77.162.179.155 - - [04/Mar/2015:22:20:59 +0100] "GET / HTTP/1.0" 200 20491 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
Is this what you need or any more records?
Kind regards -Stephan
Re: Referrer Spam buttons-for-website.com
Posted: Fri Mar 06, 2015 2:17 pm
by mikeshinn
For this kind of event, thats what we needed. Rule update for this went our last night.
If you run into any other cases, please let us know.
https://www.atomicorp.com/wiki/index.ph ... _Positives
Re: Referrer Spam buttons-for-website.com
Posted: Tue Mar 10, 2015 3:08 am
by stephan-zrh
Thanks a lot!
Re: Referrer Spam buttons-for-website.com
Posted: Tue Mar 10, 2015 3:11 am
by stephan-zrh
I just noticed that in the Rule it says buttons-for-websites.com. But the referrer is actually buttons-for-website.com (not websiteS).
I had it wrong in my original message.
Kind regards -Stephan
Re: Referrer Spam buttons-for-website.com
Posted: Tue Mar 10, 2015 6:52 pm
by mikeshinn
Latest rules should cover both cases.
Re: Referrer Spam buttons-for-website.com
Posted: Wed Mar 18, 2015 7:47 am
by stephan-zrh
Thanks for your help!
I just noticed these entries in access_log:
210.4.115.212 - - [18/Mar/2015:07:39:15 +0100] "GET / HTTP/1.0" 200 12576 "
http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
179.192.231.65 - - [18/Mar/2015:13:40:58 +0100] "GET / HTTP/1.0" 200 1538 "
http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
Shouldn't these be receiving Status 403? The files in modsecurity.d/ are from this morning (18.3. 7:13), so should be up-to-date.
Kind regards
-Stephan
Re: Referrer Spam buttons-for-website.com
Posted: Thu Mar 26, 2015 3:01 am
by stephan-zrh
Now it's working:
119.94.118.161 - - [26/Mar/2015:07:22:20 +0100] "GET / HTTP/1.0" 403 188 "
http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
37.77.122.42 - - [26/Mar/2015:08:43:30 +0100] "GET / HTTP/1.0" 403 188 "
http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
Very cool. Thank you!
Kind regards -Stephan
Re: [SOLVED] Referrer Spam buttons-for-website.com
Posted: Fri Mar 27, 2015 10:08 am
by mikeshinn
You are very welcome!
Re: [SOLVED] Referrer Spam buttons-for-website.com
Posted: Fri May 08, 2015 4:33 pm
by faris
Which ruleset are the rules for this sort of thing in?
Re: [SOLVED] Referrer Spam buttons-for-website.com
Posted: Mon Jul 06, 2015 5:42 pm
by ceasar
Please add 'success-seo.com'
Also part of semalt
Re: [SOLVED] Referrer Spam buttons-for-website.com
Posted: Fri Jul 24, 2015 7:22 am
by ceasar
And here another one
videos-for-your-business.com
Also semalt.com