Spam Levels Part Two

Last month I introduced you to my concept of SPAM levels and how they are constantly increasing. I suspect it’s safe to assume you have all received your fair share of SPAM through your email program or web-based email account. But what about the other kind of SPAM? The kind that system administrators have to deal with – what I call “Traffic SPAM.”

If you run your own website or collection of sites you likely examine your statistics or traffic reports. These reports help illustrate your site usage in many ways, including where your users originate. Something we have noticed at Metamend is an increase in bizarre requests for pages we don’t have on our site, and lists of referring sites that do not contain any links to our site.

So, we did a little hunting around to try and determine how these requests and referrers were coming in, and from where. What we found was that most of them were either not resolvable (there was no host name attached to the IP address) or of an adult-oriented nature (members2.nastyxxxhentai.com). What’s more peculiar is that we scanned the site(s) for links pointing to us that would cause them to be listed as referring sites in our stats. No luck: we could not find a link anywhere. So why, then, are those sites listed as referring sites?

The answer: server SPAM. It seems there are SPAM programs/spiders out there which generate floods of requests and direct them at a particular domain or server. These “SPAM-spiders” are capable of masking their true origin through IP spoofing, which makes it seem as though they are coming from some third party. This is very similar to the techniques involved in real email SPAM, which is why you can receive SPAM from yourself 😉

The difference here is that these server spammers aren’t interested in selling you anything; it seems they are simply taxing your server by sending waves of requests for some unknown reason, similar to Denial of Service attacks. The end result can be degraded server performance, increased server load and response times, and inaccurate traffic reports. Well, you ask, what can we do? There are several strategies you can try. The simplest for most sys-admins will be to implement IP restrictions that block all requests originating from a specific IP or IP range. The danger here is that you may block some legitimate users. Consequently this is a time-consuming strategy that requires constant tweaking to ensure you cover all the offending IPs. A large task for anyone.
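To make the log review described above concrete, here is an added example (not Metamend’s code or anything from the original column) that scans combined-format web server log lines for clients that mostly request pages the site never had and lists the external referrer hosts those clients claim. The log lines, the IP addresses, the referrer host and the own-site host name are all constructed for the example, and the thresholds are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# One "combined" log line: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines: a normal visitor (203.0.113.10) and a client that
# hammers pages the site never had while claiming an external referrer.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2003:10:00:01 -0800] "GET /index.html HTTP/1.1" 200 5120 "http://search.example/?q=seo" "Mozilla/4.0"
203.0.113.10 - - [05/Mar/2003:10:00:05 -0800] "GET /services.html HTTP/1.1" 200 3100 "http://www.example.org/index.html" "Mozilla/4.0"
198.51.100.7 - - [05/Mar/2003:10:01:00 -0800] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210 "http://members2.spam-referrer.example/" "-"
198.51.100.7 - - [05/Mar/2003:10:01:01 -0800] "GET /guestbook.php HTTP/1.0" 404 210 "http://members2.spam-referrer.example/" "-"
198.51.100.7 - - [05/Mar/2003:10:01:02 -0800] "GET /stats/ HTTP/1.0" 404 210 "http://members2.spam-referrer.example/" "-"
198.51.100.7 - - [05/Mar/2003:10:01:03 -0800] "GET /index.html HTTP/1.0" 200 5120 "http://members2.spam-referrer.example/" "-"
"""

def parse(lines):
    """Yield (ip, path, status, referer_host) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            host = urlparse(m["referer"]).hostname if m["referer"] != "-" else None
            yield m["ip"], m["path"], int(m["status"]), host

def find_traffic_spam(lines, own_hosts, min_requests=3, min_404_ratio=0.5):
    """Return (suspect_ips, suspect_referers): clients whose requests are mostly
    for non-existent pages, and the external referrer hosts they claim."""
    per_ip = defaultdict(lambda: {"total": 0, "missing": 0, "referers": set()})
    for ip, _path, status, host in parse(lines):
        s = per_ip[ip]
        s["total"] += 1
        s["missing"] += int(status == 404)
        if host and host not in own_hosts:  # internal referrers are not suspicious
            s["referers"].add(host)
    suspect_ips = sorted(ip for ip, s in per_ip.items()
                         if s["total"] >= min_requests
                         and s["missing"] / s["total"] >= min_404_ratio)
    suspect_referers = sorted(set().union(*(per_ip[ip]["referers"] for ip in suspect_ips)))
    return suspect_ips, suspect_referers

if __name__ == "__main__":
    ips, refs = find_traffic_spam(SAMPLE_LOG.splitlines(), own_hosts={"www.example.org"})
    print("candidate IPs to review for blocking:", ips)
    print("referrer hosts to exclude from reports:", refs)
```

The candidate IPs are a review list rather than an automatic block list, for exactly the reason given above: a blunt IP rule can catch legitimate users, whereas excluding the flagged referrer hosts from the traffic report carries no such risk.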

Unfortunately, there does not seem to be another effective solution at this time. Again, we are forced to “go to war” on SPAM daily. If you know of an effective solution, I’d love to hear about it.