The new wave of HTTP referrer spam

Posted on January 15th, 2008 in General,Linux System Administration by Brandon

I’ve noticed an increase in HTTP Referrer spam on my own web site and in some websites that I manage. See Wikipedia’s articles on the HTTP Referrer and Referrer spam for a definition of what exactly referrer spam is.

Wikipedia, and some other pages on the Internet that I found describing referrer spam say that the spammer’s intent is to end up on published web stats pages in order to create links to their site. I don’t think that is (or no longer is) the case.

I would argue that the real intent of these spammers is to get the website owner who is looking at the stats, to click on their links. Most users who have a blog or small website check their statistics often, and are really interested when they find a new site that appears to be linking to theirs. It is very likely that they will intentionally look at any new incoming links.

As evidence along this route, I just noticed that I got 4 hits on one of my sites with the following referrer:

http://www.amazon.com/s/ref=sr_pg_4&tag=somespamer_20

I’m familiar with Amazon’s link structure and immediately noticed that it was an affiliate URL. If you hit that URL, then Amazon will attribute your click as coming from the spammer. Amazon will set a cookie that contains the spammers affiliate ID, and any purchase that you make at Amazon in the next 30 days will be credited to the spammer. They will then get a 4% commission on your purchases.

Obviously, not everybody buys something from Amazon once a month, but I’d bet that enough people do to make it worth the risk. Fortunately, it looks like Amazon has already caught on to this one, and that particular link just goes to an error page now.

That is a pretty deceitful and probably successful tactic for the spammer. Creating referrer spam is incredibly easy. I don’t think there is any great way to detect it either. I’ve seen some WordPress plugins and such that attempt to deal with it, but I don’t think there is much going on in this area yet.

My first thought would be to request the referred page and look for links to your site. That has some potential problems working reliably on a large scale though. Also, it might enable a sortof distributed denial of service by proxy attack.

Another possible way to fight referrer spam would involve a blacklist. It could contain both IP Addresses of known spammers, and the links that they are spamming. I found one called referrercop that looks like it is owned by Google now, so that may show some promise – although it doesn’t look like it has been updated recently.

3 Responses to 'The new wave of HTTP referrer spam'

Subscribe to comments with RSS or TrackBack to 'The new wave of HTTP referrer spam'.


  1. on January 16th, 2008 at 3:19 pm

    Good find. The good news is that they are stealing from Amazon, who happens to be the company that sends their cheque.. As soon as Amazon sees something suspicious, I assume they have the means to make sure the spammer doesn’t get paid. If a big company like Amazon has an incentive to go after these guys, I bet they won’t last long.

    I would think a more effective way for them to do this would be to embed a hidden iframe in their own website with the link to Amazon… Then again, Amazon would have an easy time tracking that down.

  2. Brandon said,

    on January 16th, 2008 at 3:37 pm

    Yeah, so far, spamming your affiliate link like this only really makes sense for big sites (amazon, ebay, and such) where they can spam everybody in hopes that some percentage of those users will buy something from that site. The big sites would have resources to track this down and cancel the payments before they actually send the spammer any money.

    Your idea to use the hidden links is pretty good. Actually, there are several reasons why a spammer might want to do that:
    1- Somebody would be less likely to report them to amazon. I immediately noticed the affiliate link, but if I was just on some spammer’s page, I wouldn’t take the time to view-source on it.
    2- Affiliate links are often obvious, like in this case of amazon, or with a Commission Junction link. By using their own page, they don’t have to display those.
    3- With one visit to the spammer’s website, they can load multiple hidden affiliate links.

    With that in mind, I’d bet that the next thing we’ll see is targeted referrer spamming. If you have a blog about widgets, they spam you with a link to their site. Their URL will contain something about ‘widgets’ in the URL. They will sign up with any affiliate companies that sell widgets, and put hidden affiliate links on their page for when you visit.


  3. on January 16th, 2008 at 8:13 pm

    Yeah, that could become an issue. I could see it happening not just with spammers though, but with shady webmasters as well.. If you get, say, 2000 hits/day of traffic, you could put an affiliate iframe (or multiple) in each page. You wouldn’t even have to spam, if you have the traffic. I’ve never seen this done, probably just because it would be so easy to track down.

Post a comment

Please copy the string SdAd80 to the field below: