In the meantime, as you may see by my automatic banlist, a massive Referrer Spam attack is ongoing (and apparently not just against my site), with dozens of distinct IP addresses trying to stuff my server logs with links to blue-pill Tonga subdomains: buy.to, get.to, dive.to, hey.to, drop.to, etc.
And I was only keeping track of the last 200 (I just added another zero to that figure).
Since most people don't have the faintest idea of the scale of the problem (most people aren't even aware that it exists), here follows a text snapshot of the automatic banlist, listing only IP addresses and reverse DNS records.
My heartfelt apologies to folk using RSS aggregators or mobile devices, but this is the best way to show how widespread the problem is...
It's not just about sleazy software anymore - the likelihood of this being done by people voluntarily running crapware is zero.
So if you need evidence that Windows trojans are being used to perform Referrer Spam attacks, look no further. And yes, all of the User-Agent strings are Windows-based (assuming the trojan in question is using the Windows HTTP libraries to issue requests, the data should be valid).
What really annoys me, though, is that it's getting worse - the sheer volume of traffic has already overtaken "normal" HTTP traffic to the site, and the JavaScript technique I implemented a while back seems to be under attack, too.
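An automatic banlist of the kind described above can be built straight from the access log. The following is an added example, not the code running on this site: it assumes Apache-style Combined Log Format, uses the five domains named in the post, and caps the list at 2000 entries; the sample log lines and the names `is_spam_referer`, `Banlist` and `scan` are constructed for illustration.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Domains named in the post; the spam links are subdomains of these.
SPAM_DOMAINS = {"buy.to", "get.to", "dive.to", "hey.to", "drop.to"}
MAX_BANNED = 2000  # the post's 200 with "another zero" added

# Assumed Combined Log Format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "http://pills.buy.to/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [01/Jan/2006:10:00:01 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2006:10:00:02 +0000] "GET /b HTTP/1.1" 200 512 "HTTP://Cheap.GET.to/x" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.9 - - [01/Jan/2006:10:00:03 +0000] "GET /c HTTP/1.1" 200 512 "http://example.org/?q=buy.to" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Jan/2006:10:00:04 +0000] "GET /d HTTP/1.1" 200 512 "http://notbuy.to/" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2006:10:00:05 +0000] "GET /e HTTP/1.1" 200 512 "http://x.drop.to/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

def is_spam_referer(referer):
    """True when the Referer's host is a listed domain or a subdomain of one."""
    try:
        host = (urlsplit(referer.strip()).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    return any(host == d or host.endswith("." + d) for d in SPAM_DOMAINS)

class Banlist:
    """Most recently seen offenders; the oldest entry is evicted past the cap."""
    def __init__(self, limit=MAX_BANNED):
        self.limit, self.hits = limit, OrderedDict()

    def add(self, ip):
        self.hits[ip] = self.hits.get(ip, 0) + 1
        self.hits.move_to_end(ip)  # a repeat offender becomes the newest entry
        while len(self.hits) > self.limit:
            self.hits.popitem(last=False)

def scan(lines, banlist):
    """Add the client IP of every request carrying a spam Referer to banlist."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_spam_referer(m.group(2)):
            banlist.add(m.group(1))
    return banlist

if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG, Banlist()).hits))
```

Matching on the parsed host rather than on the raw Referer string keeps look-alike hosts and query strings that merely mention a listed domain off the banlist.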