Referrer Spam Prediction: Heavy Downpour

In the meantime, as you may see by my automatic banlist, a massive Referrer Spam attack is ongoing (and apparently not just against my site), with dozens of distinct IP addresses trying to stuff my server logs with links to blue-pill Tonga subdomains.

And I was only keeping track of the last 200 (I just added another zero to that figure).

Since most people don't have the faintest idea of the scale of the problem (most people aren't even aware that it exists), here follows a text snapshot of the automatic banlist, listing only IP addresses and reverse DNS records.

My heartfelt apologies to folk using RSS aggregators or mobile devices, but this is the best way to show how widespread the problem is...

It's anymore - the likelihood of this being done by people voluntarily running crapware is zero.

So if you need evidence that Windows trojans are being used to perform Referrer Spam attacks, look no further. And yes, all of the User-Agent strings are Windows-based (assuming the trojan in question is using the Windows libraries to issue requests, the data should be valid).

What really annoys me, though, is that it's getting worse - the sheer volume of traffic has already overtaken "normal" traffic to the site, and the JavaScript technique I a while back seems to be under attack, too.