referrer spam detection

>
> Hannes Wallnoefer wrote:
> > Hi list,
>
> Hi,
>
> > here is a very rough referrer spam detection and blocking script I
> > wrote for antville.org. I think it may be useful for other big
> > antville installations. It's very rough in  its current state, and not
> > at all integrated into the antville app infrastructure. It needs to be
> > polished and probably should be be integrated into the antville
> > SysMgr.
> <snip />
>
> thanxs for that. I thought of writing such a "thing" (global spam
> detection) myself, but hadn't the time.
>
> I will testdrive your script and let you know how it works.
>
> Thanxs again
>
> cu Philipp
> --
> XML is the ASCII for the new millenium
> (Cocoon Documentation)
> _______________________________________________
> Antville-dev mailing list
> Antville-dev@...
> http://helma.org/mailman/listinfo/antville-dev
>

> Actually, I think the approach I choose is not the ideal one. For
> instance, one person clicking through a (large) blogroll on his/her
> weblog looks very much like referrer spam to this script. From what I
> know now, I would suggest the following approach:
>
> * Track referrer hosts like my script currently does
> * Whenever one host is *definitely* referrer spam, automatically add
> it to a permanent blacklist and send the site admin a mail about it
> * Offer the site admin a list of referrer hosts sorted by requests/ip
> address ratio and let him/her manually add sites to the permanent
> blacklist.
> * A request with a referrer host that is blacklisted is redirected to
> the refspam page so if it's a valid request, users can still click
> through.

> Hi list,
>
> here is a very rough referrer spam detection and blocking script I
> wrote for antville.org. I think it may be useful for other big
> antville installations. It's very rough in  its current state, and not
> at all integrated into the antville app infrastructure. It needs to be
> polished and probably should be be integrated into the antville
> SysMgr.
>
> Attached you find file refspam, which provides a global object
> containing two functions: Refspam.track(), which should be called as
> first thing in HopObject.onRequest(), and Refspam.dump(), which should
> be called from Root.refspam_action() and provides output for current
> referrer blocking state and blocked requests.
>
> The way referrer detection and blocking works is very simple, it's
> described here <http://www.henso.com/log/2006.05.28/1154/>. We keep a
> least-recently-used Hashtable of size 128 in app.data.refspam which is
> keyed with the host names of referrer headers we get. As soon as we
> see more than 20 requests with a given referrer host, we check if the
> number of IP addresses the requests came from is below a given ratio,
> and if the number of referrer path names is above a certain ratio
> (this is to prevent valid intranet links to be qualified as spam), and
> if so, requests are redirected to the /refspam action which displays a
> message and provides a link to continue to the original target.
> Referrer bots won't follow the redirect, so it's a good safety net.
>
> The script also contains a hardcoded whiltelist for hostnames which
> currently contains ".antville.org" and ".google.". The parameters and
> the whitelist should probably be configurable through antville's
> management interface, and there probably should also be configurable
> blacklist.
>
> I hope this will be useful for somebody, and that somebody is going to
> integrate this into the antville code base.
>
> hannes
>
>
>