Hi everyone,

have a little problem with my blog ( based on pixelpost 1.3), and speka a little english, so i hope i'll made myself clear enough:

I've just received an email from my host saying that in the last days several query about statistics are slowing down the mysql server performance. The query are like this:

SELECT count( * ) AS count
FROM pietrophotoblog_visitors
WHERE (
referer = 'http://vicodin.zeroweb.org'
)
AND (
datetime > '2005-06-01 00:00:00'
)

the refere is a spam site, and in the last days i have received some spam comments to my blog. Maybe these comments originate the querys? So if i delete the comments, i solve the problem? Or what else can i do to solve this problem?

Please help me or the host will suspend my blog.

Thank you in advance e greetings from italy!
Pietro
www.microcosmi.it/pietrophotoblog

pixelpost 1.4.2 should fix this problem! we are doing our best to get it released as soon as possible.

i'm sorry to hear you are suffering under spam. spammers seem to select just a few blogs - I'm not sure what the weakness is.

jeeezuz... just looked at your referer list: it's the worst i've ever seen. i understand your hosts concern!!

http://www.microcosmi.it/pietrophotoblog/index.php?x=ref



i'll pm you a script that might sort some of it out.[/code]

have a look here: http://www.pixelpost.org/forum/viewtopic.php?t=1252&start=15



you can use this script:

<?php
/*
Script Name: No Refer Spam
Version: 1.00
Hack URI: http://frenchfragfactory.net/ozh/archives/2005/02/05/no-refer-spam/
Description: Send refer spammers back to their own sites
Author: Ozh
Author URI: http://planetOzh.com
*/

$spams = array (
"terashells.com", "chat-nett.com", "exitq.com", "cxa.de", "sysrem03.com",
"pharmacy.info", "guide.info", "drugstore.info",
"coresat.com", "psxtreme.com", "freakycheats.com", "cool-extreme.com",
"pervertedtaboo.com", "crescentarian.net", "texas-holdem", "fuck-fest", "yelucie.com",
"poker-online", "findwebhostingnow.com", "smsportali.net", "6q.org", "flowersdeliveredquick.com",
"ronnieazza", "lemonrider", "future-2000", "trackerom.com", "andrewsaluk.com", "4u.net", "4u.com", "doobu.com",
"nutzu", "italiancharms", "likejazz", "kloony", "isacommie.com", "musicbox1.com", "tigerspice", "roody.com",
"bigsitecity", "zs1.biz", "yesno.spb.ru", "newru.net", "9k.com", "cialis", "levitra", "viagra", "tramadol",
"phentermine", "7h.com", "hydrocodone"
);


$ref = $_SERVER["HTTP_REFERER"];

if ($ref) {
foreach ($spams as $site) {
$pattern = "/$site/i";
if (preg_match ($pattern, $ref)) {
header("Location: $ref"); exit();
}
}
}
?>


save that as no-refer-spam.php


and then in index.php add require("no-refer-spam.php");

I was having the same problem :(

I fixed using the referer spam plugin and .htaccess

For .htaccess I tried the one sugested in this thread, but wasn't working. But I found this code, and it's working for me.

# Tom Raftery's .htaccess file - use with caution - for more info on writing .htaccess files
# see http://www.tomrafteryit.net/category/htaccess/
# Last updated 27th May 05

# There was a lot of comment spam with the User Agents Crazy Browser 1.x.x and Mozilla/3.0 (compatible; Indy Library)
# so I am using the following code to block it. Note that I removed the starting "^", so that it will ban
# any user-agent with "Indy Library" or "TrackBack" anywhere in its user-agent string, and that it will
# accept any character - including a space - after "Indy" or TrackBack.
RewriteCond %{HTTP_USER_AGENT} Indy.Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} TrackBack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crazy\ Browser [NC]
RewriteRule .* - [F]

# There was a lot of referrer spam coming from 12.163.72.13 (no uri)
# so I decided to block it with the following code
RewriteCond %{REMOTE_ADDR} ^12\.163\.72\.13$
RewriteRule .* - [F,L]

# A new tactic - using SetEnvIfNoCase instead of RewriteCond - seems to be quite effective (esp for referrers).
# Original version found at http://blog.koehntopp.de/archives/671-Mehr-ueber-den-Trackback-Spammer.html
# Many spams and trackbacks come from User Agent Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
# I added a line (SetEnvIfNoCase User-Agent 9x 4.90 spammer=yes) to deny this User Agent - be aware that if you
# include this line you risk banning some genuine browsers, although I could find no genuine browsers using that UA in my logs
SetEnvIfNoCase X-AAAAAAAAAAAA 1 spammer=yes
SetEnvIfNoCase Via pinappleproxy spammer=yes
SetEnvIfNoCase Referer yelucie.com spammer=yes
SetEnvIfNoCase Referer crescentarian.net spammer=yes
SetEnvIfNoCase Referer andrewsaluk.com spammer=yes
SetEnvIfNoCase Referer tigerspice spammer=yes
SetEnvIfNoCase Referer doobu.com spammer=yes
SetEnvIfNoCase Referer camfun24 spammer=yes
SetEnvIfNoCase Referer latinonakedgirl spammer=yes
SetEnvIfNoCase Referer ronnieazza.com spammer=yes
SetEnvIfNoCase Referer highprofitclub spammer=yes
SetEnvIfNoCase Referer dvdsqueeze.com spammer=yes
SetEnvIfNoCase Referer sexsearchcom.com spammer=yes
SetEnvIfNoCase Referer 6q.org spammer=yes
SetEnvIfNoCase Referer d4f.de spammer=yes
SetEnvIfNoCase Referer adultactioncam spammer=yes
SetEnvIfNoCase Referer seventwentyfour.com spammer=yes
SetEnvIfNoCase Referer genaholincorporated.com spammer=yes
SetEnvIfNoCase Referer firsthorizonmtg.com spammer=yes
SetEnvIfNoCase Referer personalsites.info spammer=yes
SetEnvIfNoCase Referer bukakke-bukake-bukkake-bukkakke.com spammer=yes
SetEnvIfNoCase Referer camgirlslive.com spammer=yes
SetEnvIfNoCase Referer dvd-copy.com spammer=yes
SetEnvIfNoCase Referer shaffelrecords.com spammer=yes
SetEnvIfNoCase Referer mcr8.com spammer=yes
SetEnvIfNoCase Referer dating.blogs.com spammer=yes
SetEnvIfNoCase Referer online-casino-pops spammer=yes
SetEnvIfNoCase Referer 8thstreetlatinas spammer=yes
SetEnvIfNoCase Referer boysfirsttime.com spammer=yes
SetEnvIfNoCase Referer buy-hgh-human-growth-hormone.net spammer=yes
SetEnvIfNoCase Referer 3d.net spammer=yes
SetEnvIfNoCase Referer zs1.biz spammer=yes
SetEnvIfNoCase Referer p2l.info spammer=yes
SetEnvIfNoCase Referer wowgeil.com spammer=yes
SetEnvIfNoCase Referer brad.com spammer=yes
SetEnvIfNoCase Referer dd.vu spammer=yes
SetEnvIfNoCase Referer 5gigs.com spammer=yes
SetEnvIfNoCase Referer 7h.com spammer=yes
SetEnvIfNoCase Referer bigsitecity.com spammer=yes
SetEnvIfNoCase Referer yesno.spb.ru spammer=yes
SetEnvIfNoCase Referer viagra spammer=yes
SetEnvIfNoCase Referer sexushost.com spammer=yes
SetEnvIfNoCase Referer azzafree.com spammer=yes
SetEnvIfNoCase Referer jeeran.com spammer=yes
SetEnvIfNoCase Referer cz-tewei.net spammer=yes
SetEnvIfNoCase Referer newru.net spammer=yes
SetEnvIfNoCase Referer drugstore.com spammer=yes
SetEnvIfNoCase Referer jewelrycity.org spammer=yes
SetEnvIfNoCase Referer pharmacy.net spammer=yes
SetEnvIfNoCase Referer drugs.com spammer=yes
SetEnvIfNoCase Referer drugs.net spammer=yes
SetEnvIfNoCase Referer dreamstation.com spammer=yes
SetEnvIfNoCase Referer envy.nu spammer=yes
SetEnvIfNoCase Referer galaxy99.net spammer=yes
SetEnvIfNoCase Referer wtcsites.com spammer=yes
SetEnvIfNoCase Referer 4-all.org spammer=yes
SetEnvIfNoCase Referer 6p.org.uk spammer=yes

deny from env=spammer

They're still appearing in my stats, but at least they don't count in the referers page.

Hope it helps

BTW The spammer list it's updated today.

]jeeezuz... just looked at your referer list: it's the worst i've ever seen. i understand your hosts concern!!


arrghh!!! I haven't updated the blog in the last three months and I had no idea of this... how could it happen?

Anyway, thank for the code. I've just added the script and hope it'll works.
But, another question, can i update the spam list with all the referer i got in my referer log page?
and, last one, how can i delete those entries or reset the statics?

thank you!

pietro

and, last one, how can i delete those entries or reset the statics?


and the very last one: in case it didn't work, how can i disable stats? my host just gave me til tomorrow to solve the problem!

:-)

pietro

Not sure if this can mess up other parts of the PP code but should work.

Try commenting the SQL calls to all "_visitors" table if the index.php.

This are the lines I found:

book_visitor($pixelpost_db_prefix."visitors");
whith //book_visitor($pixelpost_db_prefix."visitors");

and

$visitors = sql_array("select count(*) as count from ".$pixelpost_db_prefix."visitors");
$pixelpost_visitors = $visitors['count'];

with

//$visitors = sql_array("select count(*) as count from ".$pixelpost_db_prefix."visitors");
$pixelpost_visitors = 0;


Also you can disable the referrer page doing something like this

replace if($_GET['x'] == "referer") {

with if($_GET['x'] == "zzzzzreferer") {


I hope this helps, and plz do a backup of your index.php file before :)

I hope this helps, and plz do a backup of your index.php file before :)

the script didn't work (don't know why), so I had to disable it :-(

thank you!

pietro

try this. it's not a permanent solution as you have to clear the tables yourself but it works! :) http://www.shiftedexposure.com/anti_spam.zip

I had installed the anti-spam plugin, configured the .htaccess, and added the no-refer-spam file.

But today I had a massive attack :cry: , they're using other kind of words to achieve the attack.

If helps anyone, here's my list of banned words through the no-refer-spam file, I have also the same words in the plugin.

".com.cn",
"3d.net",
"4-all.org",
"4u.com",
"4u.net",
"6p.org.uk",
"6q.org",
"7h.com",
"9k.com",
"adipex",
"ad-services.info",
"advicer",
"agama",
"alprazolam",
"ambien",
"andrewsaluk.com",
"autoclan",
"azzafree.com",
"baccarrat",
"bigsitecity",
"bigsitecity.com",
"bizhat",
"bllogspot",
"booker",
"brad.com",
"butalbital",
"buy-diazepam",
"buy-hydrocodone",
"buy-hydrocone",
"buy-lortab",
"buy-valium",
"buy-vicodin",
"car-rental",
"carisoprodol",
"carribean-cruises",
"casino",
"casinos",
"celebrex",
"cell-phone",
"chat-nett.com",
"chatroom",
"cheap",
"cheap-hydrocone",
"chinamoulds",
"cialis",
"compare-hgh",
"cool-extreme.com",
"coresat.com",
"crescentarian.net",
"cwas",
"cxa.de",
"cyclen",
"cyclobenzaprine",
"czcn",
"czpcsj",
"da.ru",
"dawghouse",
"day-trading",
"didrex",
"dietary",
"digitalzones",
"discreetordering",
"doobu.com",
"dreamstation.com",
"drug",
"drugs",
"drugs.com",
"drugs.net",
"drugstore",
"drugstore.com",
"drugstore.info",
"dutyfree",
"duty-free",
"ebanon",
"ebanon.com",
"envy.nu",
"exitq.com",
"findmore",
"findmore.org",
"findteam",
"findwebhostingnow.com",
"fioricet",
"flexeril",
"flonase",
"flowersdeliveredquick.com",
"freakycheats.com",
"freemovie",
"freenet-shopping",
"fuck-fest",
"future-2000",
"galaxy99",
"-gambling",
"gay",
"golf-handicap",
"glwb.info",
"guide.info",
"herpes",
"hilton",
"holdem",
"hydrocodone",
"hydrocone",
"imitrex",
"incest",
"iqwide",
"isacommie.com",
"italiancharms",
"izhuqiu",
"jeeran",
"jennifer-love-hewitt",
"jewelrycity",
"jewelrycity.org",
"jobs4veterans",
"jvl",
"kloony",
"lemonrider",
"levitra",
"lexapro",
"likejazz",
"liveplaynow",
"loan4",
"loan4.org",
"lodging-taos",
"luxury-car",
"macinstruct",
"macvillage.net",
"male-fitness",
"maximum-result",
"meridia",
"meridia",
"muscle-relaxers",
"musicbox1.com",
"newru",
"newru.net",
"norco",
"nordette",
"nutrition",
"nutzu",
"o-f.com",
"oceania-cruises",
"offshore",
"ole6",
"-online",
"online-gambling",
"orchard-supply"
"p2l",
"p2l.info",
"parenteral",
"paris",
"paris-hilton",
"paxil",
"personal-injury",
"pervertedtaboo.com",
"pharmacy",
"pharmacy.info",
"pharmacy.net",
"phentemine",
"phentermine",
"pillsfarm",
"plasticmachinery",
"platinum-celebs",
"poker",
"poker-chip",
"poze",
"prescription",
"pro100",
"propecia",
"psxtreme.com",
"purchase-valium",
"ronnieazza",
"roody.com",
"search-engine",
"seducetips",
"-sex",
"sexlolita",
"shzu",
"sina.com",
"skelaxin",
"sliding-door",
"slot-machine",
"smsportali.net",
"soma",
"spb.ru",
"sphosting",
"sphosting.com",
"ssr.be",
"sysrem03.com",
"taboo",
"tbtest",
"teen",
"terashells.com",
"tewei.net",
"texas",
"tigerspice",
"titti",
"trackerom.com",
"tramadol",
"trim-spa",
"ultram",
"urbansearh",
"vahomeloans",
"valium",
"valtrex",
"veteranbiz",
"veterans",
"veteransbiz",
"veteransnews",
"viagra",
"vicodin",
"virtue.nu",
"weight-loss",
"wellbutrin",
"wholesale-car",
"wowgeil",
"wtcsites",
"xanax",
"xanax",
"xbuy",
"xenical",
"XXX",
"yelucie.com",
"yesno.spb.ru",
"yodoke",
"ywu",
"zolus",
"zomi.net",
"zoo-sex",
"zs1",
"zs1.biz"

I hope that the development team can find a solution to this.

Netwalker,

I had to go through my harddisks to find the version 1.3
I made some changes and tested it in an "old" installation

I did the following:
I set the relevant variable $referer empty in all cases
I deleted the function to create the referrer list (but visitors are still booked, without refererrer URL)

now you must do the following:

1) delete the file referer_template.html in your "active" template-directory

2) delete this tag from your image_template.html: <SITE_REFLINK>

3) make a backup of your actual index.php in the main-directory (not admin/index.php)

4) download http://www.bildgier.de/download/pp13noreferindex.zip, unzip it and load this index.php to your website

it has no functionality to write any referrer-URLs in the database anymore, this SQL which slowed down the server is deleted, any URL like

"http://wwww.yourdomain.com/pixelpost/index.php?x=ref"

will not work anymore

you can test that here before you install it:

deactivated referrers:

http://www.bildgier.de/pp13popup/index.php?x=ref

activated referrers:
http://www.bildgier.de/pp13nopopup/?x=ref

I hope I could help you out of this deseaster!

good luck, thumbs up!

Thanks Connie for the fast answer.

I have already took some actions to solve this problem. Actually I don't have the link to the referer page, and I changed the name of the file (I didn't deleted the file, because I didn't know how can that affect).

I'm using the latest version of PP (1.4.1).

The no-refer-spam posted in other thread was a good stop to spam, but I detected today other words used.

How can I remove the referer function from the current version? I don't know much of PHP, so I don't want to blow up my site by moving something I don't really know. Also, is some way that when one of this sites goes to www.mysite.com/index.php?x=ref shows a 404 page or something similar?

Thanks for the help

Oh je, I understood you are running version 1.3

give me 30 minutes, I must go to breakfast, then I will send you the index.php for 1.4.1

sorry, be patient!

Netwalker,

here is the download:
http://www.bildgier.de/download/pp141noreferindex.zip

do the following:

- take off the referer_template.html
- download the zip
- replace the index.php in your main-page with "index.php" from the zip
- replace /includes/functions.php with "functions.php" from the zip
- delete the referrer-tag <SITE_REFLINK> from your image_template.html

no referrer will be entered in the database anymore
any call to index.php?x=ref will just do nothing, screen will be empty

you can test that at one my test-php141-places:
http://www.hafenfotografen.de/pixelpost2/

good luck!

Connie

Thanks Connie, I just did what you told me.

Thanks again.

Hi Connie. I'm using ur mod index.php and functions.php. I'm not sure about those spams have been reduced or not, but it seems like my visitors counter not working anymore. Is it suppose to be so or could it be something else wrong?