137.59 - A Thievery Number
I received a rather alarming email from my hosting provider today, informing me that I was using an excessive amount of CPU, to the tune of 137.59 CPU minutes today. Further, my account was now to be subject to resource monitoring (starting tonight). The email was to inform me that I needed to start watching the resource monitor logs to find the source of the excessive usage.
Well, it didn’t take me long to find the likely source, even though I hadn’t yet been able to see the resource logs. A quick look at the Apache access.log shows that the bastard spammers are hitting my server about 30,000 times per day trying to insert their crap into my referral logs. The referral attack is the most common one that is launched against EE weblogs, since comment and trackback spam is much more difficult with EE. Because of this problem I’d turned off referrers about two months ago and I’d made the old referrer template inaccessible to anyone who was not a logged in member.
I thought (mistakenly) that by making the referral information inaccessible that the asshat spammers would lose the incentive to spam my referrer scripts and would eventually give up. Instead, it appears that they stepped up their attempts to the point of verging on a DDOS attack.
So today I took more drastic action. I used the .htaccess feature of EE’s Blacklist module to block these bastards before they can even hit EE, which should cut down dramatically on the number of PHP sessions and database connections. Since about 2:00pm today 10,609 spam referral attempts have already been blocked.
While I was at it I also disabled hotlinking of all images on this domain from outside domains. Analysis of my logs shows that there were a lot of young thug-wannabes who were linking to my gun pictures from their horribly formatted online profiles. Some examples:
Bustmygunphilly (definitely not safe for work)
cameronknight
Bobby04
airlydzie
It’s kind of funny to see their attempts to hotlink my gun pictures replaced with this:
Checking out Bustmygunphilly’s profile page, it kinda freaks me out to see Puss ‘n Boots together on the same screen.
Exceptionally bad web design. Even someone with NO skills at all should be able to do something simple and functional—these folks know just enough to make a complete wreck of things.
I’m guessing your images show up in Google Image searches and they just grab em for posting without a second thought.
Isn’t it also possible that each one’s local machine is using its cache for your gun image, so when he looks at it, it looks fine on his screen, but all his homies just see your cute dog? That would be even better, in my opinion (but they might not get the message clearly).
Yeah, the images show up in Google Image searches. I noticed in the referrer logs that there are lots of hits from Google.
I think that the cache will likely be overridden. Each time the browser loads images it checks the date on the original file to see if it changed. Instead of the 200 (OK) or 304 (Not Modified) it gets a 302 (Found,Elsewhere), which causes the client to go find the file elsewhere.
I suppose some browsers could ignore this, but it would be a bad implementation.