I've been noticing some strange things in my referrer log lately. It seems I am getting many referrals from other blogs, all of them Movable Type blogs, and all the referrals coming from "/archives" or "mt-comments.cgi". When I go to the blogs, there are no links to my site. The referrals come to seemingly random places in both my blog, and the Hyatt blog. The referring blogs look legit, though. I've been wondering for a few weeks now about this.
Today, I noticed that all of these referrals are done by one entity - ns1.adros.net, which is evidently a Polish nameserver. I don't quite understand what a nameserver is doing browsing my pages, but perhaps it is just a victim of IP masquerading.
I looked at my logs, and found out after the each referral, ns1.adros.net is doing a POST to my mt-comments.cgi (in my case renamed to mtc.cgi). Here's an example from the logs:
What is going on here? Searching the web for problems like mine, I can only find a Japanese webpage, which I cannot translate through babelfish.ns1.adros.net - - [02/Sep/2004:02:35:48 -0500] "GET /archives/000127.html HTTP/1.1" 200 8166 "http://www.ffej.org/archives/" "Windows XP Internet Explorer 6.x" ns1.adros.net - - [02/Sep/2004:02:35:49 -0500] "POST /cgi-bin/mt/mtc.cgi HTTP/1.1" 200 3881 "http://thehyatts.net/cgi-bin/mt/mtc.cgi" "Windows XP Internet Explorer 6.x"
I better put this info out there in case other people are wondering the same thing, so perhaps some information can be spread about this phenomenon. I still don't know why this is happening, it doesn't seem like referral spam. It is something new. Perhaps innocent, but certainly deceptive.
Posted by ahyatt at September 3, 2004 12:59 PMI've noticed this as well. Same basic thing, and none of the URLs spammed into the log are anything odd, except of course that they don't have a single reference to my site. Maybe it's a test to see if the method will work, and now we're all going to be drowned in useless referrers.
Posted by: Ayse on September 5, 2004 10:40 PMSame here. I have comments turned off, so the POST tries to go to the archives directory. If you open http://adros.net/, you get flipped to a prono site. I am guessing this is some type of comments spam attempt.
Posted by: Michael on September 6, 2004 03:31 PMI had the same problem myself. I like to have accurate stats showing WHERE referrals come from - so I simply banned the host in my apache config file. This host now gets a "403 forbidden", and will not show up in my web log analyzer as ordinary hits.
Posted by: Irios on September 14, 2004 12:21 AMHi, I was searching for some info on that andfound your entry. I have had this starting on my private site, too. The person trying to get access to my comments comes through a trackback logged on another blogger's site, not through the main url. So these people obviously spider search engines and blogs to have somewhere to go and then check if they can abuse comments and mail forms. Their referral info [and if, then certainly their OS info, too] are totally spoofed.
These people are banned from my domain.
But what is the point? All that really gets them is ns1.adros.net showing up on that log stats page (if such a page is even public)? And it would seem that the false referrers are not even necessary for that.
Posted by: Andrew Hyatt on September 14, 2004 03:44 AMI too have been seeing these apparent referer spams, although they don't make any sense (since the URLs from which they suppposedly originate are not ones that can be loaded in a browser). So far, I am just filtering them out of my referer display.
Posted by: Dave Seidel on October 5, 2004 07:29 AM