TIL about referer spam


This is cute. Suppose you are a spammer and you want to target website owners, how do you do this? Submitting spam comments is one possibility; either your spam is posted, in which case you win, or you get stuck in the spam filter, and the site admin will at some point scroll past it when checking if any proper comments were misflagged, and you’ll sort of win anyway. Here is a better strategy: access their website while spoofing your referer.

What is a referer, you ask? Let’s say you are browsing bethzero.com/2018/12/01/referer-spam, and you click a link to example.org. Your browser will, in its HTTP request to example.org, mention that you got referred to their page from bethzero.com/2018/12/01/referer-spam. This is so that website owners can know where their visitors come from. Super neat, how can we use this for spamming?

The trick is to send requests with a fake Referer header. (This is the correct spelling, except in some cases, such as rel="noreferrer".) Request the page https://bethzero.com, and put https://bestblogideas.com as the referer. When the proprietor of bethzero.com looks at her visitor statistics, she will see that bestblogideas.com linked to her, and probably visit it herself to see what they write about her. This is where you sell her access to your cheap special $300 blogging video course.

Another fun way to use this is probably for doxxing. Create a special page tracking.com/<unique-code> and use that as the referer. If you make sure that no other entry points to that page exist, then every visitor will be the Beth you're targeting. For bonus points, you put Facebook's tracking code on the page so that you'll forever be able to target advertisements directly to Beth.

Beth might try to outsmart you and satisfy her curiosity about her referrers by pointing her browser at tracking.com without the unique code. In that case, you can try buying a number of domain names for a kind of adaptive group testing procedure. If you have a million dollars you can probably do this on bigger scales, finding the IP address of a good fraction of pseudonymous website owners. Looking at my own stats, I think this is really happening.
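If you are on Beth's side of this, the spoofed hits described above have a tell: a browser that really followed a link loads the page and then its assets, sending your own page URL as the Referer for those asset requests, while a spammer just fires bare page requests. The following log check is an added example, not code from the original post; it parses Apache/nginx combined-format access lines (constructed sample data using documentation IP ranges, with bethzero.com as the site and news.example.org as an assumed genuine referrer) and flags referring hosts whose every hit is such a bare request.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_RE = re.compile(r'\.(css|js|png|jpe?g|gif|svg|ico|woff2?)$', re.I)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_referers(lines, own_host):
    """Return {external referer host: hit count} for hosts whose every hit is a
    bare page request, i.e. the same IP never fetched that page's assets."""
    page_hits = defaultdict(list)   # external referer host -> [(ip, page path)]
    page_loads = set()              # (ip, page path) pairs that also fetched assets
    for rec in filter(None, map(parse, lines)):
        ref = urlparse(rec["referer"]) if rec["referer"] != "-" else None
        if ref is None or not ref.hostname:
            continue
        path = rec["path"].split("?")[0]
        if ref.hostname == own_host:
            if ASSET_RE.search(path):           # asset fetched with our page as referer
                page_loads.add((rec["ip"], ref.path or "/"))
        elif not ASSET_RE.search(path):         # page hit credited to an external site
            page_hits[ref.hostname].append((rec["ip"], path))
    flagged = {}
    for host, hits in page_hits.items():
        bare = [h for h in hits if h not in page_loads]
        if len(bare) == len(hits):
            flagged[host] = len(bare)
    return flagged

# Constructed sample log: two spoofed hits, one genuine referral, one direct visit.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "https://bestblogideas.com" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Dec/2018:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 "https://bestblogideas.com" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Dec/2018:10:02:10 +0000] "GET /2018/12/01/referer-spam HTTP/1.1" 200 8800 "https://news.example.org/links" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Dec/2018:10:02:11 +0000] "GET /style.css HTTP/1.1" 200 900 "https://bethzero.com/2018/12/01/referer-spam" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Dec/2018:10:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.6"',
]

if __name__ == "__main__":
    print(suspicious_referers(SAMPLE_LOG, "bethzero.com"))  # {'bestblogideas.com': 2}
```

Sites that inline all assets or serve them from another host will need a different page-load signal, such as a request for a favicon or a follow-up navigation from the same IP.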
