Stop the Topsites Spam!

There is a site I have had a lot of hosting problems with: my Directory TopSite.

I finally moved the site to another hosting account I have, for which I pay $150 monthly (15 C-class IPs, unlimited accounts, etc.). But then I got an urgent mail from the hosting support: topdirectories.info was using up all the CPU of the server and had to be stopped quickly or they would suspend it. I was surprised and decided to check it out. I found that it was not using very much bandwidth, the traffic was average, around 200-300 daily uniques, and the size of the database was not a problem.

I went into Webalizer and this is what I see:

Over 24K hits per hour!

I scroll down …

Over 94% coming from button.php!

I scroll down …

Here are all the biggest referrals. I checked the top 28 (60% of all hits) and found that they are all spammers!

Here is one example, look at that. They are collecting hundreds of Topsites buttons and then probably have some bots that reload that page thousands of times a day and also click on all the buttons to get a better ranking on the topsites. These are from Aardvark Topsites but also other ones, and the spammers are mainly from Turkey, using words such as “sohbet”. For each reload, button.php gets executed, and in that file are SQL queries that get the correct numbers to display on the button. Imagine 20 thousand reloads of button.php each hour and the amount of CPU work …

So I wanted to ban these spammers in the .htaccess and found an excellent resource: Block hitbots with .htaccess

In the redirection field I placed the URL of the main spammer: http://www.gulum.net, hehe.. That solution was still triggering the PHP code, so I changed it to deliver a 403 Forbidden instead.

Here is the .htaccess code (Last updated: August 22, 2007):

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?5sohbet.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?aklimdasin.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?almanyachat.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?altdudak.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?anonym.to/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?automotive-links.mustangv8.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?ara-bul.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?arkadasohbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?asimp3.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?asksokagi.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?askyeri.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?astroloji.ws/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?bahisci.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?baysohbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?bedava.mirctr.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?bedavasohbet.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?bizimmekan.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?bizimonline.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?cafeyurt.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?cetsohbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?chatchat.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?desichatpk.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?dirty-funny-joke.aisbird.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?dominacja.najlepsze.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?dost-chat.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?dsmartnedir.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?egecafe.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?e-iklan.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?elmaliseker.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?fenerbahce.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?foxchat.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?freehitwebcounters.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?galatasaray.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?geceninrengi.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?gulum.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?guzelsozler.name.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?hadigel.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?iddaamac.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?ircstar.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?itirafsitesi.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kacaksohbet.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kadersizim.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kamp3.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kardelen.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kayip.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kodes.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kralgazete.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kurtlarvadisiteror.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kvteror.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?kvteror.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?liseliguzeller.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?meyilli.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?mirc.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?mirc-irc.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?mircarsivi.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?mirchit.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?mircland.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?mirctr.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?mircturk.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?mircyukle.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?moviesmammoth.blogspot.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?musiqueray.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?myuitm.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?nazlimcafe.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?netlek.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?oyunyolu.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?pcforumlari.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?pornolar.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?radyo.mircturkey.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?rockdays.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sanahasret.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sevelim.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?site.name.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet.kenthaber.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet.sevgi.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet-tr.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet23.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet24.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet27.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet27.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbet35.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbetani.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbetara.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbetbol.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbetcafe.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbetchat.tc/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbetedin.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?sohbetyap.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?soyle.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?the-cloak.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?toplistler.idealsohbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?topsohbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?tr.cc/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?trcafe.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?trsohbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?tsohbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?turk-sohbet.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?turkbul.org/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?turkmirc.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?turkmuhabbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?yapma.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?yuzukchat.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?webalem.net/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?zurnasohbet.org/.*$ [NC]
RewriteRule .* - [F,L]

Update:

Daniel was kind enough to submit his own solution, which is probably more effective. You can see his comment about it here. If his files are removed, they are mirrored here. Just make sure that you have the updated list above of domain names to block for this.

You can, or in other words you must, copy the above code into your .htaccess file if you run any kind of topsite. With this code the buttons will not even load; there will only be a link left to your top site. :) Just insert the code in the .htaccess that is located in the root folder, or create one.

Please tell other topsite owners about this; there are hundreds out there that are getting affected by these Turkish spammers.

If you know any other domains that spam topsites, have any other feedback or need help, then just comment here.
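The Webalizer check described in this post, automated as an added example (not code from the original post or its commenters): it tallies referring hosts for button.php in a combined-format access log and emits RewriteCond lines in the style of the list above. The log lines, the .example hosts and the 20-hit threshold are constructed, and the rule is scoped to button.php rather than `.*`, which is an assumption of this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# The Referer header is attacker-controlled: only plain hostnames may reach .htaccess.
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def referer_hosts(lines, script="button.php"):
    """Count requests for `script` per referring host (leading "www." dropped)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            path = urlsplit(m.group("path")).path
            host = urlsplit(m.group("referer")).hostname
        except ValueError:
            continue  # malformed URL in the request line or the Referer header
        if not path.endswith("/" + script) or not host:
            continue  # other script, or empty / "-" referer
        if not HOST_RE.fullmatch(host):
            continue  # characters that would break the generated regex or directive
        counts[host[4:] if host.startswith("www.") else host] += 1
    return counts


def build_htaccess(counts, min_hits, allow=(), script="button.php"):
    """Emit a referer block for every host with at least `min_hits` button loads."""
    blocked = sorted(h for h, n in counts.items() if n >= min_hits and h not in allow)
    if not blocked:
        return ""
    out = ["RewriteEngine on"]
    for i, host in enumerate(blocked):
        # Every condition but the last carries OR, as in the hand-written list.
        flags = "[NC]" if i == len(blocked) - 1 else "[NC,OR]"
        pattern = r"^https?://(www\.)?" + host.replace(".", r"\.") + "(/|$)"
        out.append("RewriteCond %{HTTP_REFERER} " + pattern + " " + flags)
    out.append("RewriteRule (^|/)" + script.replace(".", r"\.") + "$ - [F,L]")
    return "\n".join(out)


def sample_log():
    """Constructed log lines (documentation IPs, .example hosts), not real traffic."""
    def hit(ip, path, referer):
        return (f'{ip} - - [22/Aug/2007:10:00:00 +0000] "GET {path} HTTP/1.1" '
                f'200 333 "{referer}" "Mozilla/4.0"')
    lines = []
    lines += [hit("192.0.2.10", "/topsites/button.php?u=site1",
                  "http://www.toplist-farm.example/kavak/index.htm")] * 40
    lines += [hit("198.51.100.7", "/topsites/button.php?u=site2",
                  "http://chat-buttons.example")] * 25
    lines += [hit("203.0.113.5", "/topsites/button.php?u=site3",
                  "http://friend-blog.example/links.html")] * 3
    lines += [hit("203.0.113.9", "/topsites/button.php?u=site4", "-")] * 2
    # Same referrer, but not a button load: must not be counted.
    lines += [hit("192.0.2.10", "/index.php", "http://www.toplist-farm.example/")] * 5
    # Referer host with regex metacharacters: must never be written to .htaccess.
    lines += [hit("192.0.2.66", "/topsites/button.php?u=x", "http://x.example)(/a")] * 30
    return lines


if __name__ == "__main__":
    print(build_htaccess(referer_hosts(sample_log()), min_hits=20))
```

Review the generated hosts before deploying them; the `allow` argument keeps partner sites that legitimately embed the button out of the block list.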

90 responses
  1. Directory Critic said on September 15, 2006 at 3:33 am

    Man, what a pain in the ass. I would probably run some php code that logs button loads and if the number of loads exceeds X in X amount of time rewrite your .htaccess file to include their domain. This would keep a handle on new domains coming up without you having to physically watch your stats and edit .htaccess.

  2. Jim Westergren said on September 15, 2006 at 4:11 am

    Hi Dir Critic :)

    I was actually just a few days ago on your site and bookmarked it.

    I don’t think the PHP code would be necessary now; when I know what to do, I can just spend like 5 minutes once a month blocking the biggest referrals that are spammers. It is easy to check in Webalizer. But my bigger concern is the other 100 or so that are getting spammed and have no protection or even clue …

  3. agaton said on September 15, 2006 at 5:07 pm

    O what a problem! The spammers are more and more wild and have new methods every day.

    Fucking spammers!

  4. OS-Mark said on September 15, 2006 at 7:21 pm

    Well done, I posted a link to this on my site.. Until we have banning capabilities this is an awesome solution!

    Great Work!

  5. Jim Westergren said on September 15, 2006 at 9:18 pm

    Thanks a lot Mark, nice that you spread the word. This should be included by default. I will update the .htaccess later on when I find more spammers, in that way we also catch new ones.

  6. Dr Phil said on September 15, 2006 at 10:15 pm

    Oh, that sucks, bad karma for them!

    I guess they´re using Reffy/PRstorm. A very dark technique for sure, but it´s supposed to be played by now. It used to work well a long time ago. Nothing new at all.

    Hm, I hope the reason for this isn´t your own karma. No link buying or similar dark stuff lately?

  7. Jim Westergren said on September 16, 2006 at 5:43 pm

    I got a new mail from the web host yesterday, it was still too much CPU use.

    I changed from the redirect to instead RewriteRule .* - [F,L] which is placing a 403 forbidden. To be extra sure I changed the whole button.php script to just display a button instead. Now it is 100% sure there will not be an overuse of the CPU.

    “No link buying or similar dark stuff lately?”

    Well, I bought some advertisement just recently but it was not AdWords so of course Google will not like it ;)

  8. Jim Westergren said on September 19, 2006 at 3:22 am

    I have now updated the list and also put it in alphabetical order.

  9. Karen said on September 20, 2006 at 8:52 pm

    Here’s another site for the list http://www.mirc-irc.com

  10. Jim Westergren said on September 20, 2006 at 11:54 pm

    Thanks a lot, the list is updated.

  11. Daniel said on September 28, 2006 at 8:13 pm

    I’ve the same problem and solved it already a few months ago with some similar .htaccess code.

    But I didn’t send them back to some other homepage - I give them a big fat “F*ck Off” picture - exploding their layout.
    A few days later they removed my link. But of course there are always new domains I have to add to my .htaccess file.

    Here you can find a zip file with all the files needed and a sample .htaccess file.
    http://www.malerfreunde.com/toplist/spamer_sample.zip

  12. Jim Westergren said on September 28, 2006 at 11:57 pm

    Thanks a lot Daniel. I have included your solution in my post.

  13. Daniel said on October 2, 2006 at 9:47 pm

    You’re welcome!

  14. Jim Westergren said on October 10, 2006 at 10:13 pm

    New update of the list of domains to block!

  15. Daniel said on October 20, 2006 at 10:38 pm

    Anybody thought about the idea of sending an email to the registrar of the domain (maybe through an - to be provided - online form, which sends an email to all known registrars of the spammer-sites)?
    I think a registrar should then (if many people complain) start doing something.
    Maybe it would also be an idea to threaten the registrar to block all his ip-ranges in the future.

  16. Jim Westergren said on October 21, 2006 at 9:27 pm

    Daniel,

    well … I just know that I don’t want to waste my time on them.

  17. Brett S. said on October 23, 2006 at 3:30 pm

    Jim,

    I still use the 301 redirect you used above. I have enough bandwidth and other requirements that I am still able to redirect all of this crap to whoever the largest spammer is at the moment. Within 5 or 6 days they usually back off to almost nothing. Anyone who is able to use the 301 redirect should do so, since we are essentially sending their crap back to the spammers and flooding their own servers with it at minimal cost to ourselves. I understand that in your case it simply won’t work due to the CPU usage, but if you are an Aardvark Top Sites user and you read this, please, please use Jim’s 301 method.

    Brett

  18. Alexander said on October 25, 2006 at 11:46 am

    Thanks for this antispam mod

  19. George said on October 31, 2006 at 2:02 pm

    Cheers for code they are a real pain, guess they are helping you get a google rank as it has a link back lol

  20. Nootkan said on November 10, 2006 at 10:15 am

    I’m confused do we add both htaccess files together or just the one on this site and not the one of Danny’s? I noticed that there are two different styles of writing the code, which is best?

  21. Jim Westergren said on November 10, 2006 at 1:33 pm

    “I’m confused do we add both htaccess files together or just the one on this site and not the one of Danny’s? I noticed that there are two different styles of writing the code, which is best?”

    You choose which one. I am using my own. My solution is simply blocking them while Danny’s displays a nasty image to them. Test to see which one you like the most.

  22. spyhidden said on December 14, 2006 at 11:08 am
  23. Jim Westergren said on December 18, 2006 at 1:44 pm

    Thank you. I have just done a new update. Added about 10 more.

  24. Daniel said on January 2, 2007 at 3:25 pm

    Hi!

    I’m just trying another way, since all the above methods didn’t work for 100%.
    I saw that most of these sites use Google-Adwords. So I sent an email to Google telling them about the sites and that they use this method to get a higher ranking on Google. Maybe Google stops the payment for them.

    It would be a try if many people write to Google.
    It can be done without telling your email.

    To do so, just click on the bottom left link under the ads. In Turkish it says “Google Reklamları”. Then change in the URL the parameter “hl=tr” to “hl=en” to read the instructions in English. On the bottom you find the link “Send Google your thoughts on the site or the ads you just saw”. And there a link “Also Report a Violation?”.

    Even better would be if you do it on the Turkey-Google Page. Just click on “Gördüğünüz reklamlarla ilgili düşüncelerinizi Google’a gönderin” and then choose “İhlalleri bildirin” (violation) from the dropdown and just write your message in English.

    Maybe there is somehow a faster way to report such sites to Google-Adsense or a direct email address I haven’t found out yet.

  25. Biiter said on January 9, 2007 at 3:10 pm

    Daniel it seems that ur http://www.malerfreunde.com/toplist/spamer_sample.zip has been gone? or someone just owned ur site?

    anyone got a new link for this? http://www.malerfreunde.com/toplist/spamer_sample.zip

    tnx

  26. Jim Westergren said on January 9, 2007 at 4:57 pm
  27. Biiter said on January 10, 2007 at 6:32 pm

    Thanks jim.. i got it.. anyway you know how to redirect these spammers to a certain page?

  28. Daniel said on February 2, 2007 at 5:31 pm

    Once again me: Please also try to write abuse mails to the registrar of the pages.
    For example trsohbet is registered by godaddy ->
    https://www.godaddy.com/gdshop/spamreport/spamreport.asp?prog_id=godaddy&ci=292

  29. Olgar Verim said on February 7, 2007 at 9:44 am

    Hi guys,

    I’m from Turkey ‘n I’m Turkish… We apologize for these bad ‘n disgusting events.

    Turkish people aren’t spammers. we would have been avoid that people.

    if you want, we work together to block the spammers.

    us target and dream => “no spammers in turkey”.

    Regards…

  30. Jim Westergren said on February 7, 2007 at 2:45 pm

    Hi Olgar,

    Please stop the spammers!

    Thank you for helping us on this. I have just updated the .htaccess code above. You can tell people to use it to block the spammers.

  31. Olgar Verim said on February 7, 2007 at 6:08 pm

    Hi Jim,

    We don’t like spam and spammers. For example, we are complaining about spammers to Google.

    Some Turkish people who are 14-16 years old, creating spam pages and create dusty web pages.

    Now the Turkish webmasters are so angry. We will block this guys (spammers).

    But necessary you will help us. Please don’t block turkish people. This is wrong.

    The truth is block spammers. We are good webmasters.

  32. db.gen.tr said on February 8, 2007 at 3:35 am

    Hey guys,

    You can understand from my address that I’m Turkish too :)
    I hate every kind of spam. Like Olgar’s said the people who make spam are 10-16 years old they can’t make their pages they use cms portals. They only want to earn easy money.

    We are not like them. I agree with you guys block their domains or ip’s but not all turkish ip’s…

  33. Jim Westergren said on February 8, 2007 at 1:24 pm

    Ok good. I am not blocking turkish IPs, only domains.

    Thanks for helping to stop the spammers.

  34. Emrah Kaptan said on February 8, 2007 at 3:37 pm

    Daniel, you fucking pimp, you are the spammers, you sons of bitches. Don’t try to smear us. Just because two guys did it, are all Turks guilty now?

  35. Mike said on February 9, 2007 at 3:20 am

    I’m going to block all Turkish and Russian IPs right now. Spam away Turks!

  36. Chat said on February 10, 2007 at 2:39 pm

    hehe no spam really? :)

  37. Jim Westergren said on February 11, 2007 at 12:52 pm

    Come on! You two are both spamming and are both on my blacklist!

    Stop doing the spamming! You are destroying other web sites and hard work!

    Damn it.

  38. Jim Westergren said on February 11, 2007 at 8:01 pm
  39. Jim Westergren said on February 15, 2007 at 7:13 pm

    Just banned another Turkish comment spammer with IP 85.108.29.205

  40. Turkish Webmaster said on February 25, 2007 at 9:39 pm

    Fu.ck al sohbet spammers :mad:

  41. Turkish Webmaster said on February 25, 2007 at 9:42 pm

    sohbet spammers, do spam for ddos
    i’m english not good :S

  42. Jim Westergren said on March 10, 2007 at 2:51 pm

    Just banned another Turkish comment spammer with IP 81.213.203.108

  43. Serhan said on March 15, 2007 at 8:53 am

    You guys,

    I’m from Turkey too. I really am sorry that you go thru these, there are a bunch of morons around which keep on throwing shit for some backlinks. We are trying to sweep them away too. Just want you to know; do not consider these guys as Turks, lamers have no race right? These are underage horny kids who can do nothing but making a chat script(sohbet means chat) and hope for a girl to come along so they can mess with her with every animal instinct they have. Those domains above are like %90 of the problem i can say. So ban those “big” boys(yeah -boys- fit here) and it’ll be all better.

    Whatever you do for now or later, don’t do it against a whole country no matter how mad you are.

    Thank you for your understanding.

  44. cevat said on April 6, 2007 at 12:55 am

    Turkish webmasters learned this spam and others from you.

  45. thanks said on April 20, 2007 at 11:35 am

    thanks, it really works

  46. Chat said on May 12, 2007 at 10:12 am

    hehe no spam really? :D

  47. Resimler said on May 29, 2007 at 8:14 pm

    These tips and hints are WAY more useful than the occasional threat of

  48. Caner Turk said on June 4, 2007 at 7:59 pm

    Hi my webmaster friends. Turkish spam is a big fault and very upsetting. Spamming is a bad habit like smoking, fighting, swearing. Not a habit of country. Please correct it with sohbet spammers, not Turkish spammers.

  49. Matthieu de Groot said on June 6, 2007 at 10:18 am

    Hi,

    I am kinda new to this topsite world and I just opened a (successful) topsite.
    I would like to know from people who used this .htaccess way if this really works!
    Lately my topsite: http://gigprod.nl, gets a lot of spammers and fake signups!
    As soon as I go home I will test this method and I hope it works ;)

    One other question I have is ‘why are almost all the spammers from Turkey?’ Or Russia!
    Can someone explain me that…

    fg,
    Go_on

  50. Zidane007nl said on June 19, 2007 at 11:19 pm

    Matthieu de Groot, first try to upgrade the topsite to the latest version (v.5.2.0). It has a lot of improvements and has better spam protection.

  51. Jeremy said on June 21, 2007 at 9:30 pm

    Here are some more anti-spam tips, for anyone interested: http://www.aardvarktopsitesphp.com/forums/viewtopic.php?t=7135

  52. Hikaye said on June 22, 2007 at 10:05 pm

    god very spam all :D

  53. artifact said on June 25, 2007 at 10:19 pm

    The fotoplist4pe.jpg Can be better.
    Find thing Turks mostley hate and put them in your picture.
    Also a lot of pakistanian spammers are there. They are not too fond of India.
    Indian Flag?

  54. s said on June 29, 2007 at 12:21 am

    We must bild oversize golfish bowl and get army to row to turkey in de bowl, before trapping spammers in bowl and bombing inside the bowl so the spammers die to earth. email me: sames at hotmail.co.uk if you’re inta restid in coming with me to bom turkey spamarses (inside golfish bowls!) :P :D
    Revenge is sweet, and bowldy fun! (we must firs hav sexy time ok? ;))

  55. Tao said on July 3, 2007 at 4:21 pm

    Thank you for your sharing
    I come from Hong Kong.

    I got suffer from 5sohbet.net
    My hosting just said i got DDOS attack and suspend my account …and i do not know what is happen..

    2 weeks after, i change to another hosting…of course problem still exist…

    Then, Thanks god, i come to here and finally know what is happening.

    You are so helpful!

    Thank you!!!

  56. Tao said on July 5, 2007 at 3:09 am

    hello,

    i did follow the code, but still no use

    since it still burn out my CPU usage that my site got suspended again

    help

    thanks

  57. Motti said on July 22, 2007 at 6:02 pm

    Daniel, what shall I do with your file?

    I must rename “take_this.php” as “button.php”? And change the htaccess also, as seen on top?

    I have big problems with the PHP. I have deleted the topsite script, but the attack comes again :(

  58. Prop Rod said on August 6, 2007 at 1:40 am

    Thanks Jim and Daniel.

    I am currently under attack by a few of these and Daniels “little” image works out great. I hope they notice and remove my site link… it has brought my directory to a stand-still.

  59. evden eve nakliyat said on August 7, 2007 at 3:23 pm

    very nice idea.thank you.

  60. Joe H said on August 21, 2007 at 4:06 pm

    I hope someone can help. I have done what’s recommended and I am still getting the spam. I even deleted the topsites and the spammer keeps trying to connect to button.php

    this is from the Apache status (it’s the main offender)
    GET /topsites/button.php?u=kavakclub HTTP/1.1
    from cpanel
    http://www.5sohbet.net/kavak/index.htm has 1225311 hits

    and http://www.5sohbet.net/viphikaye/index.htm has 1083519 hits

    its killing the server

  61. Jim Westergren said on August 22, 2007 at 4:53 am

    I have now updated the blacklist above, if you copied it before then take the new list as there are new spammers out there.

    Motti and Joe,

    If you have deleted the button.php it should not be any problem anymore. The problem is that the spammers request the button.php and execute the PHP code in it that connects to the database, and all this takes a lot of CPU. Without button.php there is nothing to do and it is not a problem.

  62. Zeeshawn Durrani said on August 22, 2007 at 2:23 pm

    Cannot thank you enough.. this is great, I will recommend this to others.. so keep updating the list.. Its helping thousands of webmasters all over the globe … Two thumbs up :)

  63. Jim Westergren said on August 23, 2007 at 10:42 am

    Thanks a lot Zeeshawn, that was really nicely said and you made my day better :)

    I will keep updating the list :)

  64. Motti said on August 23, 2007 at 10:46 am

    I found another way:

    use a .mov file and rename that one to button.php

    The file must be larger than 150 MB :D

    After 2-3 visits, they never come back ;)

  65. OSMAN said on August 31, 2007 at 1:55 pm

    sikeyum toplistlerini amına koyım cok uyanıksınız alayınız türklerden
    geciniyorsunuz amk kodum sünnetsiz piçleri.

    Utananında amına koım yahudi piç.
    see.

  66. Thierry said on September 6, 2007 at 11:34 pm

    I applied your mod, deleted button.php then created a blank button.php but nothing helped.
    The last time I checked the stats with a blank button.php, there were 300 hits in less than 10 seconds and each hit made 333 bytes of transfer. Enough to get my server down. Any solution to have hits with 0 bytes?

  67. Mustangfan said on September 8, 2007 at 7:36 pm

    I am the owner of the site http://automotive-links.mustangv8.com/RSS-directory/ listed in your list of spammers.
    I placed your button there to promote a new directory and I thought that placing your link in a PR6 directory would benefit both of us. There is no malicious script being used in any page and every time your button was loaded, it was by real human visitors that may have been visiting your website.
    If this is called spam, I am sorry but it was not my intention.

  68. B-Master said on September 8, 2007 at 10:00 pm

    Hi,

    the Script in the Top didn´t work. I use Apache 2.2.
    but i only get 403.
    another Idea?

    Thanks for any help.

  69. Mustangfan said on September 10, 2007 at 2:02 pm

    You can add the following sites:
    http://www.karyola.net/toplist.html
    http://75.126.201.143/1.php

    I like Daniel’s idea but instead of redirecting to a F*ck image why don’t we all get together and redirect our button.php to the spammers homepage?
    This will crash their server very fast and resolve all our problems.

  70. Joost said on September 17, 2007 at 6:00 pm
  71. spam_hater said on September 21, 2007 at 7:41 pm

    There is a much more effective solution that I found that actually blocks the spam traffic before it gets to your web server, removing the load from it. It requires using iptables, which is enabled by default on most/all Linux distributions.

    Here is a sample code that saved our server, which was brought down by the topsites spam traffic:

    ############################################
    #clear/flush the iptables information, deletes all previous setup.
    /sbin/iptables -F
    #delete the BLACKLIST table if it was previously created.
    /sbin/iptables -X BLACKLIST
    #create a new table called BLACKLIST
    /sbin/iptables -N BLACKLIST
    #configure the table BLACKLIST
    /sbin/iptables -A INPUT -p tcp --dport 80 -j BLACKLIST

    #add IPs to be blocked to the table.
    /sbin/iptables -I BLACKLIST -s 212.175.13.42 -j DROP
    #add networks to be blocked to the table
    /sbin/iptables -I BLACKLIST -s 212.175.0.0/16 -j DROP
    #add networks in Turkey (sohbet and others come from there)
    #Network addresses that start from 80 through 91 appear to be in Turkey
    #majority of the topsites spam traffic comes from those networks
    #if you don’t care about visitors from Turkey or you have to restore access
    #to your server in a hurry, block all of them.
    #personally I would block them until the Turkey government establishes
    #some kind of a law prosecuting the offenders. If everyone blocks offending
    #networks, they will notice it very very quickly ;)
    /sbin/iptables -I BLACKLIST -s 80.0.0.0/8 -j DROP
    #more networks here from 80-91 range
    /sbin/iptables -I BLACKLIST -s 91.0.0.0/8 -j DROP

    ############################################

    Hope this helps you as it helped us. Please post IP addresses of other offending
    networks here.

    God Bless

  72. Joost said on September 22, 2007 at 6:05 pm

    I fixed it by reporting the website for DDos attacking my server, at the host where they were hosted. Worked ok didn’t get the site down but my topsite button was removed from the site.

  73. Sohbet down said on September 26, 2007 at 2:57 pm

    Look at this sohbet site:
    forumsevgi.com
    Someone has blocked access to their buttons from this site and displays pop up login windows with “F*ck off your spam site” messages. I think this idea is great and with hundreds pop ups like that on their page, they will certainly delete all topsites buttons and it will end this kind of spam.
    Does anyone have any idea how this can be done?

  74. Nick Jean said on September 29, 2007 at 9:17 am

    spam_hater i’m not sure how I can apply your solution using iptables. Can you please guide me?

  75. Joost said on October 7, 2007 at 9:25 am

    spam_hater, you’re blocking the whole of Europe. I’m from the Netherlands and I have an 8******** IP.

  76. kensplace said on October 7, 2007 at 1:46 pm

    Joost is correct, the range 80 to 91 contains more than just Turkish IPs.
    I’m in the UK, and my IP starts with 86.whatever

    So blocking a wide range like that will block out a lot of people from Europe….

  77. evden eve nakliyat said on October 7, 2007 at 10:50 pm

    this is very bad…

  78. spam_hater said on October 9, 2007 at 5:38 am

    Hello all,

    Yes, I found out since that my iptables blacklisting was too broad. I have started using the Geoip database of IP addresses mapped to countries and can selectively block the offending networks and/or countries.

    http://www.maxmind.com/app/geoip_country

    There is a module for Apache that can help with that, but without iptables it isn’t particularly helpful. The module is called mod_geoip.

    http://www.maxmind.com/app/mod_geoip

    What I have done is blacklisted the bad or unimportant to our site countries (we primarily serve Russian/Ukrainian content) using mod_geoip for Apache. Although mod_geoip denies access to your site, a lot of processing power is still used up reading and then denying the bad requests. mod_geoip reports each denied request in the error_log file. I am using that information to block the IPs. I scan the error_log file for “denied” error messages and extract the IP address from each and blacklist it using iptables. In my situation the resources (memory) are very limited so I cannot always blacklist per IP address, since iptables runs out of memory at around 1000 entries. So I blacklist networks but make sure it’s not too broad. In my previous post I had selected huge IP ranges to blacklist (88.0.0.0/8) which effectively blocks all requests starting with 88. Right now I do 88.101.0.0/16 blacklisting which is a much finer selection (it will block IPs starting with 88.101). Also, I clear the blacklist every 6 hours or so and start over. If there are a lot of spam requests coming in, it slows them down considerably in about 5-10 minutes after restarting/flushing iptables.

    You can also scan whatever the main log file for your domain is for keywords, like sohbet etc. and extract the IP address from each of those lines and blacklist it. So, if you are receiving a lot of spam traffic, monitor your log file for a while, find out who the offending referrer is and start blacklisting each IP or network (for example: 88.101.22.53/16 will blacklist all 88.101.x.x IPs; if you want even finer selection, do ip/24 blacklisting, which will blacklist all 88.101.22.x IPs, but from my experience it’s not very effective) coming in from that referrer.

    EXAMPLE LOG LINE:

    82.236.215.32 - - [08/Oct/2007:12:55:59 -0500] "GET /top/button.php?id=1149 HTTP/1.1" 200 38 "http://www.5sohbet.net/s1/89.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; winfx; .NET CLR 1.1.4322)"

    So, in Linux/Unix do:

    cat mylogfile.log | grep sohbet | awk '{print $1}'

    which will print out the IPs.

    Of course, it all depends on the format of your log file and if you know Unix/Linux at all you will figure it out.

    I do not use the above commands to extract the IPs, it’s just an example. I wrote my own script that scans the logs continually and updates the iptables.

    And to Turkish people — we do not hate Turks, we just need to find some means of protecting our servers. Although we might blacklist the entire country, it’s just our site that does it. You still have access to the rest of Internet. If we thought that Turks can read Russian and needed to access our site, we would never blacklist Turkey. We also get some spam from Russia, not as much but with our too broad block we have also blocked most of Russia (we were happy for a while that there was no load on our server and then figured out that we get almost no traffic from Russia because of our blacklist, so we had to fix that quickly).
    The problem is that we cannot complain to the law authorities in Turkey or do anything legally to someone in any other country, so we have to find other means of fighting it. DDOS (Distributed Denial Of Service) attacks are very very difficult to fight so we have to do whatever we can.

    God Bless,

    spam_hater
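
The log-scanning approach described in comment 78, as an added example that is not part of the original comment and is not spam_hater's own script: it matches the keyword against the Referer host only, groups offenders into /16 or /24 networks with a hit threshold, and prints (does not run) rules for the BLACKLIST chain. The function names, the sample log lines, the made-up hosts and the reserved test addresses are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration: find referrer-spam sources in a combined-format access
# log and print candidate rules for the BLACKLIST chain used on this page.

# Constructed sample log lines (reserved test addresses, made-up hosts).
sample_log() {
cat <<'EOF'
198.18.1.5 - - [08/Oct/2007:12:55:59 -0500] "GET /top/button.php?id=1149 HTTP/1.1" 200 38 "http://www.sohbet-spam.example/s1/89.htm" "Mozilla/4.0"
198.18.200.9 - - [08/Oct/2007:12:56:01 -0500] "GET /top/button.php?id=1149 HTTP/1.1" 200 38 "http://sohbet-spam.example/list.htm" "Mozilla/4.0"
198.18.1.5 - - [08/Oct/2007:12:56:02 -0500] "GET /top/button.php?id=1149 HTTP/1.1" 200 38 "http://www.sohbet-spam.example/" "Mozilla/4.0"
198.19.7.7 - - [08/Oct/2007:12:56:03 -0500] "GET /top/button.php?id=77 HTTP/1.1" 200 38 "http://www.sohbet-spam.example/x" "Mozilla/4.0"
192.0.2.50 - - [08/Oct/2007:12:56:04 -0500] "GET /top/ HTTP/1.1" 200 5120 "http://blog.example/post-about-sohbet-spam" "Mozilla/5.0"
192.0.2.51 - - [08/Oct/2007:12:56:05 -0500] "GET /top/search.php?q=sohbet HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# spam_networks KEYWORD PREFIX MINHITS  (log on stdin; PREFIX is 16 or 24)
# Prints "network/prefix hits", busiest first. Unlike a whole-line grep, the
# keyword is matched against the Referer host only, so a visitor who merely
# searched for the word or came from a page discussing it is not listed.
spam_networks() {
    awk -F'"' -v kw="$1" -v prefix="$2" -v minhits="$3" '
    NF != 7 { next }    # not combined format, or a quote inside a field
    {
        split($1, head, " "); ip = head[1]      # client address
        host = tolower($4)                      # Referer header
        sub("^[a-z]+://", "", host)             # drop the scheme
        sub("[/:?#].*$", "", host)              # keep the host part only
        if (index(host, tolower(kw)) == 0) next
        # Accept only well-formed dotted-quad IPv4 addresses.
        if (split(ip, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || (o[i] + 0) > 255) next
        if (prefix == 24) net = o[1] "." o[2] "." o[3] ".0/24"
        else              net = o[1] "." o[2] ".0.0/16"
        hits[net]++
    }
    END { for (n in hits) if (hits[n] >= minhits) print n, hits[n] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# emit_rules MAX KEYWORD PREFIX MINHITS
# Prints (does not execute) at most MAX DROP rules, so the table stays under
# whatever entry count the server can hold.
emit_rules() {
    max=$1; shift
    spam_networks "$@" | head -n "$max" |
        awk '{ print "/sbin/iptables -I BLACKLIST -s " $1 " -j DROP" }'
}

# Review the output before feeding it to a root shell.
sample_log | emit_rules 1000 sohbet 16 2
```

The hit threshold keeps a single stray request from putting a whole /16 on the list, which is the over-blocking problem raised in comments 75 and 76.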

  79. spam_hater said on November 22, 2007 at 5:12 pm

    I would also suggest, for those who don’t use any special capabilities of Apache, or even if you have to use Apache, to try Lighttpd.

    http://www.lighttpd.net/

    It is much much leaner than Apache, uses much less memory and is faster.
    Where our site will become completely unresponsive under the spam attack while using Apache, with Lighttpd it just slows down a little, with around 220meg of RAM used total, and that’s under heavy load.

  80. Storage said on December 13, 2007 at 12:36 pm

    Nice, can anyone tell me how I can find this type of blog?

  81. youtube said on December 14, 2007 at 8:47 am

    Matthieu de Groot, first try to upgrade the topsite to the latest version (v.5.2.0). It has a lot of improvements and has better spam protection.

  82. Rob said on January 22, 2008 at 11:11 pm

    I’m getting a ton from trsohbet.com - might want to add that to your list. thanks for the .htaccess thing

  83. Erika said on January 26, 2008 at 5:54 pm

    I just added this code to my topsites folder … how long does it take to work? I am still not able to access my website… my server said I was getting over 100 people at my site at one time and it was overloading them…. thanks to the spammers =o( Does this take time to work? Also, is this something I should do to my main folder of my site?
    I am new to this spamming business and I have such a headache from it. Thanks for putting this up!

  84. Erika said on January 26, 2008 at 5:56 pm

    I forgot to say that I added these to my htaccess file:
    RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?gazeteler.tv/.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?canlitv.gen.tr/.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?trsohbet.com/.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?oyunlar1.gen.tr/.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?plazacentre.net/.*$ [NC,OR]

  85. Will Spencer said on January 30, 2008 at 3:49 am

    I took down Aardvark Topsites. I don’t want to waste the precious moments of my life dealing with these morons.

    I’ve replaced button.php with this photo from the Armenian Genocide: http://www.armeniangenocide.com/photos/data/504/medium/armenian_genocide.jpg

  86. Will.Spencer said on February 24, 2008 at 12:54 pm

    Here’s a better .htaccess file to block traffic from Turkey.


  87. Die Green said on April 19, 2008 at 11:30 pm

    Well my hosting has hotlink protection.. it’s been set-up already w/ some of the big spammers.. this is how my hotlink protection list looks like.. (all set-up by host =] no spam!)


    P.S.
    your spam protection for comment is really good.. it took me 5.4 seconds to figure out ^^

  88. wattaman said on June 7, 2008 at 11:57 am

    Doesn’t work for me. Neither blocking nor redirecting to a custom page or URL.
    I’m using the .htaccess from the top of the page, not the one in the .zip.
    Is it possible that it could be due to server’s configuration? I know they don’t allow php code (for example) in the .htaccess file.
    Anyway, the biggest spammer of mine (sevgibar.com/soft.php) still displays my button and not the redirected page.


Pingbacks
  1. [...] See this post: http://www.jimwestergren.com/stop-the-topsites-spam/ [...]

    Pingback by Fighting the War Against Web Site Spam Bots — December 9, 2006 @ 5:17 am

  2. [...] Ah, it’s always these Turks. Foreigners are fed up with our people. Apparently it’s because of the Turks. Look. Stop the Topsites Spam! Aardvark Topsites PHP :: View topic - A Solution to Topsites Spam? __________________ Cihan Çulha - MCT [...]

    Pingback by Aadvark Problem. - Webmaster Zone — January 17, 2007 @ 3:29 am


