Example:

An internal page of mine is linked to this way (actual URLs edited out):

...referrerspoof.com/?http://mywebsite.com/internalpage.html

I checked out the headers for this link and got two locations:

LOCATION 1

GET /?http://mywebsite.com/myinternalpage.html HTTP/1.1
Host: referrerspoof.com
User-Agent: my computer
Referer: ...rexswain.com/httpview.html
Connection: close

HTTP/1.1·302·Moved·Temporarily(CR)(LF)  
Date:·Sun,·10·Oct·2010·19:34:37·GMT(CR)(LF)  
Server:·Apache(CR)(LF)  
X-Powered-By:·PHP/5.2.13(CR)(LF)  
location:·http://referrerspoof.com/r2.php?http://mywebsite.com/myinternalpage.html(CR)(LF)  
Content-Length:·0(CR)(LF)  
Connection:·close(CR)(LF)  
Content-Type:·text/html(CR)(LF)  
(CR)(LF)  

LOCATION 2

URL = ...referrerspoof.com/r2.php?http://mywebsite.com/myinternalpage.html
UAG = my computer
REF = ...rexswain.com/httpview.html
AEN =
REQ = GET ; VER = 1.1 ; FMT = TXT

Sending request:

GET /r2.php?http://mywebsite.com/2myinternalpage.html HTTP/1.1
Host: referrerspoof.com
User-Agent: mycomputer
Referer: ...rexswain.com/httpview.html
Connection: close

HTTP/1.1·200·OK(CR)(LF)  
Date:·Sun,·10·Oct·2010·19:34:38·GMT(CR)(LF)  
Server:·Apache(CR)(LF)  
X-Powered-By:·PHP/5.2.13(CR)(LF)  
Connection:·close(CR)(LF)  
Transfer-Encoding:·chunked(CR)(LF)  
Content-Type:·text/html(CR)(LF)  
(CR)(LF)  

And these are the contents

d7(CR)(LF)  
(LF)  
<html>(LF)  
<head>(LF)  
(HT)<title>Referrer Spoof·Link</title>(LF)  
(HT)<meta·http-equiv="content-type"·content="text/html;·charset=utf-8"·/>(LF)  
(HT)<meta·http-equiv="refresh"·content="(CR)(LF)  
1(CR)(LF)  
0(CR)(LF)  
6(CR)(LF)  
;·URL=(CR)(LF)  
3c(CR)(LF)  
http://mywebsite.com/myinternalpage.html(CR)(LF)  
103(CR)(LF)  
">(LF)  
(HT)<meta·name="keywords"·content="anonym,anonymous·link,link·anonymous,·anonymous·redirector,·hide·referer">(LF)  
(HT)<meta·name="description"·content="Hide·referring·urls·from·the·public,·and·shorten·link·anonymous">(LF)  
</head>(LF)  
<body>(LF)  
</body>(LF)  
</html>(CR)(LF)  
0(CR)(LF)  
(CR)(LF)   

Then I tried again, and it was like this (they seem to change things around):

21d(CR)(LF)  
(LF)  
<html>(LF)  
<head>(LF)  
(HT)<title>Spoofed Referrer·Link</title>(LF)  
(HT)<meta·http-equiv="content-type"·content="text/html;·charset=utf-8"·/>(LF)  
(HT)<meta·http-equiv="refresh"·content="0;·URL=http://mywebsite.com/myinternalpage.html">(LF)  
(HT)<meta·name="keywords"·content="anonym,anonymous·link,link·anonymous,·short·refer·link,·anonymous·redirector,·hide·referer">(LF)  
(HT)<meta·name="description"·content="Hide·referring·urls·from·the·public,·and·shorten·link·anonymous">(LF)  
</head>(LF)  
<body>(LF)  
</body>(LF)  
</html>(CR)(LF)  
0(CR)(LF)  
(CR)(LF)  

=======================

How this appears in my logs:

MY.IP.000.000 - - [09/Oct/2010:20:40:31 -0500] "GET / HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Windows;etc) mybrowser"

=======================

I want to bounce those spoofed META-REFRESH requests to my index page rather than my internal page.

Note that the link in the "second location" has an additional element "r2".

I'M BEING TOLD THIS CAN'T BE DONE!
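
An added example, not part of the original post: the short hex lines in the two body dumps (`d7`, `1`, `6`, `3c`, `103`, `21d`, `0`) are chunk-size lines from `Transfer-Encoding: chunked`, so decoding the body first and then parsing the HTML shows where the meta refresh actually points. The sample bodies below are constructed (sizes computed from the sample text, not taken from the capture), and the helper names `dechunk`, `refresh_target` and `chunked` are hypothetical.

```python
import re
from html.parser import HTMLParser

def dechunk(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked message body, ignoring any trailers."""
    out, pos = bytearray(), 0
    while True:
        eol = raw.index(b"\r\n", pos)
        # chunk-size is hexadecimal; text after ';' is a chunk extension
        size = int(raw[pos:eol].split(b";")[0].strip(), 16)
        if size == 0:
            return bytes(out)
        start = eol + 2
        chunk = raw[start:start + size]
        if len(chunk) != size or raw[start + size:start + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos = start + size + 2

class RefreshFinder(HTMLParser):
    """Record the URL of <meta http-equiv="refresh" content="N; URL=...">."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.match(r"\s*\d+\s*;\s*url\s*=\s*(.+)", a.get("content") or "", re.I)
            if m:
                self.target = m.group(1).strip()

def refresh_target(chunked_body: bytes):
    finder = RefreshFinder()
    finder.feed(dechunk(chunked_body).decode("utf-8", "replace"))
    return finder.target

def chunked(*parts: bytes) -> bytes:
    """Encode parts as chunks (only used to construct the sample bodies)."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"

# Constructed sample: one page, sent with two different chunk layouts.
HEAD = b'\n<html>\n<head>\n\t<meta http-equiv="refresh" content="'
URL = b"http://mywebsite.com/myinternalpage.html"
TAIL = b'">\n</head>\n<body>\n</body>\n</html>'
SPLIT = chunked(HEAD, b"0", b"; URL=", URL, TAIL)  # five chunks, like the first dump
WHOLE = chunked(HEAD + b"0; URL=" + URL + TAIL)    # one chunk, like the second dump

if __name__ == "__main__":
    print(refresh_target(SPLIT), refresh_target(WHOLE))
```
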