Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Re: Referrer spam
skewray wrote #340572:
I suspect these hits are Google Cloud, not fake IPs. FYI, my ham-handed solution :
# Google AS15169 Evil=96.2% 2025-08-27 Warning: May block Google employees....The ranges are not a complete set, just what I’ve seen on my site. If I get the cookie thing working, I may rip this sort of stuff out. It is a bit labor intensive to create.
Thanks so much. I’ll look into it tomorrow when I’m fresh. Meanwhile, I have halved the speeds and added an apology to all the pages of the website.
I do not think that there are for LLMs as they also list a referrer sites such as techcrunch, sears, etc. I do not think that bonafide LLM bots would do that, although I may be wrong.
<IfModule ratelimit_module>
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 50
SetEnv rate-initial-burst 200
</IfModule>Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
Re: Referrer spam
What I’ve been seeing recently are bursts of hits, but each one is from not only different IPs, but from all over the world. Not referrer spam, though; I haven’t seen any of that in years. Whoever is crawling my site, for whatever reason, is renting a cloud server somewhere, doing a bunch of single-access drive-by hits, and then closing it down. Multiplied by thousands. Very sly.
Sometimes these clusters have a central country of origin. Since I’ve shut down the US, then it was China, then India, then Brazil, then Vietnam. Whoever this is, they use cloud+ISP companies, so just blocking the entire ASN isn’t worth it.
Offline
Re: Referrer spam
colak wrote #340566:
Edited to add that
ratelimit_modulehas reduced the speed of the bots dramatically.
Excellent!
Offline
Re: Referrer spam
colak wrote #340570:
Maybe I should wait until then?
No guarantee I will update it with any speed.. the plugin should still work after the modification so I’m not too concerned about updating it. Although it will be very nice for future plugins
Offline
Re: Referrer spam
vistopher wrote #340576:
No guarantee I will update it with any speed.. the plugin should still work after the modification so I’m not too concerned about updating it. Although it will be very nice for future plugins
Hi,
I installed and enabled the plugin, but I cannot see the IPs in admin > Visitor logs, but I do see them after clicking on the relevant table in rss_admin_db_manager.
I’m running the latest txp.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
Re: Referrer spam
skewray wrote #340572:
I suspect these hits are Google Cloud, not fake IPs. FYI, my ham-handed solution :
# Google AS15169 Evil=96.2% 2025-08-27 Warning: May block Google employees....The ranges are not a complete set, just what I’ve seen on my site. If I get the cookie thing working, I may rip this sort of stuff out. It is a bit labor intensive to create.
The RewriteCond %{HTTP_USER_AGENT} directive returns a 500 for me:(
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
Re: Referrer spam
I’ve been researching if I can apply the ratelimit_module only for specific IPs. At the moment it is a global directive which is not nice for legit visitors. No results were returned.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
Re: Referrer spam
colak wrote #340578:
Hi,
I installed and enabled the plugin, but I cannot see the IPs in admin > Visitor logs, but I do see them after clicking on the relevant table in rss_admin_db_manager.
I’m running the latest txp.
I’ve only tested it on 4.8.8, not the beta versions. I will try to install the latest beta tonight and see if what the issue is.
Offline
Re: Referrer spam
It appears that all attacks come from ips belonging to google starting with 34.174. I’m very close to apply a Deny from 34.174. directive to up to 1 million users.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
Re: Referrer spam
TXP Builders – finely-crafted code, design and txp
Offline
Re: Referrer spam
jakob wrote #340593:
You are, it seems, not alone as many others are reporting similar activity from those IPs.
Thanks so much Julian, I’m glad I’m not the only one. I wrote to google and their form said that they would respond within a week. As others have the problem hopefully Google will take action.
Meanwhile, I’m denying access to every single ip that starts with 34.174.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
Re: Referrer spam
colak wrote #340578:
Hi,
I installed and enabled the plugin, but I cannot see the IPs in admin > Visitor logs, but I do see them after clicking on the relevant table in rss_admin_db_manager.
I’m running the latest txp.
Alright, the github is updated and works with the 4.9.0 beta versions.
This is the change I had not accounted for:- Developer: ‘Visitor logs’ panel is now bound to the new ‘lore’ event name (was: ‘log’) to prevent conflicts with privacy filters.
Offline