Of spooks and spam: What to do when the 'FBI' spams your Web site
By Chris Gulker
The FBI 'came knocking' the other day here at gulker.com. They wanted me to know that my Weblog, an expression of free speech protected by the U.S. Constitution's First Amendment, was now included on their suspects' watch list.
Or, at least that's what I initially made of a reference in my Web server's access log. Web servers, the 21st Century's version of Gutenberg's press, if you didn't already know, create a record of everybody who visits.
And a Weblog, also for those who don't know, is a personal online diary of things that interest me, maintained in reverse chronological order. Mine is served by an aging Macintosh running Apache, the Open Source Web server software. Apache records, among other things, the IP address of every Web visitor, as well as something called the 'referrer'.
The referrer is a line that, in theory, tells me who sent the visitor my way. For example, if you clicked a link on the Independent's Digital Web page that sent you to www.gulker.com, the access log would record a line that would include the following:
209.220.11.66 "GET index.html" "http://news.independent.co.uk/digital"
Translated, this means someone whose computer was using the IP address 209.220.11.66 accessed the home page ('index.html'), which they got to by clicking a referring link on the Independent's Digital page. So, imagine my surprise when these 'referrer' lines appeared:
http://homeland.fbi.gov/Watchlists/suspect/view.jsp?record=895754
http://homeland.fbi.gov/Watchlists/suspect/view.jsp?record=948082
FBI? Watchlists? Suspect? Uh, oh
Houston, I think we have a problem, here
A nerdy Sherlock would infer from these lines that 2 pages of my Web site had been recorded in a database maintained on a server named 'homeland' belonging to the FBI. Were shadowy figures lurking in a spooky government facility perusing my 'suspect' Web pages?
But things aren't always what they seem to be. The pages that homeland.fbi.gov had supposedly viewed were 2 rather dry, technical treatises, not some of my more outspoken rants expressing deep reservations about my nation's current foray into Iraq. Curious, I thought.
A quick check of the world's Domain Name Server records showed no entry for 'homeland.fbi.gov'. However, a Google search revealed some 200 pages containing 'homeland.fbi.gov'.
Diving into those pages, it was apparent that dozens of Weblogs had seen the same thing. Brent Simmons, a Seattle-based programmer, had seen them on his utterly apolitical Weblog.
Brent's Weblog allows visitors to leave comments: many of those comments, left by other programmers, proclaimed the whole affair a hoax. The same opinion was offered by a number of computer scientists on an email list where my experience was posted.
It turns out that it's easy to spoof the 'referrer' line: a programmer with only modest skills could write a short program called a script that would cause the entries seen at gulker.com and elsewhere.
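The DNS check described above can be run over a whole access log to list referrers whose host does not exist. This is an added example, not code from the original article; it assumes Apache's combined log format, and the sample lines, KNOWN_HOSTS and sample_report are constructed for illustration.

```python
import re
import socket
from collections import Counter
from urllib.parse import urlsplit

# Assumed Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def dns_resolves(host):
    """Default check: True if the host name resolves to any address."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False

def unresolvable_referrers(lines, resolves=dns_resolves):
    """Return {referrer_host: hits} for referrer hosts that have no DNS entry."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("referer") in ("", "-"):
            continue  # unparseable line, or a visit with no referrer
        try:
            host = urlsplit(m.group("referer")).hostname
        except ValueError:
            continue  # malformed URL in a client-supplied header
        if host:
            hits[host.lower()] += 1
    # The Referer header is client-supplied; one lookup per distinct host.
    return {h: n for h, n in hits.items() if not resolves(h)}

# Constructed sample lines: the referrer URLs come from the article, while the
# timestamps, paths, sizes and 192.0.2.x client addresses are made up.
SAMPLE_LOG = [
    '209.220.11.66 - - [01/Apr/2003:10:00:00 -0800] "GET /index.html HTTP/1.0" 200 5120 "http://news.independent.co.uk/digital" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Apr/2003:10:01:00 -0800] "GET /tech/a.html HTTP/1.0" 200 2048 "http://homeland.fbi.gov/Watchlists/suspect/view.jsp?record=895754" "-"',
    '192.0.2.10 - - [01/Apr/2003:10:01:02 -0800] "GET /tech/b.html HTTP/1.0" 200 2048 "http://homeland.fbi.gov/Watchlists/suspect/view.jsp?record=948082" "-"',
    '192.0.2.44 - - [01/Apr/2003:10:02:00 -0800] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
]

# Hypothetical offline stand-in for DNS so the sample runs without a network.
KNOWN_HOSTS = {"news.independent.co.uk"}

def sample_report():
    return unresolvable_referrers(SAMPLE_LOG, resolves=lambda h: h in KNOWN_HOSTS)

if __name__ == "__main__":
    print(sample_report())
```

A referrer whose host does resolve can still be forged; the check only catches the case seen here, where the claimed host has no DNS entry at all.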
So, hoaxed again, but it then occurred to me that the hoaxer had chosen a very unusual medium through which to perpetrate this mischief. A Web server's access log is hardly email or a Web page.
But the hoaxer succeeded, knowing that I, like other Webloggers, periodically scan these logs to see who's been visiting. Many have even observed 'referrer spam' in which a site records a sudden surge of hits. When the curious victim clicks the referring link, they get a page advertising the usual spammer dross.
Indeed one firm touts its 'Referrer Advertising' services, but they may be ruing the day.
Turns out a miffed programmer wrote and posted a script that proved popular: when the firm's software visits a Weblog with a spam link, the script returns a referrer link of its own, replete with a lengthy and highly unpublishable admonition.