web application security lab

Mozilla Fixes Referrer Spoofing Issue

Good for Mozilla - they recently fixed a very odd referrer spoofing issue that I was talking about back in January. It wasn’t exactly ten days, but who’s counting. ;) But referring URLs are a tricky beast. I see them being relied on an awful lot. I also see a lot of misbehaving robots in my logs that seem to think they understand what a referring URL is, and yet… they don’t.

One good example is robots that forget how Google works: instead of (notice that the “www.” and the trailing slash are missing). Also, spammers, please note that as of today, and every other day I have checked, I have never once been a link on the front page of Google’s website, and if it did happen, there will be a great earthquake; and the sun will become black as sackcloth of hair, and the moon will become as blood, so we best not even talk about such things. There’s tons of this garbage in my logs all day long. It’s almost surprising to me that the bad guys would bother. If anything it makes it stand out like a sore thumb. Yet I do see companies making security decisions based on referring URLs. Kinda scary given how many reasons referring URLs might be wrong or non-existent.

As a side note, when I attempted to use the :username@ trick for phishing, it did not silently drop the username; it actually redirected me to the search engine, which is actually pretty appropriate behavior given that it’s malformed. I’m glad someone was able to reproduce it because I had a hard time proving to myself that it was even something widespread enough to talk about. Anyway, kudos to Mozilla for the patch!

4 Responses to “Mozilla Fixes Referrer Spoofing Issue”

  1. Wladimir Palant Says:

    What I also see a lot in my logs is:

    GET HTTP/1.1

    And pretty much every client doing such a request is a spam bot (though a few seem to be just crappy proxy servers). Guess the spammers only learned how to talk to HTTP proxies but not that you should send a path rather than a URL when talking to the actual server.

    Yet another way to recognize spammers is their fake user agent string. Their approach to user agent randomization seems to be an old user agent list from which they just pick one - and all of a sudden I see Opera/5.02 in my logs.

    Yes, I really wonder why they even bother…

  2. Awesome AnDrEw Says:

    Well, most official search engine crawlers do not send referrers in their requests. Neither Google nor Yahoo! attaches the HTTP Referer header, but there is an exception: MSN/Windows Live Search. I noticed since it first crawled my website that the spider uses an IP range to collect the data, and then no more than a second later a completely different IP address belonging to Microsoft makes a request of the website with a search query referral pointing to the content it has just covered.
    Although only semi-related, another issue I’ve noticed regarding SPAM bots, scrapers, and file-inclusion scanners is that they tend to wane between Friday, Saturday, and Sunday nights, but pick up steadily during the early hours of each Monday morning. I’ve also found that on most major holidays the volume of attacks is a lot smaller than on normal days. Wladimir, I too have often wondered why such user-agents are also chosen when such attacks occur.
    It’s highly doubtful anyone is actually running Mozilla 3.0, Internet Explorer 5 Beta, Firebird, and any other collection of dated browsers.

  3. Kishor Says:

    Wladimir, sometimes I use the Modify Headers extension to change my referer to something else. So I don’t know if that URL comes from the spammer exactly. (I don’t use the URL that you listed here.)

  4. Mike Says:

    Man, if only I had change access to Google’s homepage…
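An added example, not code from the post or its commenters: a small access-log classifier that pulls together the tells discussed above. From the post, the malformed Google front-page referer (host without “www.”, no trailing slash) and the :username@ style URL, plus the point that a security decision made on a substring match of the Referer header is easy to fool; from the comments, the absolute-URI request line (“GET http://… HTTP/1.1”) that only belongs in proxy traffic, the long-dead user agents, and the fact that a missing referer is normal and proves nothing. The combined log layout, the example.com host, the list of stale user-agent markers and every sample log line are my own constructions for this example, not data from the page.

```python
import re
from urllib.parse import urlparse

# Apache/nginx "combined" log layout (assumed for this example):
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical markers for browsers nobody really runs any more; the post's
# commenters mention Opera/5.02, Mozilla 3.0, IE 5 beta and Firebird.
STALE_UA_MARKERS = ("Opera/5.", "Mozilla/3.0", "MSIE 5.0b", "Firebird/")

# Constructed sample traffic for this example; not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2007:12:00:01 -0800] "GET /blog/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=referrer+spoofing" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2"
198.51.100.7 - - [10/Mar/2007:12:00:02 -0800] "GET /blog/ HTTP/1.1" 200 5120 "http://google.com" "Opera/5.02 (Windows NT 5.0; U) [en]"
198.51.100.9 - - [10/Mar/2007:12:00:03 -0800] "GET http://example.com/blog/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.11 - - [10/Mar/2007:12:00:04 -0800] "GET /blog/ HTTP/1.1" 200 5120 "http://www.google.com:@evil.example/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20070208 Firefox/2.0.0.2"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_target(request):
    """'GET /x HTTP/1.1' -> '/x'; tolerates a missing HTTP-version field."""
    parts = request.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def flags_for(entry):
    """List the bot tells a single parsed log entry exhibits (empty list = nothing odd)."""
    flags = []
    # Proxy-style request line on an origin server: "GET http://host/path HTTP/1.1".
    if re.match(r"[a-z][a-z0-9+.-]*://", request_target(entry["request"]), re.I):
        flags.append("absolute-uri-request")
    ref = entry["referer"]
    if ref and ref != "-":  # no referer at all is normal (crawlers, privacy settings, direct hits)
        u = urlparse(ref)
        host = u.hostname or ""  # hostname strips any user:pass@ prefix; netloc does not
        if u.username is not None:
            flags.append("userinfo-in-referer")
        # Google's front page written without "www." and without the trailing slash.
        if host == "google.com" and u.path == "":
            flags.append("malformed-google-referer")
        # A bare search-engine front page as referer claims we were linked from it.
        elif host in ("google.com", "www.google.com") and u.path in ("", "/") and not u.query:
            flags.append("front-page-referer")
    if any(marker in entry["ua"] for marker in STALE_UA_MARKERS):
        flags.append("stale-user-agent")
    return flags


def classify(log_text):
    """Map each parseable line's client IP to the flags it raised."""
    result = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            result[entry["ip"]] = flags_for(entry)
    return result


def naive_from_google(referer):
    """The kind of check the post warns about: a substring match on the raw header."""
    return "google.com" in referer


def host_from_google(referer):
    """Parse first, then compare the real host; still only as trustworthy as the client."""
    host = urlparse(referer).hostname or ""
    return host == "google.com" or host.endswith(".google.com")


if __name__ == "__main__":
    for ip, flags in classify(SAMPLE_LOG).items():
        print(ip, flags or "clean")
    spoof = "http://www.google.com:@evil.example/"
    print("naive:", naive_from_google(spoof), "parsed:", host_from_google(spoof))
```

The two trust functions make the post's point concrete: the :username@ URL passes the substring check and fails the parsed-host check, while an empty referer fails both, which is exactly why a referer gate locks out the crawlers and users who legitimately send none. Even the parsed version only tells you what the client chose to say, so the classifier is useful for spotting sloppy bots in logs, not as an access control.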