Weird Referrer (xxxx:++++++++++)

[Volred]

I saw this in my referrer logs today as I was checking out my site.

I got 6 hits with this referrer

xxxx:++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I found this post on a website from within a google search: linky

As most people who examine their log files every so often have also no doubt noticed, sometimes you find information in there that just doesn't make sense.

Take these two common referrer strings for example:

"XXXX:++++++++++++++++++++"
"Field blocked by Outpost firewall (http://www.agnitum.com)"

The first - well, nobody appears to have yet been able to determine where that comes from. It certainly does a good job of hiding the authentic referrer though. My personal guess is that "XXXX" replaces "HTTP", and the +++ replaces the actual referral URL. It looks like a personal firewall product that simply hides the referrer.

The second is actually spam. Well, it is and it isn't. Anyone using the Outpost Personal Firewall from Agnitum can hide referrer URLs with the program. It unfortunately then replaces the referrer with what is essentially an advert. Unfortunately, blocking this referrer really isn't an option as it isn't the user at fault - it's the shortsighted company that produces the firewall.

What to do about these is the interesting question. Personally, I leave them alone. Both are easy to filter out of a referrer log, and as far as I know it is authentic users leaving these marks. Another option I've had suggested is to filter users with these referrers to a page explaining why they are being redirected, and what they can do to stop it happening again - explaining, of course, that it isn't their fault.

The only thing that we can do as users is to not use products that do this. Use ones that hide the referrer, by all means, if you want to. No problem there. Just don't use products that replace the referrer with rubbish data or an advert - all that does is make life harder unnecessarily for web developers.

Anyone else find a referrer like this in their logs?
I am thinking of directing anyone with this referrer to a special page alerting them to this issue.

I imagine that I could do that redirecting with .htaccess, but I don't know much about how to use .htaccess.

Could anyone give me a few pointers?

 

[TheDude05]

you do it with mod_rewrite but its ages since i've done it

 

[Maichena]

You can find help on mod_rewrite at:

Apache URL Rewriting Guide

 

[ekliptikz]

I may be mistaken, and you have substantial proof to support that, but I was under the impression that Referrer was browser-based and misc. characters such as that support the idea that the user isn't using a standard web browser at all: I.E. it's a bot. I have a bit of experience with web-crawlers and such and this seems to be a very similar issue to those experienced by this kind of software. The web-crawler wont properly support standardized environmental variables and therefore you may notice wierd entries in your log files.

Maybe you could humor me and see if those 6 hits you found show any other abnormalities that may hint robot. If that is the case than there are a number of ways to work around it. But, I could be way off.

 

[Maichena]

From my experience, I noticed that Norton Internet Security (or whatever the heck it's called) can block HTTP headers from being transmitted to the server. I saw this first hand when my cgi script checked the referrer and my boss kept complaining that the script is broken. After several minutes of messing with his computer, I realized that his Norton Security thingy was blocking the headers from being transmitted.

With that in mind, perhaps a software or hardware solution could do something similar. It could block certain HTTP header and transmit its own in place of the blocked header.