Like most sys admins out there, we have yet to see a good reason why there these groups who seem to be hell bent on creating phony link referrals to sites. I’m not sure if it’s the same one, as the address 64.4.195.62 comes up quite a bit on reverse lookups of the sites that act like they’re linking to you and this is indeed a blacklisted site. But, they’re not all from there and it’s just flat out weird.
Quite simply, for the last couple of months, I’ve noticed that there are link referrals in my logs (the “from” address where people click to get to your site) that don’t actually link to my site. I’ve checked the originating pages and have never found any link to my site, but yet, there they are and they’ve kept growing for quite some time. Ultimately I don’t think that anything evil will happen from this, except that it looks like www.diet-pills-gambling-jackblackwonker.com is linking to you when they’re not and it makes it hard to keep track of valid referrals.
Here’s the other thing that’s strange in that this only happens to one site and not the others that I own, nor did I notice it start to happen with my previous company and they got considerably higher visits than I do to this site. It does seem to coincide about the same time that a security hole was discovered in AWStats (which I use) and I may not have patched it in time to avoid something getting recorded somewhere which is causing this problem. Once again, it doesn’t seem like a malicious problem, just very, very annoying.
I ended up finding some ways around it. One is to just use ‘deny from’ and then the IP for the crappy sites, but I think they’re faking their headers and thus getting around this fix. The other method, which seems to work is to set up ‘SetEnvIfNoCase Referer’ in your conf file for Apache when then uses another ‘deny from’ to block people if they refer from a certain site. This has really been a pain, as you need to enter one for each offending site, but it does seem to stop them in the end. Maybe they’ll get the clue that I’m not in to this and cut it out.
Other than that, burying the page where you see your stats and password protecting it are a good idea as well. Also, whatever you do, don’t click on the links that appear, as they’ll get the location of your stats and probably try to take advantage of the hole in AWStats, which I’m sure you patched, yes?