Blocking unknown traffic from India with http_referer to Indian news sites

#1

Since yesterday we’re facing a lot of requests coming mainly from India; the requests are for paths or assets we don’t have, like /Spike/SpikePersonalizedServlet?siteId=103 or /Spike/spike.js for example.
All the referers are from Indian news sites.
When I go to one of these referer sites I see that there are no direct calls to our domain or IP. But I see that the same files are requested from adgebra.co.in.
I don’t know exactly what’s going on, or why these requests are being made to our domain, but I would like to know the best way to block this traffic, which is completely distributed and done by real clients’ browsers. At the moment I have just blocked traffic from India, to block the majority of requests, but the same is happening from the US, NL, and a little bit from all over the world.

#2

Can you post a log excerpt of these requests?

#3

Sure.

These are some of them…

Apr 05 18:06:37 MYMACHINENAME nginx: 192.168.153.235 - - [05/Apr/2019:18:06:37 +0100] "GET /afpf/site?p1=3&p2=19040521&p3=Kolkata%20vs%20Bangalore%202019%20Match%2017%20live%20score%2C%20Kolkata%20vs%20Bangalore%202019%20Match%2017%20commentary%2C%20Kolkata%20vs%20Bangalore%202019%20Match%2017%20live%20score%20commentary&pixel=3 HTTP/1.1" 301 184 "https://telugu.mykhel.com/cricket/bangalore-vs-kolkata-ipl-2019-match-17-live-score-45773/" "Mozilla/5.0 (Linux; Android 8.1.0; Redmi S2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
Apr 05 18:06:37 MYMACHINENAME nginx: 192.168.153.235 - - [05/Apr/2019:18:06:37 +0100] "GET /Spike/amp-spike.html?domain=https://tamil.oneindia.com&randomid=123 HTTP/1.1" 301 184 "https://tamil.oneindia.com/amphtml/news/thiruvannamalai/youth-killed-by-women-on-illegal-affair-issue-near-seyyar-346018.html" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A7010a48) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36"
Apr 05 18:06:37 MYMACHINENAME nginx: 192.168.153.235 - - [05/Apr/2019:18:06:37 +0100] "GET /afpf/GetAfpftpJs?parentAttribute=afpftpPixel_79_1554483996878 HTTP/1.1" 301 184 "https://backfills3.ph.affinity.com/DirectCampaigns/BaadshahGaming/IP_cricbuzz.com_320x50_Direct.html" "Mozilla/5.0 (Linux; Android 8.1.0; RMX1801) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.76 Mobile Safari/537.36"
Apr 05 18:06:37 MYMACHINENAME nginx: 192.168.153.235 - - [05/Apr/2019:18:06:37 +0100] "GET /afpf/afpf.js?p1=3&p2=0&p3=0&p4=2~2!https://www.goodreturns.in/gold-rates/bangalore.html&p5=&isIBN=1&IBNkeyword=gold%20rate%20in%20Bangalore,%20gold%20price%20in%20Bangalore,%20today%20gold%20rate%20in%20Bangalore,%20gold%20price%20today%20in%20Bangalore,%20gold%20rate%20today%20in%20Bangalore,%20todays%20gold%20rate%20in%20Bangalore,%20gold%20rate%20in%20Bengaluru%20today,%20gold%20rate%20Bengaluru,%20gold%20price%20today,%2022%20carat,%2024%20karat!Todays%20Gold%20Rate%20in%20Bangalore,%2022%2024%20Carat%20Gold%20Price%20on%205th%20Apr%202019&slotId=1&templateId=820&geoId=0&isDfpApp=0 HTTP/1.1" 301 184 "https://www.goodreturns.in/gold-rates/bangalore.html" "Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"

#4

The requests are a bit random and there is no clear pattern I would recognise from the posted examples, but if you say the requests are always for similar paths and they do not exist on your server, you could try the following (extend it with other paths as you deem fit)

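
To decide which paths belong in a path-based block rule like the one suggested in #4, the access log can be summarised by first-level path prefix and referer host. The script below is an added example, not part of the thread and not any poster's rule; the log lines are constructed in the format posted in #3, and `www.example.org` and the `*.example` referer hosts are placeholder assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Accept straight or typographic quotes: logs pasted through forums often carry the latter.
QUOTES = '"\u201c\u201d'
Q, NQ = f"[{QUOTES}]", f"[^{QUOTES}]"
# Timestamp, request line, status, size and referer of nginx's "combined" format.
LINE = re.compile(
    rf"\[[^\]]+\] {Q}[A-Z]+ (?P<target>\S+) {NQ}*{Q} "
    rf"(?P<status>\d{{3}}) \S+ {Q}(?P<referer>{NQ}*){Q}"
)

def suspect_prefixes(lines, own_hosts):
    """Return {prefix: sorted referer hosts} for first-level path prefixes that
    never returned 2xx and were only requested with third-party referers."""
    stats = defaultdict(lambda: {"ok": False, "own": False, "refs": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an access-log line
        parts = m["target"].split("?", 1)[0].split("/")
        prefix = f"/{parts[1]}/" if len(parts) > 2 else "/"
        host = urlsplit(m["referer"]).hostname or ""
        s = stats[prefix]
        s["ok"] |= m["status"].startswith("2")
        # A missing referer ("-") is treated as our own traffic so it is never flagged.
        s["own"] |= host in own_hosts or host == ""
        s["refs"].add(host)
    return {p: sorted(s["refs"]) for p, s in stats.items()
            if not s["ok"] and not s["own"]}

# Constructed sample lines; the /Spike/ and /afpf/ paths are the ones named in the thread.
P = "Apr 05 18:06:37 host nginx: 192.0.2.10 - - [05/Apr/2019:18:06:37 +0100] "
SAMPLE = [
    P + '"GET /Spike/spike.js HTTP/1.1" 301 184 "https://news.example/a" "UA"',
    P + '“GET /Spike/SpikePersonalizedServlet?siteId=103 HTTP/1.1” 301 184 '
        '“https://tamil-news.example/b” “UA”',
    P + '"GET /afpf/afpf.js?p4=2~2!https://gold.example/x HTTP/1.1" 301 184 '
        '"https://gold.example/x" "UA"',
    P + '"GET /assets/app.css HTTP/1.1" 200 512 "https://www.example.org/" "UA"',
    P + '"GET /blog/post HTTP/1.1" 301 184 "-" "UA"',
]

if __name__ == "__main__":
    for prefix, refs in suspect_prefixes(SAMPLE, {"www.example.org"}).items():
        print(prefix, refs)
```

Prefixes that come back from this summary are candidates for the block rule; any prefix that also serves real content or receives same-site referers is left out by construction.
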
#5

You should also consider a backlink audit and disavow in Bing/Google etc.
