14

For the sake of discussion, pretend that I have an Apache webserver which serves a website at www.example.org. This domain name resolves to the public IP address at 192.168.1.100 (pretend this is a public IP).

The discussion at "Is there anything I can do about someone who has pointed their domain at my ip?" demonstrates that anyone can point their domain at my IP. Apache won't prevent this by default, but an administrator can deal with these one at a time through use of a blacklist.

However, it's becoming more common for scammers to register dozens of domains (or more) for use in a scam. I'm concerned about the following possible attack:

  1. A scammer registers hundreds of domain names, and points them at my dedicated IP address.
  2. The scammer directs search engines at their scam domains, thus using my content to increase their standing in the search engines.
  3. Later, the scammer moves their domain names to point to their own servers which host a scam/porn, or a competing business, etc. thereby reaping the benefits of their standing in the search engines. Some of these domains might be used in comment spam as well.
  4. Profit!!

I believe I have seen scammers using this trick in the past, involving dozens of domains. We didn't realize the scam implications at the time, and assumed these were misconfigured domains.

Is there a term for this nefarious SEO trick? SEO masquerading? DNS Diversion?

How could I prevent this using Apache? I'm considering a "whitelist" fix based on using a default VirtualHosts, ServerNames & ServerAliases so that Apache only responds to requests where these white-listed ServerNames appear in the "Host: " header. Everything else would be rejected (or redirected to a particular page). However, I am unsure if this is the best approach.

For example, I've configured the domain http://thisisnotserverfault.stefanco.com/ to point at the IP for Serverfault.com. You can see the results here: http://thisisnotserverfault.stefanco.com/ .

Stefan Lasiewski
  • I don't see a lot of SEO value in such a scheme. The only thing I can think of is for comment spam it might be easier to get a link to a US/EU site through the spam filter, but they would still need a US/EU IP address for submitting the spam anyways. There are many hosts even in the US/EU that will look the other way in regards to comment spam so it doesn't protect their sites or IPs either. The content would be duplicate content and not particularly valuable to steal so I don't see the value that way either. – stoj May 20 '11 at 04:53
  • 3
    If you don't want to use your real IP address in a posting, there are 768 IP addresses reserved in RFC 5737 for documentation. Any of those would be suitable as placeholder for a public IP address in a question on serverfault. – kasperd Mar 30 '14 at 23:39

3 Answers

18

I would set up NameVirtualHost entries for all your own domain entries and have anything not matching those get an explanation page (which is what you have demonstrated from Serverfault). Reference http://httpd.apache.org/docs/2.0/vhosts/name-based.html

Jeff Ferland
  • Right, and the first vhost is the default vhost where you'd put this page. You'd also want to add a mod_rewrite RewriteRule for it that rewrites every URL to this page. – Mark Wagner May 19 '11 at 20:09
  • Exactly, the scam should only work on IP-based virtual-hosting. Name-based virtual-hosting would only respond if the domain name is configured on the server (i.e. don't use wildcards). – Martijn Heemels May 19 '11 at 20:13
  • Alternatively, you could simply respond with a 400 Bad Request, 403 Forbidden, or 404 Not Found, although 400 implies a syntax error in the request, which isn't technically true. I prefer to simply *not* respond, although I'm unsure how to accomplish this in Apache (with Nginx, all I have to do is `return 444;` in the default vhost). – Kromey May 19 '11 at 20:38
4

You cannot prevent anybody from pointing their DNS servers to your IP. However, you can choose to not serve any HTTP content to those domains. Use Virtualhosts to serve content for your own domains, and do not set a default virtual host. Or use the default virtualhost to serve 404 or 403; that should scare the spammers away.

Julien
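The whitelist approach described in the two answers above, written out as an added example that is not part of either answer. It uses Apache 2.4 syntax; `catchall.invalid`, the log file name, the `hostaudit` format nickname and the `DocumentRoot` path are placeholders chosen for illustration.

```apache
# Added example, Apache 2.4 syntax. Names and paths are placeholders.
# On Apache 2.2 and earlier, also declare:  NameVirtualHost *:80

# The FIRST vhost defined for an address:port is the default. It receives
# every request whose Host header matches no ServerName/ServerAlias in the
# vhosts that follow, including requests with no Host header at all.
<VirtualHost *:80>
    # Dummy name that no real request will carry
    ServerName catchall.invalid

    # Refuse everything with 403 so no site content is served (or indexed)
    # under a foreign domain name
    <Location "/">
        Require all denied
    </Location>

    # Record the Host header that was sent, so domains pointed at this IP
    # show up in one place
    LogFormat "%h %t \"%{Host}i\" \"%r\" %>s" hostaudit
    CustomLog "logs/unknown_host.log" hostaudit
</VirtualHost>

# The real site: served only when Host matches one of these names exactly.
# No wildcard ServerAlias, otherwise foreign names could match again.
<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org
    DocumentRoot "/var/www/example"
</VirtualHost>
```

The default is selected per address:port, so a server that also listens on 443 needs its own catch-all as the first vhost there. `apachectl -S` prints which vhost Apache treats as the default for each listener.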
2

Put a http://en.wikipedia.org/wiki/Canonical_link_element into your webpages telling search engines the correct domain to use. The scammers' links will then be an SEO benefit to you rather than a detriment.

JamesRyan