HTTP host spoof spam — a new kind of spam / hack that you should be aware of if you run a site.

Andrew Dear
2 min read · May 2, 2021

I recently noticed that my website error log was filling up with a strange type of 404 error. Thankfully my 404 page reports it on the server side when someone navigates to an incorrect URL so that I can be aware of broken links on my site WebCull. So today I was going in to check on the error_log to understand an issue that got reported and noticed my error log was over 60 MB in size and contained over 500,000 thousand lines. I check this error log pretty often so I know this is from recent activity. There I can see line after line, hundreds of thousands of 404 errors. I’m like, “interesting, must be a new kind of 404 spam” but it was actually worse. It seems to be some kind of host spoofing spam. I had to turn on HTTP logging to actually see what was going on and soon after (since these requests are coming in by the second) I could see that the HTTP_HOST and SERVER_NAME headers contained domains and paths to all sorts of random sites.

Some of the URLs I checked were digital marketing companies, random link farms, business sites, you name it... General spam from sites that are willing to use any method they can think of to try to boost their ranking on search engines or get people to click the links from stats pages, I guess. I was also reading up here about a potential hack using this method if you use the host header as your domain in links; thankfully that’s not something I do. My server links are always hard-coded using constants.

So the problem with this type of spam is that it’s sucking up needless bandwidth and filling the error log with garbage errors. To fix it I simply check if the host or server name is incorrect and send a simple error before anything else loads.

Example:

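// Reject the request before anything else loads if the host is not ours.
if (($_SERVER['HTTP_HOST'] ?? '') !== "webcull.com" || ($_SERVER['SERVER_NAME'] ?? '') !== "webcull.com") {
    // Set the status code before any output so the header can still be sent.
    http_response_code(406);
    print "Invalid host header.";
    exit;
}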

Problem solved: if the host or server name is not my own domain, I send a 406 response code, which means “not acceptable”, and stop the execution of the bootstrap. I think it’s good practice to implement this. Just make sure you include any subdomains that you use, including www if your site uses that. You may want to tweak this code to check an array of domains that are acceptable on your site.
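
The array-based variant suggested above, as an added example rather than the author's own code. The `www.webcull.com` entry and the function names are assumptions; the check also normalizes case, an optional port and a trailing dot before comparing, so legitimate requests are not rejected.

```php
<?php
// Added example. The host names are assumptions: list every name the site is served under.
const ALLOWED_HOSTS = ['webcull.com', 'www.webcull.com'];

// Lowercase the value, drop an optional ":port" suffix and a trailing dot.
// Returns null when the value is missing or is not a plausible host name.
function normalize_host(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d+$/', '', $host);   // "webcull.com:443" -> "webcull.com"
    $host = rtrim($host, '.');                    // "webcull.com."    -> "webcull.com"
    // Only letters, digits, dots and hyphens can appear in a DNS host name.
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    return $host;
}

function is_allowed_host(?string $raw, array $allowed = ALLOWED_HOSTS): bool
{
    $host = normalize_host($raw);
    // Exact, strict match: a suffix such as "webcull.com.evil.example" must not pass.
    return $host !== null && in_array($host, $allowed, true);
}

if (PHP_SAPI !== 'cli') {
    // Top of the bootstrap: reject before anything else loads.
    if (!is_allowed_host($_SERVER['HTTP_HOST'] ?? null)
        || !is_allowed_host($_SERVER['SERVER_NAME'] ?? null)) {
        http_response_code(406);                  // status first, then the body
        header('Content-Type: text/plain');
        exit('Invalid host header.');
    }
} else {
    // Constructed sample values, printed when the file is run from the command line.
    $samples = ['WebCull.com:443', 'www.webcull.com.', 'spam.example',
                'webcull.com.evil.example', null];
    foreach ($samples as $h) {
        printf("%-28s %s\n", var_export($h, true), is_allowed_host($h) ? 'allowed' : 'rejected');
    }
}
```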


Andrew Dear

Software architect with over 20 years of experience