qq829.com: Malicious Scripts or Spam from China?
Website managers from all over the world are reporting some weird referrers from qq829.com to their sites. If you are following your site stats on a daily basis, you might have come across some peculiar and unexplained traffic from China, from a link that looks like this:
The domain itself, qq829.com, is Chinese and linked to http://new.cnzz.com – a known spammy domain. It’s hard to make sense of the site itself. Some information about the site can be found here.
At the moment, there are no certain answers as to what this link is, or whether it is malicious or just a splog or spam. Currently, the most helpful source of information about this is a discussion in Google Analytics Help.
You can also follow updates on the matter with a Google search, focused on the latest results.
The links are suspicious and a bit worrisome, because no one knows for sure if it’s a script attack, simple spam or a meaningless mistake on the Chinese side (unlikely). If you own a website, make sure your files haven’t been tampered with (I’ve checked mine and they seem untouched) and that you have a strong FTP password and/or a strong admin password (if you have a CMS).
The best solution I have located thus far is to block the Chinese IPs through the .htaccess file. The IPs change with every hit, but you can also block whole batches of IP addresses from China if you don’t fear losing Chinese traffic.
If you wish to block traffic from cnzz.com and qq829.com, AurelloSoft suggests that you insert this code in your .htaccess file (COPY WITHOUT the dashes in the last line!):
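    # Flag requests whose Referer contains either domain. The Referer header is a
    # full URL (http://...), so the pattern must not be anchored with ^.
    SetEnvIfNoCase Referer "qq829\.com" TOBLOCK=1
    SetEnvIfNoCase Referer "cnzz\.com" TOBLOCK=1
    <FilesMatch "(.*)">
    # Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for it.
    Order Allow,Deny
    Allow from all
    Deny from env=TOBLOCK
    </FilesMatch>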
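To check how much of this traffic reaches a site, and whether the deny rule is answering it, the access log can be summarized by referrer host rather than by the ever-changing client IP. This is an added example, not code from the original post or from AurelloSoft; it assumes Apache's combined log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Referrer domains named in the post; subdomains (new.cnzz.com) count too.
BLOCKED_DOMAINS = ("qq829.com", "cnzz.com")
# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
                     r'"(?P<referer>[^"]*)" "[^"]*"$')

def referer_domain(referer):
    """Return the blocked domain the Referer host falls under, or None."""
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed URL in a client-controlled header
        return None
    for domain in BLOCKED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def summarize(lines):
    """Map blocked domain -> hits, distinct client IPs, hits not answered 403."""
    report = defaultdict(lambda: {"hits": 0, "ips": set(), "not_denied": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        domain = referer_domain(m["referer"]) if m else None
        if domain is None:
            continue  # unparsable line or unrelated referrer
        entry = report[domain]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
        if m["status"] != "403":  # a request denied by .htaccess is logged as 403
            entry["not_denied"] += 1
    return dict(report)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2012:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "http://www.qq829.com/" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2012:08:03:40 +0000] "GET / HTTP/1.1" 200 5120 "http://www.qq829.com/" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Mar/2012:08:05:02 +0000] "GET /about HTTP/1.1" 403 199 "http://new.cnzz.com/v1/" "Mozilla/5.0"',
    '192.0.2.80 - - [10/Mar/2012:08:06:30 +0000] "GET / HTTP/1.1" 200 5120 "http://example.org/?u=qq829.com" "Mozilla/5.0"',
    '192.0.2.81 - - [10/Mar/2012:08:07:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for domain, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{domain}: {e['hits']} hits, {len(e['ips'])} IPs, {e['not_denied']} not denied")
```

A non-zero "not denied" count for a domain after the rule is in place means requests with that referrer are still being served.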
Update #1: There’s now a claim that qq829.com provides spammers with pre-written blogs. This reinforces the assumption that the links are spam, but there hasn’t been any serious analysis of the site or the code.
Update #2: Thus far the best solution is blocking Chinese IP addresses via the .htaccess file. See instructions above.