W6 Daily noticed the same problem with Daring Fireball’s referrer logs that we did:
However, I note that as I write this, Jason Kottke constitutes six of the last 44 referrers. He is listed in positions 1 (as ‘www.kottke.org/’), 3 (as ‘kottke.org/’), 7 (as ‘www.kottke.org’), 12 (as ‘www.kottke.org/index.html’), 33 (as ‘www.kottke.org/remainder/’), and 43 (as ‘kottke.org/index.html’).
While defending TrackBack, W6 Daily ultimately finds several faults with a referrer-based system. One criticism in particular struck a chord with us:
Referrer links also often include links that are not meant to be followed, including search engine links, web-based aggregator links, web-based email links and other “garbage” links.
We found this out the hard way. We recently followed a link to an outside site from our home-brewed CMS to verify we had typed it correctly. This, of course, sent as the referrer the URL of our CMS. This is bad enough. Anyone who follows that link looking for further discussion will find only a login screen—a dead end. But we made it worse. Later, we manually typed the address of our CMS directly into our browser’s location bar—as we often do—with the password tacked right on the end of the URL. You can probably guess what happened next.
We’ve fixed the problem, changed our password, and learned a very important lesson. We got lucky. A site with actual traffic would have been wide open to abuse. Luckily, we were alone in following the referrer link back to our site (before the password was changed, anyway), saved only by obscurity.
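The mistake above is easy to repeat and easy to miss in a referrer list. As an added example (not code from this post or from W6 Daily), here is a small scanner that reads web-server log lines and flags any referrer URL carrying credentials, either as `user:pass@host` userinfo or as a sensitive query-string parameter, and shows a redacted form safe to publish. It assumes the log is in Apache combined format, the list of sensitive parameter names is a guess at what a home-brewed CMS might use, and the sample lines are constructed, not real traffic.

```python
"""Flag credentials leaked through the Referer header in a web-server log.

Added example; not code from the original post or from W6 Daily.
Assumptions: the log is in Apache "combined" format (the referrer is the
quoted field after status and size), and SENSITIVE_KEYS is a guess at
the query keys a home-brewed CMS might use for a password or session.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed: query-string keys that usually carry a secret.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "session", "key"}

# Combined Log Format: host ident user [date] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines (not real traffic). The second line reproduces
# the post's mistake: a CMS URL with the password on the end became the referrer.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2003:13:55:36 -0700] "GET /article HTTP/1.1" 200 2326 '
    '"http://www.kottke.org/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2003:14:01:02 -0700] "GET /article HTTP/1.1" 200 2326 '
    '"http://cms.example.com/edit.php?password=hunter2&post=12" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2003:14:05:40 -0700] "GET / HTTP/1.1" 200 1024 '
    '"http://admin:s3cret@cms.example.com/login.php" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Oct/2003:14:07:11 -0700] "GET / HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0"',
]


def parse_referrer(line):
    """Return the Referer URL from a combined-format line, or None if absent."""
    m = LOG_RE.match(line)
    if not m or m.group("referer") in ("", "-"):
        return None
    return m.group("referer")


def find_leaks(url):
    """List the ways a referrer URL carries credentials (empty list if clean)."""
    parts = urlsplit(url)
    leaks = []
    if parts.username is not None:          # http://user:pass@host/...
        leaks.append("credentials in URL userinfo")
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:   # ...?password=hunter2
            leaks.append(f"query parameter {key!r}")
    return leaks


def redact(url):
    """Strip userinfo and blank sensitive query values so the URL can be shown."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]  # drop any user:pass@ prefix
    query = urlencode(
        [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    )
    return urlunsplit((parts.scheme, host, parts.path, query, parts.fragment))


def scan(lines):
    """Return (referrer, leaks, redacted) for every line whose referrer leaks."""
    findings = []
    for line in lines:
        ref = parse_referrer(line)
        if ref is None:
            continue
        leaks = find_leaks(ref)
        if leaks:
            findings.append((ref, leaks, redact(ref)))
    return findings


if __name__ == "__main__":
    for ref, leaks, safe in scan(SAMPLE_LOG):
        print(f"{safe}  <-  {', '.join(leaks)}")
```

Run against the constructed lines, the scanner reports the two leaking referrers (the `password=` query string and the `admin:s3cret@` userinfo) and leaves the kottke.org and empty entries alone. The durable fix is the one the post arrived at: never put a credential in a URL, because every outbound click from that page hands the URL to another site's log.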