code ref

Referrer abuse

Syndu annotates all incoming traffic and extracts behavioral signals that help explain intent. This page defines the ref signal — what it means, how to interpret it, and how it will later connect to live evidence across IPs, subnets, organizations, ISPs, countries, and cities.

Signal gist Referrer patterns look manipulated, irrelevant, or inconsistent with normal navigation.

Read the definition → View live signal sections →

Definition

Canonical reference for ref behavior.

Catalog code

ref

Display name

Referrer abuse

How to read this signal

This annotator represents a behavioral pattern, not a claim of identity. It’s designed to help you understand why certain traffic looks suspicious, automated, probing, or exploit-oriented — and to support consistent reporting across the Syndu system.

Explanation

                Flags suspicious referrer behavior such as clearly fabricated referrers, referrers that do not match realistic navigation paths, or referrers used in repetitive spam-like ways. This annotator helps explain why referrer analytics may be untrustworthy and can also indicate low-effort automation or probing.
              

Live sections

These panels will be wired to real metrics, enrichment context, and drill-down links.

Signal footprint over time

Rolling volume, bursts, first/last seen, and time-window slices (e.g. last hour/day/week). This will help separate chronic background noise from active campaigns.

Coming next: time series + burst markers

Top affected entities

Links to the entities where ref is most present: IPs, subnets, organizations/ASNs, ISPs, and geographies — with “why” context.

Coming next: entity leaderboards + drill-down

Enrichment context

How enrichment affects interpretation: known crawlers, monitored ranges, trusted scanners, or policy exceptions. This is where “benign but noisy” gets separated from “unknown and risky.”

Coming next: enrichment flags + allowlist context

Referrer abuse

Definition

Live sections

Confirm Action