Apache Web Server Forum

    
Rewrite Q
Help me get rid of Casinos!
carfac




msg:3206830
 2:49 pm on Jan 3, 2007 (gmt 0)

Hi Jim and everyone!

First Happy New Year to all, and best wishes for 2007!

My problem is I have one site (out of a few!) that is getting hit rather hard by Referrer Spammers. I have no idea why, the referrer logs and all are password protected. I guess once they start, they just never stop...

So I have a rewrite rule to send them to oblivion... but part of it does not work, or work as I would expect.

One pattern I have noticed is two or three random letters either before or after the word casino (and other words, to be honest). Here is what I had to get these guys:

RewriteCond %{HTTP_REFERER} (casino\.com|casino\w\w\w\.com|casino\w\w\.com) [NC]
RewriteRule ^/.* /cgi/#*$!xx.cgi [NC,PT,L]

And yet, some of these are still getting through. So, what did I do wrong here?

On to the broader problem of spammers in log files, here is some of what I have found.

I have tried banning IP addys, but they are from all over- must be using proxies. It is much easier to try and match words than to gather ip addys.

It seems to rotate, a few weeks of casino, poker, keno, and then a few weeks of cialis, viagra and percocet.

Seems weird, but they are hitting me on one of my lowest hit sites- not on the bigger sites. I have all my sites on consecutive IP's- seems weird they have only targeted one.

They do NOT give up.

Does anyone have any effective way of dealing with these spammers?

Thanks!

Dave

 

jdMorgan




msg:3206846
 3:03 pm on Jan 3, 2007 (gmt 0)

Hi Dave,

Not real sure what the question is here, but what is wrong with using a baseball bat?

RewriteCond %{HTTP_REFERER} casino|poker|keno|cialis|viagra|percocet [NC]
RewriteRule ^/.* /cgi/abcde.cgi [PT,L]

I note that this code appears to be for use in httpd.conf and as such, an explicit loop-prevention RewriteCond is not needed as it would be in .htaccess.

Jim

carfac




msg:3206862
 3:12 pm on Jan 3, 2007 (gmt 0)

There are SOME words that the baseball bat approach does not work for... though I cannot think of any offhand, there was a reason I went for a more surgical version.

But now that I reconsider, maybe it is fine to do that this way.

Yes, it is httpd.conf!

Dave

jdMorgan




msg:3206878
 3:30 pm on Jan 3, 2007 (gmt 0)

You can use the "baseball-bat-and-band-aid" method in limited cases, if needed:

RewriteCond %{HTTP_REFERER} spam|casino|poker|keno|cialis|viagra|percocet [NC]
RewriteCond %{HTTP_REFERER} !spamcop\.org
RewriteRule ^/.* /cgi/abcde.cgi [PT,L]

This shifts the approach slightly to the "whitelist" side.

Jim

Mopar93




msg:3208185
 4:58 pm on Jan 4, 2007 (gmt 0)

Here are some others you might want to pick from, as I've gathered these while searching through the log files:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*\.biz.* [OR]
RewriteCond %{HTTP_REFERER} ^.*poll.* [OR]
RewriteCond %{HTTP_REFERER} ^.*doctor.* [OR]
RewriteCond %{HTTP_REFERER} ^.*phentermine.* [OR]
RewriteCond %{HTTP_REFERER} ^.*holdem.* [OR]
RewriteCond %{HTTP_REFERER} ^.*onlineayz.* [OR]
RewriteCond %{HTTP_REFERER} ^.*onlinefe.* [OR]
RewriteCond %{HTTP_REFERER} ^.*onlinevi.* [OR]
RewriteCond %{HTTP_REFERER} ^.*pxbonline.* [OR]
RewriteCond %{HTTP_REFERER} ^.*casino.* [OR]
RewriteCond %{HTTP_REFERER} ^.*poker.* [OR]
RewriteCond %{HTTP_REFERER} ^.*insurance.* [OR]
RewriteCond %{HTTP_REFERER} ^.*fs.fed.us.* [OR]
RewriteCond %{HTTP_REFERER} ^.*loan.* [OR]
RewriteCond %{HTTP_REFERER} ^.*money.* [OR]
RewriteCond %{HTTP_REFERER} ^.*debt.* [OR]
RewriteCond %{HTTP_REFERER} ^.*credit.* [OR]
RewriteCond %{HTTP_REFERER} ^.*betting.* [OR]
RewriteCond %{HTTP_REFERER} ^.*wager.* [OR]
RewriteCond %{HTTP_REFERER} ^.*mortgage.* [OR]
RewriteCond %{HTTP_REFERER} ^.*drugs.* [OR]
RewriteCond %{HTTP_REFERER} ^.*pharmacy.*
RewriteRule ^.*$ - [F]

I realize now this can be done differently such as ^.*pharmacy.* can be just pharmacy, but still it works. It doesn't do any good to provide a rewrite rule as they won't follow a rewrite. They just want to show up in your private log files and password protected activity reports. They generally aren't too bright.

With a baseball bat, you have to first knock on their door. With a gun you can do it from a distance. :)

-Maurice

jdMorgan




msg:3208364
 6:43 pm on Jan 4, 2007 (gmt 0)

> won't follow a rewrite

Just to be specific, these clients won't follow an external redirect. Following a server-internal rewrite is not optional, since this is under the sole control of the server.

For the sake of efficiency, I recommend omitting start and/or end anchors where ".*" is the adjacent pattern and no back-reference is needed:

In a regular-expressions pattern, "somestring" is entirely equivalent to "^.*somestring.*$" and is shorter and faster to process.

Jim

Mopar93




msg:3208421
 7:24 pm on Jan 4, 2007 (gmt 0)

> Just to be specific, these clients won't follow an
> external redirect. Following a server-internal rewrite
> is not optional, since this is under the sole control
> of the server.

It wouldn't surprise me also, that in the case of the ones who just want to appear in the referrer field, that they might not even wait for the entire requested file to be downloaded. Unless of course, they are looking for email addresses and other URL's to attack while they are doing this.

-Maurice

jdMorgan




msg:3208465
 7:57 pm on Jan 4, 2007 (gmt 0)

Yes, since what they want is an entry in publicly-accessible log files/stats pages, all they really need to do is a HEAD request, and the only thing we can do is to issue a 403-Forbidden response to let them know that they're not welcome. I rewrite them to a single-byte 403 "page" and issue an immediate Connection: close header so they don't waste my bandwidth or tie up my server threads.

Most are very crude programs -- They don't even check to see if the log files *are* accessible, they just "shotgun" their target sites as fast and as simply (for them) as possible.

Jim
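Added example, not part of the thread or any poster's code: a small Python harness that runs the three rule sets posted above (Dave's "surgical" pattern, the baseball bat, and the bat-and-band-aid) over constructed Referer values, so misses and over-blocking can be seen before a rule goes into httpd.conf. It assumes Python's `re` module is an adequate stand-in for Apache's regex engine for these simple patterns; the rule names, sample hostnames and function names are made up for the illustration.

```python
import re

# Rule sets quoted from the thread: (pattern, negated, case-insensitive [NC]).
# Consecutive RewriteCond lines are ANDed, so every entry in a list must hold.
RULES = {
    "surgical": [(r"(casino\.com|casino\w\w\w\.com|casino\w\w\.com)", False, True)],
    "bat": [(r"casino|poker|keno|cialis|viagra|percocet", False, True)],
    "bat+band-aid": [
        (r"spam|casino|poker|keno|cialis|viagra|percocet", False, True),
        (r"spamcop\.org", True, False),  # "!spamcop\.org", posted without [NC]
    ],
}

# Constructed Referer values (not taken from any real log).
SAMPLES = [
    "http://casinoab.com.example/",         # two letters after "casino"
    "http://casinoabcd.com.example/",       # four letters: surgical rule misses
    "http://casino-abc.net.example/",       # hyphen and non-.com: surgical misses
    "http://spamab.example/",               # only the band-aid rule lists "spam"
    "http://www.spamcop.org/",              # the exception the band-aid protects
    "http://news.example/kenosha-weather",  # harmless, but contains "keno"
    "http://www.example.org/links.html",    # ordinary referrer
]

def blocked(rule, referer):
    """True when every condition of the named rule set holds for this Referer."""
    for pattern, negated, nocase in RULES[rule]:
        hit = re.search(pattern, referer, re.I if nocase else 0) is not None
        if hit == negated:      # a plain cond missed, or a "!" cond matched
            return False
    return True

def report(referers=SAMPLES):
    """Map each Referer to the rule sets that would rewrite or forbid it."""
    return {ref: [name for name in RULES if blocked(name, ref)] for ref in referers}

def anchors_redundant(word, referers=SAMPLES):
    """Check that "word" and "^.*word.*$" reach the same decision on every sample."""
    return all(bool(re.search(word, r)) == bool(re.search(f"^.*{word}.*$", r))
               for r in referers)

if __name__ == "__main__":
    for ref, rules in report().items():
        print(f"{ref:40} blocked by: {', '.join(rules) or 'nothing'}")
    print("anchors redundant for 'casino':", anchors_redundant("casino"))
```

The "kenosha" sample shows the cost of bare substring matching: any new keyword is worth running against a sample of legitimate referrers from your own logs before it is deployed.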
