wilderness

msg:4440588 | 6:07 pm on Apr 13, 2012 (gmt 0)

http: //83.133.124.xx/?xurl=http: //83.133.124.xx/dKF0hECx8vc7cf603d0c543052a48f3acafa625g&xref=http://example.com

Is this the actual (modified for this forum) raw log referer, or is this the requested page? If the former, please keep in mind that denials via referer are less than ideal, although useful. Also keep in mind that denying access will NOT prevent the request from appearing in your raw logs.

One method (#keep_out, or whatever name you use; requires use of env=):

    # Any of these will work
    SetEnvIfNoCase Referer example keep_out
    SetEnvIfNoCase Referer xurl keep_out
    SetEnvIfNoCase Referer 83 keep_out
    SetEnvIfNoCase Referer 133 keep_out
    # the env= part that does the actual denying
    Order Allow,Deny
    Allow from all
    Deny from env=keep_out

Another method, in mod_rewrite:

    # (note: only if not already on)
    RewriteEngine on
    # contains any of these, then deny access
    # note: the missing [OR] on the last RewriteCond line is REQUIRED
    RewriteCond %{HTTP_REFERER} example [OR]
    RewriteCond %{HTTP_REFERER} xurl [OR]
    RewriteCond %{HTTP_REFERER} 83 [OR]
    RewriteCond %{HTTP_REFERER} 133
    RewriteRule .* - [F]
incrediBILL

msg:4440616 | 7:34 pm on Apr 13, 2012 (gmt 0)

That looks more like either a URL redirect or an exploit hack attempt, maybe Trojan.Downloader.Agent, but hardly referrer spam.
crobb305

msg:4440623 | 7:50 pm on Apr 13, 2012 (gmt 0)

Yes, I guess I used the wrong phrase. It is indeed a URL redirect (the "example.com" at the end is my domain); it just looks like spam in my logs. I am trying to deny access. They are Russian/German IPs. Not sure what their purpose is (hack attempt, etc.). Thank you for the tips, wilderness.
wilderness

msg:4440626 | 7:59 pm on Apr 13, 2012 (gmt 0)

Are they coming from the 192 Class A? I get 10-12 visits daily requesting the same page, with 2-6 attempts in succession per visit. They all include spam referers with .ru domains. Everybody else is getting them also, if that's any comfort.
lucy24

msg:4440721 | 2:56 am on Apr 14, 2012 (gmt 0)

I feel left out. I get Ukrainians from 92, 95 and 193 but nobody in particular from 192. Referer blocks can be a useful backup if they suddenly switch IPs on you. :: shuffling papers ::

    # referer host ends in .trafficfaker.com, .su or .mobi, with or without a trailing slash
    # ((/|$) at the end: a ^ in that position could never match, since ^ only matches at the start)
    RewriteCond %{HTTP_REFERER} \.(trafficfaker\.com|su|mobi)(/|$) [NC]
    RewriteRule (\.html|/)$ - [F]
    # bogus yandsearch referer that carries only this domain name
    RewriteCond %{HTTP_REFERER} yandsearch\?text=(www\.)?example\.com
    RewriteRule (\.html|/)$ - [F]
    # any .ru or .ua referer, except the real search engines
    RewriteCond %{HTTP_REFERER} \.(ru|ua)(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !(google|yandex)\.
    RewriteRule (\.html|/)$ - [F]
    # one page that is especially attractive to auto-referer robots
    RewriteCond %{HTTP_REFERER} fun/AlonzoMelissa\.html
    RewriteRule fun/AlonzoMelissa\.html - [F]

They have to be in that order so the right ones get caught at the right time. I have tried and failed to find a construction that covers auto-referers globally, so I have blocks for a couple of specific pages that seem to be especially attractive to robots. The second Rule is for the case where a robot (probably Ukrainian) puts in a bogus yandsearch referer giving only your domain name. (Yes, I get bona fide humans from Yandex.)
btherl

msg:4472393 | 3:34 am on Jul 4, 2012 (gmt 0)

I block this one by referrer; there's just no other way. It appears to be related to this: [sub0day.com...] Sometimes there's an IP address, sometimes a hostname. Since it's a botnet, the IP changes constantly.
mihomes

msg:4477341 | 11:44 pm on Jul 19, 2012 (gmt 0)

Would this be suitable to deny any links with xurl or xref?

    RewriteCond %{HTTP_REFERER} xurl [OR]
    RewriteCond %{HTTP_REFERER} xref
    RewriteRule .* - [F]

I realize the last line sends a 403 Forbidden... is this the best way? I am also seeing these for many of my sites and would like to prevent it as much as possible, assuming none of these are legit in any way, which they do not seem to be.
lucy24

msg:4477404 | 6:40 am on Jul 20, 2012 (gmt 0)

Yes, well, you do want to block them, don't you? I hope you are not worried about hurting their feelings ;) Try to avoid the [OR] construction in RewriteConds. Sometimes it does the opposite of what you intended. And sometimes there's a shorter, easier way, as in %{HTTP_REFERER} x(url|ref). I generally constrain Rewrite blocks to requests for pages, so the server doesn't have to take that extra hiccup every single time. Robots don't usually walk in off the street and start asking for stylesheets. That's where you get the (\.html|/)$ above. Substitute your own extension, of course. And you may need some further tweaking if they're asking for your top-level Index page.
mihomes

msg:4477412 | 7:02 am on Jul 20, 2012 (gmt 0)

In the particular case I am talking about they are asking for the top-level domain, no extension... the way I figure it, I will never be using xurl or xref on the site, so I can simply use 'RewriteRule .* - [F]' for anything that contains either one... sounds good to me.
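The rules posted in this thread can be dry-run against log lines before they go into .htaccess. The script below is an added example, not code from any of the posters: it transcribes wilderness's mod_rewrite block, lucy24's four rules (in her order) and mihomes's xurl/xref pair into Python, applies them to constructed combined-format log lines (the xurl/xref referer from the first post, the site's own pages as referer, a Google search referer, two Yandex referers, a .ru spammer, a stylesheet request, an auto-referer), and reports which rule would answer 403. The cond evaluation mirrors mod_rewrite's RewriteCond loop, including what happens when the last cond carries [OR]. Assumptions: Python's re stands in for Apache's PCRE (these patterns behave the same in both), the .htaccess sits in the document root so a request for / is tested against the empty string, and lucy24's end-of-referer patterns are written as (/|$).

```python
import re
from dataclasses import dataclass

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] "(?P<method>\S+) (?P<uri>\S+)'
                      r'(?: [^"]*)?" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line):
    """Fields of one combined-format line; ValueError if the line does not fit the format."""
    m = COMBINED.match(line)
    if not m:
        raise ValueError("not a combined-format log line: " + line)
    return m.groupdict()

def perdir_path(uri):
    """What a document-root .htaccess RewriteRule sees: no query string, no leading slash (root -> "")."""
    return uri.split("?", 1)[0].lstrip("/")

@dataclass
class Cond:
    """One 'RewriteCond %{HTTP_REFERER} <pattern> [flags]' line."""
    pattern: str
    nc: bool = False       # [NC]
    negate: bool = False   # leading '!'
    ornext: bool = False   # [OR]
    def matches(self, referer):
        hit = re.search(self.pattern, referer, re.IGNORECASE if self.nc else 0) is not None
        return (not hit) if self.negate else hit

@dataclass
class Rule:
    """A RewriteCond chain followed by 'RewriteRule <request> - [F]'."""
    name: str
    conds: list
    request: str = r".*"
    def forbids(self, path, referer):
        # mod_rewrite tests the RewriteRule pattern first; the conds only run if it matched
        return re.search(self.request, path) is not None and conds_hold(self.conds, referer)

def conds_hold(conds, referer):
    """Evaluate a RewriteCond chain the way mod_rewrite's loop does. Conds are ANDed, except that
    [OR] joins a cond to the next one, so 'A [OR] / B / C' means (A or B) and C. Once a cond in
    an [OR] run matches, the rest of the run is skipped. If the LAST cond carries [OR] and fails,
    the loop just ends with nothing having vetoed the rule, so the rule fires for every request."""
    i, n = 0, len(conds)
    while i < n:
        c = conds[i]
        if c.ornext:
            if c.matches(referer):
                while i < n and conds[i].ornext:   # skip the remainder of the [OR] run
                    i += 1
            # a failed [OR] cond just falls through to the next alternative
        elif not c.matches(referer):
            return False
        i += 1
    return True

def first_forbidding(rules, path, referer):
    """Name of the first rule answering 403, else None ([F] implies [L], so rule order matters)."""
    return next((r.name for r in rules if r.forbids(path, referer)), None)

def dry_run(rules, log_lines):
    """Run a rule list over raw log lines; one (uri, referer, verdict) tuple per line."""
    fields = [parse_line(line) for line in log_lines]
    return [(f["uri"], f["referer"], first_forbidding(rules, perdir_path(f["uri"]), f["referer"])) for f in fields]

# The thread's rule sets, transcribed; PAGES is lucy24's way of testing only requests for pages.
WILDERNESS = [Rule("wilderness", [Cond("example", ornext=True), Cond("xurl", ornext=True),
                                   Cond("83", ornext=True), Cond("133")])]
PAGES = r"(\.html|/)$"
LUCY24 = [
    Rule("lucy24 #1", [Cond(r"\.(trafficfaker\.com|su|mobi)(/|$)", nc=True)], PAGES),
    Rule("lucy24 #2", [Cond(r"yandsearch\?text=(www\.)?example\.com")], PAGES),
    Rule("lucy24 #3", [Cond(r"\.(ru|ua)(/|$)", nc=True), Cond(r"(google|yandex)\.", negate=True)], PAGES),
    Rule("lucy24 #4", [Cond(r"fun/AlonzoMelissa\.html")], r"fun/AlonzoMelissa\.html"),
]
MIHOMES = [Rule("mihomes", [Cond(r"x(url|ref)")])]

# Constructed sample log lines, not from anyone's real logs; example.com stands for the site itself.
T = "[13/Apr/2012:18:07:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "GET / HTTP/1.1" 200 5120 "http://83.133.124.xx/?xurl=http://83.133.124.xx/dKF0hEC&xref=http://example.com" "Mozilla/5.0"',
    f'192.0.2.11 - - {T} "GET /contact.html HTTP/1.1" 200 2048 "http://example.com/about.html" "Mozilla/5.0"',
    f'192.0.2.12 - - {T} "GET /page.html HTTP/1.1" 200 4096 "http://www.google.com/search?q=part+183" "Mozilla/5.0"',
    f'192.0.2.13 - - {T} "GET /page.html HTTP/1.1" 200 4096 "http://yandex.ru/yandsearch?text=example.com" "Mozilla/5.0"',
    f'192.0.2.14 - - {T} "GET /page.html HTTP/1.1" 200 4096 "http://yandex.ru/yandsearch?text=widgets" "Mozilla/5.0"',
    f'192.0.2.15 - - {T} "GET /fun/AlonzoMelissa.html HTTP/1.1" 200 1024 "http://spam-site.ru/" "Mozilla/5.0"',
    f'192.0.2.16 - - {T} "GET /style.css HTTP/1.1" 200 512 "http://spam-site.ru/" "Mozilla/5.0"',
    f'192.0.2.17 - - {T} "GET /fun/AlonzoMelissa.html HTTP/1.1" 200 1024 "http://example.com/fun/AlonzoMelissa.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, rules in (("wilderness", WILDERNESS), ("lucy24", LUCY24), ("mihomes", MIHOMES)):
        print("---", label)
        for uri, ref, verdict in dry_run(rules, SAMPLE_LOG):
            print(f"{'403 ' + verdict if verdict else 'pass':14} {uri:26} {ref}")
```

Run it with your own lines in place of SAMPLE_LOG. Two things show up in the output that are worth knowing before deploying: the bare keywords example and 83 also catch the site's own internal navigation (example.com is the domain being protected, per crobb305) and a Google search referer that happens to contain 83, while the (\.html|/)$ constraint means none of lucy24's rules fire for a request for the site root, the case she says needs further tweaking. The last two assertions in the accompanying check show the [OR] pitfall directly: a chain whose final cond carries [OR] forbids a request with a plain Google referer, the same chain with the flag dropped from the last line does not.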