Apache Web Server Forum

Redirecting spammers to an external page
Spammers using helpdesk.cgi as entry page and not homepage

 7:52 pm on Oct 31, 2012 (gmt 0)


My site uses a cgi based help desk and the form is located at cgi-bin/tickets/helpdesk.cgi

I have checked log files, and spammers are using that page as the entry page while real visitors first visit the home page, and then if they want to contact us, they click on a link that takes them to the helpdesk.cgi page.

So, I am trying to block spammers via htaccess using directives below, but can't get it to work properly:

RewriteCond %{REQUEST_URI} helpdesk.cgi
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/index.php
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://www.fbi.gov/

Any help is appreciated.



 8:03 pm on Oct 31, 2012 (gmt 0)

This is a very bad administrational choice.

How would you react if another website redirected hundreds or thousands of page requests to your server?

Best practice is to simply deny the visitor (i.e., 403).

Unfortunately, even if you deny the spammers (you haven't provided if they're log spammers or forum spammers), the denials and their spam will still appear within your raw visitor logs.


 8:25 pm on Oct 31, 2012 (gmt 0)

RewriteCond %{REQUEST_URI} helpdesk.cgi

FWIW, the underlying problem for your email spammers is likely a vulnerability in your script.

Suggest you begin looking for a secure script.


 8:45 pm on Oct 31, 2012 (gmt 0)

The script is fine, the spammer is typing captcha, but using helpdesk.cgi as entry page, and I want to avoid that.


 9:02 pm on Oct 31, 2012 (gmt 0)

Are they all from the same IP range or multiple IP ranges?


 9:07 pm on Oct 31, 2012 (gmt 0)

RewriteCond %{HTTP_USER_AGENT} ^$

If blank UAs are a criterion of the spammers, a blank UA should have been in place long before this began.

RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]


 10:48 pm on Oct 31, 2012 (gmt 0)

Probably overlapping several previous posts...

Taking your htaccess at face value without getting into the underlying issues:

RewriteCond %{REQUEST_URI} helpdesk.cgi
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/index.php
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://www.fbi.gov/

Almost every single line is wrong :( All you need is

RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/$
RewriteRule helpdesk\.cgi - [F]

#1 You don't want to constrain the rule to GET. In fact, your real problems are probably with POST, which should be covered in a separate rule. Blank user-agents also belong in a separate rule. I have mine in mod_setenvif as "BrowserMatch ^-?$ keep_out" leading to Deny from...

#2 The name of your front page ends in / alone. Ahem. Doesn't it? You will also need an alternative line-- involving cookies maybe-- for users whose browsers don't send a referer.

#3 The Rule applies to one specific page, so that goes in the Rule itself. Otherwise apache has to stop and evaluate the conditions for every single request it ever gets.

#4 Robots don't follow redirects, so fbi.gov is emotionally satisfying but really doesn't do anything. And it would annoy the fbi if it did work.

#5 All RewriteRules must end in [L] or some L-equivalent flag*, in this case [F] for Fail = 403. If you did redirect, it would be [R=301,L] because a redirect does not carry an implicit [L].

* Except in special circumstances best expressed as "unless your name is jdMorgan".


 2:30 am on Nov 13, 2012 (gmt 0)

Thank you Lucy, excellent explanation, and simpler solution.


 2:39 am on Nov 13, 2012 (gmt 0)

RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/$
RewriteRule helpdesk\.cgi - [F]


I do the same thing on one site hit by spammers for all pages that allow submissions.

If the referrer isn't my domain name I redirect them to the home page just in case it's a legit user that somehow got a direct link to that page they can still get back.

As an added precaution I do reject all GET requests and reject anyone not accepting my cookies so if you don't have a cookie and aren't using a POST you also get bounced.

So if the referrer is not my domain OR the request is a GET OR they don't have my cookie they get bounced to the index page where they can start over from scratch ;)

I also bounce them if anything being submitted contains HTML or has a URL embedded or if the page doesn't pass a hidden value indicating they typed at the keyboard and it was tracked by javascript to stop really advanced spammers but those tricks are for the advanced class.

Went from annoying amounts of spam to ZERO years ago and I log all attempts and some still try daily but it goes silently away.
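
One way to combine the checks discussed in this thread (a separate blank-UA rule, the form's path in the rule pattern, a referer test with a cookie fallback, POST handled on its own) in a single .htaccess. This is an added example, not code from any poster; it assumes the file sits in the document root with cgi-bin/ served from under it, that the site is http://www.example.com/, and the cookie name seen_home is hypothetical.

```apache
# Added example (not from the thread). Assumptions: .htaccess in the
# document root, cgi-bin/ served from under it, site is www.example.com,
# cookie name "seen_home" is hypothetical.
RewriteEngine On

# Blank or "-" User-Agent gets its own rule, independent of the form.
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule ^ - [F]

# Mark visitors who load the front page. This is the fallback signal for
# browsers that send no Referer header. No [L]: processing continues.
RewriteRule ^$ - [CO=seen_home:1:www.example.com]

# POST to the form: refuse with 403 when the Referer is not this site
# OR the front-page cookie is missing. The three conditions read as
# "POST AND (bad referer OR no cookie)".
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/ [OR]
RewriteCond %{HTTP_COOKIE} !(^|;\s*)seen_home=1(;|$)
RewriteRule ^cgi-bin/tickets/helpdesk\.cgi$ - [F]

# Any remaining request for the form that has neither a same-site
# Referer nor the cookie (a cold GET of the form page) is sent to the
# front page to start over. A redirect needs an explicit [L].
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/
RewriteCond %{HTTP_COOKIE} !(^|;\s*)seen_home=1(;|$)
RewriteRule ^cgi-bin/tickets/helpdesk\.cgi$ http://www.example.com/ [R=302,L]
```

Both the Referer header and the cookie are client-supplied, so these rules only filter clients that request the form cold; input validation in the script itself is still needed.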


 6:24 am on Nov 13, 2012 (gmt 0)

What I do on our site is push the spammers to a fake form and they can pound away writing their captchas all day long .. I also have a random number of times they have to type the captcha before it fake submits. LOL ...
