Norton Internet Security

I want to redirect users to a different page

         

Powdork

5:36 am on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There are several other threads in different forums where some folk are in an uproar over the fact that users with Norton Internet Security are (without their knowledge) seeing our websites not as we intended them to. Since much of the internet relies on this advertising to exist, we must fight it. I would like to redirect viewers using this software to a page explaining why they won't be allowed to view my site, exactly who is to blame, how to change their settings to view my site as intended, and an email address at Symantec to write to.

keyplyr has suggested this will block them

RewriteCond %{HTTP_USER_AGENT} ^Blocked\ by\ Norton [NC,OR]

And if so, I'm wondering if this will redirect them to the page mentioned above

RewriteRule .* /pageiwanttosendthemto.htm [L]

And anything else I should know.

jdMorgan

7:01 am on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That code will break all of your images, error pages, scripts, etc.

I'd suggest making the rule a little more specific by rewriting only .htm pages -- except for your custom error documents (if any).


RewriteCond %{HTTP_USER_AGENT} ^Blocked\ by\ Norton [NC]
RewriteCond %{REQUEST_URI} !^(40[34]¦410)\.htm$
RewriteRule \.htm$ /pageiwanttosendthemto.htm [L]

Actually, I'd suggest you don't do this: You will only frustrate your non-technical visitors and make your technically-oriented visitors mad (assuming these latter know about the user-agent/referrer blocker and turned/left it on intentionally).

As an alternative, consider using SSI or PHP to include a message at the top of your pages for visitors with the blocker enabled. A few may click on it and learn something, and you won't be driving away visitors.

This method is much more user-friendly, educational rather than confrontational, and on commercial sites has the distinct advantage of not causing a potential loss of sales and referrals.

Sometimes it works, too; on a "hobby site" I administer for a club I'm a member of, I used it to "save" several other members from an adware package with a user-agent name that resembles "AmusingInternetProduce". Nobody got mad and left; if they had the time and the inclination, they clicked through to the detailed explanation and removal instructions. If not, they did what they came to the site to do. Most came back later and clicked through and got rid of it.

The customer is always right, even when the customer is wrong, or not technically-competent, or even foolish. And just because (technically) we *can* do a thing, doesn't make it the right thing to do.

IMHO, YMMV, etc.
Jim

ebizcamp

7:22 am on May 19, 2004 (gmt 0)

10+ Year Member



Not sure if this works:

Change standard banner size (by default blocked by NIS) to non-standard size, say 121*61 instead of 120*60.

For CJ's code, delete www.qksrv.net/ from CJ's code, use mod_rewrite to rewrite click(image)-****-**** to its real URL

Powdork

8:30 am on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> This method is much more user-friendly, educational rather than confrontational, and on commercial sites has the distinct advantage of not causing a potential loss of sales and referrals.

For some of us, these ads, including adsense, are the only way our sites can survive. Our entire income is derived from the exact stuff being blocked. I would consider the price of a lost visitor that is unknowingly prevented from viewing my site as intended by the illegal actions of a third party to be less than the benefit gained by educating that lost visitor. And if the visitor is knowingly doing it, there is another page I would rather send them to.;) This is not for all sites, definitely. I have other sites that I would consider myself to be in breach of contract if I were to block NIScammers on.

RewriteCond %{REQUEST_URI} !^(40[34]¦410)\.htm$

Does the $ allow for html? Can we replace it with 'php', etc.?

Powdork

8:40 am on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Can someone with NIS installed tell me if it works (http://www.example.com/)?
If you are running it you should see a page that says so.

[edited by: jdMorgan at 2:19 pm (utc) on May 19, 2004]
[edit reason] Examplified link per WebmasterWorld TOS [/edit]

PCInk

9:06 am on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> RewriteCond %{HTTP_USER_AGENT} ^Blocked\ by\ Norton [NC,OR]

Which will check if Norton is blocking referers only.

If I turn OFF advert blocking, I will still get redirected - thus you will get no revenue from any Norton user.

It is your money you're losing.

Powdork

9:09 am on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That many more of Norton's customers will complain to Norton.:)

Hanu

10:09 am on May 19, 2004 (gmt 0)

10+ Year Member



I have NIS 2004 with ad-blocking on and didn't get redirected (my current IP 217-231-133-120).

Anyway, what jdMorgan says makes so much sense. If you turn a customer away that would otherwise come back without NIS or with NIS ad-blocking turned off, you lose money twice. Or as we Germans say (but never obey): the customer is king.

NIS has caused me a lot of trouble, e.g. with its referrer blocking preventing me from posting in certain forums. On the other hand, once I learned how to configure it properly and how to exempt certain sites from this referrer blocking, I actually found it very useful. For example, when I'm reverse engineering my competitors' rankings in G, I don't have to worry about them seeing the search phrases I was using when I click their sites.

gergoe

1:51 pm on May 19, 2004 (gmt 0)

10+ Year Member



You can use the following to enable error files to be shown with any extension:

RewriteCond %{REQUEST_URI} !^(40[34]¦410)\.[^.]{3,4}$

...or just change the RewriteCond posted by jdMorgan, and replace the htm on the end of the line to anything else, like php.

Powdork

4:56 pm on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



requested page /just+block+my+ip+and+then+start+blocking+all+other+ips+because+you+never+know+who+is+at+the+other+end+of+the+wire+pulling+the+strings+but+lets+skip+that+for+now+and+_get+back+to+some+serious+blocking
ROTFLMAO.
Sorry about the url jd. As always, you have proven to be the most helpful person I've run across here at WW, if not anywhere.

Hanu
217.***.120 - - [19/May/2004:05:56:24 -0400] "GET / HTTP/1.1" 200 11999 "-" "-"

2 questions: Did you see the adsense, or the banner at the bottom? Have you altered your UA or is that the standard install of Norton?

Oh yeah, does the dollar sign in the code above include html as well as htm? I'm guessing it does, but if not, that could be why you got through to index.html

Powdork

5:24 pm on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Damn broken pipe! I fixed that and then tried a user agent spoofing doohickey. It is blocking the user agent on htm, but not on html. Also, it is not redirecting, but giving an internal server error. I asked myself "Am I redirecting them to a page that they are banned from?"

It would seem so. I changed the name of the page to blockedbynorton.html (and the part of the code in .htaccess to reflect that) and now it works. I like this. They can come in through my homepage. Then when they go somewhere else get redirected to a nicely written page explaining what happened and then go to the same page they were on, but named .html (or something else).

Added: Anyone with NIS know the steps to disable ad-blocking so I can put that on the redirection page? And how to change the UA, if possible?

jdMorgan

5:44 pm on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The following code in .htaccess will rewrite any request for .htm or .html pages, or for "/" -- the index page -- to /alternate_page.htm, if the user-agent starts with "Blocked by Norton". Custom error pages 403.htm, 404.htm, and 410.htm are excluded, as is the alternate page itself, in order to prevent a recursive looping problem.

RewriteCond %{HTTP_USER_AGENT} ^Blocked\ by\ Norton [NC]
RewriteCond %{REQUEST_URI} !^/(40[34]¦410¦alternate_page)\.htm$
RewriteRule (\.html?$¦^$) /alternate_page.htm [L]

Additionally, you might want to add:

RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !^/(40[34]¦410¦alternate_page)\.htm$
RewriteRule (\.html?$¦^$) /alternate_page.htm [L]

to take care of blank referrer/blank user-agent requests and "fake blank" referrers/user-agents as well.

These can be combined, if you wish:


RewriteCond %{HTTP_REFERER}<>%{HTTP_USER_AGENT} ^-?<>-?$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Blocked\ by\ Norton [NC]
RewriteCond %{REQUEST_URI} !^/(40[34]¦410¦alternate_page)\.htm$
RewriteRule (\.html?$¦^$) /alternate_page.htm [L]

There are a hundred different ways to do this, depending on exactly what you want to do -- let your log files show the way.

You must edit the code to replace all broken pipe "¦" characters with solid pipes before use.

For the meaning of the regular expressions used in mod_rewrite, see this regular expressions tutorial [etext.lib.virginia.edu].

Note that the "<>" character string used in the var1<>var2 construct shown above, while implying concatenation, has no special meaning in mod_rewrite; this is simply a unique string used to define the boundary between the two variables in the combined pattern, which would otherwise be ambiguous.

Jim
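
The decision logic of the combined ruleset in the post above, modelled in Python as an added example (not code from the thread or from Apache). It assumes the rules live in a document-root .htaccess file; the function name and the sample requests are constructed for illustration.

```python
import re

# Patterns from the combined ruleset above, with the forum's broken pipes
# replaced by solid pipes as the post instructs.
BLANK_PAIR = re.compile(r"^-?<>-?$")                  # referer<>user-agent
NORTON_UA = re.compile(r"^Blocked by Norton", re.I)   # [NC] = ignore case
EXCLUDED = re.compile(r"^/(40[34]|410|alternate_page)\.htm$")
RULE = re.compile(r"(\.html?$|^$)")
TARGET = "/alternate_page.htm"


def rewrite(uri, referer="", user_agent=""):
    """Model one pass of the ruleset in a document-root .htaccess (a sketch)."""
    # Per-directory rules see the path without its leading slash, so a
    # request for "/" reaches the RewriteRule pattern as the empty string.
    path = uri[1:] if uri.startswith("/") else uri
    if not RULE.search(path):
        return uri  # images, scripts and stylesheets are never touched
    # An absent header expands to an empty string in the test string.
    pair = f"{referer}<>{user_agent}"
    flagged = bool(BLANK_PAIR.search(pair) or NORTON_UA.search(user_agent))
    # [OR] joins only the first two conditions; the URI exclusion is ANDed.
    if flagged and not EXCLUDED.search(uri):
        return TARGET
    return uri


# Constructed sample requests: (uri, referer, user_agent)
SAMPLES = [
    ("/", "", ""),                                   # both headers absent
    ("/", "-", "-"),                                 # literal "fake blank"
    ("/products.html", "http://www.example.com/", "blocked by norton"),
    ("/products.htm", "", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("/logo.gif", "", ""),
    ("/404.htm", "", ""),
    ("/alternate_page.htm", "", "Blocked by Norton"),
]

if __name__ == "__main__":
    for uri, ref, ua in SAMPLES:
        print(f"{uri:22} ref={ref!r:28} ua={ua!r:40} -> {rewrite(uri, ref, ua)}")
```

Note the fourth sample: a blank referrer with a normal user-agent is not rewritten, because the blank-pair pattern requires both fields to be blank.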

dhatz

5:56 pm on May 19, 2004 (gmt 0)

10+ Year Member



Does the "Blocked by Norton" string actually exist in anyone's logfiles?

I've just searched several million logfile entries and couldn't find even ONE instance of it.

On the other hand, almost 15% of all users surf with Referrals strings stripped-off, probably by Norton or similar sw.

gergoe

6:38 pm on May 19, 2004 (gmt 0)

10+ Year Member



It is difficult for me to understand why most of the people are asking first without trying to solve the case by themselves...
Check this out:
[search.symantec.com...]

By the way it seems that by default the UA string is not altered by NIS, only if the user changes it.

john_k

7:09 pm on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Check this out:
> [search.symantec.com...]

From that link at Symantec:

> Web servers often request browser (user-agent) information from your computer.

Funny, I had thought it was a suggested header that the browser SHOULD supply as a common courtesy.

HTTP 1.1 RFC 2616, see Sections 5.3 and 14.43
ftp://ftp.isi.edu/in-notes/rfc2616.txt

Powdork

7:42 pm on May 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Everything I saw there pertained to the 2002 and previous editions. I just perused the manual briefly for 2004 Personal Firewall and couldn't quickly find anything about the UA.

Hanu

12:44 pm on May 20, 2004 (gmt 0)

10+ Year Member



> 2 questions: Did you see the adsense, or the banner at the bottom? Have you altered your UA or is that the standard install of Norton?

I did see the adsense. I didn't see the banner. This is exactly what I want. I don't mind adsense but I do mind banners.

In a standard install, the "Enable Browser Privacy" is on, blocking UA and Referrer.

Powdork

3:13 pm on May 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So, how bad is the downside of blocking those with no referrer?

jdMorgan

4:53 pm on May 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Could be very bad...

In addition to visitors who intentionally installed NIS and set it to block referrers, there are thousands of people behind corporate and ISP caching proxies -- all of which will drop the referrer if they fetch a page into cache when the visitor requests it.

Referrer-based access control is simple but unreliable. Other methods are more complex and involve a lot more development and testing. Maybe you could set up your server to proxy AdWords files, calling a script for each request that logs the requestor's IP address. (I have no idea if Google would be "OK" with proxying Adwords requests, this is just a technical idea.) For any IP that requests a second page of your site before requesting any Adwords, redirect to a page that tells them that they're blocking your revenue. This would require that you keep a database of IP addresses which recently accessed your pages, and provide for flushing it out periodically.

You'd also have to provide for users of ISPs like AOL, who seem to have a different IP address for each and every page request (because of the aforementioned caching proxies). Maybe you could use cookies or session IDs instead of IP addresses for this. But then some users block cookies too, so sessions it is. So now, you'll need to provide friendly session-less URLs to SE spiders when they call. Anyway, the whole thing snowballs quickly into a fairly respectable project. In this light, even loose referrer-based access control looks OK as a quick-fix if it catches some useful number of problems.

Jim
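
The tracking scheme sketched in the post above, as an added example that is not part of the original thread: flag a visitor who requests a second page before fetching any ad file, keyed either by IP address or by session ID. The class name, the 30-minute lifetime and the timeline are assumptions constructed for illustration; the addresses are documentation ranges.

```python
class AdFetchTracker:
    """Flags a visitor who requests a second page before fetching any ad file."""

    def __init__(self, ttl=1800):
        self.ttl = ttl        # seconds a record stays "recent" (assumed value)
        self.records = {}     # visitor key -> [pages, ad_fetched, last_seen]

    def _record(self, key, now):
        rec = self.records.get(key)
        if rec is None or now - rec[2] > self.ttl:
            rec = self.records[key] = [0, False, now]   # new or expired visitor
        rec[2] = now
        return rec

    def ad_request(self, key, now):
        """Called by the script that proxies and logs the ad files."""
        self._record(key, now)[1] = True

    def page_request(self, key, now):
        """True when this page request should go to the explanation page."""
        rec = self._record(key, now)
        rec[0] += 1
        return rec[0] >= 2 and not rec[1]

    def flush(self, now):
        """Periodic clean-up: keep only records seen within the TTL."""
        self.records = {k: r for k, r in self.records.items() if now - r[2] <= self.ttl}


# Constructed timeline: (seconds, ip, session, kind). Visitor s1 fetches ads,
# s2 never does, s3 sits behind a proxy pool and shows a new IP per request.
EVENTS = [
    (0, "192.0.2.10", "s1", "page"), (1, "192.0.2.10", "s1", "ad"),
    (30, "192.0.2.10", "s1", "page"),
    (5, "192.0.2.20", "s2", "page"), (40, "192.0.2.20", "s2", "page"),
    (7, "198.51.100.1", "s3", "page"), (50, "198.51.100.2", "s3", "page"),
]


def replay(events, key_index):
    """Run the timeline keyed by IP (1) or session ID (2); return flagged keys."""
    tracker, flagged = AdFetchTracker(), set()
    for ev in sorted(events):
        key = ev[key_index]
        if ev[3] == "ad":
            tracker.ad_request(key, ev[0])
        elif tracker.page_request(key, ev[0]):
            flagged.add(key)
    return flagged
```

Keyed by IP, the replay flags only 192.0.2.20 and misses the proxy-pool visitor; keyed by session ID it flags both s2 and s3, which is the reason the post moves from IP addresses to sessions.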

Hanu

12:38 pm on May 21, 2004 (gmt 0)

10+ Year Member



Interesting. Including testing, that sounds like a lot of work. Seems like a lost battle to me ...

If you block the users with no referrer, wouldn't that also block people typing the URL into the address field or clicking a favourite?

Hanu

12:45 pm on May 21, 2004 (gmt 0)

10+ Year Member



Oh, another idea. What about using secure http? Proxies have to pass it through, NIS can't intercept the referrer. It's just you (your server) and them (the users' browsers). You only need to buy a certificate from a certification authority.

jdMorgan

2:22 pm on May 21, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> If you block the users with no referrer, wouldn't that also block people typing the URL into the address field or clicking a favourite?

Yes, it would -- and cut-n-paste from e-mail, JS-scripted calls for images, and a lot of other access methods as well... It is a mess. So, we have to choose between more complicated and/or expensive solutions and the imperfect-but-simple not-blank-but-incorrect-referrer-blocking for simple image access control. However, that still leaves us with the problem of AdWord and other creatives being blocked on sites that rely on them for revenue. For that, it seems to me that some sort of scripted, sessions-based solution will be the simplest.

Jim

Powdork

10:42 pm on May 21, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I went through my referral logs and 90% of the few users with "-" "-" as the referrer and user agent were up to no good. That leaves about 10% of those that are using NIS or something similar. So it would seem this is the way to go. Correct?

RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !^/(40[34]¦410¦alternate_page)\.htm$
RewriteRule (\.html?$¦^$) /alternate_page.htm [L]

RichD

11:07 pm on May 21, 2004 (gmt 0)

10+ Year Member



When I was doing some tests with Norton, I spotted it changes the HTTP_ACCEPT_ENCODING header to HTTP________________ (a _ for each letter). I assume this is to stop the server sending compressed data, which would be harder for it to filter for ads.

Hope this helps.

gergoe

11:13 pm on May 21, 2004 (gmt 0)

10+ Year Member



The "-" in the apache log means the quoted nothing, it is just a kind of placeholder. So you don't need to look for hyphen matches in your rewrites, just use simply ^$ (empty string). It is not a big deal, but nice to know (and maybe makes the rewriting process faster with 0,01%)

jdMorgan

11:24 pm on May 21, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> The "-" in the apache log means the quoted nothing

Ah, that's true. But some tricky bad-bots use a literal "-" as their user-agent string, in order to "hide" in the Apache access log files and bypass checks for an empty user-agent string. :)

Jim