.htaccess and comment spam

Can .htaccess be used to combat comment spam in weblogs?

         

Red5

9:51 pm on Nov 25, 2004 (gmt 0)


Dear all,

We have been using a well-known brand of blogging software which includes a tool for comment moderation. However, the physical number of spambot comment posts is huge, and it requires an ever-increasing amount of our time to delete these unwanted posts.

From the little I know about the .htaccess file, it occurs to me that it might be able to block attempts by spambots to access the commenting script (mt-comments.cgi).

Is it possible to deny requests for this file if they don't originate from my own server?

Many thanks in advance,

Red5

jdMorgan

3:25 am on Nov 26, 2004 (gmt 0)


This problem can be treated in much the same way as image hotlinking, a subject we have a fairly large number of threads about. Take a look through those, and see if they'll help.

You will be relying on the HTTP_REFERER header, which is inherently unreliable. For that reason, it will be necessary to allow access by requestors with a blank referrer, which opens a hole in the protection. However, many legitimate users will also have a blank referrer, so it is necessary.

You could also use mod_rewrite to 'hide' the cgi script by creating an alias name for it. However, you'll need to look at your logs and see how the spambots "find" your script to determine if this would be worthwhile.

Also, take a look at your forum script and see if you can't rename the "submit" button's "name" to something else. You might even be able to hide a fake submit button using CSS, and record the IP addresses of any clients that try to use it. These IP addresses could then be added automatically to your .htaccess file to deny further access.

The above is pretty general, because solutions for one site might be too cumbersome for another - a lot depends on the usual traffic levels and how bad your problem is.

Jim

Red5

1:39 pm on Nov 29, 2004 (gmt 0)


Hi there, and thank you for your reply.

So, if I understand you correctly, something like the following might work?

RewriteCond %{REQUEST_URI} mt-comment\.cgi$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteRule .* - [F,L]

jdMorgan

2:13 pm on Nov 29, 2004 (gmt 0)


You will be relying on the HTTP_REFERER header, which is inherently unreliable. For that reason, it will be necessary to allow access by requestors with a blank referrer, which opens a hole in the protection. However, many legitimate users will also have a blank referrer, so it is necessary.

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteRule mt-comment\.cgi$ - [F]

The first line allows blank referrers as discussed above, the mt-comment.cgi URL is moved to the RewriteRule for better efficiency, and the [L] flag has been removed; it is redundant when used with [F].

If you find that you get many blank referrers spamming your script, then one of the more-complicated techniques mentioned above will be needed. Actually, I recommend changing the referrer RewriteCond to

RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/page_with_submit_button\.html$ [NC]

That is, allow only the "correct" page or few pages on your site to refer to the comment script. This is an easy way to "tighten up security" for the simple version.

Jim
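
An added example, not part of any post in this thread: a simplified Python model of the rule set in the reply above, run over constructed Referer values to show what the loose pattern and the tightened single-page pattern each let through. The function names and sample requests are assumptions, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Patterns copied from the rules in the thread; example.com is the thread's placeholder.
SCRIPT = r"mt-comment\.cgi$"
LOOSE = r"^http://(www\.)?example\.com"
TIGHT = r"^http://(www\.)?example\.com/page_with_submit_button\.html$"


def forbidden(path, referer, site_pattern, allow_blank=True):
    """Return True when the modelled rule set would answer 403 ([F]).

    Simplified model: RewriteConds are ANDed, patterns are unanchored
    regex searches, "!" negates and [NC] ignores case.
    """
    if not re.search(SCRIPT, path):               # RewriteRule mt-comment\.cgi$ - [F]
        return False
    if allow_blank and not re.search(r".", referer):   # RewriteCond %{HTTP_REFERER} .
        return False                              # blank referrer: rule does not fire
    # RewriteCond %{HTTP_REFERER} !<site_pattern> [NC]
    return re.search(site_pattern, referer, re.IGNORECASE) is None


# Constructed sample requests: (label, path seen by the rule, Referer header).
CGI = "cgi-bin/mt-comment.cgi"
SAMPLES = [
    ("own submit page", CGI, "http://www.example.com/page_with_submit_button.html"),
    ("other page on site", CGI, "http://example.com/archives/1.html"),
    ("blank referrer", CGI, ""),
    ("foreign site", CGI, "http://other.test/"),
    ("prefix lookalike host", CGI, "http://example.com.other.test/"),
    ("https referrer", CGI, "https://www.example.com/page_with_submit_button.html"),
    ("unrelated URL", "index.html", "http://other.test/"),
]


def decisions(site_pattern, allow_blank=True):
    """Map each sample label to "403" or "pass" for one rule variant."""
    return {label: "403" if forbidden(path, ref, site_pattern, allow_blank) else "pass"
            for label, path, ref in SAMPLES}


if __name__ == "__main__":
    loose, tight = decisions(LOOSE), decisions(TIGHT)
    for label, _, _ in SAMPLES:
        print(f"{label:24} loose={loose[label]:5} tight={tight[label]:5}")
```

The loose pattern is a prefix match, so a Referer from any host whose name merely begins with the site's name passes it, while the pattern ending in `$` does not; both patterns reject `https://` referrers from the site itself, which matters if the blog is served over HTTPS.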