Hi Dave,

Not real sure what the question is here, but what is wrong with using a baseball bat?

RewriteCond %{HTTP_REFERER} casino¦poker¦keno¦cialis¦viagra¦percocet [NC]
RewriteRule ^/.* /cgi/abcde.cgi [PT,L]

I note that this code appears to be for use in httpd.conf and as such, an explicit loop-prevention RewriteCond is not needed as it would be in .htaccess.

Jim

There are SOME words that the baseball bat approach does not work for... though I cannot think of any offhand, there was a reason I went for a more surgical version.

But now that I reconsider, maybe it is fine to do that this way.

Yes, it is httpd.conf!

Dave

You can use the "baseball-bat-and-band-aid" method in limited cases, if needed:

RewriteCond %{HTTP_REFERER} [b]spam[/b]¦casino¦poker¦keno¦cialis¦viagra¦percocet [NC]
RewriteCond %{HTTP_REFERER} [b]!spam[/b]cop\.org
RewriteRule ^/.* /cgi/abcde.cgi [PT,L]

This shifts the approach slightly to the "whitelist" side.

Jim

Here are some others you might want to pick from, as I've gathered these while searching through the log files:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*\.biz.* [OR]
RewriteCond %{HTTP_REFERER} ^.*poll.* [OR]
RewriteCond %{HTTP_REFERER} ^.*doctor.* [OR]
RewriteCond %{HTTP_REFERER} ^.*phentermine.* [OR]
RewriteCond %{HTTP_REFERER} ^.*holdem.* [OR]
RewriteCond %{HTTP_REFERER} ^.*onlineayz.* [OR]
RewriteCond %{HTTP_REFERER} ^.*onlinefe.* [OR]
RewriteCond %{HTTP_REFERER} ^.*onlinevi.* [OR]
RewriteCond %{HTTP_REFERER} ^.*pxbonline.* [OR]
RewriteCond %{HTTP_REFERER} ^.*casino.* [OR]
RewriteCond %{HTTP_REFERER} ^.*poker.* [OR]
RewriteCond %{HTTP_REFERER} ^.*insurance.* [OR]
RewriteCond %{HTTP_REFERER} ^.*fs.fed.us.* [OR]
RewriteCond %{HTTP_REFERER} ^.*loan.* [OR]
RewriteCond %{HTTP_REFERER} ^.*money.* [OR]
RewriteCond %{HTTP_REFERER} ^.*debt.* [OR]
RewriteCond %{HTTP_REFERER} ^.*credit.* [OR]
RewriteCond %{HTTP_REFERER} ^.*betting.* [OR]
RewriteCond %{HTTP_REFERER} ^.*wager.* [OR]
RewriteCond %{HTTP_REFERER} ^.*mortgage.* [OR]
RewriteCond %{HTTP_REFERER} ^.*drugs.* [OR]
RewriteCond %{HTTP_REFERER} ^.*pharmacy.*
RewriteRule ^.*$ - [F]

I realize now this can be done differently such as ^.*pharmacy.* can be just pharmacy, but still it works. It doesn't do any good to provide a rewrite rule as they won't follow a rewrite. They just want to show up in your private log files and password protected activity reports. They generally aren't too bright.

With a baseball bat, you have to first knock on their door. With a gun you can do it from a distance. :)

-Maurice

> won't follow a rewrite

Just to be specific, these clients won't follow an external redirect. Following a server-internal rewrite is not optional, since this is under the sole control of the server.

For the sake of efficiency, I recommend omitting start and/or end anchors where ".*" is the adjacent pattern and no back-reference is needed:

In a regular-expressions pattern, "somestring" is entirely equivalent to "^.*somestring.*$" and is shorter and faster to process.

Jim

> Just to be specific, these clients won't follow an
> external redirect. Following a server-internal rewrite
> is not optional, since this is under the sole control
> of the server.

It wouldn't surprise me also, that in the case of the ones who just want to appear in the referrer field, that they might not even wait for the entire requested file to be downloaded. Unless of course, they are looking for email addresses and other URL's to attack while they are doing this.

-Maurice

Yes, since what they want is an entry in publicly-accessible log files/stats pages, all they really need to do is a HEAD request, and the only thing we can do is to issue a 403-Forbidden response to let them know that they're not welcome. I rewrite them to a single-byte 403 "page" and issue an immediate Connection: close header so they don't waste my bandwidth or tie up my server threads.

Most are very crude programs -- They don't even check to see if the log files *are* accessible, they just "shotgun" their target sites as fast and as simply (for them) as possible.

Jim