Site Spam Solution?

trying to block site spam from multiple IPs

         

btsteed

8:49 pm on Jun 14, 2005 (gmt 0)

10+ Year Member



Hello, all. My first post at WW.

I've got a site spammer who is using the following techniques to post spam on my site and in my log files:

- They use dozens of IPs from many different IP blocks
- They post to/hit thousands of pages, not just one form
- They are promoting a dozen different URLs

I've looked at several solutions by blocking the IP or by using Apache to check the referrer text, but the host in my log files doesn't always have an IP, and at times, there is no referrer provided.

I don't want to block entire countries, and I'd like to keep my .htaccess file as lightweight as possible.

Anyone have any solutions, or any idea as to how this person is automating this spam?

Thanks.

jd01

11:17 pm on Jun 14, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There are a few things you can do:

1. There is a 'bad bot' PHP script that will not allow more than a certain number of requests from a location for a period of time. Try searching for it using a major SE and 'blocking bad bots site:webmasterworld.com'

2. If they are using a consistent user-agent, you should be able to block the requests this way.

RewriteCond %{HTTP_USER_AGENT} ^badrobot [NC]
RewriteRule . - [F]

3. Protect your log files. If they are truly just log spamming, they may quit after they realize only you have access to your logs.

4. You might look into SetEnvIf and try to block X-Forwarded-For requests, which can be used to spoof IP addresses. This may take some time to narrow down, if you need to let some forwards through, but if not, you might be able to get them this way.

Hope this helps, and please let us know what you come up with.

Justin

btsteed

1:12 am on Jun 15, 2005 (gmt 0)

10+ Year Member




> There are a few things you can do:
>
> 1. There is a 'bad bot' PHP script that will not allow more than a certain number of requests from a location for a period of time. Try searching for it using a major SE and 'blocking bad bots site:webmasterworld.com'

I'll take a look at that script.

> 2. If they are using a consistent user-agent, you should be able to block the requests this way.

Yeah, I left that out. It's a different browser and different platform with each hit.

> 3. Protect your log files. If they are truly just log spamming, they may quit after they realize only you have access to your logs.

This is true now...the logs are protected. I've seen the spam on many other sites. After looking a bit more, I don't think it's spam designed for logs as much as it's designed for forms/blog comments.

Thanks, Justin. I'll keep digging, but this points me in the right direction. As for now, I'm trying to block them by using the following:

RewriteCond %{HTTP_REFERER} ^http://(www.)?.*badurl1.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www.)?.*badurl2.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www.)?.*badurl3.*$ [NC]
RewriteRule ^.* - [F,L]

This seems to block the primary URLs that are in the spam.

jdMorgan

2:58 am on Jun 15, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



See the two scripts cited here: [webmasterworld.com...] msg#16, starting at step #3.

Jim

Wizcrafts

1:51 am on Jun 17, 2005 (gmt 0)

10+ Year Member



Here is my solution to the access log spammers who have been pestering my website. This list blocks 99% of them from getting through to the page they requested. All they get is my 403 page. The funny thing is that my logs are not accessible from a browser and can only be obtained by downloading them from the server control panel. They are wasting their time, but judging from the dozens of spam attempts they don't seem to care. Must be spambots on compromised computers.

RewriteCond %{HTTP_REFERER} black.?jack¦buy\-¦\-2005¦casino¦cialis¦consolidation¦debt¦empire\-¦equity¦
gambling¦hold\-em¦holdem¦loan¦pharmacy¦phentermine¦pills¦poker¦prescriptions¦roulette¦slots¦terashells¦
viagra¦xanax¦freefonts\.org\.uk¦ridgeviewelem\.org [NC]
RewriteRule !^403\.html - [F]

If you choose to use this code remember to replace the broken pipes with solid pipes.

Wiz

[edit] The RewriteCond directive and all the keywords should all be on one line, ending with the [NC].
It was necessary to break this into several lines to fix the side-scrolling on this forum. jdm [/edit]

[edited by: jdMorgan at 3:09 am (utc) on June 17, 2005]
[edit reason] Fixed side-scroll, added /code tag. [/edit]
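
An added example, not part of the original thread or any poster's code: a dry run of the keyword list from the post above against an access log before deploying it, showing which requests the rule would reject and which keyword caused it. It assumes Apache Combined Log Format; the sample log lines, hosts and the `audit` function name are constructed for illustration.

```python
import re
from collections import Counter

# Keyword list from the post above, with solid pipes and joined onto one line.
KEYWORDS = (
    r"black.?jack|buy\-|\-2005|casino|cialis|consolidation|debt|empire\-|equity|"
    r"gambling|hold\-em|holdem|loan|pharmacy|phentermine|pills|poker|prescriptions|"
    r"roulette|slots|terashells|viagra|xanax|freefonts\.org\.uk|ridgeviewelem\.org"
)
SPAM_REFERER = re.compile(KEYWORDS, re.IGNORECASE)  # IGNORECASE mirrors [NC]

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up referrers).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jun/2005:01:02:03 +0000] "GET /page1.html HTTP/1.1" 200 512 "http://www.cheap-poker.example/" "Mozilla/4.0"
198.51.100.7 - - [17/Jun/2005:01:02:09 +0000] "GET /page2.html HTTP/1.1" 200 498 "http://online-casino.example/win" "Opera/7.0"
203.0.113.5 - - [17/Jun/2005:01:03:00 +0000] "GET /about.html HTTP/1.1" 200 777 "http://blog.example.org/archive/june-2005-links.html" "Mozilla/5.0"
203.0.113.9 - - [17/Jun/2005:01:04:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jun/2005:01:05:00 +0000] "POST /comment.php HTTP/1.1" 200 120 "http://POKER-rooms.example/" "Mozilla/4.0"
"""

def audit(log_text):
    """Return (Counter keyword -> hits, list of (host, referer, keyword)) for would-be 403s."""
    hits, matched = Counter(), []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        referer = m.group("referer")
        kw = SPAM_REFERER.search(referer)
        if kw:  # an absent referer is logged as "-" and never matches
            keyword = kw.group(0).lower()
            hits[keyword] += 1
            matched.append((m.group("host"), referer, keyword))
    return hits, matched

if __name__ == "__main__":
    hits, matched = audit(SAMPLE_LOG)
    for host, referer, keyword in matched:
        print(f"{host:15} {keyword:8} {referer}")
    print(dict(hits))
```

In the constructed sample, the `\-2005` keyword also rejects an ordinary blog archive link, and the request with no referrer passes untouched, so reviewing the matched list before enabling the rule shows both the false positives and the gap.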