This is a very bad administrational choice.

How would you react if another website redirected hundred or thousands of page requests to your server?

Best practice is to simply deny the visitor (i. e., 403).

Unfortunately, even if you deny the spammers (you haven't provided if their log spammers or forum spammers), the denials and their spam will still appear within your raw visitor logs.

RewriteCond %{REQUEST_URI} helpdesk.cgi

FWIW, the underlying problem for your email spammers, is likely a vulnerability in your script.

Suggest you begin looking for a secure script.

The script is fine, the spammer is typing captcha, but using helpdesk.cgi as entry page, and I want to avoid that.

Are they all from the same IP range or multiple IP ranges?

RewriteCond %{HTTP_USER_AGENT} ^$

If blank UA's are a criteria of the spammers, a blank UA should have been in place, long before this began.

RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]

Probably overlapping several previous posts...

Taking your htaccess at face value without getting into the underlying issues:

RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_URI} helpdesk.cgi
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/index.php
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://www.fbi.gov/

Almost every single line is wrong :( All you need is

RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/$
RewriteRule helpdesk\.cgi - [F] 

#1 You don't want to constrain the rule to GET. In fact, your real problems are probably with POST, which should be covered in a separate rule. Blank user-agents also belong in a separate rule. I have mine in mod_setenvif as "BrowserMatch ^-?$ keep_out" leading to Deny from...

#2 The name of your front page ends in / alone. Ahem. Doesn't it? You will also need an alternative line-- involving cookies maybe-- for users whose browsers don't send a referer.

#3 The Rule applies to one specific page, so that goes in the Rule itself. Otherwise apache has to stop and evaluate the conditions for every single request it ever gets.

#4 Robots don't follow redirects, so fbi.gov is emotionally satisfying but really doesn't do anything. And it would annoy the fbi if it did work.

#5 All RewriteRules must end in [L] or some L-equivalent flag*, in this case [F] for Fail = 403. If you did redirect, it would be [R=301,L] because a redirect does not carry an implicit [L].


* Except in special circumstances best expressed as "unless your name is jdMorgan".

Thank you Lucy, excellent explanation, and simpler solution.

RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/$
RewriteRule helpdesk\.cgi - [F]

Exactly.

I do the same thing on one site hit by spammers for all pages that allow submissions.

If the referrer isn't my domain name I redirect them the to home page just in case it's a legit user that somehow got a direct link to that page they can still get back.

As an added precaution I do reject all GET requests and reject anyone not accepting my cookies so it you don't have a cookie and aren't using a POST you also get bounced.

So if the referrer is not my domain OR the request is a GET OR they don't have my cookie they get bounced to the index page where they can start over from scratch ;)

I also bounce them if anything being submitted contains HTML or has a URL embedded or if the page doesn't pass a hidden value indicating they typed at the keyboard and it was tracked by javascript to stop really advanced spammers but those tricks are for the advanced class.

Went from annoying amounts of spam to ZERO years ago and I log all attempts and some still try daily but it goes silently away.

What I do on our site is push the spammers to a fake form and they can pound away writing their capchas all day long .. I also have a random number of times they have to type the capcha before it fake submits. LOL ...