While waiting for a full reply, go upstairs and read the Forums charter about using only "example.com". Or example dot something-else if you need to name more than one domain.

Do you mean the referring IP or the requesting IP? If the referer itself comes through as IP numbers, you can put that in the {HTTP_REFERER} line just like anything else. Also note that you don't always need an opening anchor in referers.

If you're talking about the source of the request, that becomes {REMOTE_ADDR}. But at that point you're probably looking at a simple Deny from... directive instead.

The specific IP you named-- which may get snipped in the process of Forums cleanup-- is listed as "Private customer" routed via wowrack. Sure sounds like someone you'd block out unconditionally in any case; the full range seems to be
216.176.176.0/20

:: wandering off to add range to my own Deny list ::

Thanks for replying. It shows in the log as a http referer from the IP I mentioned earlier that I now refer to with 000.

What I did was add the following:

RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?000\.000\.000\.000/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://example.com/example.jpg [L]

I tested it by the domain which works great. But I have no way of testing whether the addition of the ip works or not. Everything else does.

welcome to WebmasterWorld, schmel!


you could test it by navigating to the IP address <http://123.45.67.89/> and finding and clicking the link to your domain.

you could test it by navigating to the IP address <http://123.45.67.89/> and finding and clicking the link to your domain.

Assuming for the sake of discussion that it's really a link, rather than referer spam :) OK, I guess that's more common with page requests.

Could the form
http:/ /blahblah.123.34.67.89
ever occur as a viable URL? I'd expect numbers alone.

Now, unless you have a very odd site, you could probably get by with a global referer block on

\d+\.\d+\.\d+\.\d+

(substitute [0-9] if server is crotchety) because when would you ever get a legitimate image referer from a numerical IP address?

RewriteRule .*\.(jpe?g|gif|bmp|png)$

The leading .* is unnecessary and may slow things down. Since you're not capturing, all you need is the end-anchored extension.

You might also consider that most anti-hotlink routines are expressed with negative conditions:

Referer IS NOT blank (this is for search engines)
Referer IS NOT my own site (specifying with/without www form to exclude forged referers)
Referer IS NOT {short list of sites that you've personally approved for hotlinking}

Tried that. The referrer from the link that I found comes back from the domain and it works fine. That block works. I can't find the link they are using that comes back as the IP address.

I do have a good script for blocking hotlinking. Only problem I have with it is it blocks all links including those legitimate ones.

The server itself is a fairly strong server running centos. We use it as a VOD site running the wowzamedia server. It' a storm server through liquidweb.

I can't find the link they are using that comes back as the IP address.

It's not likely it would be a link, in-my-opinion. The most likely place I think you would find it is in an <img> request -- [img requests send referrer headers in all modern browsers I've looked into ;)] -- Check your server logs to see if you visited a page with the image request on it and got blocked then let us know.

Log:

---.---.---.--- - - [20/Sep/2013:11:01:17 -0400] "GET /image-x/new_age/new_age%20(3).jpg HTTP/1.1" 302 226 "http://000.000.000.000/forum/viewtopic.php?f=44&t=4185&sid=401aa2c6814039e0b4f38907dfae3ba3" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

Looks like a direct request from their phpbbs script. the 000.000.000.000 is the culprit.

img requests send referrer headers in all modern browsers I've looked into

They'd darn well better, since that's what your ordinary hotlink protection is based on. You'll meet the rare isolated browser that doesn't send a referer, and ugh are they annoying.

looks like a direct request from their phpbbs script.

Yes, from someone posting the direct URL of your image in a forum like this one ;) Well, not exactly like this one, since we don't allow images. But why isn't this already blocked by your existing anti-hotlinking routine? The referer isn't blank, isn't your own site and-- I assume-- isn't on the short list of approved hotlinkers.

Do you really have a literal space in your filename? And equally literal parentheses? I sure hope you've got very good reasons for both.

What's the 302? I mean, duh, it's a temporary redirect, but what did they get redirected to, and why?

If you plug the IP into the link, you get to a php/bb Forums login page. Grr.