block UA "Mozilla/4.0" ONLY?

Forum Moderators: phranque

Message Too Old, No Replies

block UA "Mozilla/4.0" ONLY?

EastTexas

5:58 pm on Jun 13, 2014 (gmt 0)

This should block UA "Mozilla/4.0" ONLY?
(There is nothing else after the Mozilla/4.0.)

# Mozilla/4.0 ONLY
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} Mozilla/4.0\)$
RewriteRule . . [F,L]

not2easy

6:52 pm on Jun 13, 2014 (gmt 0)

You could probably get the job done even with out the \) part but you would need to escape the "." character and the / to block it anywhere in the UA string. If the only UA you want to block is only seen as Mozilla/4.0) with the closing parenthesis character, then add back the \) at the end.

Something like:
RewriteCond %{HTTP_USER_AGENT} Mozilla\/4\.0
RewriteRule .* - [F]

lucy24

9:00 pm on Jun 13, 2014 (gmt 0)

This should block UA "Mozilla/4.0" ONLY?

No: it would block

Mozilla/4.0)
Mozilla/4a0)
like Mozilla/4a0)
blahblah blahblah (similar to Mozilla/4a0)

et cetera. Do you want a final ) or don't you? And, equally important, do you want quotation marks or don't you?

Incidentally, the [F] flag always implies [L]. The superfluous [L] won't do any harm, but it isn't needed.

RewriteCond %{HTTP_USER_AGENT} Mozilla\/4\.0

You don't need to escape forward-slashes in mod_rewrite. Slashes only need to be escaped if they have special meaning in your specific RegEx engine; this applies to a handful of Apache mods but not this one. The only special RegEx rule in mod_rewrite is that you have to escape literal spaces (and you can't use them line-finally, or the server will explode ;)).

Now, my personal opinion is that mod_rewrite is no place for pure UA blocks; it's a resource-intensive mod, so it's always the last resort. I put this kind of thing in mod_setenvif in conjunction with mod_authz-thingy, like "Deny from env=keep_out".

I once tried to work up some UA blocking based purely on the total length of the UA string, but there's always some ### exception.

aristotle

9:06 pm on Jun 13, 2014 (gmt 0)

Are you sure that doing this won't block some real human visitors to your site? I still see Mozilla/4.0 in my logs sometimes. Most appear to be cases of referral spam or unwanted bots, but I've noticed that some real people still use rather old browsers.

lucy24

1:01 am on Jun 14, 2014 (gmt 0)

I think the intended target was "Mozilla/4.0" and that's all, so not MSIE <= next week's version.

I've seen the occasional "Mozilla/4.0" (alone) as some type of archiver associated with legitimate human visits. If it isn't from an otherwise blocked IP, I leave it alone.

Now, bare "Mozilla" and nothing else means they're up to no good. Same goes for just about anything in quotation marks, which is what made this thread's title so confusing.

EastTexas

3:37 am on Jun 14, 2014 (gmt 0)

My pest is a china bot or hacker.

not2easy

3:55 am on Jun 14, 2014 (gmt 0)

If you have one pest, check to see if they are always on the same IP address. They can change the UA to any fake thing, but the IP is the IP and simpler to block.

EastTexas

12:25 am on Jun 19, 2014 (gmt 0)

I block'em by UA, IP & Domain ;)