Welcome to WebmasterWorld Guest from 34.238.192.150

Forum Moderators: Ocean10000 & phranque

Message Too Old, No Replies

blocking a referrer

Nothing is working

     
6:18 pm on Dec 21, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 3, 2002
posts:2586
votes: 3


I am trying my best to block an annoying referrer. I've tried blocking the IP, the CIDR, and the domain using htaccess.

The referrer looks like this:

http://make-money-online.example.com/money.php?u=http://example.net


I have tried:

deny from IP
deny from CIDR

and

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} example\.com [NC]
RewriteRule .* - [F]


Any suggestions?

Thanks!

[edited by: phranque at 10:02 pm (utc) on Dec 21, 2014]
[edit reason] exemplified domains [/edit]

6:21 pm on Dec 21, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5507
votes: 5


SetEnvIf Referer money keep_out

BTW, there was a recent thread (even more than one) discussing the 'buttons' and 'semalt' refers.

The same solutions are applicable to the 'money' refer.
6:45 pm on Dec 21, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5507
votes: 5


in fact, the thread immediately below (Blocking visitors) this one offers your example and solution
8:16 pm on Dec 21, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


SetEnvIf Referer money keep_out

LOL. If your site involves anything other than, perhaps, banking services, this generic rule is pretty close to a One Size Fits All.
1:54 am on Dec 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 3, 2002
posts:2586
votes: 3


SetEnvIf Referer money keep_out

LOL. If your site involves anything other than, perhaps, banking services, this generic rule is pretty close to a One Size Fits All.


haha. yeah, I think it will work well. It's not a banking-services website (in fact, it's a science website), so this should work perfectly.

I appreciate the help with it.
4:54 am on Dec 22, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


Oh, oops, for the benefit of people coming along later and reading the thread and saying "Huh what?"

The mod_setenvif line
SetEnvIf Referer money keep_out 

has no effect by itself. It works in conjunction with the mod_authzthingamajig line
Deny from env=keep_out
11:28 pm on Dec 22, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 3, 2002
posts:2586
votes: 3



The mod_setenvif line
SetEnvIf Referer money keep_out
has no effect by itself. It works in conjunction with the mod_authzthingamajig line
Deny from env=keep_out


Lucy, do you mean that the "deny" line should follow immediately below the setenvif line, as in:

SetEnvIf Referer money keep_out
Deny from env=keep_out
1:25 am on Dec 23, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


The "Deny from..." line doesn't have to come immediately after, before, or in any other particular location relative to the SetEnvIf line. They're separate and unrelated modules. But you can be confident that mod_setenvif executes before mod_authzzzz and that's all that matters.

What you're doing is attaching an environmental variable to the request; in this discussion we're giving it the name "keep_out". (Apache docs sometimes use "bad_bot". Use any name you like.) And then later, when the request reaches the Allow/Deny phase, you say "Deny any request that includes such-and-such environmental variable".

In the course of this discussion I re-checked the docs. For your basic Allow or Deny directives you can't say anything about the particular value of the environmental variable. You can only check whether it exists or doesn't exist.