blocked their IP for now

So in case they come back for more horses, the barn is securely locked up?

This person also has a US IP (have not denied this one yet).

How do you know their IP, and why haven't you blocked it? And, wait, are you talking about the IP they crawl from-- which could easily be some unrelated person's home ISP-- or the IP their site is hosted at?

There are ways to keep your content out of other people's iframes. Forums search for "framebuster" should bring up a few dozen variations.

If the offender has actually copied and serves your content from their site you might also try DMCA (infringement cease and desist) or appropriate for that country at both the search engine and host levels. You can extend the same to FB (which might respond) and twitter (likely nothing will happen), and google+ (which might be another way to get to google's serps as well. Make a stink, wherever you can, but do so with respect and professionalism... you'll get better results.

As lucy24 asked, if this is content in a frame on their site, blow it up (metaphorically) by inserting a framebuster of some kind.

Wouldn't framebusting negatively impact google showing my product images?

I'm researching framebusting but so far research results stress that using that will stop google from accessing my images.

I need all the help I can get for my little eCommerce site and my images showing up a lot in Google search with links to my website really help.

Huh? Break the offender. YOUR site is still indexed by the serps. Just make sure the OTHER guy(s) are not getting your stuff. At this point you don't worry about SEO you worry about THEFT.

Nothing I've done seems to be working.

At bottom of htaccess I have in this order (I've left the # codes out but they do work)

RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !mysite\.com$
RewriteRule ^ - [F]

# index.html hidden on home page url
# non www always to www

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 164.138.21.137
deny from 209.239.122.132
deny from 5.144.128.190
.............

I've inserted this into one of my category pages the bad website is using:

<script> <!--
if (parent.frames.length > 0) top.location.replace(http://www.mysite.com); // Escape from frame, but retain one-click "Back". -->
</script>
.............

40 urls on offensive site are still exact duplicates of mine. I thought they would show up blank on the offensive site?

I REPLACED
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !mysite\.com$
RewriteRule ^ - [F]

with this and it seems to work:
# deal with bad site
RewriteCond %{HTTP_REFERER} badsite\.ir [NC]
RewriteRule .* - [F]

Do I still keep this?
<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 164.138.21.137
deny from 209.239.122.132
deny from 5.144.128.190
...........................................................

Should I still put this in all my website pages?
<script> <!--
if (parent.frames.length > 0) top.location.replace(http://www.mysite.com); // Escape from frame, but retain one-click "Back". -->
</script>
.............

Do I still keep this?
<Files 403.shtml>

Yes, yes, yes. Every module that issues 403s must also have an exemption for the 403 page. This one's the exemption for mod_authwhatever. If you do not have this <Files> envelope in place, every 403'd request will result in a series of internal errors as the server tries and fails to serve up the 403 page. The visitor will eventually get the 403 response-- but only after your server has tried 30 or so times to access the error document.

Thank you, Lucy.

Would it be good to have this at bottom of my website pages? I really had a hard time with this whole thing and I don't know if I still need to do more or if I've done too much. Any explanations would be appreciated.

<script> <!--
if (parent.frames.length > 0) top.location.replace(http://www.mysite.com); // Escape from frame, but retain one-click "Back". -->
</script>

Well, this is the Apache subforum. You may or may not get someone drifting by who's good at javascript, so you might want to double-check next door in the javascript subforum to get an informed opinion.

If you're looking at adding the same content to every page, then there are several alternatives to pasting-in the identical html every time. But that part depends on how many pages you've got.

Might look at server side includes to insert the js ... but do know that anyone surfing (or spidering) is javascript OFF will not be affected by that code.

I had this a few years ago, posts from my forum were appearing on a forum from somewhere in the middle east, as soon as I turned off RSS Feed they stopped.

I had this a few years ago, posts from my forum were appearing on a forum from somewhere in the middle east, as soon as I turned off RSS Feed they stopped.

I did notice my feed in their source code so I'll check into this.

Will definitely put in "include". Still reading on what else can be done for those who turn off js.

I have below at bottom of my htaccess file. Just to be sure, is below in correct order or should my "# deal with bad site" code be directly above <Files 403.shtml>?

# deal with bad site
RewriteCond %{HTTP_REFERER} badsite\.ir [NC]
RewriteRule .* - [F]

# index.html hidden on home page url
# non www always to www

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 164.138.21.137
deny from 209.239.122.132
deny from 5.144.128.190
...........................................
Thanks for the help!

It doesn't matter where in the htaccess a <Files> envelope is located. The server evaluates <Files> and <FilesMatch> after the parts that aren't inside envelopes. (If more than one envelope can apply to the same request, they will be evaluated in top-to-bottom order, but this is rarely important.) So put them all where it's most convenient or intuitive for you, the human reader. I group mine at the top where they are easy for me to find.

Incidentally, the "403.shtml" implies that you're already using SSIs. Do all your filenames already end in .shtml, and/or do you already parse html files for includes? If so, it will be a simple matter to add the script to your existing includes. Someone in the javascript forum will be able to tell you whether it matters where on the page the framebuster script is located; I kinda think that in this specific case it makes no difference.

<aside>
Be sure to check your specific IPs periodically. When you're blocking an exact address down to the last digit, like 164.138.21.137 , it generally means an infected browser. Eventually it will get cleaned up, or the user will change addresses, so there's no point in prolonging the lockout.
</aside>

Yes - I'll tickle those ip's for 1 month or so and then probably delete if it looks safe. I had read about that but forgot so glad you mentioned that.

SSI's - Yes, I use them for quite a bit of my site and will add the script to my footer include which is where I keep the rest of my <scripts>. I read one of jdMorgan's responses (Msg#:1480982) to a post where he mentions putting this particular script at bottom worked better but not sure that applies in my case. I'll be checking into that some more...

I use html and php. I have a custom 404 but not 403 yet. I was thinking of leaving the 403 as is because it looks more ominous but that might just be my own warped way of thinking.

because it looks more ominous

Haha. I take the opposite approach. I figure nobody will actually look at the 403 page except humans, so write it for them. Yes, humans can get locked out, for a variety of reasons. For many years I-- as a human user-- thought of 403 as "no directory" vs. 404 "no page", since that's the most common way for a human to get barred: navigating up an URLpath and requesting a directory that doesn't happen to have an index file.

Yes, the human-friendly 403 page does provide the hypothetical robot with the names of a few more files-- but that's no skin off my nose, since they won't be allowed to see those files, and their names alone convey no information. (In the way that, for example, the mere existence of a file whose URL includes /wp/ or /admin/ would tell the botrunner which supplementary scripts to fire off.)