Forum Moderators: phranque

Best coding to block all traffic from a domain?

         

trader

6:04 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi, A member here told me how to block suspect high traffic from example.com domain a few mos ago using the htaccess code below. It worked for a while but somehow stopped working recently and high traffic is again coming from example.com.

Was wondering how that site somehow got around the blocking and also if the domain block code listed last would work, and if any modifications are needed to either one so I can again block example.com and also www.example.com. Also, why does one use followsymlinks but not the other? What does that line do anyway? Thanks.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?example.com.*$ [NC]
RewriteRule .(gif|jpg)$ - [F]

--------------

RewriteEngine on
Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} example\.com
RewriteCond %{HTTP_REFERER} www.example\.com
RewriteRule .* - [F]

jdMorgan

10:33 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Both code snippets rely on the HTTP_REFERER header, which the client may or may not send.

The second code snippet won't work, because it requires the referrer to be two different values simultaneously -- RewriteConds are logically ANDed in the absence of the optional [OR] flag.

A better way to code those RewriteConds would be the single line:

 RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.com

Options +FollowSymLinks is required, either in httpd.conf or in .htaccess, to enable mod_rewrite. If it makes no difference in your .htaccess testing, then it has already been set in httpd.conf.

Other than that, you can use either code snippet; the first blocks all referring domains except your own from requesting images, while the second blocks the specific unwanted referring domain completely. So, either will block the undesired domain referrers, but only if the client sends a referrer header. You'll need to look at your raw logs to determine if requests are succeeding because the referrer is blank.

Jim

trader

6:52 am on Apr 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The suspect site is running an unwanted cron job to send my site heavy worthless traffic. I believe it was originally done by the old domain owner to fraudulently pump-up traffic stats to get a higher domain sales price, what with about 5-times the real traffic numbers due to the cron job!

Emailed the German firm many times to turn-off the free cron job but my emails were mostly ignored. All of Feb and March my previously posted (first one) code successfully blocked it. But suddenly last week they seem to have somehow figured out how to get around it and the heavy traffic started once again.

Per Jim's suggestion earlier today I put this in my new htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.de
RewriteRule .(gif|jpg)$ - [F]

However, it's not working as the high traffic continues with ongoing visits to the site every minute or so since implementing Jim's new code. Is the above code valid? I assume for the domain name to show up in the stats hosts log it must be sending referring headers, right?

Any other suggestions what to do as this is getting very troubling and also causing an extra bandwidth load on my server?

jdMorgan

3:23 pm on Apr 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Are these requests showing an HTTP referer value in your raw log files?
If not, then you can't block those requests unless they come from a server (either the same IP address every time, or a small number of IP addresses or IP address ranges). In that case, block by REMOTE_ADDR, not HTTP_REFERER. If the requests are from a small number of addresses, you could ask your host to block them at the firewall.

What is your server's response -- 200-OK or 403-Forbidden?
The desired result is a 403-Forbidden. However, these requests will still appear in your raw access log file, and in your 'stats', unless they are from a host IP address blocked at the firewall.

You may need to add

 Options +FollowSymLinks 

ahead of the RewriteEngine on directive. This enables mod_rewrite. It is possible that your host has changed their default server configuration, removed this directive from httpd.conf, and therefore has disabled mod_rewrite on your site by doing so. Adding that directive to your .htaccess file would re-enable it, as long as the host allows it.

Jim
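The raw-log check asked for in the post above, as an added example that is not part of the original thread: it reads Apache "combined" format lines and reports which status the suspect-referred requests received and which addresses send requests with no referer at all. The function names, the `min_hits` threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$')

def triage(lines, suspect):
    """Count statuses of requests referred by `suspect`, and blank-referer hits per IP."""
    referred, blank = Counter(), Counter()
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue                      # not a combined-format line
        ref = m["referer"]
        if ref in ("", "-"):              # client sent no Referer header
            blank[m["ip"]] += 1
            continue
        # The header holds a full URL, so compare its host part, not the raw string.
        host = (urlsplit(ref).hostname or "").lower()
        if host == suspect or host.endswith("." + suspect):
            referred[m["status"]] += 1
    return referred, blank

def advise(referred, blank, min_hits=3):
    """Map the counts onto the options discussed in the thread (min_hits is arbitrary)."""
    notes = []
    if any(status != "403" for status in referred):
        notes.append("referer rule not taking effect: suspect-referred requests are not all getting 403")
    elif referred:
        notes.append("referer rule works: suspect-referred requests get 403")
    heavy = sorted(ip for ip, n in blank.items() if n >= min_hits)
    if heavy:
        notes.append("blank-referer traffic, block by REMOTE_ADDR: " + ", ".join(heavy))
    return notes

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [06/Apr/2006:06:50:01 +0000] "GET /logo.gif HTTP/1.1" 403 210 "http://www.example.com/page.html" "Mozilla/4.0"',
    '192.0.2.10 - - [06/Apr/2006:06:51:01 +0000] "GET / HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/4.0"',
    '198.51.100.7 - - [06/Apr/2006:06:52:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.10"',
    '198.51.100.7 - - [06/Apr/2006:06:53:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.10"',
    '198.51.100.7 - - [06/Apr/2006:06:54:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.10"',
    '203.0.113.5 - - [06/Apr/2006:06:55:01 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://mysite.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("\n".join(advise(*triage(SAMPLE, "example.com"))))
```

A 200 on a suspect-referred request means the rule is not matching or not being applied; repeated blank-referer hits from one address cannot be caught by any HTTP_REFERER condition.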

trader

3:09 am on Apr 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Problem solved. Thanks for asking about 403. It reminded me to look at it closer. I then realized the domain blocking was causing a 403 errorcode which in-turn forwarded the traffic back to the site since I had 403 errorcode running in addition to 400 401 404. The blocking now works since I removed errorcode403 from htaccess.

My Bad. Thanks Again jdMorgan.