Hi:

Block the IP, not the UA....

Well i was wondering about the ua since i am getting a lot of different suspicious ips that seem to return asia pacific or lan.sify info. they all seem to have the same ua though. i was trying to think ahead of them since there are different ips coming in. but i found a 5.5 with a different ending than win 98 so i think i will just do the ips as you suggest as they come in or wait for them to trap themselves.

thank you

Andrue
Here's a couple a threads that may help.
It is urgent that you keep in mind that the Oceanic countries (Australia and New Zealand fall under these APNIC ranges as well.

[webmasterworld.com...]

[webmasterworld.com...]

Don

Yes, i just realized this was an australian possibility. I had previously thought it was singapore perhaps. i took the ua out and left the IPs banned. shortly after that there was the same UA but looked like a regular user.

i started blocking the UA after the checks on the IPs and then a followup with whois and a check on the IPs in the block list at spamcop.net. the IPs that my redirect blocked showed similar to some other spam IPs.

I will go check your links for info, thank you.

Andrue:

I had another, rather fun idea! If you have root access to httpd.conf, and mod rewrite, you could make up a conditional so that:

if the UA was 5.5 and the IP was a broad range of APNIC IP's, THEN it would block! That would be fun!

dave

well that sounds a bit beyond my current level however i was wondering if there was a way to do a ¦¦ or && style of if statement in the htaccess for rewrite....

i guess i can probably figure that out on my own since i know i can use [OR] and perhaps figure a way with just that to accomplish a statement that includes a set of 5.5 and apnic... i think i will just pay more attention to them and see if i can isolate anything that may be spam vs non spam.

i recently set this new domain up and have only been getting a few spam messages, and nothing since i started trapping and encoding the email tags.. however, my old site gets tons of spam. i was hoping to limit it with the new setup.

I got to thinking about this- I thought I did something like it.... this is in my httpd.conf:

RewriteCond %{HTTP_REFERER} ^-?$ [NC]
RewriteCond %{HTTP_USER_AGENT} ^-?$ [NC]
RewriteRule .* - [F,L]

Which says if the UA and referer is blank to forbid. I am not siue what the env. variable name for the IP address of the requester is (if someone knows, pleas chime in!) but you could easily add:

RewriteCond %{ENV_VAR_FOR_IP} IP-BLOCK
RewriteCond %{HTTP_USER_AGENT} MSIE 5.5 [NC]
RewriteRule .* - [F,L]

and that would do it....

dave

that env. variable name is REMOTE_ADDR

Hey Dave,

Note that with [F], [L] is redundant, as it is with [G].

Andrue,
You can combine the and/or functions, making a list of IP adresses and IP address ranges to be blocked if the UA contains MSIE 5.5;
For this code to function properly, it is critical that the last IP address not be followed by an [OR] flag.

RewriteCond %{REMOTE_ADDR} ^213\.137\.109\.74$ [OR]
RewriteCond %{REMOTE_ADDR} ^213\.181\.64\. [OR]
RewriteCond %{REMOTE_ADDR} ^213\.252\.152\.12$ [OR]
... more ...
RewriteCond %{REMOTE_ADDR} ^212\.123\.45\. [OR]
RewriteCond %{REMOTE_ADDR} ^211\.154\.211\. [OR]
RewriteCond %{REMOTE_ADDR} ^202\.95\.23\.
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.0\ \(compatible\;\ MSIE\ 5\.5\;
RewriteRule .* - [F]

Also, I believe that wilderness' warning about Australia/Oceana was to say, "Make sure you're not blocking our friends down under by blocking too large a segment of the Asia/Pacific IP range." Some countries in that range do a much better job of controlling illicit internet activities, and shouldn't be blocked en masse.

Jim
<edit>modified placement of "... more ..." to clarify carfac's point below.</edit>

[edited by: jdMorgan at 3:52 am (utc) on April 2, 2003]

Jim:

>>Note that with [F], [L] is redundant, as it is with [G].

Oh well.... better safe than sorry. What is [G]? Gone?

Andrue:

Note: you can string together a lot of [OR]'s (and as Jim notes, do NOT [OR] the last one. But if you do not [OR] the SECONDS to the last (as in Jims example), it Or's all of the above and ANDS the last!

So, for a normal list of blocks (for UA or IP), they are typically all [OR]'d. If you wanted to specifically block JUST MSIE 5.5 from a large IP block, as I think you do, that would be a second ANDED block (if IP=XXX AND UA = MSIE 5.5)...

Thouroughly confused?

dave

Yes, [G] is 410-Gone.

The example I posted will block all listed IP addresses, but only if they use the MSIE 5.5 UA, as Andrue desires.

The boolean operator precedence is ( (badIP or badIP or badIP ... or badIP) and (UA=MSIE 5.5) ),
So it blocks any of those IP addresses which are also using the MSIE 5.5 UA.

Jim

Not confused, thank you. I understood that the last one didnt need the [OR] but didnt know if you put a bunch there that it would act like an "and". I am a C programmer mainly but am learning cgi. the more advanced htaccess stuff is new to me other then denying and setting the 404 page info.