Welcome to WebmasterWorld Guest from 23.22.140.143

Forum Moderators: Ocean10000 & incrediBILL

Message Too Old, No Replies

Is this a valid user agent? and how do I block it?

Is this a valid user agent? and how do I block it?

     
2:52 pm on Jan 7, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


Hey guys, is this a valid user agent?

Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.25 (jaunty) Firefox/3.8

Have been getting a lot of referral spam mainly from #*$! websites from the above user agent. If this is invalid, any help on how I can block this in htaccess? Thank you!
7:17 pm on Jan 7, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5808
votes: 64


The UA is common. Block by IP address.
10:41 pm on Jan 7, 2012 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3092
votes: 2


Jaunty is out of date now - I'm running 10.04 Lucid, which is also being slowly phased out.

I would be wary of the term Ubuntu/9.25. Ubuntu versions are either n.04 or n.10 - Jaunty is 9.04. A search for Ubuntu/9.25 does not produce many results and at least one of those says "forge your UA".

On Lucid I'm currently running firefox 9.1. Ubuntu seemed to be pushing 3.6 until a few months ago - I went straight from 3.6 to 7.something. Can't say I've heard of 3.8 for Ubuntu.
10:56 pm on Jan 7, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:6148
votes: 282


Sometimes we address the referer, too. Particularly with pron sites... there's aren't that many "words" to deal with. :)
7:48 pm on Jan 8, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


So would it be safe to block Ubuntu/9.25? Will something like this work:

RewriteCond %{HTTP_USER_AGENT} Ubuntu\ 9.25
9:26 pm on Jan 8, 2012 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3092
votes: 2


I would check previous logs and do a bit of research to be sure about blocking it.

As to the rewrite - can't help there, I'm afraid: I don't run htaccess.
10:36 pm on Jan 8, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

joined:Apr 9, 2011
posts:12708
votes: 244


So would it be safe to block Ubuntu/9.25? Will something like this work:

RewriteCond %{HTTP_USER_AGENT} Ubuntu\ 9.25


You've correctly escaped the literal space, but you also need to escape the literal period. Unless you're expecting visits from "Ubuntu 9425" or "Ubuntu 9a25" or even "Ubuntu 9 25" and want to block those too. Which, come to think of it, wouldn't do any harm. But an unescaped period can lead to unwanted consequences, so it's best to stay in the habit.

And then, ahem, you need a Rule to go with the Cond ;)
5:35 pm on Jan 9, 2012 (gmt 0)

Junior Member

5+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


I did check the previous months logs and nearly all traffic from this agent is spam. Successfully blocked this using the following:

RewriteCond %{HTTP_USER_AGENT} Ubuntu\/9\.25 [NC]
RewriteRule .* - [F,L]
6:44 pm on Jan 9, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5808
votes: 64


Just a FYI

RewriteRule .* - [F,L]


"F" means final and "L" means last, so in effect you are saying the same thing twice. Won't hurt, but a more succinct way of writing this would be:

RewriteRule .* - [F]
12:25 am on Jan 10, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

joined:Apr 9, 2011
posts:12708
votes: 244


[F] doesn't mean Final, it means Forbidden (think "Fail")-- like Deny from. It's one of a handful of flags that carries an implied [L]. But it's a good habit to include [L] with each separate RewriteRule unless you've got a specific reason to exclude it, so you never leave it out by accident.

In Apache you don't escape / slashes. You're thinking of javascript. Or was that a typo for the same escaped space as before?
2:04 am on Jan 10, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5808
votes: 64


[F] doesn't mean Final, it means Forbidden
Oh yeah, my bad. Since I only write regex that forbids something I guess I see it as final if there are no more rules. However, I never use both F and L and consider it redundant.

In Apache you don't escape / slashes. You're thinking of javascript. Or was that a typo for the same escaped space as before?

No need to escape forward URL slashes in JS either.
4:59 am on Jan 10, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

joined:Apr 9, 2011
posts:12708
votes: 244


:) Except in Regular Expressions, because the slashes are what demarcates them.