RewriteCond %{HTTP_REFERER} xdomainx
RewriteRule .* - [F]

Placed in your root .htaccess file after you replace "xdomainx" with the name of the domain you want to block. If there are multiple bad referers you could add them using a slightly different format. Before you paste that in, you should know that the referrer is easily spoofed and that "bad referrer" domain may not really have any links to your site.

that "bad referrer" domain may not really have any links to your site

Most of the time it doesn't matter, though, because it's just referer spam and you'd want to block 'em regardless. In fact there are not many situations where you need to block a bona fide human following a bona fide link from a real site. My htaccess would get a lot more complicated if I ever had a genuine link from someone in Russia :)

Thank both of you very much. I see 2 bad referrers , one from Russia, other one, I don't know where he/she is from.

I don't know where he/she is from

Do you mean it's a dot com? Those generally have to be blocked individually by name. The whole point of a referer-based lockout is that it doesn't matter where the offending visitor comes from, only who (putatively) sent them.

I've got one piece that looks like this

RewriteCond %{HTTP_REFERER} \.(ru|ua)(/|$) [NC]
RewriteCond %{HTTP_REFERER} !(google|yandex|mail)\.
RewriteRule (^|\.html|/)$ - [F]

I generally constrain my RewriteRules to specific types of request, so the server doesn't have to waste a lot of time evaluating conditions; it's extremely rare for robots to ask for non-page files-- especially when they've already been blocked from the page that calls the other files. (Hotlinks are a separate routine.) There's another rule with the bare condition

RewriteCond %{HTTP_REFERER} \.(su|us|mobi|biz)(/|$)

with no exceptions. (google.ua exists; google.biz doesn't.)

The other approach has things like

SetEnvIf Referer semalt keep_out

which works in conjunction with

Deny from env=keep_out

I try to avoid doing things with mod_rewrite unless there's really no practical alternative. Shooting flies with an elephant rifle, type of thing.

it's just referer spam and you'd want to block 'em regardless.

I don't pay any attention to referer spam any more. I once did, but it became too time consuming since it never ended and the domains kept changing anyway.. I don't click on those links and my stats aren't published.

I guess it depends on how they're sending the referer. I don't mean the request itself, I mean whatever operation is behind the spamming. If it's a "pure" robot that doesn't do anything but request a page, it may not matter whether they get through or not. But if it's a botnet working with infected browsers, letting them in may mean also giving up a whole package of supporting files. And they clutter up your analytics.

Well, I tried controlling the botnets for a while but gave up on that eventually also. They were basically of two types (as you said Lucy.)

1. The infected servers, which I would usually already be blocking. If not, this was a good way to find out more server companies/ranges to block. All was good there.

2. The infected ISP accounts (browsers.) I would manually grab all the IPs and temporarily block them, removing a week or two later on the presumption they were detected and fixed. Sometimes that worked and blocked the second wave of hits a few hours/days later, but more often it ended up being wasted effort.

Eventually I got tired and gave up caring either way. My attention went to figuring out how to go mobile. Coincidentally I haven't seen any botnets in quite a while.

Lucy, One is a dot org

thank you all for your help