Http Referrer Spam

Discussion in 'General Discussion' started by bigjohntoday, Sep 28, 2005.

  1. bigjohntoday

    OK, I have researched this quite a bit and it has really been annoying me. I assume everyone knows what HTTP REFERRER SPAM is; my question is: what is the easiest way to stop HTTP REFERRER SPAM, since it is affecting each and every client on the server? It has really become annoying, and if anyone could help that would be great.

    Thank You in advance

    John
     
  2. webignition

    If you're talking about people forging HTTP headers, such as the URL of the referrer, then there is, as far as I know, absolutely nothing you can do about this - HTTP data has to be sent in plain text to the HTTP server and as such you can't stop people sending whatever they feel.

    In what way is this causing problems for you?
     
  3. bigjohntoday

    Basically it is filling up the log files with referrer spam, which has now moved on to the next step of comment spam.

    This is quite out of hand and there are many "fixes" for it, but I don't want to have a "fix"; I truly want to stop this referrer SPAM. Anyone have any ideas?
     
  4. elitewebninja

    I had this same thing happen to one of my customers and it was WAAAY out of control. There are a few things you can do... may not be the BEST things, but it worked for me last week.

    Do the referrers have a common domain or common tld? Mine were all something.to .at .bz and several others. If you have mod_security installed, you can do a good block with a filter list in a .htaccess file. Here is what I used:

    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterSelective "HTTP_REFERER" "\.at" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.bz" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.cc" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.de" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.gs" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.hm" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.it" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.net" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.nl" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.org" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.to" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "\.ua" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "a\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "b\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "c\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "d\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "e\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "f\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "g\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "h\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "i\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "j\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "k\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "l\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "m\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "n\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "p\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "q\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "r\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "s\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "t\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "u\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "v\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "w\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "x\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "y\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "z\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "1\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "2\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "3\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "4\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "5\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "6\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "7\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "8\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "9\.com" "deny,,status:500"
    SecFilterSelective "HTTP_REFERER" "0\.com" "deny,,status:500"

    Notice I left out:
    SecFilterSelective "HTTP_REFERER" "o\.com" "deny,,status:500"
    I left this out because the domain I host ends in o.com. Don't want to block the domain I host from seeing his blog or normal viewers.

    Unless the site is hit by a domain ending in o.com or a domain tld that's not listed, then they will get a 500 internal server error.

    Another thing I noticed was that 99.9% of the spam hits were from the RIPE network (China and places like that), so I just added the limit command to the .htaccess file to block most of them and put it in the blog directory:
    <Limit GET POST>
    order allow,deny
    deny from 60.
    deny from 61.
    deny from 62.
    deny from 80.
    deny from 81.
    deny from 82.
    deny from 83.
    deny from 84.
    deny from 85.
    deny from 86.
    deny from 87.
    deny from 88.
    deny from 133.
    deny from 139.
    deny from 140.
    deny from 141.
    deny from 151.
    deny from 155.
    deny from 193.
    deny from 194.
    deny from 195.
    deny from 200.
    deny from 201.
    deny from 202.
    deny from 210.
    deny from 212.
    deny from 213.
    deny from 216.
    deny from 217.
    deny from 218.
    deny from 219.
    deny from 220.
    deny from 221.
    deny from 222.
    allow from all
    </Limit>

    Keep in mind, this blocks EVERYONE in those IP ranges from even viewing the blog. Sucks, but my customer was being attacked pretty hard (like 2 to 4 requests a second) and I had to get radical. I know it's hard on Apache, but his blog isn't very large and doesn't get a lot of normal traffic so it wasn't too bad.

    I backed off on the IP blocks after the hits went down.

    As far as you not wanting a fix... but a solution to end it... I think if I included everyone that wanted that, I could include: you.... and oh... the rest of the internet.

    Hope this helps.

    Scott
     
    #4 elitewebninja, Oct 20, 2005
    Last edited: Oct 20, 2005
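
Added example (not part of elitewebninja's post and not mod_security code): a Python sketch that answers "do the referrers have a common TLD?" from an Apache combined-format access log, and lists referrers that a pattern such as "\.at" would deny although the referring host does not end in ".at". The log lines, hostnames and function names are constructed for illustration, and it assumes the filter pattern is applied as an unanchored regular-expression search over the whole Referer value.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not taken from the thread).
SAMPLE_LOG = '''\
203.0.113.7 - - [20/Oct/2005:10:00:01 -0400] "GET /blog/ HTTP/1.1" 200 5120 "http://cheap-pills.example.to/" "Mozilla/4.0"
203.0.113.7 - - [20/Oct/2005:10:00:02 -0400] "GET /blog/ HTTP/1.1" 200 5120 "http://poker.example.to/win" "Mozilla/4.0"
198.51.100.9 - - [20/Oct/2005:10:00:03 -0400] "GET /blog/ HTTP/1.1" 200 5120 "http://casino.example.bz/" "Mozilla/4.0"
192.0.2.44 - - [20/Oct/2005:10:00:04 -0400] "GET /blog/post HTTP/1.1" 200 812 "http://www.atlanta-news.example.com/links" "Mozilla/5.0"
192.0.2.45 - - [20/Oct/2005:10:00:05 -0400] "GET /blog/post HTTP/1.1" 200 812 "-" "Mozilla/5.0"
'''

# client, ident, user, [time], "request", status, bytes, "referer", "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def referrers(log_text):
    """Return the Referer value of every log line that carries one."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) not in ("", "-"):
            found.append(m.group(2))
    return found

def host_of(url):
    """Lower-cased host part of a referrer URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()

def tld_counts(log_text):
    """Tally referrers by the last label of the host, to spot a common TLD."""
    return Counter(host_of(u).rsplit(".", 1)[-1] for u in referrers(log_text))

def overblocked(pattern, suffix, log_text):
    """Referrers the unanchored pattern hits although the host does not end in suffix."""
    rx = re.compile(pattern)
    return [u for u in referrers(log_text)
            if rx.search(u) and not host_of(u).endswith(suffix)]

if __name__ == "__main__":
    print(tld_counts(SAMPLE_LOG).most_common())
    print(overblocked(r"\.at", ".at", SAMPLE_LOG))
```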