Site news: No referrer, no comment
by Volker Weber
If your personal firewall* blocks referrers, you can no longer post comments to the site. This is another effort to block malicious bots:
RewriteCond %{REQUEST_FILENAME} mt-cmmnt.cgi [NC]
RewriteCond %{HTTP_REFERER} !^http://vowe\.net.*$ [NC]
RewriteRule (.*) - [F,L]
Comment spam bots call cgi without going through the site. For now they are coming in with a blank referrer. Using mod_rewrite it is rather simple to divert them with a 403 return code before they hit cgi, thus avoiding any unnecessary load on the server.
Maybe I will add another rule for those smartass people that send a long string of ++++ instead of a referrer.
*) Technically you are not using a firewall but rather a local proxy server that takes requests from your browser, processes them and then relays the request to the site. Symantec calls the stripping of referrers Browser-Datenschutz in german. No idea how they call this in english.
Comments
Hi Volker,
there have been bits and pieces of defense information published on your blog. Do you have a summary? Kind of problem/solution table?
:-) stw
I guess, that would probably be read by spam bot authors pretty soon and would be a comprehensive compendium on which countermeasures to by-pass to even access a well-protected blog. In order to be one step ahead, this might not be such a good idea.
I published a summary of anti-spam measures here (in German):
http://vnude.typepad.com/itfrontal/2004/12/spamschutz_in_w.html
I'm using this rule since two weeks, no more spam so far - but hundreds of HTTP 403s in my log file.
Since you have to allow the comment script's URL as a referrer (because of comment previewing), it will be easy for spambots to fake a correct referrer - they just have to insert the script address. Guess it won't take too long until "smart" spambots will exploit that weakness.
I guess in English it´s call privacy protection. :-)
I can live without previews. Personally, I find them annoying. I proof read in the edit form and I an error slips through, well, that's life.
We could enforce the referer rule by using a regex like
!^http://vowe\.net/([0-9]+)\.html$
to ensure only requests made from entry archives are accepted.
And to check for either an entry archive or the comment cgi, we could use this (untested, but should work after some testing ;) )
RewriteCond %{REQUEST_FILENAME} mt-cmmnt.cgi [NC]
RewriteCond %{HTTP_REFERER} !^http://vowe\.net/([0-9]+)\.html$ [OR]
RewriteCond %{HTTP_REFERER} !^http://vowe\.net/cgi-bin/mt-cmmnt\.cgi$ [NC]
RewriteRule (.*) - [F,L]
If not this way, mod_rewrite also provides chaining, which also could solve the problem.
Post a comment
Recent comments
Karsten Lehmann
on Nice try at 01:17
Oswald Prucker
on Nice try at 00:54
Jim Boling
on Nice try at 23:24
Albert Dandl
on Nice try at 20:12
Karsten Lehmann
on Nice try at 19:18
Riza Baltazar
on Color coordination for web sites at 19:10
Sean Cull
on From my inbox at 19:00
Armin Roth
on Nice try at 18:02
Bart Severein
on From my inbox at 16:52
Hubert Stettner
on Why is Nokia such a complete failure? at 14:59
Ralf Stellmacher
on Overheard in New York at 12:47
Chris Frei
on Holy moly at 09:03
Ben Poole
on Why is Nokia such a complete failure? at 08:50
Dirk Steins
on Holy moly at 08:11
simon carter
on Why is Nokia such a complete failure? at 08:06
Ingo Seifert
on Holy moly at 05:50
Moritz Schroeder
on Why is Nokia such a complete failure? at 04:22
Mika Heinonen
on Why is Nokia such a complete failure? at 02:26
Andy Mell
on Holy moly at 00:54
Volker Weber
on Why is Nokia such a complete failure? at 00:23
Oswald Prucker
on Holy moly at 00:02
Yves Luther
on Why is Nokia such a complete failure? at 23:33
Volker Weber
on Why is Nokia such a complete failure? at 22:39
Hubert Stettner
on Why is Nokia such a complete failure? at 22:05
Roland Leißl
on Can't get it out of my head at 20:59
Click here to subscribe
