[Moin-user] Antispam solution using .htaccess rewrite

Gnarlodious lists.gnarlodious at gmail.com
Mon Nov 5 22:53:59 EST 2007

I've been hit hard with scripted spam lately. Today I put an end to
it, at least for now. This is probably a cat-and-mouse game, but
rather than block all Chinese IP addresses here is what I did.

Scripts enter the UserPreferences page without reporting a "referer"
URL. Here is an actual access_log line:

- - [05/Nov/2007:19:29:38 -0800] "GET /UserPreferences HTTP/1.1" 302 310 "-" "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE

The dash enclosed by quotes is the referer URL. Apache adds the hyphen
to have something there, but in real time the string is blank.

Adding this rewrite rule to .htaccess has redirected the scumbag
robots to a page that says your IP address is blocked:

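Options +FollowSymLinks
RewriteEngine On

# Referer header is empty (Apache logs this as "-")
RewriteCond %{HTTP_REFERER} ^$
# ...and the request is for the UserPreferences page
RewriteCond %{REQUEST_URI} UserPreferences
# Redirect to the "blocked" notice; the whole rule must be on one line
RewriteRule /UserPreferences http://etc.Gnarlodious.com/BlockedAddress.html [R,L]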

If you want to just send a blank page with a "Forbidden" header use
this final line instead:

RewriteRule .* - [F]

Note that you should not just copy and paste this text into an
htaccess file, because the file must be all UNIX characters. Non-UNIX
characters will cause servers to error.

Spammers can get around this obstacle by simply sending a non-zero
string for "referer".  Be aware that users who navigate to the
UserPreferences page from a bookmark will also be forbidden, since
bookmarks return no referer string. If they arrive from any moin page
they will be allowed.

This solution should satisfy those of us who will still be using the
older moin for a while. I have another more bulletproof solution but it
blocks all Chinese ISPs from the UserPreferences page, so this one is
preferable for now. Probably a better solution would be to block
address ranges and REQUEST_METHOD POST.

-- Gnarlie
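
Added example, not part of the original post: a log audit that replays the two RewriteCond tests above against Apache combined-format access_log lines, so the effect of the rule (including bookmark visitors with no referer) can be measured before it is deployed. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'(?:[^"\\]|\\.)*'  # quoted field; Apache escapes embedded quotes as \"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)' + QUOTED + r'" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"'
)

def would_block(line):
    """Return the parsed fields if both RewriteCond tests would match, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # An absent Referer header is logged as "-"; the rule tests it with ^$.
    empty_referer = m["referer"] in ("", "-")
    # %{REQUEST_URI} is the path without the query string; the pattern is unanchored.
    path = m["uri"].split("?", 1)[0]
    if empty_referer and "UserPreferences" in path:
        return m.groupdict()
    return None

def summarize(lines):
    """Count requests the rule would catch, per (client address, method)."""
    hits = Counter()
    for line in lines:
        fields = would_block(line)
        if fields:
            hits[(fields["host"], fields["method"])] += 1
    return hits

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2007:19:29:38 -0800] "GET /UserPreferences HTTP/1.1" 302 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [05/Nov/2007:19:29:40 -0800] "POST /UserPreferences HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [05/Nov/2007:19:31:02 -0800] "GET /UserPreferences HTTP/1.1" 200 4310 "http://wiki.example.org/FrontPage" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Nov/2007:19:31:30 -0800] "GET /FrontPage HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    # A visitor arriving from a bookmark sends no referer and is caught too.
    '203.0.113.5 - - [05/Nov/2007:19:40:00 -0800] "GET /UserPreferences?action=login HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (host, method), count in summarize(SAMPLE_LOG).most_common():
        print(f"{host} {method} {count}")
```

Clients that appear once with a GET are candidates for bookmark visitors; clients that repeat, or that POST with no referer, match the scripted pattern described in the post.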
