Comments on: Blocking access based on referrer...?

Question: Blocking access based on referrer...?

poweredbybeard — Sun, 03 Sep 2006 12:16:44 -0800

Is it possible to restrict access to a web page (or whole site) based on the referrer?

I noticed that a site I manage (which includes a phpbb forum) has been getting traffic off of the google search "inurl posting.php?mode=newtopic". I'm pretty sure this is one of the ways spammers and/or spambots are finding the forum.

Specific to my problem, is there any way to restrict access to visits coming from that search? Through scripting? .htaccess? etc?

And out of general interest, is there a way to block access based on referrers?

By: Civil_Disobedient

Civil_Disobedient — Sun, 03 Sep 2006 12:35:46 -0800

.htaccess:

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} inurl posting\.\?mode\=newtopic [NC]
RewriteRule .* - [F]

That will block anyone trying to access the site from a URL with the string you mention above. I think.

By: Civil_Disobedient

Civil_Disobedient — Sun, 03 Sep 2006 12:37:05 -0800

Oh, remove the # sign if your website gives you "500 Service" errors.

By: poweredbybeard

poweredbybeard — Sun, 03 Sep 2006 12:39:59 -0800

Awesome, thanks - I'll try that out later.

By: reklaw

reklaw — Sun, 03 Sep 2006 12:41:37 -0800

Note that you should only ever exclude certain referrers, not make a certain referrer a condition of entry. So it's fine to block 'posting.php?mode=newtopic', for example, but don't set it so that everyone coming there has to have a referrer from 'www.yoursite.com/[whatever]', as that will block legitimate traffic that has decided not to send you a referrer for some reason.

By: winston

winston — Sun, 03 Sep 2006 13:12:56 -0800

Spambots don't give (accurate) referer information.

By: poweredbybeard

poweredbybeard — Sun, 03 Sep 2006 14:25:54 -0800

Winston - I kind of thought they might not, but I can't think of another reason for why anyone would search for that specific string. All it does is find you a bunch of phpbb boards, and I doubt if the one I admin is even in the first twenty results pages.

But mostly it just made me want to learn if this was possible, and if so, learn how.

By: Steven C. Den Beste

Steven C. Den Beste — Sun, 03 Sep 2006 18:10:54 -0800

Danger, Master Robinson: whenever you mess around with this, make damned sure to test it afterwards. Any mistake whatever will take your entire site down; .htaccess is extremely unforgiving, and the syntax is arcane.

Some syntax errors in the .htaccess file can result in every access to your site returning 503 errors, for instance.

By: poweredbybeard

poweredbybeard — Mon, 04 Sep 2006 12:19:24 -0800

Thanks, Steven. Duly noted. Still haven't had time to get my (virtual) hands dirty yet, but I'll certainly take care.

By: Civil_Disobedient

Civil_Disobedient — Mon, 04 Sep 2006 15:35:51 -0800

If you run into any problems, drop me an email.

By: owen

owen — Wed, 06 Sep 2006 08:28:12 -0800

Note that the referrer information can be easily spoofed, and shouldn't be relied on for real security. For example: RefSpoof.