Jul 172009
 

Last updated on November 21st, 2015

Introduction to the Problem and .htaccess Usage

Space.com - Levitra_Without_Prescrip's Page

Space.com - Levitra Without Prescrip's Page

I’ve had a few weird hits over time from “normal” websites containing “abnormal” content.  Take today, for instance….

According to my Wassup log and the stats that appear on the main screen widget, I got reffered by:

https://www.space.com/common/community/profile.php?u=1078916

Erectile DysfunctionClick this if you will.  It’s an ad for male erectile dysfunction enhancer pills – levitra.

What perked my interest was the space.com domain.  It’s space and astronomy stuff.

What is happening is that users (the spammer) register with space.com, and the user profile produced is actually the selling area for the knob pills.

Of extra interest is the full Wassup record of the event:

94.102.49.66 2009-07-17 14:34:50

/127/wordpress-internal-post-to-page-links-dont-work-properly/
Referrer: https://www.space.com/common/community/profile.php?u=1078916
Hostname: serv1.extremedhost.org
  • 94.102.49.66 is in Amsterdam
  • extremedhost.org is protected by “Protected Domain Services” of Colorado, USA.

Solution

wall of spam

wall of spam

Well I’m a bit fed up of these pains, so I thought .htaccess might be the way.  I’ve blocked IP addresses individually before and used the file for a host (pun intended) of things.  Now I’ve found a wildcard way of blocking such cracked profiles on public websites.

In a nutshell, I’ve blocked referrers coming from any web-page with ‘profile’ in it’s URL!  This seems a reasonable thing to do and won’t block too many valid visits.  This is the code:

# Spam Protection http://blog.taragana.com/index.php/archive/simple-htaccess-rules-to-block-spammers/
# and https://www.webmasterworld.com/apache/3048850.htm
#'profile' is because some sites are pinging from hacked profile accounts!!
SetEnvIfNoCase Referer profile spammer=yes
deny from env=spammer
# block all referrers that have spammer set:USE THIS IF ABOVE NOT WORK
#<FilesMatch "(.*)">
#Order Allow,Deny
#Allow from all
#Deny from env=spammer
#</FilesMatch>

The second remmed out (or commented) part (# is the line remark in .htaccess)is in case the first bit doesn’t ‘take’. From info on the web, some of this stuff doesn’t always work as intended and I assume the second bit is a belt-and-braces approach. Links to the sources I usually include in my .htaccess so that I know where I got it from! I’ve hyper-linked them here, but if you use it, ensure that the URL html tags don’t get copied into your .htaccess as well…

I could expand it to block sites with ‘viagra’ in their name, say, but this isn’t necessary – other things do that.  To me, this seems a reasonable way to hook down onto a key method that this spammer is using.  It just means that any system that uses a folder name of ‘profile’ won’t be able to click to me from that path.

Absolute Zoo

My creations

Hacked Account Zoo

To see the extent that space.com has been hacked into, just copy the spammer’s link and change the end of the query string to a different profile number….    Assuming profiles are added in numerical order (and why wouldn’t they be?), I had to go back to ~1076000 to find a “standard” user profile that wasn’t hacked for dodgy knob drugs!

That’s THOUSANDS!

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

© 1977, Strangely Perfect.