# assume spammers doing recon will only perform GETs
SetEnvIfNoCase Request_Method "GET" spammer_recon

# assume spammers always use both empty Referer and U-A
SetEnvIfNoCase Referer ".+" !spammer_recon
SetEnvIfNoCase User-Agent ".+" !spammer_recon

# if the host/IP is any of these, they're spammers regardless
SetEnvIfNoCase Remote_Host "\.barak\-online\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.barak\.net\.il" spammer_recon
SetEnvIfNoCase Remote_Host "\.cable\.casema\.nl" spammer_recon
SetEnvIfNoCase Remote_Host "\.client\.bresnan\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.ctinets\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.dip\.t\-dialin\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.dsl\.ip\.tiscali\.nl" spammer_recon
SetEnvIfNoCase Remote_Host "\.easyspeedy\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.goo\.ne\.jp" spammer_recon
SetEnvIfNoCase Remote_Host "\.hostingprod\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.internetserviceteam\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.keymachine\.de" spammer_recon
SetEnvIfNoCase Remote_Host "\.knology\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.lorerweb\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.onlinehome\-server\.info" spammer_recon
SetEnvIfNoCase Remote_Host "\.pppoe\.mtu-net\.ru" spammer_recon
SetEnvIfNoCase Remote_Host "\.qwerty\.ru" spammer_recon
SetEnvIfNoCase Remote_Host "\.sputnikmedia\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.static\.theplanet\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.starnet\.md" spammer_recon
SetEnvIfNoCase Remote_Host "\.starnet\.ru" spammer_recon
SetEnvIfNoCase Remote_Host "\.svservers\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.dip\.t\-dialin\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.dip0\.t\-ipconnect\.de" spammer_recon
SetEnvIfNoCase Remote_Host "\-xbox\.dedi\.inhoster\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.keymachine\.de" spammer_recon
SetEnvIfNoCase Remote_Host "\.static\.reverse\.ltdomains\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.pccwglobal\.net" spammer_recon
SetEnvIfNoCase Remote_Host "garner\.funtaff\.com" spammer_recon
SetEnvIfNoCase Remote_Host "server\.rnd\.pl" spammer_recon
SetEnvIfNoCase Remote_Host "\.ap\.yournet\.ne\.jp" spammer_recon
SetEnvIfNoCase Remote_Host "\-rev\.cernel\.net" spammer_recon
SetEnvIfNoCase Remote_Addr "^210\.240\." spammer_recon
SetEnvIfNoCase Remote_Addr "216\.72\.28\.8" spammer_recon
SetEnvIfNoCase Remote_Addr "222\.240\.212\.29" spammer_recon
SetEnvIfNoCase Remote_Addr "220\.84\.58\.27" spammer_recon
SetEnvIfNoCase Remote_Addr "124\.53\.202\.111" spammer_recon
SetEnvIfNoCase Remote_Addr "121\.35\.254\.97" spammer_recon
SetEnvIfNoCase User-Agent "PlantyNet\_WebRobot.*" spammer_recon
SetEnvIfNoCase User-Agent "WordPress.*" spammer_recon
SetEnvIfNoCase User-Agent "topicblogs.*" spammer_recon

# not really spammer recon but a repeat spam POSTer
SetEnvIfNoCase Remote_Host "softbank[0-9]{12}\.bbtec\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.phx\.gbl" spammer_recon

<Directory document_root>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    deny from env=spammer_recon
</Directory>

-------- Original Message --------
Subject: Re: <directory> and deny directives
From: Joshua Slive <joshua@xxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Date: Friday, September 14, 2007 09:08:30 AM

On 9/14/07, Mark A. Craig <mark.a.craig@xxxxxxxxx> wrote:
> It would sure be nice if the code didn't pull a non-intuitive stunt like
> this, though! If the DNS lookup resolves to the specified *partial*
> hostname, it should act on it, not second-guess it with an rDNS like this.

Yes, it is non-intuitive. But on the other hand, it is much more common to use hostnames for Allow directives than for Deny directives (since the hostname is often under the control of the attacker). You MUST check the forward and reverse for Allow directives, or else they would be worthless. And then it could potentially cause even more confusion if the Allow and Deny directives matched differently.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
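
Added example (not part of the original thread, and not Apache's own code): a small Python model of the forward-and-reverse check Joshua describes, showing why an Allow rule is worthless without it and why a hostname Deny only catches clients whose reverse DNS is consistent. The DNS tables, addresses, domains and function names are all constructed for illustration.

```python
# Constructed DNS data: documentation address ranges and .example domains.
PTR = {
    "192.0.2.10": "dsl-10.isp.example",     # honest reverse record
    "198.51.100.7": "www.trusted.example",  # PTR set by whoever controls the IP
    # 203.0.113.5 deliberately has no PTR record
}
A = {
    "dsl-10.isp.example": {"192.0.2.10"},
    "www.trusted.example": {"192.0.2.200"},  # forward zone of the real owner
}


def confirmed_hostname(ip, ptr=PTR, a=A):
    """Reverse-resolve ip, then accept the name only if a forward
    lookup of that name returns the same ip (double-reverse lookup)."""
    name = ptr.get(ip)
    if name is None:
        return None
    return name if ip in a.get(name, set()) else None


def domain_matches(hostname, suffix):
    """Compare whole DNS labels, so 'isp.example' matches
    'x.isp.example' but not 'evilisp.example'."""
    hostname = hostname.lower().rstrip(".")
    suffix = suffix.lower().strip(".")
    return hostname == suffix or hostname.endswith("." + suffix)


def host_rule_matches(ip, suffix, ptr=PTR, a=A):
    """Model of a hostname Allow/Deny rule with forward confirmation."""
    name = confirmed_hostname(ip, ptr, a)
    return name is not None and domain_matches(name, suffix)


def naive_rule_matches(ip, suffix, ptr=PTR):
    """What the rule would do if it trusted the PTR record alone."""
    name = ptr.get(ip)
    return name is not None and domain_matches(name, suffix)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip,
              "isp.example:", host_rule_matches(ip, "isp.example"),
              "trusted.example (naive):", naive_rule_matches(ip, "trusted.example"),
              "trusted.example (confirmed):", host_rule_matches(ip, "trusted.example"))
```

The client at 203.0.113.5 never matches any hostname rule, which is why a Deny list keyed on hostnames should be backed by address-based rules for clients that matter.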