How To Block SITE.RU Referrers (Block Referrer Spam)

(This is my first post in a long time, and first post ever using Gutenberg. It doesn’t suck as hard as I thought!)

Recently I’ve been noticing the referrer “site.ru” showing up in the server logs more and more. At first I thought it was just simple referral spam, but since (as of now at least) the website site.ru is down, that didn’t make sense. So I took a closer look, and it looks more like this is a generic bot or script searching for vulnerabilities in PHP files, vulnerable WordPress plugins, etc. A quick sampling of the IP addresses associated with these “site.ru bots” shows that they virtually all come from server farms – so, it was time to block them all.

How To Block site.ru Bots

Because I’m running a server with hundreds of sites, using .HTACCESS to block it would be a pain, so instead I used Mod_Security, which protects all sites on the entire server.

I already had a rule created to block referrer spam, based on a REGEX list of referrers that looked like this:

SecRule REQUEST_HEADERS:REFERER "(?i:(bad-referral|badreferrer2\.com|badreferrer3\.org))" "phase:1,severity:'3',msg:'Spammy referrer',id:240071"

To make this ModSecurity rule work for this new referrer string, all I would have to do is add "|site.ru" to the list of referrers in the rule. But since I assumed that this list would grow, I decided to modify the rule to read the list from a file instead. Mod_Security can parse and read a large list from a file 100 times faster than a REGEX list, so I changed the rule a bit so that it reads the list of referrer strings from a file:

SecRule REQUEST_HEADERS:REFERER "@pmFromFile /modsec/referrer-list.conf" "t:lowercase,t:compressWhiteSpace,t:replaceNulls,t:urlDecode,rev:2,phase:1,log,severity:'3',msg:'**Spam Referrer',id:240071"

I then created the file referrer-list.conf in the /modsec directory and added site.ru to the file (one string on each line). I also imported a list of 1500 or so known “bad referrers” I found on the interwebz and added them to the list.

This rule now blocks any request whose referrer contains any of the strings listed in the referrer-list.conf file and returns an HTTP 406 error to the offending bot. I also have CSF configured so that after a specific IP gets these errors more than a few times, that IP gets blocked at the firewall. A few more hits from the same IP subnet, and that entire subnet also gets blocked. So, no more site.ru spam!

Any time I create a new rule to block anything with Mod_Security, I review everything it blocks for a few days to make sure I’m not accidentally blocking any legit visitors. After reviewing the logs from this new rule for a few days, I’ve found zero false positives – 99% of the IP addresses of the site.ru ‘bots’ belonged to server farms and 100% were attempting to access .PHP files, most in /WP-CONTENT. But I also noticed that out of the over 1,000 “bad” referrers in the list I downloaded, the only other bad referrer I’ve seen come around and get blocked was “uptime.com”. So after a couple of days, this rule has blocked about 500 site.ru bots and about 200 uptime.com bots.
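To see what the rule above actually does to a referrer before the list is consulted, here is an offline model of it written for this post. It is an added example, not the post's own configuration and not ModSecurity's or CSF's implementation: it re-creates in plain Python the rule's transformation chain (t:lowercase, t:compressWhiteSpace, t:replaceNulls, t:urlDecode), the substring semantics of matching a phrase list, and a per-IP hit threshold like the one CSF applies, so the behaviour can be checked against log lines without a web server. The referrer list, the access-log lines and the threshold value are constructed for the example.

```python
"""Offline model of the @pmFromFile referrer rule plus the CSF follow-up block.

Added example; not the post's own configuration and not ModSecurity's or
CSF's code. The phrase list, log lines and threshold below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed stand-in for the contents of /modsec/referrer-list.conf:
# one phrase per line; blank lines and '#' comments are skipped.
REFERRER_LIST = """
# known bad referrers (constructed sample)
site.ru
uptime.com
"""

# Constructed combined-format access log lines (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Aug/2018:10:00:01 +0000] "GET /wp-content/plugins/example/test.php HTTP/1.1" 406 0 "http://site.ru/" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Aug/2018:10:00:02 +0000] "GET /wp-content/uploads/test.php HTTP/1.1" 406 0 "http://SITE.RU/" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Aug/2018:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 406 0 "http://site%2Eru/" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Aug/2018:10:01:00 +0000] "GET /index.php HTTP/1.1" 406 0 "http://uptime.com/" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Aug/2018:10:02:00 +0000] "GET /blog/ HTTP/1.1" 406 0 "https://mysite.ru/post" "Mozilla/5.0"',
    '192.0.2.99 - - [01/Aug/2018:10:03:00 +0000] "GET / HTTP/1.1" 200 5120 "https://www.example.org/" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def load_phrases(text):
    """Read the phrase file the way the rule expects: one entry per line."""
    phrases = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line.lower())  # the input is lowercased by t:lowercase
    return phrases


def transform(referer):
    """Apply the rule's t: chain in the order it is written."""
    s = referer.lower()              # t:lowercase
    s = re.sub(r"\s+", " ", s)       # t:compressWhiteSpace
    s = s.replace("\x00", " ")       # t:replaceNulls
    s = unquote(s)                   # t:urlDecode (so SITE%2Eru -> site.ru)
    return s


def matched_phrase(referer, phrases):
    """Phrase-list semantics: the first phrase found anywhere in the
    transformed referer wins. This is a substring match, so 'site.ru'
    also hits 'mysite.ru' (a possible false positive to review)."""
    s = transform(referer)
    for phrase in phrases:
        if phrase in s:
            return phrase
    return None


def scan(log_lines, phrases):
    """Return one hit per log line whose referer matches a phrase."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        phrase = matched_phrase(m["referer"], phrases)
        if phrase:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "referer": m["referer"], "phrase": phrase})
    return hits


def ips_over_threshold(hits, threshold):
    """Model the CSF step: source IPs with at least `threshold` blocked
    requests become candidates for a firewall block."""
    counts = Counter(h["ip"] for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    phrases = load_phrases(REFERRER_LIST)
    hits = scan(SAMPLE_LOG, phrases)
    for h in hits:
        print(f'{h["ip"]:15} {h["phrase"]:12} {h["referer"]}  {h["path"]}')
    print("firewall candidates:", ips_over_threshold(hits, threshold=3))
```

Running it shows why the transformation order matters (the percent-encoded SITE%2Eru only matches because urlDecode runs after lowercase) and why the "any portion of the string" behaviour deserves the review period described above: the constructed mysite.ru referrer is caught by the site.ru entry, which is exactly the kind of false positive to look for in the first few days of logs.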

How To Block a Referrer With .HTACCESS

To block site.ru or uptime.com (or any naughty referrer string) you could put something like this in .HTACCESS to accomplish the same thing:

RewriteEngine On
RewriteCond %{HTTP_REFERER} site\.ru [NC,OR]
RewriteCond %{HTTP_REFERER} uptime\.com [NC]
RewriteRule .* - [F]

Obviously, adding a condition for every referrer, across more than just one website, would be a pain, which is a great reason to use Mod_Security. Even better, use Mod_Security and integrate it with the CSF firewall.
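If you are stuck with .HTACCESS anyway, the chain of conditions can at least be generated from the same list file rather than typed by hand. The following is an added example written for this post, not the post's own code: it takes a phrase list, emits one RewriteCond per entry with the entry regex-escaped and the conditions joined with [NC,OR] so that any one of them forbids the request, and then checks the generated patterns with Python's re module. The phrase list is a constructed sample.

```python
"""Render the .htaccess equivalent of the pmFromFile rule for many referrers.

Added example; not the post's own code. PHRASES is a constructed sample.
"""
import re

PHRASES = ["site.ru", "uptime.com"]  # constructed sample list


def htaccess_block(phrases):
    """Build the rewrite block; every condition but the last carries OR."""
    lines = ["RewriteEngine On"]
    last = len(phrases) - 1
    for i, phrase in enumerate(phrases):
        flags = "[NC,OR]" if i < last else "[NC]"
        # re.escape turns '.' into '\.' so 'site.ru' no longer matches 'sitexru'
        lines.append(f"RewriteCond %{{HTTP_REFERER}} {re.escape(phrase)} {flags}")
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)


def referer_is_blocked(referer, phrases):
    """Evaluate what the generated conditions express: an unanchored,
    case-insensitive match of any escaped phrase forbids the request."""
    return any(re.search(re.escape(p), referer, re.IGNORECASE) for p in phrases)


if __name__ == "__main__":
    print(htaccess_block(PHRASES))
    for ref in ("http://SITE.RU/", "http://sitexru/", "https://www.example.org/"):
        print(ref, "->", "403" if referer_is_blocked(ref, PHRASES) else "allowed")
```

Two differences from the Mod_Security setup are worth keeping in mind: the [F] flag answers with a 403 rather than the 406 the server-wide rule returns, and, because the patterns are unanchored, a referrer such as mysite.ru is still caught by the site.ru entry, the same substring caveat as with the phrase file.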

Banned By PayPal TWICE!

This post is a follow-up by a reader based on their experience with PayPal:

PayPal again permanently re-limited our account and froze our funds on the SAME false grounds, two and a half years after our previous incident when the executive had assured me it would never happen again. And you all thought they were going to do the right thing, didn’t you? LOL.

On June 26th, 2018, I was notified by email that an automated system of PayPal had permanently limited my PayPal account without the chance to appeal, without providing any reason why. I called and spoke to several supervisors over the course of three weeks who strongly suggested this was a technical error that had recently been affecting many innocent accounts whose owners had also been calling. The supervisors also viewed my account’s transaction history, YouTube channel, and website, and saw no wrongdoing or any violations of the Acceptable User Policy present. One PayPal CSR even recognized our logo on our account because her son was a fan of our channel and had just watched one of our videos earlier in the day with her.

The supervisors at PayPal’s call center in Nebraska, who don’t have the authority to overturn the limitation themselves, left detailed notes to the brand risk management department stating their findings that this was strongly believed to be a machine-made error, and requested the internal team to review and reinstate my account at their earliest convenience.

However, upon his inspection, Paul of the brand risk management department saw notes from some of our patrons alluding to the viewing of behind-the-scenes extras attached to their voluntary donations to us. Paul hastily and incorrectly assumed this meant we were “selling videos” to our fans, and upheld the machine-made permanent limitation on the false grounds that we were “selling prohibited items.” Paul actually refused to disclose his reason for upholding the erroneous decision, and instead sent me a canned response through email after I contacted his department using the aup@paypal.com email address.

I called PayPal again and requested my case to be escalated to their executive department, and my request was granted. I received an email from this department a week later, and the employee confirmed in an email to me that Paul’s reason for upholding the decision to ban me from PayPal was for accusations of “using PayPal to sell prohibited items.” This of course was a false accusation, as I have never used PayPal to sell anything. Likely in response to my detailed email back to the executive, my funds that PayPal was illegitimately holding ransom for 180 days were suddenly released to me, and I immediately transferred them to my bank.

I have since partnered with new money-transfer services for receiving donations from our loyal and supportive fans, and I’m much happier knowing that we’ll never have to deal with PayPal and its sketchy, unprofessional business tactics again. I’ve left them behind for good, and I strongly advise everyone out there to take caution if you decide to use their service, because they apparently can legally falsely accuse you of nonsense, freeze your funds, and get away with it because they’re currently the biggest money-transfer service out there — but they aren’t the only service out there, and at this rate, one day that will hopefully change.

PayPal Bans Talking Bad About PayPal

PayPal has just sent out its Notice of Policy Updates for 2017. Among the standard raising of rates, one new clause in the agreement caught my eye – the “non-discouragement” clause, which makes talking bad about PayPal, discouraging customers from using PayPal, or promoting another payment method over PayPal a violation of the PayPal agreement which could lead to your account being closed and/or your funds being “held”.

PayPal Non-Discouragement Clause

  • In representations to your customers or in public communications, you agree not to mischaracterize PayPal as a payment method. At all of your points of sale (in whatever form), you agree not to try to dissuade or inhibit your customers from using PayPal; and, if you enable your customers to pay you with PayPal, you agree to treat PayPal’s payment mark at least at par with other payment methods offered.

The first part of the non-discouragement clause is a little confusing to me: “you agree not to mischaracterize PayPal as a payment method”. This means that by calling PayPal a “payment method” you are wrong (mischaracterizing it) and violating PayPal’s rules. What I don’t understand is, if PayPal is not a payment method, WTF is it? I’m sure there is some wording buried in the service agreement/terms of service/legal mumbo jumbo that names PayPal as something other than a payment method, but to me, if people use PayPal as a method of paying for stuff, it is a payment method.

[Image: PayPal’s new “non-discouragement clause”]

The second part of the non-discouragement clause is the kicker, and where PayPal can ban you for talking bad about it, for not treating it the same as your other payment methods, or even for trying to push people to use another payment method instead: “you agree not to try to dissuade or inhibit your customers from using PayPal; and, if you enable your customers to pay you with PayPal, you agree to treat PayPal’s payment mark at least at par with other payment methods offered.”

This means that if you, for example, offer both PayPal and Square, but you prefer people to use Square because they don’t gouge you as hard as PayPal, you can’t say anything about it, you can’t ask customers to use Square instead, you can’t offer an incentive to use Square instead of PayPal – you can’t do anything. You can simply display a PayPal button/logo and a Square button/logo next to each other. You can’t even make the Square logo bigger than PayPal’s button. The PayPal button must be “at par” with other payment methods. Who decides if the way you placed PayPal’s payment mark is “on par” with your other payment method? Well, PayPal does, of course. But don’t worry, you can trust PayPal. Right?

Unfortunately, because currently there really is no other payment method as large, as easy to use, and as widely accepted as PayPal, they have a virtual monopoly on the online payments market and can pretty much make up any rules they want, and still ban whoever they want.