How To Block SITE.RU Referrers (Block Referrer Spam)

(This is my first post in a long time, and first post ever using Gutenberg. It doesn’t suck as hard as I thought!)

Recently I’ve been noticing the referrer “site.ru” showing up in the server logs more and more. At first I thought it was just simple referral spam, but since (as of now, at least) the website site.ru is down, that didn’t make sense. So I took a closer look, and it looks more like a generic bot or script searching for vulnerabilities in PHP files, vulnerable WordPress plugins, etc. A quick sampling of the IP addresses associated with these “site.ru bots” shows that they virtually all come from server farms, so it was time to block them all.

How To Block site.ru Bots

Because I’m running a server with hundreds of sites, using .htaccess to block it would be a pain, so instead I used Mod_Security, which protects all sites on the entire server.

I already had a rule created to block referrer spam, based on a regex list of referrers that looked like this:

SecRule REQUEST_HEADERS:REFERER "(?i:(bad-referral|badreferrer2.com|badreferrer3.org))" "phase:1,severity:'3',msg:'Spammy referrer',id:240071"

To make this ModSecurity rule work for this new referrer string, all I would have to do is add “|site.ru” to the list of referrers in the rule. But since I assumed that this list would grow, I decided to modify the rule to read the list from a file instead. Mod_Security can parse and match a large list read from a file (the @pmFromFile operator) 100 times faster than a regex alternation, so I changed the rule a bit so that it reads the list of referrer strings from a file:

SecRule REQUEST_HEADERS:REFERER "@pmFromFile /modsec/referrer-list.conf" "t:lowercase,t:compressWhiteSpace,t:replaceNulls,t:urlDecode,rev:2,phase:1,log,severity:'3',msg:'**Spam Referrer',id:240071"

I then created the file referrer-list.conf in the /modsec directory and added site.ru to the file (one string on each line). I also imported a list of 1500 or so known “bad referrers” I found on the interwebz and added them to the list.

This rule now blocks any request whose referrer contains any of the strings listed in the referrer-list.conf file and returns an HTTP 406 error to the offending bot. I also have CSF configured so that after a specific IP gets these errors more than a few times, that IP gets blocked at the firewall. A few more hits from the same IP subnet, and that entire subnet also gets blocked. So, no more site.ru spam!

Any time I create a new rule to block anything with Mod_Security, I review everything it blocks for a few days to make sure I’m not accidentally blocking any legit visitors. After reviewing the logs from this new rule for a few days, I’ve found 0 false positives: 99% of the IP addresses of the site.ru ‘bots’ belonged to server farms and 100% were attempting to access .PHP files, most in /WP-CONTENT. But I also noticed that out of the over 1,000 “bad” referrers in the list I downloaded, the only other bad referrer I’ve seen come around and get blocked was “uptime.com”. So after a couple of days, this rule has blocked about 500 site.ru bots and about 200 uptime.com bots.
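As an added example (not from the original post, and not ModSecurity's own matcher), this Python script emulates what the @pmFromFile rule above does to a referrer, namely case-insensitive substring matching after URL decoding, and runs it over a few constructed Apache combined-format log lines to produce the per-referrer and per-IP review described here. The referrer list and the log lines are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed stand-in for /modsec/referrer-list.conf (one entry per line).
REFERRER_LIST = """site.ru
uptime.com
badreferrer2.com
"""

# Constructed Apache combined-format log lines, not real server logs.
SAMPLE_LOG = """203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/foo/x.php HTTP/1.1" 406 0 "http://site.ru/" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /xmlrpc.php HTTP/1.1" 406 0 "http://SITE.RU/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php HTTP/1.1" 406 0 "https://uptime.com/check" "UptimeBot"
192.0.2.55 - - [10/Oct/2023:14:02:10 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://www.example.org/blog" "Mozilla/5.0"
192.0.2.56 - - [10/Oct/2023:14:03:10 +0000] "GET /contact/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def load_patterns(text):
    """Read the list file: blank lines and # comments skipped, entries lowercased."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def match_referrer(referer, patterns):
    """Emulate @pmFromFile: a hit if ANY list entry is a substring of the referrer.
    Returns the matching entry or None. Short entries also match legitimate hosts
    that contain them (e.g. 'site.ru' inside 'mysite.ru'), hence the log review."""
    # Approximates the rule's t:urlDecode, t:compressWhiteSpace, t:lowercase chain.
    r = re.sub(r"\s+", " ", unquote(referer)).lower()
    return next((p for p in patterns if p in r), None)

def review_log(log_text, patterns):
    """Summarize what the rule would block: hits per entry, per IP, and .php share."""
    per_entry, per_ip, paths = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = match_referrer(m["referer"], patterns)
        if hit:
            per_entry[hit] += 1
            per_ip[m["ip"]] += 1
            paths.append(m["path"].split("?")[0].lower())
    php_share = sum(p.endswith(".php") for p in paths) / len(paths) if paths else 0.0
    return {"per_entry": dict(per_entry), "per_ip": dict(per_ip), "php_share": php_share}
```

Pointing `review_log` at a real access log for a few days gives the numbers the post reports (hits per referrer string, hits per IP, how many requests target .php files) and surfaces any legitimate referrer that a short list entry happens to be a substring of.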

How to block a Referrer With .HTACCESS

To block site.ru or uptime.com (or any naughty referrer string) you could put something like this in .HTACCESS to accomplish the same thing: 

RewriteEngine On
# [NC] makes the match case-insensitive; the dot is escaped so it matches literally
RewriteCond %{HTTP_REFERER} site\.ru [NC]
RewriteRule .* - [F]

Obviously adding a rule for multiple referrers or for more than just one website would be a pain, which is a great reason to use Mod Security. Even better to use Mod Security and integrate it with CSF Firewall.
