How To Block SITE.RU Referrers (Block Referrer Spam)

(This is my first post in a long time, and first post ever using Gutenberg. It doesn’t suck as hard as I thought!)

Recently I’ve been noticing the referrer “site.ru” showing up in the server logs more and more. At first I thought it was just simple referral spam, but since (as of now at least) the website site.ru is down, that didn’t make sense. So I took a closer look, and it looks more like a generic bot or script probing for vulnerabilities in PHP files, vulnerable WordPress plugins, etc. A quick sampling of the IP addresses associated with these “site.ru bots” shows that virtually all of them come from server farms, so it was time to block them all.

How To Block site.ru Bots

Because I’m running a server with hundreds of sites, using .htaccess to block it on each site would be a pain, so instead I used ModSecurity, which protects all sites on the entire server.

I already had a rule to block referrer spam, based on a regex list of referrers that looked like this:

SecRule REQUEST_HEADERS:REFERER "(?i:(bad-referral|badreferrer2.com|badreferrer3.org))" "phase:1,severity:'3',msg:'Spammy referrer',id:240071"

To make this ModSecurity rule work for this new referrer string, all I would have to do is add “|site.ru” to the list of referrers in the rule. But since I assumed this list would grow, I decided to modify the rule to read the list from a file instead. ModSecurity can parse and match a large list from a file 100 times faster than a regex alternation, so I changed the rule a bit so that it reads the list of referrer strings from a file:

SecRule REQUEST_HEADERS:REFERER "@pmFromFile /modsec/referrer-list.conf" "t:lowercase,t:compressWhiteSpace,t:replaceNulls,t:urlDecode,rev:2,phase:1,log,severity:'3',msg:'**Spam Referrer',id:240071"

I then created the file referrer-list.conf in the /modsec directory and added site.ru to it (one string per line; ModSecurity ignores blank lines and lines starting with #). I also imported a list of 1500 or so known “bad referrers” I found on the interwebz and added them to the list.

This rule now blocks any request whose Referer header contains any of the strings listed in referrer-list.conf (a plain case-insensitive substring match, not a regex) and returns an HTTP 406 error to the offending bot. The rule itself carries no disruptive action, so the block and the 406 status come from SecDefaultAction; if your default action is pass, add deny,status:406 to the rule. I also have CSF configured so that after a specific IP gets these errors more than a few times, that IP gets blocked at the firewall. A few more hits from the same IP subnet, and that entire subnet also gets blocked. So, no more site.ru spam!

Any time I create a new rule to block anything with ModSecurity, I review everything it blocks for a few days to make sure I’m not accidentally blocking any legit visitors. After reviewing the logs from this new rule for a few days, I’ve found 0 false positives: 99% of the IP addresses of the site.ru ‘bots’ belonged to server farms and 100% were attempting to access .php files, most in /wp-content. But I also noticed that out of the over 1,000 “bad” referrers in the list I downloaded, the only other bad referrer I’ve seen come around and get blocked was “uptime.com”. So after a couple of days, this rule has blocked about 500 site.ru bots and about 200 uptime.com bots.
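To vet a referrer list like this before it goes live, here is an added Python dry run (my example, not part of the original post and not ModSecurity code) that applies the same case-insensitive substring matching @pmFromFile uses to constructed log lines and a constructed phrase file. It goes one step beyond the post by showing why the review matters: a short phrase such as site.ru also hits any hostname that merely contains it.

```python
import re
from collections import Counter

# Constructed stand-in for /modsec/referrer-list.conf: one phrase per line;
# blank lines and lines starting with '#' are ignored, as @pmFromFile does.
REFERRER_LIST = """
# spammy referrers
site.ru
uptime.com
"""

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/x.php HTTP/1.1" 404 0 "http://site.ru/" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "https://WWW.SITE.RU/path" "Mozilla/5.0"
198.51.100.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 "https://www.mysite.run/blog" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "(?P<ref>[^"]*)" "[^"]*"$')

def load_phrases(text):
    """Parse the phrase file the way @pmFromFile reads it."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def matching_phrase(referer, phrases):
    """First phrase found anywhere in the Referer (case-insensitive substring
    match, which is what @pm does); None if the referer is clean."""
    ref = referer.lower()
    return next((p for p in phrases if p in ref), None)

def dry_run(log_text, phrases):
    """Return (ip, referer, matched_phrase) for every parseable log line."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            results.append((m["ip"], m["ref"], matching_phrase(m["ref"], phrases)))
    return results

def count_hits(results):
    """Tally would-be blocks per phrase (the '500 site.ru bots' number)."""
    return Counter(hit for _, _, hit in results if hit)

if __name__ == "__main__":
    for ip, ref, hit in dry_run(SAMPLE_LOG, load_phrases(REFERRER_LIST)):
        # mysite.run is flagged too: 'site.ru' is a substring of that hostname
        print("BLOCK" if hit else "allow", ip, ref, hit or "")
```

Run it against a day of real access logs with your own referrer-list.conf and inspect the BLOCK lines before enabling the rule.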

How to block a Referrer With .HTACCESS

To block site.ru or uptime.com (or any naughty referrer string) you could put something like this in .htaccess to accomplish the same thing:

RewriteEngine On
# Block requests whose Referer contains site.ru or uptime.com (case-insensitive)
RewriteCond %{HTTP_REFERER} site\.ru [NC,OR]
RewriteCond %{HTTP_REFERER} uptime\.com [NC]
RewriteRule .* - [F]

Obviously, adding a rule for multiple referrers or for more than one website would be a pain, which is a great reason to use ModSecurity. Even better, use ModSecurity and integrate it with the CSF firewall.

One thought on “How To Block SITE.RU Referrers (Block Referrer Spam)”

  1. Helou!
    Thanks for your effort to help us!
    Can you please tell me more on that, like I am a 4-year-old child,
    where should I click first and then copy paste..
    I am lost!
    thanks
