I had a crapload of comment spam hit my blog today. And by crapload, I mean Oprah on a bender crapload.

So I started looking through the server log files and noticed a few patterns. Four different browser user agents were showing up on these spam entries.

So I nuked them in my .htaccess file with the following bit of code.


########## Block Old Browsers used in Facebook spam assault, 2013.04.10 ##########

RewriteEngine On
RewriteBase /
# Firefox 3.0.5, 3.0.10, shows up repeatedly
RewriteCond %{HTTP_USER_AGENT} ^.*(?:Firefox/3\.0\.10).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(?:Firefox/3\.0\.5).*$ [NC,OR]
# Opera 8.01, shows up repeatedly
RewriteCond %{HTTP_USER_AGENT} ^.*(?:Opera/8).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(?:Opera\s8).*$ [NC,OR]
# MSIE 6.0, shows up repeatedly
RewriteCond %{HTTP_USER_AGENT} ^.*(?:MSIE\s6).*$ [NC]
RewriteRule .* - [L,R=404]



I’m sure my regex is horrible. But it works. And I am returning a 404 instead of a 403, because with the 404 they will think the resource is no longer there.

Of course, this will just work until the script kiddies change the user agent. But they tend to be pretty lazy.

I’ll have to analyze the logs a bit more when I get the chance. It’s an interesting attack coming from random IP addresses. Which means more people aren’t using protection. On their computers.

I posted this just in case anyone else is having this problem.

Off to bed I go. Long day. Before I even noticed this mess.