Hi,

Referrer checking doesn't achieve much in the way of preventing abuse;
if someone wants to automate something they will. Before I started
using OpenSRS I used CSL GmbH (joker.com) and wrote scripts to talk to
their website for registering and updating domains. I added
"Referrer:" headers into those scripts as a matter of course without
bothering to check if they were needed. I've seen people recommend
using referrer checking to prevent formmail.cgi spamming, but that
would only hold someone up for a couple of minutes until they found
the calling page. Not very effective.

With regard to the Host: header in HTTP/1.0 requests - they're very
common. So common in fact that I had assumed it was part of the 1.0
spec until you said otherwise. After looking at w3.org I found this
from a presentation about HTTP/1.1 which shows that it was a case of
the standard following practice:
http://www.w3.org/Talks/9608HTTP/sld012.htm

Looking through analyses of web server log files I've occasionally
seen pages get reloaded continually by a browser for no apparent
reason. If the URL was exactly the same I would have put it down to
some obscure browser bug rather than anything suspicious/malicious,
but as the domain keeps changing it does look like some kind of
script. I suggest blocking the IP if it continues and is unwelcome
traffic.

Mark.
On Fri, Sep 14, 2001 at 09:05:36AM +0930, Allen Bolderoff wrote:
>
> IMHO, why not use the web server for this? Most intelligent web servers
> handle this for you, and if needed get caudium http://www.caudium.net . I
> know you can use it to do referrer-based denying.
>
> No need to re-invent the wheel and bloat the scripts...
>
>
>
> > The scripts do not do any HTTP_REFERRER checking, but that could easily
> > be built in to any version of the scripts
> >
> > Charles Daminato
> > TUCOWS Product Manager
> > [EMAIL PROTECTED]
> >
> > On Thu, 13 Sep 2001, Matthew Asham wrote:
> >
> > > Since September 4th we've had 16987 identical requests from
> > > 24.27.115.199 to our reg_system.cgi.
> > >
> > > The request is an HTTP/1.0 post request with
> > > action=lookup&domain=somedomain.foo&affiliate_id=
> > >
> > > The UserAgent is reported as Mozilla Compatible (MS IE 3.01 WinNT) and
> > > it sends a Host header even though it's doing an HTTP/1.0 request.
> > >
> > > A quick grep through a few minutes' worth of snort caps shows lookups
> > > for many domain names: mmb.net, tdt.net, mof.com, aol.org, ugm.com,
> > > byq.org, kof.org, y2k.net, 3fs.com, zvv.com, v2t.com, etc.
> > >
> > > The script is not hammering us at all (no doubt how they avoided
> > > attention this long), requests are coming in at intervals of 4 seconds
> > > up over a minute.
> > >
> > > I've already contacted RR about this, but I figured I'd mention it just
> > > in case others are experiencing the same.
> > >
> > > Do the 2.4 scripts do HTTP_REFERER checking? If not, then I would
> > > really like to see this get added in some build.
> > >
> > > Thanks and good night
> > >
> > > Matthew
> > >
> > > --
> > > Matthew Asham, VE7UDP
> > > Left Coast Systems Corp, SuperWebhost.com
> > >
> > >
> > >
> >
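
An added example, not part of the original thread: the traffic described above arrives too slowly to trip a per-second rate limit, so this sketch flags a client by how many different domains it looks up over a long window instead. The log line format, the thresholds and the sample records are assumptions constructed for illustration; they are not OpenSRS's own.

```python
from collections import defaultdict

# Assumed application log format (hypothetical, not OpenSRS's own):
#   <epoch-seconds> <client-ip> <action> <domain>
WINDOW = 3600          # seconds of history considered per client
MAX_DISTINCT = 20      # distinct domains allowed per client per window

def parse(line):
    """Return (ts, ip, action, domain) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2], parts[3].lower()

def flag_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Flag IPs whose lookups cover more than max_distinct different
    domains inside any sliding window, however slowly they arrive."""
    recent = defaultdict(list)     # ip -> [(ts, domain), ...] within window
    flagged = {}                   # ip -> timestamp of first violation
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "lookup":
            continue
        ts, ip, _, domain = rec
        hits = recent[ip]
        hits.append((ts, domain))
        # drop entries older than the window (input is time-ordered)
        while hits and hits[0][0] <= ts - window:
            hits.pop(0)
        if ip not in flagged and len({d for _, d in hits}) > max_distinct:
            flagged[ip] = ts
    return flagged

def sample_log():
    """Constructed sample: one slow client cycling through names every
    4-60 s, and one ordinary client re-checking two names."""
    lines, t = [], 1000000000
    for i in range(60):
        t += 4 + (i * 7) % 57               # gaps between 4 and 60 seconds
        lines.append(f"{t} 192.0.2.10 lookup name{i}.example")
        if i % 10 == 0:
            lines.append(f"{t} 198.51.100.7 lookup shop{i % 20}.example")
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    for ip, ts in flag_enumerators(sample_log()).items():
        print(f"{ip} exceeded {MAX_DISTINCT} distinct lookups at {ts}")
```

With a one-minute window the same client is never flagged, which is why the check counts distinct names over an hour rather than requests per second.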