1

I'm looking for a solution to prevent redirection from an external website to my domain. Let's say I have a domain called abcd.com and I found that another domain called xyz.biz is redirecting all of its traffic to my domain. I want to stop the queries/redirection that come from xyz.biz.

I'm using IIS8/Windows Server 2012 and tried the following configurations, but no luck.

Option 1: I have added the HTTP_REFERER script below to the web.config file, but it still accepts that redirection request.

```xml
<rule name="DenyAccess" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
        <add input="{HTTP_REFERER}" pattern="xyz.biz" />
        <add input="{HTTP_REFERER}" pattern="www.xyz.biz" />
    </conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
```

Option 2: I tried adding the following PHP script to the index.php file, but it didn't work.

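```php
// The Referer header is optional; fall back to an empty string when it is absent
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// Exact string comparison against the two referrer origins to be refused
if ($ref == "http://xyz.biz" || $ref == "http://www.xyz.biz") {
    exit();
}
```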

When I do `echo $_SERVER['HTTP_REFERER']`, it returns an empty result and I couldn't see any details captured from xyz.biz.

Can anyone suggest an idea how we can approach this issue? Thanks in advance.

Karthick
  • maybe the issue is in here: `$ref=$_SERVER['HTTP_REFERER];` add the missing quote ' => `$ref=$_SERVER['HTTP_REFERER'];` – Mostav Apr 19 '20 at 18:52
  • @Mostav thanks for your comment. It's just a typing mistake here & it is written properly in my PHP with that missing quote. – Karthick Apr 19 '20 at 19:14
  • Did you check `HTTP_HOST`? Does it contain xyz.biz? – Lex Li Apr 20 '20 at 02:22
  • Referrer is only present if the connection is built with that data in the header, i.e., a browser clicking a link. If the traffic that you want to filter is sent intentionally without such headers then you can't know about it. Are you talking about unwanted traffic from another website? – m3nda Apr 20 '20 at 03:10
  • Also, you call it redirection, but didn't specify if it's a proper RFC (301, 302, etc.) redirection, which should include referrer, or if it's unwanted traffic redirected via JavaScript or other. That's why I ask about the true source of the traffic. Also, as you can see there (https://stackoverflow.com/questions/2158283/will-a-302-redirect-maintain-the-referer-string) all browsers have different behavior, so if you don't control the source of the connection nothing will help you to have such referrer. If you're talking about unwanted traffic forget it and go ahead with other kind of solution. – m3nda Apr 20 '20 at 03:13
  • @m3nda thank you for your comments and update. Using a redirect checker tool, I found it is a 302 redirection configured in the referrer website (xyz.biz). As you mentioned, I guess the traffic that I want is sent intentionally without the referer header. So, I'm looking for some other alternative solutions to approach this request. – Karthick Apr 20 '20 at 07:16
  • @LexLi HTTP_HOST returns only current domain name but not the referrer domain. – Karthick Apr 20 '20 at 07:18
  • Then it sounds like they are setting up a reverse proxy (and forgot to clean up `HTTP_REFERER`). In general you should see if you can filter by IP. – Lex Li Apr 20 '20 at 15:11
  • Look for proxy filter, country filter by IP, etc. Depending on your needs, you may just block 302 redirects that have no referrer on them. Maybe contacting that website owner can fix the problem. – m3nda Apr 20 '20 at 18:39
  • @m3nda yes, we have initiated a ticket with website registrar to get a solution. – Karthick Apr 20 '20 at 18:43
  • @LexLi Thanks for the comments. Yes, I'm checking that option as well to find out if there is any way to track by IP or country etc. – Karthick Apr 20 '20 at 18:44

2 Answers

0

Using Apache, you can rewrite redirect rules by adding an .htaccess file to the root directory with the instructions below:

```apache
RewriteEngine on
RewriteCond %{HTTP_REFERER} xyz\.biz [NC]
RewriteRule .* - [F]
```
Mostav
  • The domain is connected with IIS8/Windows Server, and I followed similar rules explained in this [article](https://carloseo.com/how-to-block-unwanted-crawlers-from-accessing-your-site/) specifically for web.config, but still no luck. It seems like the browser is preventing http_referer data from being sent from the xyz.biz domain. – Karthick Apr 19 '20 at 19:24
  • That was almost guessed from the start. Considering the kind of website public, you could just block connections from whole countries using maxmindb, or go much further and consider using an external service "like" distilnetworks or other that can tell you if you should let the connection in or not. As I already commented, blocking all 320 redirects that don't present a referrer could palliate the problem. – m3nda Jun 27 '20 at 22:48
  • OK, I see now, but considering also the limitation of redirects you may think about. – Mostav Nov 10 '20 at 17:03
0

> I have a domain called abcd.com and I found that another domain called xyz.biz is redirecting all of its traffic to my domain. I want to stop the queries/redirection that come from xyz.biz.

If xyz.biz is HTTP 3xx redirecting traffic (which you have confirmed in comments is a 302) then, unfortunately, this is simply not possible, because the redirected request is coming from the user-agent that made the initial request to xyz.biz, not from xyz.biz itself. The HTTP Referer header and remote IP address in the request that hits abcd.com could literally be anything.

The fact that the request to abcd.com might have come via a redirect at xyz.biz is entirely hidden from abcd.com. This is different from when a user actually clicks on a link at xyz.biz - in this case, xyz.biz is the Referer (unless the Referrer-Policy blocks it).

MrWhite
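
The behaviour described in this answer, reproduced on loopback as an added example that is not part of the original answer: two throwaway servers stand in for xyz.biz (the 302 redirector) and abcd.com (the target), and Python's `urllib` stands in for the user-agent. The function names and the use of `127.0.0.1` with OS-assigned ports are assumptions made for the demonstration.

```python
import http.server
import threading
import urllib.request

def _serve(handler_cls):
    """Start a loopback HTTP server on a free port; return (server, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def observe_redirected_request():
    """Return what the target site sees when a client arrives via a 302."""
    seen = {}

    class Target(http.server.BaseHTTPRequestHandler):      # stand-in for abcd.com
        def do_GET(self):
            # Record every request header exactly as the target receives it.
            seen["headers"] = {k.lower(): v for k, v in self.headers.items()}
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):                      # keep output quiet
            pass

    target, target_port = _serve(Target)

    class Redirector(http.server.BaseHTTPRequestHandler):  # stand-in for xyz.biz
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", f"http://127.0.0.1:{target_port}/")
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):
            pass

    redirector, redirector_port = _serve(Redirector)
    try:
        # The client only ever asks for the redirector's URL; it follows the 302 itself.
        urllib.request.urlopen(f"http://127.0.0.1:{redirector_port}/", timeout=5).close()
    finally:
        for srv in (redirector, target):
            srv.shutdown()
            srv.server_close()
    seen.update(target_port=target_port, redirector_port=redirector_port)
    return seen

if __name__ == "__main__":
    result = observe_redirected_request()
    print("Referer seen by target:", result["headers"].get("referer"))
    print("Host seen by target:   ", result["headers"]["host"])
```

The target receives a request whose `Host` is its own name and which carries no `Referer`, so neither a `{HTTP_REFERER}` rule nor an `HTTP_HOST` check has anything identifying the redirector to match on.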