Harry

The scripts for spam bots can be easily modified to include a referer that is just the domain name of the site being attacked. This renders the referer defense completely useless.

On 10/1/05, Harry Slaughter <harry@slaughters.com> wrote:
Karoly Negyesi wrote:
i believe the domain name can be replaced with a var to make it generic. i'm just not sure if there are cases where a valid client does not send a referrer.
Plenty. HTTP_REFERER is not something to rely on.
i'd be very curious as to what browser does not send a referer header when posting from a form. the only cases i could imagine where a referer would be missing would be non-browser clients (like scripts that post comments). the referer header has been around since day one.
as far as relying on this header, it depends on what you're relying on it for. since the only clients that would be omitting this field would almost certainly be spammers (or users whose browsers are so obscure i've never heard of them), i consider it reliable enough to use as part of an anti-spam technique.
sure spammers will easily bypass this method as soon as it becomes commonly used, but that is the nature of all anti-spam techniques. all anti-spam tools enter this game of escalation. the fact that a spammer can circumvent or overcome a given anti-spam technique is not a reasonable excuse for not implementing it.
and i certainly wasn't suggesting this go in core as it's not the type of thing all people would want (like those that want to be able to use methods other than a traditional browser to POST content).
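An added illustration of the check the thread is arguing about (this is example code written for this page, not code from the list participants or from Drupal): the server reads the client-supplied `HTTP_REFERER` CGI variable, compares the parsed hostname against a configurable site host (the "var to make it generic"), and treats a missing header as a separate case so that non-browser clients can be allowed by policy. The substring version is kept alongside only to show why the hostname must be parsed rather than matched as a substring. The `environ` dictionaries, the `example.com` site host and the `allow_missing` policy flag are assumptions for the example; the header values are constructed samples.

```python
from urllib.parse import urlsplit


def naive_referer_check(environ, site_host):
    """Substring check that is easy to write and easy to get wrong.

    Kept only for comparison: it accepts any Referer that merely contains
    the site host somewhere in the string, e.g. a host that happens to
    start with it.
    """
    return site_host in environ.get("HTTP_REFERER", "")


def referer_verdict(environ, site_host):
    """Classify the Referer header as 'match', 'mismatch' or 'missing'.

    environ is a CGI/WSGI-style mapping; the header arrives as HTTP_REFERER.
    Only the parsed hostname is compared (case-insensitively, port ignored).
    The header is chosen by the client and never verified by the server,
    so 'match' is a weak signal, not proof that a browser posted the form.
    """
    raw = environ.get("HTTP_REFERER", "").strip()
    if not raw:
        return "missing"
    try:
        host = urlsplit(raw).hostname  # None for unparsable values
    except ValueError:  # e.g. malformed IPv6 literal
        host = None
    if host is None:
        return "mismatch"
    return "match" if host.lower() == site_host.lower() else "mismatch"


def accept_post(environ, site_host, allow_missing=False):
    """Policy on top of the verdict.

    allow_missing=True is the setting a site would choose if it wants to
    keep accepting POSTs from scripts and other non-browser clients that
    send no Referer at all.
    """
    verdict = referer_verdict(environ, site_host)
    if verdict == "match":
        return True
    if verdict == "missing":
        return allow_missing
    return False


if __name__ == "__main__":
    site = "example.com"  # assumed site host for the example
    samples = {  # constructed sample requests
        "browser": {"HTTP_REFERER": "http://example.com/node/1"},
        "https_port": {"HTTP_REFERER": "https://EXAMPLE.com:443/comment/reply"},
        "no_header": {},
        "other_site": {"HTTP_REFERER": "http://other.org/"},
        "lookalike": {"HTTP_REFERER": "http://example.com.evil.test/"},
    }
    for name, env in samples.items():
        print(f"{name:11} naive={naive_referer_check(env, site)!s:5} "
              f"verdict={referer_verdict(env, site):8} "
              f"accept={accept_post(env, site)}")
```

The lookalike sample is the case the substring version gets wrong: `example.com` is present in the string, so `naive_referer_check` returns True while the parsed hostname differs. Whatever the policy, the verdict only says what the client claimed; the thread's point that a bot can claim the right host stands, which is why this belongs among several signals rather than on its own.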