[drupal-devel] [feature] Add Referrer Banning

Robin Monks drupal-devel at drupal.org
Thu Sep 15 18:19:34 UTC 2005


Issue status update for 
http://drupal.org/node/27787
Post a follow up: 
http://drupal.org/project/comments/add/27787

 Project:      Drupal
 Version:      cvs
 Component:    base system
 Category:     feature requests
 Priority:     normal
 Assigned to:  Robin Monks
 Reported by:  Robin Monks
 Updated by:   Robin Monks
 Status:       patch (code needs review)

The module stops the request before it hits the DB or graphics and just
ouputs (in plain text).  


The referrer ___ has been banned.


Or similar.  No "building" take place, the request is effictively
killed.


Robin




Robin Monks



Previous comments:
------------------------------------------------------------------------

Fri, 29 Jul 2005 17:02:30 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/referring_banning_with_stat_fix.patch (7.9 KB)

The attached patch adds the following features to Drupal HEAD:


- Setting Access Permissions by referrer.


The attached patch fixes the following bugs:


- Port numbers on same domain cause Drupal to mark an external referrer



This patch changes the following modules, by function:


- user.module
-- user_admin_access_check Now allows checking based on referrer.
-- _user_admin_access_form Now has options for banning based on
referrer.
-- user_admin_access Now lists referrer bans.
-- user_help Show referrer banning in documentation.
- bootstrap.inc
-- _drupal_bootstrap Checks to ensure user is not banned by referrer.
- statistics.module
-- statistics_top_referrers Has "quick-links" for banning referring
domain.  Fixes port issue.


I have tested this module and it works correctly on Drupal HEAD.


Robin




------------------------------------------------------------------------

Sat, 30 Jul 2005 13:59:09 +0000 : Dries

What is the point of referrer banning?  To stop people from linking your
site?  I'd think this is only useful for 0.001% of all Drupal sites.




------------------------------------------------------------------------

Sat, 30 Jul 2005 14:05:51 +0000 : killes at www.drop.org

I've asked Robin to implement this because a referrer spammer was
spamming drupal.org with porn referrers. This was annoying because it
made the "top referrers" page basically useless. I only got rid of the
spammer because Kjartan grepped the apache logs for me and told me the
IP.




------------------------------------------------------------------------

Sat, 30 Jul 2005 14:32:08 +0000 : bertboerland at www.drop.org

dries, take a look at http://drupal.org/admin/logs/referrers [1]. mine
is even worse, nearly 15% of all referrers are pr0n sites. so i do
think it is usefull to ban based on referrer, not to prohibits linkers
but referrer spammers
[1] http://drupal.org/admin/logs/referrers




------------------------------------------------------------------------

Sat, 30 Jul 2005 18:41:33 +0000 : Robin Monks

This is also useful for sites that try to pop other sites into IFrames
(sometime invisable).  


This code does need review.  I want to make sure that this will work on
all server/OS/php types.


Robin




------------------------------------------------------------------------

Sun, 31 Jul 2005 10:32:37 +0000 : Dries

I'm still not convinced this feature is needed. I'm tempted to say
"won't fix" but I'll let this patch float in the review queue until
enough people showed interest in it.




------------------------------------------------------------------------

Sun, 31 Jul 2005 15:13:41 +0000 : eldarin

A useful feature for sites plagued by the spammers on the net - another
sad example is http://www.xmlrpc.com/stats/referers .




------------------------------------------------------------------------

Sun, 31 Jul 2005 15:58:45 +0000 : deekayen

I'd like to see this feature, but I would make a change to the patch.


In statistics.module, +    array('data' => t('Ban domain')) isn't
exactly clear. We know what it does in the context of this issue, but I
can see some of my users thinking that it will do a DNS lookup and ban
any users trying to visit from another ISP. If it were my patch, I'd
make it 'Ban visitors clicking from this webpage', but that might be
wordy for some of you.




------------------------------------------------------------------------

Sun, 31 Jul 2005 23:56:00 +0000 : Robin Monks


If it were my patch, I'd make it 'Ban visitors clicking from this
webpage', 
but that might be wordy for some of you.
Don't forget, this is going in a table header.  Something like that on
my display would take the table halfway to greenland.
"Ban Referring Domain" or "Ban Referrer" may be better choices, but I
can't understand how someone could think a domain was an ISP???  I
mean, a domain is a domain.  Even non-tech-types know a domain is a
.com.
I'd like others opinions on this.


I feel the common concensus thus far is that this patch would be a good
addition to Drupals banning system.  However, the code still needs to
have some more testers.  This is also a good time to mention any
changes you'd like to see.


Robin




------------------------------------------------------------------------

Tue, 09 Aug 2005 14:18:56 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/referring_banning_with_stat_fix_0.patch (7.97 KB)

New patch against HEAD, changes the title to "Ban referrer"


Robin




------------------------------------------------------------------------

Wed, 31 Aug 2005 13:02:21 +0000 : minimism

As a sufferer of referrer spam (my logs+cache+sessions tables added over
20MB to my database, causing me to go over-quota with my hosting service
== cost; as well as the increased traffic making my site go 25% over
bandwidth allowance == more cost) would the referrer block generate any
output (i.e a 404 message) or would Drupal output a null page (such as
cron.php)?


My 'over-bandwidth' problem is not going to be helped if each request
gets a 404 message!




------------------------------------------------------------------------

Thu, 01 Sep 2005 09:02:30 +0000 : Hosting Geek

I know lighttpd [2] has this feature... maybe you would want to use it
instead of apache it seems to have a lot fo features apache is missing
plus it uses less load and memory... maybe drupal.org should of swaped
to it when it was having load problems... to late to sudgest it now...
but if drupal.org ever start getting load problems again it might be
the first thing you would want to do.
[2] http://lighttpd.net







More information about the drupal-devel mailing list