Forum Moderators: phranque


how to block specific POST requests using .htaccess

         

Fr0mCha0s

1:09 am on Dec 7, 2014 (gmt 0)

10+ Year Member



I have some spammer who constantly comes back posting the same YouTube URL. They are infecting people's computers with a bot to do so. All his IPs are on ISP ranges.

I have read Perishable Press documents on protecting POST requests, but none covered what I really need: to be able to block the specific content they are trying to post.

Is there a way to block POST requests with things like the string combination of their youtube URL?

lucy24

1:45 am on Dec 7, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is there a way to block POST requests with things like the string combination of their youtube URL?

Yes, probably-- but not in the way the post title implies, via htaccess alone. htaccess sees only the request. That includes the method (such as POST), but it doesn't include the POST content.

Is it a completely random spammer? From an otherwise normal human IP, so you can't block them that way?

How are your POSTs processed? php-or-similar? It should be possible to look at post content in this phase, and block it if necessary. It sounds as if your main concern is with preventing the content from being posted, rather than with denying access as such.

Oops, one more question: What's the normal referer for a POST of this type? (I don't do message boards, but I've got a contact form. In those, the referer for the POST request is the page itself. A robot might be foolish enough to try a blank referer.)

Fr0mCha0s

3:18 am on Dec 7, 2014 (gmt 0)

10+ Year Member



Is it a completely random spammer? From an otherwise normal human IP, so you can't block them that way?


It seems to be an isolated spammer doing his own thing away from the herd. All the IPs are on actual ISP ranges, not server farms. I have already blocked 2 small ranges (ex: 69.127.67.*) but it seems they just come back when they infect another PC. The bot loads all objects, stylesheets etc. just like a human browser, because it must, to utilize the object in question.

How are your POSTs processed? php-or-similar? It should be possible to look at post content in this phase, and block it if necessary. It sounds as if your main concern is with preventing the content from being posted, rather than with denying access as such.


PHP. And actually it is preferable to deny access altogether, not just content.

Oops, one more question: What's the normal referer for a POST of this type? (I don't do message boards, but I've got a contact form. In those, the referer for the POST request is the page itself. A robot might be foolish enough to try a blank referer.)


No referrer. The object is on the main page of the website. Mimics a human visitor to a tee.

Now that I think about it, I am just going to go through the object settings, as I am almost positive there is a way to input text to censor. I will just input the URL string characters as text to censor. But still this will not give them the 403.

Something I need to do anyway is get a PHP script set up for these more complicated scenarios.

Thanks for your time again.

wilderness

5:24 am on Dec 7, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The bot loads all objects, stylesheets etc. just like a human browser, because it must to utilize the object in question.


Is there some pattern/key-word that is repeated in the UA, and regardless of IP?

Forum attacks (for lack of a better word) are an ongoing issue.
Just as soon as you spend weeks weeding out the bad guys, a new round begins.

Using the Forums/Board PHP in an attempt to eliminate these (access) is a waste of time, rather it's better (both easily and more broad) in htaccess.

lucy24

6:19 am on Dec 7, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I will just input the URL string characters as text to censor. But still this will not give them the 403.

To generate the 403 you'll probably need to rearrange your php file so the structure is:

first check whether post contains forbidden text such as a youtube link
then, depending on what you find, either return a 403 response or build the page

Since it's too late to return a 40x response if you've already started building the page, you'll have to defer things, for example by using an output buffer.*

If the 403 response ends up being returned by php rather than directly by the server, your logs will always show a 200. But you'll know better. Include (that is, INCLUDE) at least a one-line response like "there was a problem processing your post"; no matter what the situation, you never want to send out a blank page.


* I've only done this about twice in my life, so had to go look it up. ob_start to start (duh), and then either ob_end_clean or ob_end_flush depending on whether you end up dumping the buffer or using it.
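
The structure described in the post above (check the POST content first, then either return a 403 or build the page, with an output buffer holding any early output), as an added PHP example that is not part of the original thread. The `BLOCKED_PATTERNS` name, the `post_is_forbidden()` helper and the placeholder video ID are assumptions made for illustration.

```php
<?php
// Added example: screen the POST body before any output reaches the client.
// BLOCKED_PATTERNS and post_is_forbidden() are hypothetical names.
const BLOCKED_PATTERNS = [
    // Constructed placeholder ID; replace with the link actually being spammed.
    '~(?:youtube\.com/watch\?v=|youtu\.be/)EXAMPLE_ID~i',
];

function post_is_forbidden(array $post, array $patterns): bool
{
    // Flatten nested fields (e.g. name="msg[]") so no value is skipped.
    $values = [];
    array_walk_recursive($post, function ($v) use (&$values) {
        $values[] = (string) $v;
    });

    foreach ($values as $value) {
        // Undo URL-encoding and HTML entities so lightly obfuscated
        // copies of the same link still match.
        $normalized = html_entity_decode(rawurldecode($value), ENT_QUOTES, 'UTF-8');
        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $normalized) === 1) {
                return true;
            }
        }
    }
    return false;
}

ob_start(); // hold all output so the status code can still be changed

$method = $_SERVER['REQUEST_METHOD'] ?? '';
if ($method === 'POST' && post_is_forbidden($_POST, BLOCKED_PATTERNS)) {
    ob_end_clean();                 // dump whatever was buffered so far
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo "There was a problem processing your post.\n"; // never a blank page
    error_log('Blocked POST from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit;
}

// ... normal page building goes here ...
echo "<p>Post accepted.</p>";

ob_end_flush(); // nothing forbidden found: send the buffered page
```

The `error_log()` line gives a record of each rejected request that can be reviewed later for recurring addresses.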

Fr0mCha0s

11:57 am on Dec 11, 2014 (gmt 0)

10+ Year Member



Is there some pattern/key-word that is repeated in the UA, and regardless of IP?


They use very common real UAs. I can't remember what exactly they were, but I could see there is nothing blockable there. I haven't seen the perp lately. They just come back randomly, I am guessing when they infect another PC.

Forum attacks (for lack of a better word) are an ongoing issue.
Just as soon as you spend weeks weeding out the bad guys, a new round begins.

Using the Forums/Board PHP in an attempt to eliminate these (access) is a waste of time, rather it's better (both easily and more broad) in htaccess.


Agreed. This is not a forum board. It's not a common format at all. And there is no search engine benefit of posting links in the object. For the most part this is why the common horde of spambots and other trash leave it alone (for now?). I guess this is why this one spammer annoys me so much.

I honestly don't know why they would even waste their time ;) Maybe they are practicing ;)

tangor

4:23 am on Dec 12, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Spammers look for vulnerabilities regardless of site/forum/guestbook, etc. If "input" can be made, they'll do it.

In the alternative (depending on the number of POSTs you deal with), a hold until human (you) moderates. That is always 100% in that nothing can be posted until released. Providing your scripts are secure!