Is anybody familiar with the spammer "Eric Jones"? I think he is famous. Anyhow, he collects the input from "captcha" first. If the IP is not blocked / doesn't get "403", his program goes for "contact us". Here is the log:

37.72.186.22 - - [10/Sep/2024:21:51:46 -0600] "GET /contact_us.php%09%092024-06-17+14:07%09Ready+contact+form+successfully+found+/+Requires+captcha+input%09 http://domain.ca%09%09%09%09%09 HTTP/1.1" 404 196
37.72.186.22 - - [10/Sep/2024:21:51:47 -0600] "GET / HTTP/1.1" 200 28533
37.72.186.22 - - [10/Sep/2024:21:51:49 -0600] "GET /contact_us.php HTTP/1.1" 200 25619

I created an htaccess entry:

# Block specific request pattern targeting /contact_us.php
RewriteCond %{REQUEST_URI} ^/contact_us.php [NC]
RewriteCond %{THE_REQUEST} "GET /contact_us.php%09%092024-06-17+14:07%09Ready+contact+form+successfully+found+/+Requires+captcha+input%09 http://domain.ca%09%09%09%09%09 HTTP/1.1" [NC]
RewriteRule .* - [F]

but it doesn't work. The issue likely stems from the fact that %09 (tab character) and similar URL-encoded characters in the request may not be processed as-is by THE_REQUEST directive in .htaccess. Apache doesn't decode these characters automatically when matching with THE_REQUEST.

Wildcard and escaping in THE_REQUEST: Instead of directly using %09, I can use .* (wildcards) to match anything that could appear in between different parts of the request string.

I'll see if the below will work:

RewriteCond %{REQUEST_URI} ^/contact_us.php [NC]
RewriteCond %{THE_REQUEST} "GET /contact_us.php.*Ready\+contact\+form\+successfully\+found.*Requires\+captcha\+input.* http://domain.ca" [NC]
RewriteRule .* - [F]
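
Before deploying either rule, both THE_REQUEST patterns can be checked offline against the request lines from the log. This is an added example, not the poster's code. It assumes Python's `re` treats these two patterns the same way Apache's PCRE engine does, evaluates only the THE_REQUEST condition, and uses hypothetical function names (`parse`, `would_block`, `evaluate`).

```python
import re

# Access-log lines copied from the post (Common Log Format).
LOG = r'''37.72.186.22 - - [10/Sep/2024:21:51:46 -0600] "GET /contact_us.php%09%092024-06-17+14:07%09Ready+contact+form+successfully+found+/+Requires+captcha+input%09 http://domain.ca%09%09%09%09%09 HTTP/1.1" 404 196
37.72.186.22 - - [10/Sep/2024:21:51:47 -0600] "GET / HTTP/1.1" 200 28533
37.72.186.22 - - [10/Sep/2024:21:51:49 -0600] "GET /contact_us.php HTTP/1.1" 200 25619'''

# The two CondPatterns from the post, verbatim, without the surrounding quotes.
FIRST = (r'GET /contact_us.php%09%092024-06-17+14:07%09Ready+contact+form'
         r'+successfully+found+/+Requires+captcha+input%09 '
         r'http://domain.ca%09%09%09%09%09 HTTP/1.1')
SECOND = (r'GET /contact_us.php.*Ready\+contact\+form\+successfully\+found'
          r'.*Requires\+captcha\+input.* http://domain.ca')

# host ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')

def parse(line):
    """Split one log line into its fields; None if it is not CLF."""
    m = CLF.match(line)
    if m is None:
        return None
    ip, when, request, status, _size = m.groups()
    return {"ip": ip, "time": when, "request": request, "status": int(status)}

def would_block(cond_pattern, request_line):
    """True if the pattern matches the raw request line.

    THE_REQUEST is the request line as the client sent it, so %09 is the
    literal three characters. [NC] maps to IGNORECASE, and a CondPattern
    is unanchored, hence search(). An unescaped '+' is a regex quantifier,
    not a literal plus sign.
    """
    return re.search(cond_pattern, request_line, re.IGNORECASE) is not None

def evaluate(log_text=LOG):
    """Return (request line, first rule matches, second rule matches) per line."""
    rows = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is not None:
            req = rec["request"]
            rows.append((req, would_block(FIRST, req), would_block(SECOND, req)))
    return rows

if __name__ == "__main__":
    for req, first, second in evaluate():
        print(f"first={first!s:5} second={second!s:5} {req[:60]}")
```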