Prevent referrer form spam with IIS Rewrite Rules
By Sergey Nosov
May 20, 2014
Most modern websites do not only convey information to visitors; they also collect information from them through forms that visitors fill out and submit.
The engines that process web form submissions supplement the data the visitor typed with technical information available at submission time: the date and time, the visitor's internet protocol (IP) address, and the referrer. The referrer is a string taken from the HTTP Referer header (the header name keeps its historical misspelling) that normally contains the uniform resource locator (URL) of the referring web page.
Designers of web form processing engines often store the referrer string alongside the data visitors submit so that the specialists analyzing the data can see which page each submission came from. The problem is that the referrer is supplied by the client and can be set to anything. Spammers and attackers change it, for example to a URL that downloads malware when the analyst sifting through the visitor data clicks on it.
To prevent the requests with referrer URL set to external websites from reaching the web form processing engine, we use the following Internet Information Services (IIS) Rewrite engine rule in the web.config file.
<system.webServer>
  <rewrite>
    <rules>
      <!-- Fires only for requests whose URL path ends in dll or idq (the ISAPI handlers). -->
      <rule name="Block ISAPI calls with unlisted referer" stopProcessing="true">
        <match url="(?:dll|idq)$" />
        <conditions>
          <!-- Capture the host part of the Referer header; it becomes {C:1}.
               An absent referer, or one with no path after the host, does not
               match, so the rule does not fire for it. -->
          <add input="{HTTP_REFERER}" pattern="^https?://(.+?)/.*$" />
          <!-- Look the captured host up in the map; any host not listed maps to "block". -->
          <add input="{DomainsWhiteList:{C:1}}" pattern="^block$" />
        </conditions>
        <action type="AbortRequest" />
      </rule>
    </rules>
    <rewriteMaps>
      <!-- Hosts allowed as referrers. defaultValue is returned for every host not listed. -->
      <rewriteMap name="DomainsWhiteList" defaultValue="block">
        <add key="www.orderfactory.com" value="allow" />
        <add key="www.my-other-site.com" value="allow" />
        <add key="www.another-good-domain.com" value="allow" />
      </rewriteMap>
    </rewriteMaps>
  </rewrite>
</system.webServer>
Replace the domain names in the white list with the host names of your own pages that legitimately submit to the forms. The keys are compared with the host captured from the Referer header, so a site served on a non-default port needs a separate host:port entry. Merge the fragment into any existing web.config, or save it as web.config in the folder you want to protect if none exists there yet. The rule requires the IIS URL Rewrite module, which is installed separately from IIS itself.
If this script looks familiar, that is because it is a slightly modified version of the popular rule that prevents image hot-linking (credits: Scott Hanselman, RuslanY, et al.). In our case the form data is POSTed to ISAPI web applications with .dll or .idq extensions, so that is what the "match url" pattern at the top of the rule checks. Change the pattern if you pass the form data some other way.
With this rule in place, IIS aborts any matching request whose Referer host is absent from the white list in the "rewriteMaps" portion of the script; the AbortRequest action drops the connection rather than returning an error page.
Please note that this script is deliberately conservative. It does not block empty referrers, because some security software that visitors run strips all referrer information, and a referrer consisting of only a scheme and host with no path does not match the first condition either. Also, do not rely on this script as a defence against cross-site attacks such as cross-site request forgery (CSRF): any scripted client can set the Referer header to one of your own white-listed domains, so the rule stops careless spam, not a determined attacker.
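To see exactly what the rule lets through, here is an added Python model of its decision logic (example code written for this page, not IIS code and not the author's). It applies the same URL match, the same Referer regular expression and the same default-to-block map lookup to a handful of constructed requests, including the empty and spoofed referrers discussed above. The domain keys are the placeholders from the rewriteMap; the request paths and referrer values are made up for the example.

```python
"""Offline model of the IIS "unlisted referer" rule.

Added example, not code from the original page: it re-implements the rule's
decision logic so the allow-list and its edge cases can be checked before the
web.config fragment is deployed. Sample requests below are constructed.
"""
import re

# Mirrors <match url="(?:dll|idq)$" />. IIS matches the URL path case-insensitively.
URL_MATCH = re.compile(r"(?:dll|idq)$", re.IGNORECASE)

# Mirrors the first condition. Capture group 1 is what IIS exposes as {C:1}.
REFERER_HOST = re.compile(r"^https?://(.+?)/.*$", re.IGNORECASE)

# Mirrors <rewriteMap name="DomainsWhiteList" defaultValue="block">.
# Rewrite map keys are compared case-insensitively by default, hence lower().
DOMAINS_WHITE_LIST = {
    "www.orderfactory.com": "allow",
    "www.my-other-site.com": "allow",
    "www.another-good-domain.com": "allow",
}
DEFAULT_VALUE = "block"


def lookup(host):
    """Map lookup with the map's defaultValue for unlisted hosts."""
    return DOMAINS_WHITE_LIST.get(host.lower(), DEFAULT_VALUE)


def decide(path, referer):
    """Return 'abort' if the rule would fire for this request, else 'pass'.

    path:    URL path as IIS matches it, without the leading slash.
    referer: Referer header value, or None when the header is absent.
    """
    if not URL_MATCH.search(path):
        return "pass"                       # <match url> did not match
    m = REFERER_HOST.match(referer or "")
    if not m:
        return "pass"                       # condition 1 failed: empty or pathless referer
    if lookup(m.group(1)) != "block":       # condition 2: {DomainsWhiteList:{C:1}} =~ ^block$
        return "pass"
    return "abort"                          # <action type="AbortRequest" />


# Constructed sample requests: (path, Referer header).
SAMPLE_REQUESTS = [
    ("form/submit.dll", "http://www.orderfactory.com/contact.html"),   # listed host
    ("form/submit.dll", "HTTP://WWW.ORDERFACTORY.COM/contact.html"),   # case differs
    ("form/submit.dll", "http://evil.example/landing.html"),           # unlisted host
    ("form/submit.dll", None),                                         # no Referer header
    ("form/submit.dll", "http://evil.example"),                        # no path after host
    ("form/submit.dll", "http://www.orderfactory.com:8080/contact.html"),  # port in host
    ("images/logo.png", "http://evil.example/landing.html"),           # rule does not apply
]


def evaluate(samples=SAMPLE_REQUESTS):
    """Decision for each sample, in order."""
    return [decide(path, referer) for path, referer in samples]


if __name__ == "__main__":
    for (path, referer), verdict in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{verdict:5}  {path:18}  Referer: {referer}")
```

Running the file prints one verdict per sample. Two results are worth checking against a real deployment: a referrer with no path at all slips past the first condition and is passed, and a host carrying a port number (www.orderfactory.com:8080) is treated as unlisted because the map key does not include the port.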
We hope this helps. Good luck!