1

I need to block requests from certain User Agents to our Sharepoint Environment that have been identified after going through the IIS logs.

I have tried the below by amending the urlscan.ini config file and doing and iisreset, but it doesn't block anything.

Am I entering the correct strings? I'm copying user agent string from the iis logs

http://blogs.msdn.com/rakkimk/archive/2009/06/12/urlscan-rejecting-the-request-depending-on-the-user-agent-string.aspx

  • I can answer this myself now :) The problem was the strings, taking them directly from the iis logs, they have many + signs, I removed them and hey presto. The below deny's opera, firefox and ms access [options] RuleList=DenyUserAgent [DenyUserAgent] DenyDataSection=AgentStrings ScanHeaders=User-Agent [AgentStrings] ;Browsers Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1) Gecko/20090624 Firefox/3.5 ;Applications Microsoft Office/12.0 (Windows NT 5.1; Microsoft Office Access 12.0.6320; Pro) –  Jul 15 '09 at 13:15
  • I think that this will not work in UrlScan because of the ";" sign. The semi-colon is for commenting and so the string will not be matched in full. How did you solve this? How do you escape a semicolon in Urlscan.ini? – Durden81 Aug 03 '12 at 15:17
  • If you have the answer let me know in this question that I have just added: http://stackoverflow.com/questions/11850833/specifing-string-with-semicolons-in-urlscan-ini – Durden81 Aug 07 '12 at 17:10

1 Answers1

0

You can use ISAPI_Rewrite for this task, for example:

Block spambots

RewriteEngine on

RewriteCond %{HTTP:User-Agent} (?:Alexibot|Art-Online|asterias|BackDoorbot|Black.Hole|\ BlackWidow|BlowFish|botALot|BuiltbotTough|Bullseye|BunnySlippers|Cegbfeieh|Cheesebot|\ CherryPicker|ChinaClaw|CopyRightCheck|cosmos|Crescent|Custo|DISCo|DittoSpyder|DownloadsDemon|\ eCatch|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|ExpresssWebPictures|ExtractorPro|\ EyeNetIE|FlashGet|Foobot|FrontPage|GetRight|GetWeb!|Go-Ahead-Got-It|Go!Zilla|GrabNet|Grafula|\ Harvest|hloader|HMView|httplib|HTTrack|humanlinks|ImagesStripper|ImagesSucker|IndysLibrary|\ InfonaviRobot|InterGET|Internet\sNinja|Jennybot|JetCar|JOC\sWeb\sSpider|Kenjin.Spider|Keyword.Density|\ larbin|LeechFTP|Lexibot|libWeb/clsHTTP|LinkextractorPro|LinkScan/8.1a.Unix|LinkWalker|lwp-trivial|\ Mass\sDownloader|Mata.Hari|Microsoft.URL|MIDown\stool|MIIxpc|Mister.PiX|Mister\sPiX|moget|\ Mozilla/3.Mozilla/2.01|Mozilla.NEWT|Navroad|NearSite|NetAnts|NetMechanic|NetSpider|Net\sVampire|\ NetZIP|NICErsPRO|NPbot|Octopus|Offline.Explorer|Offline\sExplorer|Offline\sNavigator|Openfind|\ Pagerabber|Papa\sFoto|pavuk|pcBrowser|Program\sShareware\s1|ProPowerbot/2.14|ProWebWalker|ProWebWalker|\ psbot/0.1|QueryN.Metasearch|ReGet|RepoMonkey|RMA|SiteSnagger|SlySearch|SmartDownload|Spankbot|spanner|\ Superbot|SuperHTTP|Surfbot|suzuran|Szukacz/1.4|tAkeOut|Teleport|Teleport\sPro|Telesoft|The.Intraformant|\ TheNomad|TightTwatbot|Titan|toCrawl/UrlDispatcher|toCrawl/UrlDispatcher|True_Robot|turingos|\ Turnitinbot/1.5|URLy.Warning|VCI|VoidEYE|WebAuto|WebBandit|WebCopier|WebEMailExtrac.|WebEnhancer|\ WebFetch|WebGo\sIS|Web.Image.Collector|Web\sImage\sCollector|WebLeacher|WebmasterWorldForumbot|\ WebReaper|WebSauger|Website\seXtractor|Website.Quester|Website\sQuester|Webster.Pro|WebStripper|\ Web\sSucker|WebWhacker|WebZip|Wget|Widow|[Ww]eb[Bb]andit|WWW-Collector-E|WWWOFFLE|\ Xaldon\sWebSpider|Xenu's|Zeus) [NC]

RewriteRule .? - [F]