Neil Turner's Blog

Blogging about technology and randomness since 2002

Thou shalt require a referer

While I haven’t had any comment spam lately (must be lucky…), I have implemented another technical fix. To post a comment, your browser now needs to send a referer. As far as I can tell, most of the robots (including FloodMT) that are used for spamming don’t send referers, so this should filter them out. Legitimate commenters with referers turned off will receive a polite message asking them to turn on referers.

To implement this on your own site, create (or modify) a .htaccess file in your MT folder, and add these lines:

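<Files mt-comments.cgi>
    # Requests to the comment script with an empty or missing Referer
    # header are sent to the explanation page instead.
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^$
    RewriteRule .* /norefer.shtml [L]
</Files>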

This seems to work okay as far as I can tell. You’ll need to modify ‘mt-comments.cgi’ to point to your MT commenting script if you have renamed it, and will need to modify ‘/norefer.shtml’ to point to the path of a file that explains the error.

Update: I’ve taken it off. It seems to throw errors when commenting using TypeKey. Bah.
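What the rule above does to four kinds of comment request, as an added example that is not part of the original post: a Python model of the RewriteCond, run over constructed requests. The host blog.example, the /mt/ path and the sample headers are assumptions.

```python
import re

# Values taken from the .htaccess rule in the post.
PROTECTED_FILE = "mt-comments.cgi"
ERROR_PAGE = "/norefer.shtml"
EMPTY_REFERER = re.compile(r"^$")  # RewriteCond %{HTTP_REFERER} ^$

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def served_path(raw):
    """Return the path served after the rule has been applied."""
    _method, path, headers = parse_request(raw)
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if filename != PROTECTED_FILE:  # <Files> limits the rule to one script
        return path
    # mod_rewrite expands %{HTTP_REFERER} to "" when the header is absent.
    if EMPTY_REFERER.search(headers.get("referer", "")):
        return ERROR_PAGE
    return path

# Assumed host and install path; not taken from the post.
HEAD = "POST /mt/mt-comments.cgi HTTP/1.1\nHost: blog.example\n"
REFERER = "Referer: http://blog.example/archives/post.html\n"
# Constructed sample traffic: (description, is_spam, raw request head).
SAMPLES = [
    ("browser, referer sent", False, HEAD + REFERER),
    ("browser, referer stripped by proxy", False, HEAD),
    ("robot, no referer", True, HEAD),
    ("robot, referer header filled in", True, HEAD + REFERER),
]

def evaluate(samples=SAMPLES):
    """Tally blocked/allowed against spam/legitimate for the samples."""
    counts = {"spam_blocked": 0, "spam_allowed": 0,
              "legit_blocked": 0, "legit_allowed": 0}
    for _desc, is_spam, raw in samples:
        verdict = "blocked" if served_path(raw) == ERROR_PAGE else "allowed"
        counts[("spam_" if is_spam else "legit_") + verdict] += 1
    return counts

if __name__ == "__main__":
    print(evaluate())
```

The rule decides on the presence of the header alone, so each request with a referer passes and each request without one is sent to the error page, whoever sent it.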

2 Comments

  1. Ah, good, you already turned it off. The only reason the spammers don’t send a referrer is because they haven’t been required to send one. One extra line of code for them, and then all you are doing is ensuring that Mark Pilgrim (and the thousands of other people running things that strip referrers) will never leave you a comment.

  2. Yes – it does just cause problems for those of us who choose send referer details. But the theory does still hold weight.
    It’s like when I chose to require you to have Mozilla in your user agent. It worked most of the time, but occasionally it all fell apart – and it’s quite obvious the spam-spiders are getting cleverer.