Banning website visitors by browser or OS

Here's a question for all of the Toytown Techies out there ...

I've had my share of spam, image stealers and flooders on my website, but it's never been a problem until now. I always banned pesky visitors via their IP in the .htaccess file. Even when the users have a dynamic IP address is hasn't been a problem - I ban the whole IP range for a certain provider.

Well, recently I've had a particularly pesky spammer/flooder who obviously uses some type of anonymity program to mask his IP and use different IPs from around the world. (China, Taiwan, Korea, India, Brazil, Netherlands, you name it!) I'm getting more than 20 hits per day from this person, but there's not much I can do.

My question - is it possible to ban him via browser type? Or, even better, by a unique ID combination including browser type (and version) and operation system together? Is it possible to do this in the .htaccess file or is there a better way?

The info I have is that he uses Internet Explorer 5.5, and the User Agent shows up as being: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)

Thanks for you help!

I hope you are not kidding.

If you are serious, then of course there are lots of things you could do. You might help by providing the web server and OS that you are using. If you have or don't have a firewall (that you control) would also be useful.
What type of system this is would help in order to know what the options for you would be. If you're running a web server at home that's different from a hosted site, and with a hosted site it will matter if you have shell access, if you have your own firewall control, and what types of modules/programs/scripts you can run on your "server".

If you think that 20 hits per day is "pesky" then I presume that you're running a low end server.

BTW: Banning entire IP ranges is a naive answer to this type of problem unless you explicitly want to exclude "innocent" people from getting to your website.

Anyway, post more information about the environment and limitations we have to work with and we can help out.

Whay don't you just get a program to query the Spamhaus Public Proxy's list, or one of the many other proxy list/blocking services..

You must be running a seriously small server if you are worried about 20 hits from someone.

How do you know its from the same person?
Are you sure you have not become part of a botnet?
What ports are the attacks coming in on?
You may find this site useful?

Okay, I am dead serious. This is a private website, not listed on any of the main search sites and I have a very strict .htaccess file to block bots (I haven't had any bots visit now for several months.) I personally know all of my visitors, and just to put things straight, I'm not running my own server.

This creep just keeps trying to post a load of crap (I've since disabled the comments fields) and his/her visits have increased to at least 50 times a day. For a personal website that's a bit over the top. Each time with a different IP address (sometimes twice with the same IP) ... always the same identification: Internet Explorer 5.5, User Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT). It's always the exact same page aswell.

So, I just want to deter this person for a while ... by possibly blocking him/her via browser type. I know it's naiive, but I'm not running a business and none of my other users have ever used Internet Explorer 5.5 ... they all know better than that (Mozilla Firefox, Apple Safari etc.)

So how can I do it? Fire away!

Yes it is naive, but I'm happy to exclude innocent people ... I know my visitors!

You could set a username/password in the htaccess file, and tell them the people who you want to give access to.

nope, simple users ... grandmas, for example, hardly know how to double click let alone put in a password. I don't want to password the site for their sake.

I just want to know if it is technically possible to block users by browser or some other identifier in the .htaccess file. That's my question!

Edina, no. First of all because browser ids can be faked easily. The canonical way is to use passwords.

Well as everyone has been saying, certainly NOT the right thing to be doing - for so many reasons.

But to answer your question, yes, it's possible,

Something like this in your .htaccess should work (if mod_rewrite is loaded).

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} AgentString
RewriteRule ^(.*)$ http://www.leavemealone.com/

At least, it will work until they spoof their user agent string or use a different browser.

why not change the name of the file? Then that guy gets a 404.

Honestly, if it's a person who's that persistent, then they'll just switch browsers as soon as they can't get in with IE 5.5.

Then Grandma would get a 404 as well.

As you say you know all your visitors, how about working out their possible IP ranges and ONLY allowing them?

Assuming of course that their IP ranges do not overlap with the ranges your dude can use.

well she'd change the filename in the navigation too of course. The person trying to spam her must certainly have a bookmark. But my own argument of this fella's persistence means that he'd also go through the navigation to get there.

I actually have a job teaching Grandmas how to use computers, and they can do usernames and passwords faster than they can install Firefox. I'd really go with the password solution here.

Okay, thanks everyone. I'm not a computer whiz ... but I'm getting there ;-)

I would go with Toms suggestion and find out the IP's of the people you want to allow access to and just grant that. You could grant the whole B class IP range of the people you want, it would still be quite unlikely the the guy ou want to ban would be able to get an adress in this range, and also unlikely that your friends will get rejected due to dynamic ips.