User Filter - ASP and IIS5
Important Note
As of September 2005 I've switched to a databased user filter system — but this is much more involved as it does a lot more than the version described here. However, as a result it is much more difficult to create a user-friendly version for public consumption and writing the documentation would be a major undertaking alone, so I haven't gotten around to it yet. What follows after these warning notes is the old documentation.
However, an auto-generated XML file of the UserFilter database containing banned IP addresses,
UserAgents and Referrers is freely downloadable. Every time the UserFilter database is
modified this XML file is updated automatically. Feel free to incorporate this list into your own blacklist
mechanisms. If you wish to read this file via a robot make sure the robot understands HTTP 304 and submits
“HTTP_IF_MODIFIED_SINCE” and/or “HTTP_IF_NONE_MATCH” HTTP headers.
Robots that don't implement this HTTP caching mechanism may find themselves added to the UserFilter database! The
Schema for this XML file is also available (it's not the same as the old
UserFilter schema file linked to earlier).
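A poller that honours this, as an added example (not code from this site): it sends back the validators from its last successful download as If-None-Match / If-Modified-Since (the request headers ASP exposes as HTTP_IF_NONE_MATCH / HTTP_IF_MODIFIED_SINCE), treats 304 as "keep the cached list", and keeps the old list on errors. The function names, the injected transport and the sample server are assumptions constructed for illustration.

```javascript
// Added example, not the site's code. Names and sample values are constructed.

// Send back whatever validators the last successful download returned.
function conditionalHeaders(cache) {
  const headers = {};
  if (cache.etag) headers["If-None-Match"] = cache.etag;
  if (cache.lastModified) headers["If-Modified-Since"] = cache.lastModified;
  return headers;
}

// One polling round. `transport(headers)` performs the GET and returns
// { status, headers, body }; it is injected so this runs without a network.
function poll(cache, transport) {
  const res = transport(conditionalHeaders(cache));
  const h = {};
  for (const [k, v] of Object.entries(res.headers || {})) h[k.toLowerCase()] = v;
  if (res.status === 200) {
    // New copy: replace body and validators together.
    return { etag: h["etag"] || null, lastModified: h["last-modified"] || null,
             body: res.body, changed: true };
  }
  if (res.status === 304 && cache.body != null) {
    // Not modified: no body was sent, keep using the cached list.
    return { ...cache, etag: h["etag"] || cache.etag, changed: false };
  }
  // Errors or unexpected codes: keep the old list rather than emptying it.
  return { ...cache, changed: false };
}

// Constructed stand-in for the server publishing the XML file.
function sampleServer(current) {
  return (req) => {
    const inm = req["If-None-Match"];
    // If-None-Match takes precedence over If-Modified-Since when both are sent.
    const fresh = inm !== undefined ? inm === current.etag
                                    : req["If-Modified-Since"] === current.lastModified;
    const headers = { ETag: current.etag, "Last-Modified": current.lastModified };
    return fresh ? { status: 304, headers } : { status: 200, headers, body: current.body };
  };
}
```

In a real robot the transport would be an HTTP GET of the XML file, and the returned cache object would be persisted between runs so the validators survive a restart.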
Install Guide
This information is no longer supported and is available for historical purposes only. Note that certain links
will no longer function including the download link for the “userFilters.xml” file.
An XML file is still available for download (see second note above) but this is not compatible with the system
described below.
- Download the ready-built UserFilter include file for ASP [Note: Internet Explorer (IE) users should right-click and use 'Save target as' to avoid falling foul of IE's awful support for simple text files] and save it into a folder on your website, e.g. /scripts/userFilter.asp (remove the ".txt" extension).
- Download the latest UserFilter XML file and save it as "/xml/userFilters.xml".
- If you don't already have a global.asa file, a complete version of one designed for use with this filtering system is shown below. If you already have a global.asa then you will have to merge the script in the global.asa below with your own. It's all fairly straightforward stuff so you should have few, if any, problems. If your global.asa is already written in VBScript then the global.asa shown below will need modifying since it's written in JScript, but again this is not tricky to do.
- Note that function "doBlockUserFilterMatches()" takes a relative file path parameter. This relative file path is the web page to which the user will be redirected if their connection details generate a positive match in the blacklist XML file.
- WARNING: The web page used for the redirection must contain Session.Abandon(), otherwise the user will not be blocked from accessing your website for subsequent page requests. An example is shown below.
- If none of the user's connection details are in the XML blacklist, the function doBlockUserFilterMatches() will simply return with no result or action and the rest of the Session_OnStart script block will execute.
Example Global.asa
An example Global.asa (in JScript) might look like:
<script language="JScript" runat="Server">
function Application_OnStart() {
try {
// INITIALISE THE USERFILTER SYSTEM
// ================================
var strUserFilterXMLFilePath = Server.MapPath("\\xml\\userFilters.xml");
doPopulateUserFilterAppVariable(strUserFilterXMLFilePath);
}
catch (err) {
// Ignore failures at this level
}
}
function Session_OnStart() {
try {
// BLOCK ACCESS TO CERTAIN USER-AGENTS, REFERRERS, IP ADDRESSES, ETC
// =================================================================
doBlockUserFilterMatches("/errors/403.asp");
}
catch (err) {
Response.AppendToLog(Server.URLEncode("|Log:(exception)|" + err.number + "|" + err.description));
}
}
</script>
Example Blocking Message
This is an example of the web page a blocked user would see. It is the /errors/403.asp
page referenced as the only parameter in the call to doBlockUserFilterMatches() in the
Session_OnStart code in the global.asa above.
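<%
// Written in JScript: this assumes JScript is the site's default ASP language;
// otherwise add an @Language="JScript" directive as the first line of the page.
var lastUpdate = "16 JAN 2004 11:26 UTC";
// Response.Status takes the full status line: code plus reason phrase.
Response.Status = "403 Forbidden";
// Destroy the session so the next request fires Session_OnStart and is checked again.
Session.Abandon();
%>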
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<title>403 - Access Forbidden [Blocked]</title>
<meta name="robots" content="noindex, nofollow" />
<style type="text/css"> <!--
@import url(/errors/errors.css);
--></style>
</head>
<body>
<h1>403 - Access Forbidden [Blocked]</h1>
<h2>Summary</h2>
<p>
You have been prevented from viewing the page you requested because the web server has
specifically denied you access to it.
</p>
<h2>Description</h2>
<p>
You may have been prevented from viewing the requested page because your web browser
details or internet address look very similar to those of known or suspected email
address harvesters or malicious website 'crawlers'. Declining access to these 'robots'
helps protect the privacy of email addresses listed within this web site; it also
reduces the amount of junk web traffic that I have to pay for. Sometimes, however,
legitimate users are also caught out by the blocking software through no fault of
their own; in such cases a solution follows.
</p>
<h2>Remedy</h2>
<p>
<strong>Temporary Solution:</strong> Use a different web browser (to change your
browser's identification), or Internet connection (to change your IP address), or a
combination of all of these, and try again.
</p>
<p>
<strong>Permanent Solution:</strong> Follow the instructions for the temporary
solution, then contact the webmaster to request that you be allowed to view the site.
</p>
<p>Apologies for any inconvenience this may have caused.</p>
<p class="date">Page Last Updated: <%=lastUpdate%></p>
</body>
</html>
<%
Response.End();
%>
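Why the WARNING in the install guide matters, as an added model in JavaScript (not ASP and not the UserFilter code): the blacklist check runs only in Session_OnStart, so a client that keeps its session cookie is checked once per session, and the block page must destroy the session to force a re-check on the next request. The redirect is collapsed into the same request, and createServer, isBlacklisted, replay and the sample user-agent entry are hypothetical names constructed for illustration.

```javascript
// Added model of classic ASP session handling; not real ASP, not UserFilter code.
const BLOCK_PAGE = "/errors/403.asp";
const BLACKLIST_UA = ["EmailHarvester"]; // constructed sample blacklist entry

function isBlacklisted(req) {
  return BLACKLIST_UA.some((ua) => req.userAgent.includes(ua));
}

// blockPageAbandons: whether the block page calls Session.Abandon().
function createServer(blockPageAbandons) {
  const sessions = new Map();
  let nextId = 1;

  // Returns the page finally served for one request plus the session cookie.
  function handle(req) {
    let path = req.path;
    let id = req.cookie;
    if (!sessions.has(id)) {
      // No live session for this cookie: ASP creates one and fires
      // Session_OnStart, which is the only place the blacklist is consulted.
      id = "S" + nextId++;
      sessions.set(id, {});
      if (isBlacklisted(req)) path = BLOCK_PAGE; // doBlockUserFilterMatches()
    }
    if (path === BLOCK_PAGE && blockPageAbandons) {
      sessions.delete(id); // Session.Abandon(): the next request starts over
    }
    return { served: path, cookie: id };
  }
  return { handle };
}

// Replay page requests from one client that carries its session cookie.
function replay(server, userAgent, paths) {
  let cookie = null;
  return paths.map((path) => {
    const res = server.handle({ path, userAgent, cookie });
    cookie = res.cookie;
    return res.served;
  });
}
```

With `createServer(false)` a blacklisted client that keeps its cookie sees the block page once and is then served normally; with `createServer(true)` every request lands on the block page.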