I’m using a self-hosted installation of PHPList to manage a newsletter.

Subscribers can be added via a POST to this URL:

https://www.[WEBSITE]/lists/?p=subscribe

It’s presently overrun by bots.

I added this to .htaccess to block this URL:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^p=subscribe$ [NC]
    RewriteRule ^ - [F]

Now, if you visit the subscription page above it will give a 403 error.

But, you can still add subscribers by using a POST to this URL.

How can I actually block folks from using this URL to subscribe?

  • zoredache@alien.topB

    Do you have any access logs on the server? Or can you enable them? Examine your logs and see what the bots are accessing, then block that?

  • zfa@alien.topB

    I know, I know ‘BuT It’s NOt seLFhOStEd!’ but I just let the pros deal with bots and front that kind of stuff with Cloudflare.

    If you’ve privacy concerns you can always have that one thing on a specific subdomain and only enable Cloudflare on that, whilst keeping the rest of your subdomains unproxied.

    Alternatively, can’t you add a captcha (again, giving up a bit of privacy)?

  • timothyclaypole@alien.topB

    This is one of the cases where there’s a real practical advantage to having a reverse proxy in front of your site/software. The proxy could be configured very easily to drop any access to that specific URL.
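Following zoredache's suggestion to examine the access logs, here is an added example (not code from the thread) that lists the POST requests the posted RewriteCond would let through, since `^p=subscribe$` only matches when the whole query string is exactly `p=subscribe`. The log lines, the `id=1` parameter and the function names are constructed assumptions; run it over your own access log to see what the bots actually send.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /lists/?p=subscribe HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /lists/?p=subscribe&id=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /lists/?p=subscribe&id=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /lists/ HTTP/1.1" 200 4800 "-" "curl/8.4.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /lists/?P=Subscribe HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

# client, method, request target and status from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Same pattern and [NC] flag as the RewriteCond in the post.
POSTED_RULE = re.compile(r'^p=subscribe$', re.IGNORECASE)


def parse(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "method": method, "path": path,
            "query": query, "status": int(status)}


def unblocked_posts(log_text, prefix="/lists/"):
    """Count POSTs under prefix whose query string the posted rule misses."""
    missed = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(prefix):
            continue
        if not POSTED_RULE.search(rec["query"]):
            missed[(rec["path"], rec["query"])] += 1
    return missed


if __name__ == "__main__":
    for (path, query), n in unblocked_posts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  POST {path}?{query}")
```

Any path and query string this reports is a request shape the 403 rule never sees, which is what a tighter rule or a reverse-proxy block needs to cover.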