NGINX, how to block a fake referral?

Hi, I discovered yesterday that someone has pointed his DNS A record to my site:

This is my valid domain name IP address

$ dig telcosol.net +short A

45.79.186.85

This is the fake one with the same IP address (by mistake or some other reason??…)

$ dig julietmail.com +short A

45.79.186.85

For some reason that domain name record points to my site IP address.

I want to block any access referred by julietmail.com.

I get this kind of message in my log:

190.17.96.110 - - [02/Nov/2017:09:36:33 +0000] "GET /images/banner.jpg HTTP/1.1" 304 0 "http://julietmail.com/"

I tried to fix this by adding this line to my default nginx file but it didn't work:

server_name www.telcosol.net;

Any suggestions?

Thanks

5 Replies

I think once you find out why your vhost is replying to requests for http://julietmail.com/ that will fix the problem.

It should not matter if some rogue domain points to your IP address, services like HTTP/HTTPS should block such requests due to SNI (host not matching a virtualhosted domain), spam using the rogue domain will be blocked due to strict SPF/DKIM/DMARC rules and your own email server won't accept the rogue domain.

The request you posted above shows that your web server is actually replying (HTTP 304 Not Modified) and not rejecting the request, so that would be your own mistake.

If you are only worried about the referral appearing in your logs, then that is not a real issue but can be avoided with a few regex rules. I use Apache so I'm not sure how to do this in nginx.

Thanks for your comments.

Found this link with useful information related to my issue: https://stackoverflow.com/questions/9824328/why-is-nginx-responding-to-any-domain-name

I've solved the issue by redirecting the default website to a 404 and enabling my site in the vhost section. Now a 404 is given to that rogue access.

Regards

I read the above link to stackoverflow and I found one mistake.

In the accepted answer, the error code mentioned is 404, which means "not found but may be available in the future" and that is incorrect since the fake domain will never be answered, thus the client needs to know this is a permanent and fatal error, not just a not found error.

I recommend returning error 400 Bad Request, which means that the server will not process the request due to a client error, which is indeed correct when the client-supplied SNI host is invalid.

Configure a vhost for those domains to redirect to your main sites -> free traffic
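
The fix discussed in this thread (a catch-all default server that rejects unknown hosts, with the real site in its own server block), written out as an added nginx example; it is not configuration posted by anyone in the thread. The document root, the HTTPS catch-all and the Referer rule are assumptions for illustration.

```nginx
# Added example, not from the thread. Paths are placeholders.

# Why "server_name www.telcosol.net;" alone did not help: when no server_name
# matches the Host header, nginx falls back to the default server for that
# listen socket, which is the first server block unless default_server is set.
# With only one server block, every hostname lands on it.

# Catch-all: handles any request whose Host header matches no server_name below.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;            # never matches a real name; conventional placeholder
    access_log off;           # optional: keep rogue-host noise out of the main log
    return 400;               # status suggested in the thread; the poster used 404,
                              # and 444 makes nginx close the connection silently
}

# Optional HTTPS catch-all (assumption: nginx 1.19.4 or newer).
# Rejects the TLS handshake when the SNI name matches no configured server.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# The real site: only requests naming these hosts are served.
server {
    listen 80;
    listen [::]:80;
    server_name telcosol.net www.telcosol.net;
    root /var/www/telcosol;   # placeholder path

    # Optional Referer rule for the hotlink case seen in the log line above.
    # Referer is client-controlled, so treat this as log hygiene, not access control.
    location /images/ {
        if ($http_referer ~* "^https?://(www\.)?julietmail\.com(/|$)") {
            return 403;
        }
    }
}
```

After reloading, `curl -H "Host: julietmail.com" http://45.79.186.85/` should return the catch-all status while the same request with `Host: telcosol.net` is served normally.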
