Retrict access to website from spambots and strange visitors

Slightly off topic Is your website protected against SQL injections?

yes it is . but i am logging all the attempts. and i have already restricted the ips(by raised a ticket in my host provider).

Sadly i dont have the rights to use the .htaccess. Is there any alternatives.

Why do you not have the rights, And Has your host restricted all those IP's?

hi penguin

first my site is hosted in IIS and developed using Asp.net. so i can not use htaccess. and my host has banned those ips. i have requested.

It looks like you are going to be sending a lot of requests to them but do what you have to do.

Ok

Now the first level of denying access is not at all possible. atlease i can deny the bad bots (duplicating content) by writing some code in ASP.net.

Don & Penguin.
Based on your experiences please assist me to figure out some rules. so that i can implement using asp.net if possible.

if not it is going to be a painful process as don said.

ASP is beyond my scope. Maybe penguin can help you on that or start a thread in the coding section.

i think my question was not clear enough. i just wanted to figure out how to identify the attempts .
For eg
1) if the Attempts are from same ip we may ban the ip address. but the same time we should ensure that the ip is static or else in next few days the same ip can be allocated to some one. who may be real visitor. if fake ips are used then ip we are banning may affect the visits from the one who actualy assigned.

i need these kind of combinations so that i can just code based on the above rules

thank you very much don and benguin

I understand what you're asking now and the answer depends on how complete your log files are. For example, I know someone who has a web site which is just text and jpegs. No scripting is used. His log files were showing PHP scripts that were being run against his site in an attempt to compromise the site.

Does your log files show attempts such as those?

Sorry about my delay in help, Right like Don has asked does it show any kind of scripts like that?

If so please post your log file... Or send a copy to myself and DON

hi don and penguin

thank you for your help. i was sick and unable to concentrate on the site for the past few weeks.

i will send logs to both of you by PM.

I ve just decided to have a database table with all the bots and i am going to have a flag to identify it as a bad bot or known bot(gogole, yahoo, msn etc). If it is a bad bot then i am going to deny them.(i will check who is ip before adding the entry to my table.) when ever a page is requested the system will check the table if it is entered as a badbot in the table.If it is a bad bot then system will deny the access to the page.

Currenly from your suggestions and advice i am able to conclude that denying access by UserAgent is little bit difficult(due to fake user agents). so i have decided to ban by ip address as a start.

I know that some bad bots are using fake ips. will it be possible identify them?

Please give your suggestions

Banning by IP is ok but it's still a lot of work and deciding if it's a bot or just someone who left the site in 30 seconds because it was too complicated, is hard to tell, so I have another idea.

Make the site available to registered users only. Change the home.aspx page to a explanation of what the site has to offer along with a login and register box. Explain that it's necessary due to the bot problem.

I don't see any banner ads, so I don't think that you will lose any money by doing that.

hi don
but the google bot,yahoo, msn bots and other bots will not be able to crawl the site. If it is not crawled then it will not be indexed in the search engine.

since my visitors are mainly from search engines i dont want to loose them.

I tried to attach my website logs but couldnt proceed since the PM does not allow attachments and inline text has some line numbers limitations.

As far as I know the bots can still crawl the site as long as you don't use a robots.txt file. I know of a web site that only lets you view solutions to a problem if you register but if you click on the cached line in the google search results, you can view everything. That means that the google bot crawled everything

hi don
i too was surprised about a site like that one you had mentioned. but that works in a different way. it offers different page content to visitors and bots like google(so far to my knowledge, it may different in actual). i am not sure all bots will allow this now and in future.

second problem is if i am asking for a visitor to log on or(keep logged in using a cookie). some visitors will not like to login to see the content. and my site is not upto that level i have only few pages(<100).

I already have a user management module with register, change password, Role Based authorization. etc (ofcourse i need to improve little bit on this).At this point of time i would like to present the content to the visitors in one click away from search engines.

But i realy like your suggestion as it completely fit my requirements which i requested earlier.