Restricting Access

Check http referrer

Cookies preserve the referral code (?r=BITCOINADDRESS) so that when visitors reach the faucet it will also pay the referral commission. The php snippets check that the http referrer is as it should be.

  • Step 1 is / – no checks here, cookie monster puts the ref header in if there is one: <a href="[r]">step 1</a>.
  • Sends the user to
  • send the user on to
  • Step 2 where we check that the http referrer is actually using [xyz-ips snippet="http-referrer"] – if not then it sends them back to / and if it is you get the page to find the password and a link <a href="[r]">Go to Faucet</a> which again forwards the referral code to
  • Step 3 which contains the faucet. Here we use [xyz-ips snippet="http-referrer-2"] to check that the user came from a roflfaucet page. It doesn’t matter which one because we check in the logs to make sure they really did visit step-2, which they cannot visit without first visiting step-1 and then doing the bit.
[xyz-ips snippet="http-referrer"]
if (preg_match('/\/coin\.(mg)\/roflfaucet/', $_SERVER['HTTP_REFERER'] ?? '')) {
    // referrer is as expected: nothing happens
} else {
    header("Location: /");
    exit;
}
[xyz-ips snippet="http-referrer-2"]
if (preg_match('/\/roflfaucet\.(com)/', $_SERVER['HTTP_REFERER'] ?? '')) {
    // referrer is as expected: nothing happens
} else {
    header("Location: /");
    exit;
}

If anyone shows in the logs as having visited step-2 or step-3 without first doing the bit then we know they are cheating and can act.

This can still be spoofed, but it would require you to forge a different http referrer for pages 2 and 3. Browser plug-ins won’t do this; they only have one setting for the domain. You could write a script, no doubt. There’s always a way; we just need to make it not worthwhile.
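
The log check described above can be scripted instead of read by eye. This is an added example, not the site's own code; the step paths (/step-2/, /step-3/), the combined log format and the sample lines are assumptions.

```php
<?php
// Added example: report visitors who were served a later step of the claim
// flow without the step before it. Paths below are assumed, not the real ones.

/** Return [ip => [notes]] for each out-of-order step request in $lines. */
function find_step_skippers(array $lines): array
{
    $steps   = ['/' => 1, '/step-2/' => 2, '/step-3/' => 3]; // assumed paths
    $reached = [];  // ip => highest step reached in the proper order
    $flagged = [];
    foreach ($lines as $line) {
        // Combined log format: ip - - [time] "GET target HTTP/x" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $target, $status] = $m;
        $path = (string) parse_url($target, PHP_URL_PATH); // drops ?r=...
        $step = $steps[$path] ?? 0;
        if ($step === 0 || $status !== '200') {
            continue; // not a step page, or the referrer snippet bounced them
        }
        $have = $reached[$ip] ?? 0;
        if ($step > $have + 1) {
            $flagged[$ip][] = "$time step $step served after step $have";
        } else {
            $reached[$ip] = max($have, $step);
        }
    }
    return $flagged;
}

// Constructed log lines using documentation-range addresses.
$sample = [
    '198.51.100.7 - - [10/Jul/2017:20:40:01 +0000] "GET /?r=ADDR HTTP/1.1" 200 5120 "-" "UA"',
    '198.51.100.7 - - [10/Jul/2017:20:41:30 +0000] "GET /step-2/?r=ADDR HTTP/1.1" 200 4312 "https://coin.mg/roflfaucet/" "UA"',
    '198.51.100.7 - - [10/Jul/2017:20:44:09 +0000] "GET /step-3/?r=ADDR HTTP/1.1" 200 6200 "https://roflfaucet.com/step-2/" "UA"',
    '203.0.113.9 - - [10/Jul/2017:20:45:00 +0000] "GET /step-3/ HTTP/1.1" 200 6200 "https://roflfaucet.com/" "UA"',
    '192.0.2.44 - - [10/Jul/2017:20:46:10 +0000] "GET /step-2/ HTTP/1.1" 302 0 "-" "UA"',
];
print_r(find_step_skippers($sample));
```

Visitors are keyed by IP address only, so several users behind one address share a history; a request that was redirected (302) is not counted as a visit.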

Preserve Reflink (cookie)

Cookie Monster plug-in will preserve the reflink and is easy to set up. 

We set the url parameter as ‘r’ (?r=) and it will grab and store any string that = r. Set the duration to 0 so it doesn’t persist over sessions. Put ?r=[r] in any outgoing url to include the reflink in it.

Firewall monitoring.

Use wordfence firewall plug-in to monitor logs or real-time visitor activity. Here’s an example of how you can narrow it down to e.g. one IP address and see what pages are visited:

Kropyvnytskyi, Ukraine arrived from and visited 8:44:09 PM (2 hours 8 mins ago) IP: [block] Hostname:

Browser: Chrome version 59.0 running on Win7

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Keeping previous stuff for reference below.

Preserve Reflink

Keep a referral link from any referring site, in the format starting ?r=

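if ( !empty($_GET["r"]) ) {
    // the faucet URL is blank on this page; FAUCET_URL is a placeholder
    $gotourl = 'FAUCET_URL?r=' . urlencode($_GET["r"]);
}
else { $gotourl = ''; }
echo '<a href="'.htmlspecialchars($gotourl, ENT_QUOTES).'">Proceed to the faucet</a>';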

Got problems with snippet 1 below. I think the solution is a regex to match http(s)://domain.ext/whateverwewanthere/ and the solution is in this next ‘matching a url bit’ if I can ever get my head around regex…


/^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$/


This regex is almost like taking the ending part of the above regex, slapping it between “http://” and some file structure at the end. It sounds a lot simpler than it really is. To start off, we search for the beginning of the line with the caret.

The first capturing group is all optional. It allows the URL to begin with “http://”, “https://”, or neither of them. I have a question mark after the s to allow URLs that have http or https. In order to make this entire group optional, I just added a question mark to the end of it.

Next is the domain name: one or more numbers, letters, dots, or hyphens followed by another dot then two to six letters or dots. The following section is the optional files and directories. Inside the group, we want to match any number of forward slashes, letters, numbers, underscores, spaces, dots, or hyphens. Then we say that this group can be matched as many times as we want. Pretty much this allows multiple directories to be matched along with a file at the end. I have used the star instead of the question mark because the star says zero or more, not zero or one. If a question mark was to be used there, only one file/directory would be able to be matched.

Then a trailing slash is matched, but it can be optional. Finally we end with the end of the line.

String that matches:
String that doesn’t match:!.html (contains an exclamation point)

– what we need is a lot simpler than the above, but it’s a start.
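
A simpler check than the general URL regex, as an added example that is not the site's own snippet: parse the referrer and compare the whole host, because the unanchored patterns in the snippets above match anywhere in the string. The function name referrer_is, the acceptance of a www. prefix and the sample referrers are assumptions.

```php
<?php
// Added example: accept a Referer only when its host (and optional path
// prefix) is exactly the expected one. Names here are hypothetical.

function referrer_is(string $referrer, string $host, string $pathPrefix = '/'): bool
{
    $parts = parse_url($referrer);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false; // empty, relative or malformed Referer
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $seen = strtolower($parts['host']);
    if ($seen !== $host && $seen !== "www.$host") { // www. accepted by assumption
        return false; // whole host must match, not a substring of the URL
    }
    $path = $parts['path'] ?? '/';
    return strncmp($path, $pathPrefix, strlen($pathPrefix)) === 0;
}

// The same rule for the step-3 check, written as one anchored pattern.
const STEP3_PATTERN = '#^https?://(www\.)?roflfaucet\.com(/|$)#i';

// Constructed referrers: [referrer, expected host, path prefix, expected result].
$cases = [
    ['https://coin.mg/roflfaucet/',           'coin.mg',        '/roflfaucet', true],
    ['http://www.roflfaucet.com/step-2/?r=X', 'roflfaucet.com', '/',           true],
    ['',                                      'roflfaucet.com', '/',           false],
    ['https://other.example/roflfaucet.com/', 'roflfaucet.com', '/',           false],
];
foreach ($cases as [$ref, $host, $prefix, $want]) {
    $got = referrer_is($ref, $host, $prefix);
    printf("%-40s %-5s %s\n", $ref === '' ? '(empty)' : $ref,
        $got ? 'allow' : 'deny', $got === $want ? 'ok' : 'UNEXPECTED');
}
// The anchored pattern rejects a URL that merely contains the domain in its path.
var_dump(preg_match(STEP3_PATTERN, 'https://other.example/roflfaucet.com/'));

// In a snippet: if (!referrer_is($_SERVER['HTTP_REFERER'] ?? '', 'roflfaucet.com')) {
//     header('Location: /'); exit; }
```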

Using the faucetinabox script within wordpress via plug-in to save using iframe etc. The main difficulty is to make sure people cannot go straight to the faucet page and bypass the wordpress part which is where the anti-bot video with password is.

  • The aim here is to make sure nobody can claim from the faucet without going from the main page, onto the password-protected WP claim page with the faucet plug-in
  • Also optionally to restrict access to index to rainpool only

Some ideas for working on:




Snippet 1

Found on stack overflow:

<?php
// This is to check if the request is coming from a specific URL
$ref = $_SERVER['HTTP_REFERER'];

if($ref !== '') {
  die("Hotlinking not permitted");
}

echo "Executing code here";
?>

could some how be adapted for:

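$thereferer = strtolower($_SERVER['HTTP_REFERER'] ?? '');
// the two domain strings to look for are blank on this page
if (strpos($thereferer, "") !== false) {
    header("Location: index.php?r=" . urlencode($_GET["r"] ?? ''));
} elseif (strpos($thereferer, "") !== false) {
    // allowed referrer: stay on this page
} else {
    header("Location: welcome.php");
}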
and otherwise adapted for other sites, including going through a link shortener. When this is done, we may need to preserve the reflink address from the http header as well, like this:

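if ( !empty($_GET["r"]) ) {
    // the faucet URL is blank on this page; FAUCET_URL is a placeholder
    $gotourl = 'FAUCET_URL?r=' . urlencode($_GET["r"]);
}
else { $gotourl = ''; }
echo '<a href="'.htmlspecialchars($gotourl, ENT_QUOTES).'">Click to visit the faucet</a>';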

Which obviously makes snippet a harder, hence the regex stuff… gah!

Previous attempt below

I tried this in .htaccess –

RewriteEngine on

# allow public pages
RewriteRule ^forbidden.html$ - [L]
RewriteRule ^public1.html$ - [L]
RewriteRule ^public2.html$ - [L]

# serve everyone from rainpool only
RewriteCond %{HTTP_REFERER} ^https?://
RewriteRule ^ - [L]
# allow localhost access (duh!)
RewriteCond %{HTTP_REFERER} ^https?://
RewriteRule ^ - [L]
# allow adbit (notice how great a-ads is -they had no problem with this)
# allow from -also can't find out if this works cos adbit is so fussy - unable to test. Solution dump adbit and promote what does work instead.

# everybody else receives a forbidden (but WP behaves differently, giving a WP error page)
RewriteRule ^ - [F]

ErrorDocument 404 /not_found.html

… which kinda works but is far from scumbag-proof. It could just do 303 but who knows, seeing a 404 that was not found thus 303 might help obscurity a bit more.

block access using htaccess

This all belongs in satoshihost or clickforafrica really.