<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Beyond Abstraction &#187; Web</title>
	<atom:link href="http://beyondabstraction.net/category/web/feed/" rel="self" type="application/rss+xml" />
	<link>http://beyondabstraction.net</link>
	<description>Meanderings and Such...</description>
	<lastBuildDate>Wed, 28 Mar 2012 18:39:32 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Social Networking vs. Social Matrices</title>
		<link>http://beyondabstraction.net/2009/04/27/social-matrices/</link>
		<comments>http://beyondabstraction.net/2009/04/27/social-matrices/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 01:13:16 +0000</pubDate>
		<dc:creator>spencer</dc:creator>
				<category><![CDATA[Randomness]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://beyondabstraction.net/?p=330</guid>
		<description><![CDATA[In a social networking site that is truly extensible and robust we wouldn&#8217;t feel the urge to move on. Restarting on a shiny new site or culling or pruning your &#8220;friends&#8221; on an existing site wouldn&#8217;t be necessary. But we have been misled. Social networking doesn&#8217;t have to be all or nothing. We shouldn&#8217;t feel &#8230; </p><p><a class="more-link block-button" href="http://beyondabstraction.net/2009/04/27/social-matrices/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p>In a social networking site that is truly extensible and robust we wouldn&#8217;t feel the urge to move on.  Restarting on a shiny new site or culling or pruning your &#8220;friends&#8221; on an existing site wouldn&#8217;t be necessary. But we have been misled.  Social networking doesn&#8217;t have to be all or nothing.  We shouldn&#8217;t feel constricted in how we express ourselves on a given site.  And to exacerbate the issue, some of us are misleadingly tied to our online social networks.  For example, some people feel obligated to update their profiles constantly or to accept friendship/relationship requests (regardless of their relationship to the requester), particularly those that rely on the Internet to construct their professional persona <a href="#id_0">[0]</a>.  The bottom line: these social networking sites <a href="#id_1">[1]</a><a href="#id_2">[2]</a> continue to fail us as a society.  </p>
<p>Why do so many exist? Why do so many fall by the wayside as we progress?  Why does each and every attempt at social networking eventually fall to its successor? </p>
<p>The answer to the first question is simple &#8211; new social networking sites crop up because of need or because of fad.  No one site has all the required features for its user base.  Why do social networking sites fail as time progresses? Well, some would argue the maturity level of the user base has changed.  Or, more often these days, perhaps the site&#8217;s interface is more Web 2.0 friendly, and everyone wants to be on the Web 2.0 bandwagon.  Your friends jump ship, you jump ship.  Finally, the user&#8217;s social network constructed on the site changes.  As you mature, you leave one social network for a new social network.  For example, the mass migration from Friendster to MySpace and now to facebook.  Still others would argue the usage of the site is tied to user interface: this argument being that facebook is more &#8220;mature&#8221; than MySpace.  The end result of this interface maturity is the same as others.  Some people leave, others follow.  Some even suggest a class bias between the sites, thus alluding to the fact that as one&#8217;s class changes, so does their social network (and thus the social networking site to which they should belong)<a href="#id_3">[3]</a>.  Finally, perhaps we are merely sheep, following one another from one social network to another.  </p>
<p>Regardless of the specifics, the users of these sites inevitably leave, thus forsaking their previously well-developed social network on MySpace for a new social network they must construct on facebook.  And this is doubtfully an isolated incident &#8211; as soon as facebook&#8217;s yet-unheard-of young competitor, social.blah.org.net.com.dontcare, appears on the scene, another mass migration will occur.  Or perhaps the reason for this migration is the users of these sites are leaving to shed &#8211; shed previous acquaintances, previous friendships, previous lifestyles.    </p>
<p>This mass migration from social network to social network is merely a side effect.  It is tied to the way those websites create implicit relationships.  They ask, &#8220;Did you know this person?&#8221; while forgetting to ask, &#8220;How would you like to know this person NOW?&#8221;  Life experiences previously allowed us to prune our network based on lifestyle changes. You grow, you change, your relationships change, perhaps you even shed relationships &#8211; that is the natural evolution. </p>
<p>Current social networks inhibit this natural pruning and the evolution of real-life social networks<a href="#id_4">[4]</a>.  This is no longer the case with the rise of facebook and MySpace. But perhaps you don&#8217;t want to &#8220;shed.&#8221; Perhaps you like your old friends, but not in &#8220;that way.&#8221;  Perhaps you would like tighter control of how your information is sent to your social networks, or more specifically, how your &#8220;social flows&#8221; are constructed.  While such pruning of social networks has been proposed<a href="#id_5">[5]</a>, it is not effective in that it is not driven by you, but by simple inferences about the populace as a whole. And besides, who says you actually want to &#8220;prune?&#8221;  Perhaps you&#8217;re just lacking fine-grained control.</p>
<p>Only you can define how you want your social flows to actually work in the present, and in the future.  Or rather, you should be able to define your social information flows and the social networking site should support you in doing so.  And eventually your social networking site should create these flows for you, based on your existing flows.  You shouldn&#8217;t have to rely on some coarse-grained all-or-nothing approach.  Such is the case with current social network sites.  </p>
<p>You add a friend, you remove a friend.  That is all you can do.  They can read everything, they can write to everyone. Coarse-grained filters aside, they are similar to you in that they lack controls over what information flows to whom, or more precisely, how they socialize in general.  You are in or you are out.  There is no in-between on current social networking sites. There are filtering tools in facebook<a href="#id_5">[5]</a>, but for the most part they are coarse-grained with respect to the filtering of content, not quite capable of expressing how your information is shown to your social network.</p>
<p>In addition to the coarse-grained nature of social information flows, there is the problem of duplicated information being presented, cluttering the consumable information on individual sites <a href="#id_6">[6]</a>.  This often results from people wanting to share information with multiple social networks, a side effect of wanting to maintain multiple online personas.   Some people create multiple personas to communicate with multiple distinct social groups online. For example, my Twitter network and my facebook network are distinct.  Yet at the same time, most of the information I&#8217;m posting makes it to both networks.  Thus, people following me on Twitter and facebook must consume the information twice, once on Twitter, once on facebook.  </p>
<p>To reiterate, social networking sites currently provide coarse-grained control over who sees what parts of your profile <a href="#id_7">[7]</a>.  They aren&#8217;t totally living in the dark ages.  The downside to the current approach is still the fact that it remains all or nothing.  There exists no middle ground in which you can control which information flows to which person.  Sure you can set up groups, but who wants to go through all of that work?</p>
<p>A novel proposal is in the works.  One that allows you true flexibility in constructing your online social network.  One that doesn&#8217;t represent an all-or-nothing approach to social networks.  One that doesn&#8217;t leave you questioning your own social network members and how they interact with you.  Instead of a wide-open network that exchanges all information to all people, you will be able to create your own network and define how the information flows between the people or groups in your social network.  Finally, you will be able to define your own social matrix, and you will be able to evolve your social matrix as your life changes.  You won&#8217;t have to shed or prune friends <a href="#id_8">[8]</a>.  This network will be able to learn or make inferences about your socialization style. And it will eventually learn how you socialize based on numerous aspects of your life. </p>
<p>Thanks to Vitak, Brandon, Josh, and Justin, for the inspiration for this post.  Oh, and IPAs.  </p>
<p>[0] <a href="http://beyondabstraction.net/about" id="id_0">About Spencer</a><br />
[1] <a href="http://facebook.com" id="id_1">Facebook</a><br />
[2] <a href="http://myspace.com" id="id_2">MySpace</a><br />
[3] <a href="http://www.danah.org/papers/essays/ClassDivisions.html" id="id_3">Viewing American class divisions through Facebook and MySpace</a><br />
[4] <a href="http://www.wired.com/techbiz/people/magazine/16-11/pl_brown" id="id_4">Scott Brown on Facebook Friendonomics</a><br />
[5] <a href="http://www.allfacebook.com/2009/03/facebook-feed-filters/" id="id_5">The Future Of Facebook&#8217;s Feed Is Granular Filters</a><br />
[6] <a href="http://www.andydesoto.com/social-media/social-network-pruning-heuristic-2-eliminate-cross-posters/" id="id_6">Eliminating Cross Posting in Social Networks</a><br />
[7] <a href="http://www.allfacebook.com/2009/02/facebook-privacy/" id="id_7">10 Privacy Settings Every Facebook User Should Know</a><br />
[8] <a href="http://www.cs.georgetown.edu/~singh/papers/ICDM-2005.pdf" id="id_8">Pruning Social Networks Using Structural Properties and Descriptive Attributes</a></p>
]]></content:encoded>
			<wfw:commentRss>http://beyondabstraction.net/2009/04/27/social-matrices/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Deleting All Messages in Exchange OWA</title>
		<link>http://beyondabstraction.net/2008/10/02/deleting-all-messages-in-exchange-owa/</link>
		<comments>http://beyondabstraction.net/2008/10/02/deleting-all-messages-in-exchange-owa/#comments</comments>
		<pubDate>Thu, 02 Oct 2008 15:05:45 +0000</pubDate>
		<dc:creator>spencer</dc:creator>
				<category><![CDATA[apple]]></category>
		<category><![CDATA[Computers]]></category>
		<category><![CDATA[leopard]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[osx]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://beyondabstraction.net/?p=119</guid>
		<description><![CDATA[Ran into a problem with Exchange. I created a server-side rule to place spam messages in a folder that didn&#8217;t exist. All spam was instead going to the root folder, the folder above my inbox. Well if you use Entourage to access Exchange you will not be able to access this folder. If you go &#8230; </p><p><a class="more-link block-button" href="http://beyondabstraction.net/2008/10/02/deleting-all-messages-in-exchange-owa/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p>Ran into a problem with Exchange.  I created a server-side rule to place spam messages in a folder that didn&#8217;t exist.  All spam was instead going to the root folder, the folder above my inbox.  Well if you use Entourage to access Exchange you will not be able to access this folder.  If you go into Outlook Web Access (OWA) you can navigate to the root user folder by clicking on &#8220;Folders&#8221;.  </p>
<p>Unfortunately by this point I had like thousands and thousands of messages.  There is no &#8220;Delete All&#8221; option in OWA.  Craptacular.  So moving on I mounted the server via WebDAV in Finder (cmd+k).  The URL to mount will look something like:<br />
<code>http://exchange.servername.com/exchange/username</code></p>
<p>If this folder is large navigating to it in Finder will be a horrific experience.  Open Terminal.app and navigate to the mountpoint.</p>
<p><code>~/> cd /Volumes/username</code></p>
<p>Once again, if the folder is large <code>rm *.EML</code> will not work as the wildcard expansion done by bash will exceed the length of the command-line itself (32K by default IIRC).  Try this:</p>
<p><code><br />
/Volumes/username> SRC=./*.EML<br />
/Volumes/username> for i in $SRC; do rm "$i"; done<br />
</code></p>
<p>This will clean up most, if not all, of the mess.  Some files will not be removed due to escape characters and escaped escaped characters etc.  Open the folder in Finder and delete the rest.  There are def. more elegant ways to handle this from a scripting standpoint but this was quick and worked.  </p>
]]></content:encoded>
			<wfw:commentRss>http://beyondabstraction.net/2008/10/02/deleting-all-messages-in-exchange-owa/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Upgraded WordPress (again)</title>
		<link>http://beyondabstraction.net/2008/04/12/upgraded-wordpress-again/</link>
		<comments>http://beyondabstraction.net/2008/04/12/upgraded-wordpress-again/#comments</comments>
		<pubDate>Sat, 12 Apr 2008 15:38:20 +0000</pubDate>
		<dc:creator>spencer</dc:creator>
				<category><![CDATA[Software]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[blog]]></category>
		<category><![CDATA[wordpress]]></category>

		<guid isPermaLink="false">http://beyondabstraction.net/?p=116</guid>
		<description><![CDATA[Just finished updating WordPress to 2.5 from 2.3.3. Ran into a few problems. Normally I diff the old version of WP to the new version and just apply the generated patch to my &#8220;custom&#8221; install. Somewhere along the line I must have deleted extraneous files like license.txt because the patch failed to apply because some &#8230; </p><p><a class="more-link block-button" href="http://beyondabstraction.net/2008/04/12/upgraded-wordpress-again/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p>Just finished updating WordPress to 2.5 from 2.3.3.  Ran into a few problems.  Normally I diff the old version of WP to the new version and just apply the generated patch to my &#8220;custom&#8221; install.  Somewhere along the line I must have deleted extraneous files like license.txt because the patch failed to apply because some files listed in the diff didn&#8217;t exist in the directory I was applying it to&#8230; this is the first time this method of non-destructively updating WordPress had failed me.  I could have edited the patch by hand but it was 100K lines so I wasn&#8217;t particularly interested in this method.</p>
<p>So I finally ended up actually following the upgrade instructions, deleted wp-admin and wp-includes, and copied all the files from 2.5 into my existing install.  The database update took about 1 second to complete.  The upgrade was technically complete at this point but of course it wreaked havoc with my theme.  </p>
<p>One thing about the WordPress theme architecture is that if a failure occurs in a custom theme it kinda falls back to the default theme, this is due to CSS I guess.  Problems with a theme, like my Binary Blue bastardization, also show up in the strangest ways.  </p>
<p>For example, my last.fm plugin&#8217;s cache directory got blown away.  The plugin could no longer find the image cache and was throwing a (fatal?) error to Apache&#8217;s logs.  The site was being styled by what looked like a combination of the default classic and my own customized Binary Blue theme.  What I do to fix this is an utter hack, I move the default theme out of the way and symlink the directory of my theme to wp-content/themes/default.  Then when things go wrong it is still pulling from my theme.  Then I go back and fix the actual problem.  </p>
<p>The upgrade is complete.  It took me about 30 minutes to migrate total.  But I am more concerned about &#8220;corner cases&#8221; this time since my traditional method of just merging in the diff between releases failed.  I also haven&#8217;t stress tested all of the widgets and plugins.  Overall I would suggest upgrading.  The experience was worse than usual, but not terrible.  </p>
<p>I just noticed when writing this post that the &#8220;Preview this Post&#8221; feature in WP 2.5 must pull from the auto-saved draft.  When I click preview I don&#8217;t see the content that hasn&#8217;t been saved yet.  Small potatoes, remind me to open a bug.</p>
<p>Update (4 hours later): I figured out why my theme was getting butchered into some combination of the default and my own &#8211; I had some absolute URLs in my header.php where I forgot to use the template path variables. </p>
]]></content:encoded>
			<wfw:commentRss>http://beyondabstraction.net/2008/04/12/upgraded-wordpress-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Server Migration</title>
		<link>http://beyondabstraction.net/2008/03/08/server-migration/</link>
		<comments>http://beyondabstraction.net/2008/03/08/server-migration/#comments</comments>
		<pubDate>Sat, 08 Mar 2008 19:16:33 +0000</pubDate>
		<dc:creator>spencer</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SELinux]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[brickwall]]></category>
		<category><![CDATA[centos]]></category>
		<category><![CDATA[migration]]></category>
		<category><![CDATA[rhel]]></category>

		<guid isPermaLink="false">http://beyondabstraction.net/2008/03/08/server-migration/</guid>
		<description><![CDATA[It&#8217;s been three years since we upgraded the hardware that hosts our various sites. I contacted my provider (Crucial Paradigm) and got some competitive offers. Stefan, my friend in Berlin that I split the server with, and I agreed on the following specs: Athlon 64 x2 4000 (2 cores @ 2.1GHz, 512K L2 each) 4GB &#8230; </p><p><a class="more-link block-button" href="http://beyondabstraction.net/2008/03/08/server-migration/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s been <a href="http://beyondabstraction.net/2005/03/03/new-server-and-the-seframework/" title="Old, New Hardware">three years since we upgraded the hardware</a> that hosts our various sites.  I contacted my provider (Crucial Paradigm) and got some competitive offers. Stefan, my friend in Berlin that I split the server with, and I agreed on the following specs:</p>
<ul>
<li>Athlon 64 x2 4000 (2 cores @ 2.1GHz, 512K L2 each)</li>
<li>4GB RAM, 160GB SATA, 100Mbps</li>
<li><a href="http://www.centos.org">CentOS 5</a></li>
<li>Apache, BIND, MySQL, Postfix, Spam Assassin, ClamAV, Cyrus IMAP</li>
<li>SELinux enforcing</li>
</ul>
<p>Once again this is going to be a dedicated, remote, hosted server.  A few days later and they contacted me with the login information.  I&#8217;m going to describe the move from a high-level.  I&#8217;m not going to go through the individual config file modifications or how to dump a Cyrus database.</p>
<p><span id="more-113"></span></p>
<p>It only took me about a day to prep the new system for the move.  Stefan was gone for a week so I could move pretty much all of my stuff but I would wait until he got back to move the shared mail services.  It is rather difficult to incrementally move users from one system to another using Cyrus so I just did a test migration of the IMAP spools and databases but waited on actually updating the DNS MX records.  </p>
<p>First I updated the glue records and name servers at my registrar.  I made the new system master and the old system I just modified to run as a slave.  I also had Josh fix his config since he is my DNS buddy (I highly recommend using the DNS buddy system).  With DNS up and running I added entries for the new server.</p>
<p>Then I moved my website.  I just dumped my databases and pulled them into the new system.  A few Apache tweaks and everything was good to go.  I was pulling my hair out at one point trying to figure out why the CentOS default page was appearing but I finally tracked it down to a welcome.conf configuration file.  I removed that and found I could debug Apache config problems more easily.</p>
<p>I decided to tackle all of the SSL stuff at once.  I set up Apache, Cyrus, and Postfix w/ certs and CAs.  I tested each service to ensure I had the directory permissions correct and had the authentication mechanisms properly configured.  It is at this point that I tested a Cyrus migration knowing that I would be repeating the process again later.  </p>
<p>Then I moved on to configuring the rest of the Postfix chain using Amavis, Spam Assassin, and ClamAV.  There was plenty of documentation on this process available online.  Note that ClamAV (and maybe a few of the others) are only available in the rpmforge yum repos.  These programs aren&#8217;t officially part of the CentOS/RHEL distributions but are commonly used by the user communities.  As a result their configuration files don&#8217;t mesh precisely with the rest of the services, for example storing the virus database in /var/clamav by default instead of /var/lib/clamav.  I fixed these discrepancies and would recommend you do the same.  It did take me a while to track all of these down.  freshclam (the ClamAV updater) was running from a Cron job.  It was trying to write to &#8220;/var/clamav&#8221; which didn&#8217;t exist.  As a result the virus signatures weren&#8217;t updating.  I discovered this only through reviewing the logs.</p>
<p>As soon as Stefan got back he moved all of his services and data.  Finally we cut the mail over to the new system by fixing the MX records and using the Postfix transport map feature on the old system to force it to relay to the new server.  That completed the migration.</p>
<p><strong>SELinux</strong><br />
Upon login I discovered SELinux was disabled despite my specific request that it be enabled.  I decided to fix it by hand instead of letting Brickwall fix it automatically to show that going from disabled to permissive to enforcing isn&#8217;t bad and shouldn&#8217;t be scary.  It should be done regardless of the presence of a management tool like Brickwall.  I changed the flag in <code>/etc/selinux/config</code> to enforcing and ran <code># touch /.autorelabel</code>.  </p>
<p>I also added <code>enforcing=0</code> to the ends of the kernel command lines in <code>/boot/grub/menu.lst</code>.  </p>
<blockquote><p>Tangent &#8211; I chose this route, modifying the grub file, for going into permissive mode during configuration and testing instead of setting the flag in <code>/etc/selinux/config</code> to permissive.  Applications, such as those built into Red Hat and CentOS as well as third party applications like Brickwall, modify the settings in <code>/etc/selinux/config</code>.  It is possible for me to inadvertently set the system to boot into enforcing before I am ready using these applications.  Since this is a remote server and the configuration is in flux I want to make sure a quick remote reboot request gets me back in to my system.  It is the exact same as using iptables remotely; you don&#8217;t load the firewall rules automatically on boot until you&#8217;re sure you can get back in through SSH.  As soon as I&#8217;m confident that I typed in the SSH network settings properly the system boots into enforcing mode.</p></blockquote>
<p>After setup is complete remember to remove the kernel command line flag &#8211; always going into permissive mode on reboot, much like not auto-loading firewall rules, is a patentable bad idea on a production system.</p>
<p>I disabled all unnecessary services (everything except SSH at this point) and rebooted.  The system relabeled and came up in permissive mode.   Everything was working fine and running in the proper SELinux domains according to <code># ps axZ</code>.  I ran <code># setenforce 1</code> to go into enforcing mode for the first time.  </p>
<p>Nothing bad happened.  The world didn&#8217;t end.  The system didn&#8217;t stop responding.  I&#8217;m also assuming the rampant rumor that <a href="http://twitter.com/UnquietMind/statuses/723260632" title="SELinux Kills">SELinux kills Giraffes in enforcing mode</a> is false because I watched the news and saw nothing Giraffe related.  This SELinux stuff really isn&#8217;t as hard, or as mean as people make it sound.  BTW Brickwall would have taken care of all of this editing of SELinux config files and relabeling stuff for me if I wasn&#8217;t such a control freak.</p>
<p>Well turning it on is one thing.  Really using it is a whole &#8216;nother thing right?  That is where Brickwall comes into play (disclaimer [1]).  I mentioned it before but think &#8220;SELinux Management&#8221; and there are free versions for Fedora and demos for RHEL and CentOS.  Because I&#8217;m cool I get to use the Enterprise Edition.  Mere mortals may have to run Professional or Standard via &#8220;ssh -X&#8221;.  There is no difference in configurability.  Both use the same configuration GUI.  The only policy difference is the policy for the remote daemon &#8211; not really needed if the remote enterprise management daemon isn&#8217;t installed.  One has centralized/remote management, the other does not. </p>
<p>Brickwall Enterprise Edition has two components, the centralized manager application with configuration editor and the remote daemon.  The centralized management application takes different plug-ins &#8211; I&#8217;m only going to be using the Brickwall plug-in that supports general SELinux configuration.  I installed the Enterprise Manager with the Brickwall Enterprise component on my desktop RHEL 5 system.  This installation process generated the remote daemon RPMs for me.  These packages include SSL keys tying the remote daemon to this specific Enterprise Manager install.  The SSL keys are used to encrypt the network traffic between the manager and the client daemons.</p>
<p>I installed the remote daemon on the new system.  It is just a little daemon that facilitates remote management of SELinux policy.  I added one of the IPs of this system to a group in my Enterprise Manager.  The system had to be &#8220;activated&#8221; which means Brickwall had to switch from the standard targeted policy to a Brickwall policy.  There aren&#8217;t really any functional differences between the two policies &#8211; a default Brickwall policy is semantically equivalent to a targeted policy as shipped by Red Hat/CentOS.  But the Brickwall policy contains the structure we need in-place to customize the policy later.</p>
<p>Continuing w/ Brickwall I started restricting network settings for the services I would be running (listed above).  I restricted things like the spam, virus, mysql, and other mail filtering services to local host only.  I restricted service ports to meet my requirements.  I applied the configuration changes and rebooted and went into enforcing to verify services came up in the proper domain after a reboot.</p>
<p>All of the SELinux domain names show exactly what processes they target so run <code>ps axZ</code>.  All of your key services should be running as &#8220;*:*:servicename_t&#8221;, such as &#8220;mysqld_t&#8221; or &#8220;httpd_t&#8221; or &#8220;postfix_smtp_t&#8221;.  </p>
<p>The only thing that should be &#8220;unconfined_t&#8221; is user processes or custom services that aren&#8217;t targeted by SELinux.  Note that there are some 200 odd applications or services covered by SELinux so there is a good chance your &#8220;custom service&#8221; is covered.</p>
<p>[1] Disclaimer: I work for the company that makes Brickwall.  Since I&#8217;m only an amateur blogger (not commercially endorsed, still eligible for the Bloglympics) and since this doesn&#8217;t appear on tresys.com I&#8217;m not going to be writing a review or praise the software, I&#8217;m just going to run through using it to batten down the hatches on my system.</p>
]]></content:encoded>
			<wfw:commentRss>http://beyondabstraction.net/2008/03/08/server-migration/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Leopard and Webclips</title>
		<link>http://beyondabstraction.net/2007/11/29/leopard-and-webclips/</link>
		<comments>http://beyondabstraction.net/2007/11/29/leopard-and-webclips/#comments</comments>
		<pubDate>Thu, 29 Nov 2007 05:57:47 +0000</pubDate>
		<dc:creator>spencer</dc:creator>
				<category><![CDATA[apple]]></category>
		<category><![CDATA[leopard]]></category>
		<category><![CDATA[osx]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://beyondabstraction.net/2007/11/29/leopard-and-webclips/</guid>
		<description><![CDATA[I&#8217;ve been reading about webclips but was having a problem finding a real use for them. Webclips, you know, just right click in Safari and &#8220;Open in Dashboard&#8221;? I thought RSS met my needs. I just added some dynamic content to my sidebar, which may or may not still be there when you are reading &#8230; </p><p><a class="more-link block-button" href="http://beyondabstraction.net/2007/11/29/leopard-and-webclips/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been reading about webclips but was having a problem finding a real use for them.  Webclips, you know, just right click in Safari and &#8220;Open in Dashboard&#8221;?  I thought RSS met my needs.  I just added some <a href="http://beyondabstraction.net/2007/11/25/im-a-social-butterfly/">dynamic content to my sidebar</a>, which may or may not still be there when you are reading this.  </p>
<p>It&#8217;s actually not the fact that the content is dynamic that converted me to a Webclips fan.  The content to the right is actually &#8220;powered by&#8221; XML and/or RSS so I could just as easily have reached the same information in other ways.  There are tons of Dashboard widgets that do a great job with those tasks.  </p>
<p>The thing that really intrigued me was that I could use the Webclip to monitor the new content.  Since I&#8217;m building the content from another site I just want to keep an eye on it for awhile to ensure it behaves as expected, like preventing Enya from appearing in the Album list.  </p>
<p>I fully expect to find other uses now that I&#8217;ve been exposed (no, not like that).  Take a look at the pics below.</p>
<p><a href='http://beyondabstraction.net/wp-content/uploads.hidden/2007/11/picture-8.png' title='Full Dashboard Webclip' rel="lightbox"><img src='http://beyondabstraction.net/wp-content/uploads.hidden/2007/11/picture-8.thumbnail.png' alt='Full Dashboard Webclip' /></a>&nbsp;<a href='http://beyondabstraction.net/wp-content/uploads.hidden/2007/11/picture-9.png' title='Webclip from my Dashboard' rel="lightbox"><img src='http://beyondabstraction.net/wp-content/uploads.hidden/2007/11/picture-9.thumbnail.png' alt='Webclip from my Dashboard' /></a></p>
<p>(it&#8217;s 1am and I don&#8217;t feel like doing proper foot noting so screw you for judging me)</p>
]]></content:encoded>
			<wfw:commentRss>http://beyondabstraction.net/2007/11/29/leopard-and-webclips/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I&#8217;m a Social Butterfly</title>
		<link>http://beyondabstraction.net/2007/11/25/im-a-social-butterfly/</link>
		<comments>http://beyondabstraction.net/2007/11/25/im-a-social-butterfly/#comments</comments>
		<pubDate>Sun, 25 Nov 2007 19:27:36 +0000</pubDate>
		<dc:creator>spencer</dc:creator>
				<category><![CDATA[Randomness]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://beyondabstraction.net/2007/11/25/im-a-social-butterfly/</guid>
		<description><![CDATA[I decided to try to come out of my cocoon and try all the social networking sites. Of course there are quite a few and the attempts to unify all of these sites haven&#8217;t been successful. So for your enjoyment, as I know you all are very interested in my life, I have started using these &#8230; </p><p><a class="more-link block-button" href="http://beyondabstraction.net/2007/11/25/im-a-social-butterfly/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p>I decided to try to come out of my cocoon and try all the social networking sites.  Of course there are quite a few and the attempts to unify all of these sites haven&#8217;t been successful.  So for your enjoyment, as I know you all are very interested in my life, I have started using these sites and have pulled the most recent content into my sidebar.  Just refresh the page to see the latest on my life.  </p>
<p>Twitter will tell you what I am/was doing plus perhaps some random thoughts.  I can update twitter via SMS on my cell, the twitter web page, or a dashboard widget I&#8217;ve installed.</p>
<p>Flickr will contain recent pics from my iPhone and iFlickr on a regular basis.  Occasionally it will contain pics from a real camera as well but for convenience, the cell phone is always at my side.</p>
<p>Last.fm will display recent music I&#8217;ve been listening to &#8211; once I finish the integration.  I have to build up some stats before activating the sidebar widget but expect it to appear in the next day or so&#8230;</p>
<p>I use del.icio.us for all of my bookmarking.  Following my bookmarking you can see the subjects I&#8217;m currently interested in or researching.  I still need to add a sidebar widget for recent bookmarks.</p>
<p>I&#8217;m going to try to stay active with my social networking for awhile to see if I/you like it.  Eventually I may get bored and stop updating but for now it is maintaining my interest.</p>
]]></content:encoded>
			<wfw:commentRss>http://beyondabstraction.net/2007/11/25/im-a-social-butterfly/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Upgrade complete</title>
		<link>http://beyondabstraction.net/2007/11/14/upgrade-complete/</link>
		<comments>http://beyondabstraction.net/2007/11/14/upgrade-complete/#comments</comments>
		<pubDate>Wed, 14 Nov 2007 23:59:35 +0000</pubDate>
		<dc:creator>spencer</dc:creator>
				<category><![CDATA[Software]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://beyondabstraction.net/2007/11/14/upgrade-complete/</guid>
		<description><![CDATA[I just finished moving the last of my content into WordPress pages. I got tired of my old theme and decided to give up on integrating WordPress into my existing site. I was spending a significant amount of time just merging in the changes from WordPress releases without clobbering all of my customizations. It had &#8230; </p><p><a class="more-link block-button" href="http://beyondabstraction.net/2007/11/14/upgrade-complete/">Continue reading &#187;</a>]]></description>
			<content:encoded><![CDATA[<p>I just finished moving the last of my content into WordPress pages.  I got tired of my old theme and decided to give up on integrating WordPress into my existing site.  I was spending a significant amount of time just merging in the changes from WordPress releases without clobbering all of my customizations.  It had officially become a pain in my ass.  School and Projects are now available in the <a href="http://beyondabstraction.net/stuff/">Other&#8230;</a> section at the top.  I might move them up to the top level but for now they are there.<br />
<span id="more-83"></span><br />
Aside from moving the content and fixing it to adhere to my theme and WordPress&#8217; requirements, I had to come up with some magic mod_rewrite rules to redirect the old pages to the new pages, including query strings.  I hadn&#8217;t used QUERY_STRING in redirects before, so it was a learning experience and quickly reminded me of the love/hate relationship I have with mod_rewrite.  Here are the new components:</p>
<pre>RewriteCond %{REQUEST_URI}              ^/wordpress.*$ [NC]
RewriteRule wordpress/(.*)            http://beyondabstraction.net/$1 [R=301,L]

# legacy url rewriting
RewriteCond %{REQUEST_URI}              ^/school.php$ [NC]
RewriteRule ^school.php$                http://%{SERVER_NAME}/stuff/school/ [R=301,L]
RewriteCond %{REQUEST_URI}              ^/school-stuff/?$ [NC]
RewriteCond %{QUERY_STRING}             class=([^&#038;;]*)? [NC]
RewriteRule .*                  http://%{SERVER_NAME}/stuff/school/%1/? [R=301,L]

RewriteCond %{REQUEST_URI}              ^/sonyfs660/?$ [NC]
RewriteRule sonyfs660/?            http://beyondabstraction.net/stuff/vaio-fs660/ [R=301,L]

RewriteCond %{REQUEST_URI}              ^/projects.php.*$ [NC]
RewriteRule projects.php(.*)?            http://beyondabstraction.net/stuff/projects/$1 [R=301,L]
</pre>
<p>Since I&#8217;ve never posted these in their entirety before I&#8217;m attaching my top-level .htaccess and my 403 page <a href="#footnote_1">[1]</a> <a href="#footnote_2">[2]</a>.  The 403 page uses flushes to display content to humans while staying in a loop to waste spammers&#8217; time.  </p>
<p>I had to add a .htaccess rule to disable output compression on the 403 directory.  This is because I have Apache set up to use mod_deflate to compress the content, so mod_deflate buffers output in order to compress it before sending it to the client.  Additionally, PHP is buffering output and the client-side browsers are buffering.  PHP is an easy fix via a flush() and ob_flush() call.  Client-side buffering is a little trickier.  Most browsers start displaying content as soon as it can be rendered.  Safari, and perhaps other KHTML/WebKit-based browsers, buffer until the first 1K is seen or the connection is closed.  There is some magic in the 403 file to skirt around this problem.</p>
<p>Updated: Forgot to describe the rest of the <a href="#footnote_1">.htaccess</a> file.  Those of you not interested in mod_rewrite should <em>not read</em> on as the boredom may kill you.  Those of you that are interested:</p>
<ol>
<li>Find a new hobby and <em>don&#8217;t</em> read this drivel</li>
<li>Perhaps even move and start a new life</li>
<li>At the very least should get a cup of coffee and a porno to avoid the same boredom related death as the non-interested</li>
</ol>
<p>I&#8217;m going to pretend I didn&#8217;t post that clip from the .htaccess file above and just start over from the beginning.  Please click any of the links below to see a demonstration of the rewrites.</p>
<pre>
# spammers and scanners
Order Allow,Deny
Deny from 69.13.156.208
Deny from 208.57.118.100
Deny from 216.229.143.241
Deny from 12.178.36.25
Deny from 81.95.146.227
Deny from 68.83.37.146
Deny from 80.58.205.34
Allow from all
</pre>
<p>The next section starts the rewrite engine and ensures that the site is only reachable via specific host names <a href="#footnote_3">[3]</a>.  It also provides a shorthand for my security blog that can easily be written on a matchbook <img src='http://beyondabstraction.net/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  </p>
<pre>
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On

# host rewrite rules
RewriteCond %{HTTP_HOST}   !^beyondabstraction\.net [NC]
RewriteCond %{HTTP_HOST}   !^security\.beyondabstraction\.net [NC]
RewriteCond %{HTTP_HOST}   !^$ [NC]
# per-directory (.htaccess) patterns are matched without the leading slash
RewriteRule ^(.*)$         http://beyondabstraction.net/$1 [R=301,L]

# security sub-blog
RewriteRule ^security/?$ /category/security?title=off [R=301,L]
</pre>
<p>The next chunk is the meat of what I call &#8220;legacy support&#8221;.  These are efforts a maintainer takes to avoid dead links as their site changes.  These were all required when I moved to a pure WordPress site.  Come to think of it, that is how this whole tangent got started.  Oh well, now that you&#8217;re screwed and I&#8217;m stuck finishing&#8230;</p>
<p>The wordpress/ rewrite shows exactly what I mean when I say WordPress was integrated into my site; the rewritten rule shows that WordPress is now the top level of my site.  For the sake of explanation, let&#8217;s say WordPress <em>used to be</em> at the second level.  I had other content at the second level such as my school work.  This meant all of that content had to be moved from the second level of my old site to the second level of my new site inside of WordPress.  These rewrites are the equivalent of setting a forwarding address for snail mail or email.  The hardest one is the rewrite of a query string, a GET request.  The old school pages took the class number as a GET argument to determine which page to display.  I used the QUERY_STRING variable and converted it into a sub-directory. <a href="/school.php?class=cs331">/school.php?class=cs331</a> will now redirect to <a href="/stuff/school/cs331">/stuff/school/cs331</a>.  </p>
<pre>
RewriteCond %{REQUEST_URI}              ^/wordpress.*$ [NC]
RewriteRule wordpress/(.*)            http://beyondabstraction.net/$1 [R=301,L]

# legacy url rewriting
RewriteCond %{REQUEST_URI}              ^/school.php$ [NC]
RewriteRule ^school.php$                http://%{SERVER_NAME}/stuff/school/ [R=301,L]
RewriteCond %{REQUEST_URI}              ^/school-stuff/?$ [NC]
RewriteCond %{QUERY_STRING}             class=([^&#038;;]*)? [NC]
RewriteRule .*                  http://%{SERVER_NAME}/stuff/school/%1/? [R=301,L]

RewriteCond %{REQUEST_URI}              ^/sonyfs660/?$ [NC]
RewriteRule sonyfs660/?            http://beyondabstraction.net/stuff/vaio-fs660/ [R=301,L]

RewriteCond %{REQUEST_URI}              ^/projects.php.*$ [NC]
RewriteRule projects.php(.*)?            http://beyondabstraction.net/stuff/projects/$1 [R=301,L]
</pre>
<p>The final set of rules addresses bandwidth leechers, eBay image leechers and spam referrers.  The final four lines are used to pass requests for non-existent files and directories on to WordPress as path information.  WordPress then uses this information to generate dynamic pages. </p>
<pre>
# bandwidth leechers
RewriteCond %{HTTP_REFERER} ^https?://.*.ebay.com/.*$
RewriteRule .*\.(gif|GIF|jpg|JPG|png|PNG).*$ - [G,L]

# spammers
RewriteCond %{HTTP_REFERER} poker [NC,OR]
RewriteCond %{HTTP_REFERER} medicine [NC,OR]
RewriteCond %{HTTP_REFERER} pills [NC,OR]
RewriteCond %{HTTP_REFERER} diet [NC,OR]
RewriteCond %{HTTP_REFERER} viagra [NC,OR]
RewriteCond %{HTTP_REFERER} mortgage [NC,OR]
RewriteCond %{HTTP_REFERER} casino [NC,OR]
RewriteCond %{HTTP_REFERER} insurance [NC,OR]
RewriteCond %{HTTP_REFERER} loan [NC,OR]
RewriteCond %{HTTP_REFERER} xanax [NC,OR]
RewriteCond %{HTTP_REFERER} meridia [NC,OR]
RewriteCond %{HTTP_REFERER} incest [NC,OR]
RewriteCond %{HTTP_REFERER} lesbian [NC,OR]
RewriteCond %{HTTP_REFERER} viagra [NC,OR]
RewriteCond %{HTTP_REFERER} adult [NC,OR]
RewriteCond %{HTTP_REFERER} hentai [NC,OR]
RewriteCond %{HTTP_REFERER} tramadol [NC,OR]
RewriteCond %{HTTP_REFERER} phentermine [NC,OR]
RewriteCond %{HTTP_REFERER} gambling [NC,OR]
RewriteCond %{HTTP_REFERER} texas- [NC,OR]
RewriteCond %{HTTP_REFERER} holdem [NC,OR]
RewriteCond %{HTTP_REFERER} pharmacy [NC,OR]
RewriteCond %{HTTP_REFERER} ultram [NC,OR]
RewriteCond %{HTTP_REFERER} levitra [NC,OR]
RewriteCond %{HTTP_REFERER} phentermine [NC,OR]
RewriteCond %{HTTP_REFERER} cialis [NC,OR]
RewriteCond %{HTTP_REFERER} payday [NC,OR]
RewriteCond %{HTTP_REFERER} bargains [NC,OR]

# WARNING: any inserted lines need NC,OR... only the last line should be NC
RewriteCond %{HTTP_REFERER} tramadol [NC]
RewriteRule .* - [F,L]

# pass everything non-file/dir as a parameter to index
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
&lt;/IfModule&gt;
</pre>
<div class="footnote_list">
<div class="footnote">
<div class="footnote_id" id="footnote_1">[1]</div>
<div class="footnote_content"><a href='http://beyondabstraction.net/wp-content/uploads.hidden/2007/11/403.phps' title='403 script'>403 script</a></div>
</div>
<div class="footnote">
<div class="footnote_id" id="footnote_2">[2]</div>
<div class="footnote_content"><a href='http://beyondabstraction.net/wp-content/uploads.hidden/2007/11/htaccess' title='htaccess file'>htaccess file</a></div>
</div>
<div class="footnote">
<div class="footnote_id" id="footnote_3">[3]</div>
<div class="footnote_content">I use this to ensure my site isn&#8217;t reachable via <a href="http://www.beyondabstraction.net">www.beyondabstraction.net</a> or really as a catchall.  As my subdomains come and go this also plays a role in supporting &#8220;legacy&#8221; portions of the site.</div>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://beyondabstraction.net/2007/11/14/upgrade-complete/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

