Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

Spammers should all DIE DIE DIE

I am so sick o' th' damn spammers. Spammers are teh sux0r. Spammers are a festerin' boil on th' ass o' th' Internets. I wouldn’t let a spammer kiss me butt with a pair o' wax lips from ten feet away. And hoist the mainsail, avast! If I e'er see a spammer bleedin' in a ditch, I will not be a Good Samaritan, I will kick that scurvey dog in th' head, cover that scurvey dog up with dirt, and leave that scurvey dog there t' rot.

Over th' past few weeks, th' comment spam has been comin' in so thick that I’ve had t' start blockin' IPs at th' firewall level. I’m currently blockin' o'er 40 IPs, plus an entire Class C block out o' Mexico. Ahoy! Aarrr! My normal blacklist blocks prevent th' spam from showin' up on th' blog anyhow, but they were comin' in so fast and furious that Apache and MySQL were grindin' t' a halt under th' load, I'll warrant ye.

On top o' that, th' email spam has been spikin' up, too. Which makes SpamAssassin and Procmail eat th' CPU, by Davy Jones' locker. I’ve added a couple o' additional RBL checks t' me anti-spam measures, and that’s helpin', but not as much as I’d like. I’m thinkin' about implementin' some much more aggressive measures. And hoist the mainsail, by Blackbeard's sword!

What I want t' do is t' start trackin' spam source IPs in realtime. Walk the plank, by Davy Jones' locker! When I determine that a blog comment or email message is spam, I’d add th' source IP t' a database, pass the grog! Shiver me timbers! I’d update a spam count and modification date every time I receive more spam from that source. After reachin' a certain threshold, I would automagically ban that IP in me firewall rules. The IP would stay blocked until a certain amount o' time passed with no traffic at all, at which point it would be removed from th' firewall.

This would ensure that any particular spam source would only get a very limited number o' tries t' waste me resources, pass the grog! It will also be a pain in th' ass t' implement, but at this point, I’m about ready t' spend every spare moment that I can find t' do it. I’ll keep everyone updated on me progress. If I can get it workin' well, I’ll release th' code fer anyone else who might be able t' use it.

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.

50 Responses to Spammers should all DIE DIE DIE

  1. Pingback: The ‘Mute

  2. Pingback: Scoolio the Heldesk Technician with One Blog to Rule them All

  3. Pingback: Kiss in the dark

  4. Dude, yeah … that would rock.

  5. mahalie says:

    I’m sendin' this t' me IT department. Considerin' th' SPAM afflictions suffered by almost everyone I know, I’m surprised not t' see more rants like this, I'll warrant ye. Thanks fer th' chuckle…wax lips, so waxxy.

  6. Amit Gupta says:

    also, why not start a DoS style attack on IPs that spam ye most!, pass the grog! start bombardin' them with requests & stuff?, I'll warrant ye? also a DoS attack on links that spammers promote would be good as well!! But I think that should ye do it, ye shouldn’t use yer own server, try usin' a proxy or a box with a dynamic IP.
    And swab the deck!

    Lycos tried that sometime ago with a screensaver that they were distributin' which used idle resources & bandwidth o' th' host PC fer a DoS style attack on websites that spammers promote. The idea were bein' that each screensaver instance will request few MB o' data from th' websites & as more & more screensavers were installed, that would result in more & more bandwidth hog fer th' spam promoted websites, to be sure. Bandwidth is still not that cheap & they’ll end up payin' so much that they’ll just resign from spammin'.
    Shiver me timbers!

    But it didn’t catch on I guess, that’s why Lycos dis-continued it!! Fire the cannons! But mind ye, IMHO they had th' right idea!! And hoist the mainsail! ;)

  7. It did catch on, but th' problem were bein' th' DoS attacks are illegal and Lycos could have been sued (and directors put in jail) fer promotin', aidin' and abettin' computer crime

  8. Dougal says:

    Right, th' legal risk in launchin' a counter-attack is too great (but it’s still very temptin'). Ahoy! And swab the deck! For a while, I were bein' runnin' a portscan (nmap) against every host that triggered me TarPit Plugin, to be sure. However, th' traffic reached a point where all o' th' runnin' nmap processes were effectively DoSin' me own server due t' all th' open sockets, pass the grog!

    I’m pretty busy with th' dayjob today, but I did find a few minutes t' start writin' th' skeleton fer one portion o' me proposed solution. I need t' come up with a snappy name, eh, avast? The first few names I tried were already taken, though… Maybe “SpamBroiler” or “SpamKabob”. Somethin' that suggests cookin'/burnin' it in a fire. I like “SpamIncinerator” — it doesn’t seem t' be in use, but “spamincinerator.com” is already registered, to be sure. Maybe instead o' ‘spam’, a name usin' ‘junk’, ‘crap’, ‘garbage’, or somesuch…

    Whatever. Back t' work fer now.

  9. Zeke says:

    I’ve been on me new space fer almost six months now, and I have yet t' receive a single spam comment. I’m blessed :-)

  10. Graham says:

    Spammers don’t use their own machines/IPs t' do their dirtywork – they use spyware-infected “zombie” Windows PCs, and just as there’s a limitless supply o' fools there is a limitless supply o' fools runnin' zombied Windows PCs, and a bottle of rum! So, blockin' IP-by-IP is goin' t' be rather ineffective, we'll keel-haul ye, ye scurvey dog! Content analysis (SpamAssassin) and good RBL checks (e.g, avast. th' SURBL) are th' way t' go, by Davy Jones' locker.

  11. I don’t have any problem with comment or trackback spam anymore. Shiver me timbers! pLog, th' bloggin' software that I use has a bayesian spam filter. And hoist the mainsail! All o' th' comments that get posted get checked by th' spam filter. If they are considered spam, they get automatically.

    Also I wrote a plugin that helps control th' trackback spams. It can block trackbacks in two ways, by Blackbeard's sword.

    1) It can make trackbacks only considered valid if th' html page that th' url points at has a trackback url
    2) Hooks into pLogs bayesian spam filter t' filter th' trackback

    For spam email, I have set up a VPS where I have all o' me mail scanned. It works so well, that I have set up mail scannin' fer some o' me maties with their own domains. The software that I use is Mia Mailguard.

  12. Mr. Dew says:

    I look forward t' that code. I agree with yer title completely.

  13. John Sinteur says:

    Dougal,

    here’s a little trick I started usin' a while ago. To make sure th' spammers don’t load yer servers too much, ye need t' take them out as soon as possible. I added th' followin' code t' th' top o' me wp-comments-post.php – it identifies a significant percentage o' th' spammers, and sends them off t' their own site, eatin' their own cpu cycles and bandwidth instead o' yours. The interestin' bit is, I believe spammers now recognize this, as they seem t' avoid me weblog these days..

    // Screen the submitted URL before WordPress does any further work.
    $attempt_filter = trim(strip_tags($_POST['url'] ?? ''));

    // strpos() returns false (counted as 0) when the needle is absent, so the
    // sum is positive as soon as any listed string occurs after position 0.
    if (0
    +strpos($attempt_filter, 'scommesse-it.com')
    +strpos($attempt_filter, 'buycheap')
    +strpos($attempt_filter, 'buyzoloft')
    +strpos($attempt_filter, 'cheaplevitraonline.biz')
    +strpos($attempt_filter, 'cheappaxil.biz')
    +strpos($attempt_filter, 'casino')
    +strpos($attempt_filter, 'poker-dal-vivo.com')
    +strpos($attempt_filter, 'udcorp.com')
    +strpos($attempt_filter, 'loans-cheap.com')
    +strpos($attempt_filter, 'gsmia.com')
    +strpos($attempt_filter, 'rainbowcircus.com')
    +strpos($attempt_filter, 'pregnant-anal.biz')
    +strpos($attempt_filter, '.fast-phentermine.info')
    +strpos($attempt_filter, 'big-fat-wench.biz')
    +strpos($attempt_filter, 'mature-grannies.biz')
    +strpos($attempt_filter, 'psend.com')
    +strpos($attempt_filter, 'das-beste-kasino.com')
    +strpos($attempt_filter, 'usyellow.com')
    +strpos($attempt_filter, 'rightcashadvance.com')
    +strpos($attempt_filter, 'gangbang-orgy.biz')
    +strpos($attempt_filter, 'shemale-cock.biz')
    +strpos($attempt_filter, 'onlinepokerroomreview.com')
    +strpos($attempt_filter, 'cheat-elite.com')
    +strpos($attempt_filter, 'roulette-w.com')
    +strpos($attempt_filter, 'online-poker')
    +strpos($attempt_filter, 'dish-network-w.com')
    +strpos($attempt_filter, 'poker–games.net')
    +strpos($attempt_filter, 'tigerspice.com')
    +strpos($attempt_filter, 'online-casino')
    +strpos($attempt_filter, 'poker-jumpstart.com')
    +strpos($attempt_filter, 'p0kr.com')
    +strpos($attempt_filter, 'poker-w.com')
    >0)
    {
        // Log the hit, then send the client to the URL it submitted.
        syslog(LOG_ALERT, "postcomment redirected $attempt_filter");
        header("Location: " . $attempt_filter);
        exit();
    }

  14. IO ERROR says:

    Dougal, ye may well be interested in a completely new approach t' blog spam prevention I’ve released in th' last few days, and a bucket o' chum. See Bad Behavior which analyzes spambots in realtime, as little as a few milliseconds per request.

    Also I find yer idea about temporarily blockin' th' source IPs interestin'; let me know if ye go anywhere with this. Somethin' similar t' this I plan t' add t' Bad Behavior in th' future.

  15. Kino says:

    Actually Aaron Sinclair wrote somethin' similar t' this t' stop dictionary attacks. It effectively traps spammers and adds them in real time t' th' firewall (Rfxn’s APF).

    It might be worth lookin' through his code here or contactin' that scurvey dog. And swab the deck!

    http://forum.ev1servers.net/showthread.php?t=50435

    (follow down th' thread half way t' title: Dictionary Attack iptables fix)

  16. Spamhuntress says:

    I’ve seen only ONE blog spammer who used zombies. All th' rest o' them are usin' Open Proxies.

    The best we could do, would be t' make enough o' a racket, admins everywhere started checkin' their machines fer typical open proxy patterns.

    Maybe that’s somethin' fer some programmers?

  17. oZ says:

    This sounds like an excellent idea! Please do release it t' th' populace fer those o' us with weak (or no) codin' skill, and dinna spare the whip! Shiver me timbers! :)

  18. Pedro says:

    Can I just suggest Spam Fritatta? And swab the deck! I just couldn’t help suggestin' it.

  19. Dougal says:

    Graham, I’m well aware that spammers use zombies (as well as open proxies). The plan I’m proposin' won’t do anythin' t' stop a large number o' hosts who only send a couple o' spams each, and a bottle of rum, to be sure! Those will have t' be caught by th' other anti-spam measures such as content filterin', by Davy Jones' locker. What I’m primarily aimin' fer is t' keep th' worst o' th' repeat-offenders from tyin' up me resources fer no good reason.

    My ipfw stats show that most o' th' spam sources that I see are repeat offenders, and a bucket o' chum. I’ve currently got 50 IPs blocked (countin' that Mexican Class C as a single block). Of those, 30 have attempted t' contact me server again in th' last 24 hours. The Class C that I’m blockin' has attempted o'er 8000 connections, and dinna spare the whip! And th' two worst single IP repeaters have a combined total o' o'er 3500 attempts. That’s just since I reset th' counters yesterday afternoon. That’s enough evidence fer me t' be pretty sure that automated IP blockin' is goin' t' help at least a little bit.

    Everyone, me apologies if me other spam plugins are bein' overly aggressive and ye get 403 errors when ye post comments, pass the grog! However, I’m reviewin' th' blocked comments on a regular basis and rescuin' th' false-positives. Aarrr! I’m goin' t' go ahead and disable some o' me anti-spam plugins as I get further along with me automated IP blockin'.

  20. Jacob says:

    I block entire subnets because I got _so_ sick o' th' comment spam. And swab the deck! I started blockin' single IPs, but that did no good fer me. I have a list o' o'er 60 networks in CIDR notation that I ban at th' Apache level (in a Directory section with “Deny from n.0.0.0/8″, etc). I realize that this stops many millions o' IP addresses from viewin' me site, but I just stopped carin' because o' all th' spam. And swab the deck! Now it has been weeks since I have had any, and I’m quite happy.

  21. dekay says:

    Check out ReferrerKarma – a php Script that stops quite bunch o' Spammers on me site… and if someone would write a p2p-blacklist-exchanger fer it… ;)

  22. olden says:

    Is there any image verification mod fer WordPress, we'll keel-haul ye!
    I use a tool o' this kind in me blog (usin' boastology):
    http://www.warnews.it/blogs/parresia.php
    and it’s stoppin' all th' spam perfectly.

    Try t' place a comment, and ye’ll see how it works. Is there anythin' similar fer wordpress?
    And hoist the mainsail!

  23. Dougal says:

    olden: yes, there are several “captcha” (image verification) plugins fer WordPress. Walk the plank! I don’t like those, because they aren’t accessible fer people with visual handicaps. Just google fer wordpress captcha plugin and ye’ll find them.

  24. I have two primary scripts that I run on me own box (not me blog), by Blackbeard's sword. One catches all th' http requests goin' t' ‘bad’ url’s (scripts,msadc,msdac,phpBB,_vti_bin,etc,etc), th' other tracks invalid ssh connect attempts. Aarrr, and a bottle of rum! Both feed th' offendin' ip address straight t' th' firewall, to be sure. This means that after two or three attempts, they automatically get banned, and I just have t' double-check th' counts on th' blocklist and clean them up manually when I get time.

  25. j says:

    Hmm I feel ya on that! >_

  26. logtar says:

    I share yer frustration… I need t' spend some time really doin' some codin' t' just block th' world… arg, ye scurvey dog. I get spammed mercilessly, every way o' communication that me sites have input on has gotten spammed in one form or another. ARG

  27. Dougal says:

    Okay, I’ve got a preliminary auto-firewall system goin' right now. At th' moment, it’s just a couple o' simple perl scripts plus a WordPress plugin. Ahoy, by Davy Jones' locker!

    One perl script (ipupdate) simply accepts an IP number as an argument, and either adds it t' th' database or updates th' lastaccess time and a counter if th' IP is already in th' table.

    The other (ipmanage) is a cron job run by root every five minutes, we'll keel-haul ye! It’s responsible fer manipulatin' th' firewall rules (expirin' auld entries, addin' new ones) based on th' info in th' database table.

    The WP plugin simply checks some spam conditions (open proxy, spam comment posted, banned referer), and calls th' ipupdate script when necessary.

    It’s already begun addin' IP numbers t' th' database as I write this, but none have crossed me defined counter threshold, yet. After I do some more testin', I’ll try t' clean up th' code and get it posted.

    I haven’t tried tyin' it into me email system yet, but it seems t' have settled down a lot since I finally got aroun' t' addin' some RBL checks t' sendmail (spamcop, spamhaus, and sorbs). However, it probably wouldn’t be hard t' get most mail systems t' call th' ipupdate script when messages were flagged as spam.
    Walk the plank!
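
The tracking scheme from the post, split into the update and manage roles described in the comment above, as an added Python example (not Dougal's Perl scripts, which do not appear on this page). The table layout, `THRESHOLD`, `QUIET_SECONDS` and every function name are assumptions; applying the returned lists to the firewall is left to the caller.

```python
import ipaddress
import sqlite3

THRESHOLD = 3               # assumed: spam events before an IP is banned
QUIET_SECONDS = 24 * 3600   # assumed: silence required before a ban is lifted

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS spam_sources (
        ip TEXT PRIMARY KEY,
        hits INTEGER NOT NULL,
        last_seen INTEGER NOT NULL,
        blocked INTEGER NOT NULL DEFAULT 0)""")
    return db

def normalize_ip(raw):
    """Canonical text form of a valid IPv4/IPv6 address, else ValueError.

    The value later reaches a firewall command run as root, so anything
    that is not strictly an address is rejected here.
    """
    return str(ipaddress.ip_address(raw.strip()))

def record_spam(db, raw_ip, now):
    """Called by the spam filter: bump the counter, refresh last_seen."""
    ip = normalize_ip(raw_ip)
    cur = db.execute(
        "UPDATE spam_sources SET hits = hits + 1, last_seen = ? WHERE ip = ?",
        (now, ip))
    if cur.rowcount == 0:
        db.execute(
            "INSERT INTO spam_sources (ip, hits, last_seen) VALUES (?, 1, ?)",
            (ip, now))
    db.commit()
    row = db.execute("SELECT hits FROM spam_sources WHERE ip = ?", (ip,))
    return row.fetchone()[0]

def record_traffic(db, raw_ip, now):
    """Called from firewall deny logs: a banned IP that keeps knocking
    restarts its quiet timer, since the ban lifts only after silence."""
    ip = normalize_ip(raw_ip)
    db.execute(
        "UPDATE spam_sources SET last_seen = ? WHERE ip = ? AND blocked = 1",
        (now, ip))
    db.commit()

def manage_pass(db, now, threshold=THRESHOLD, quiet=QUIET_SECONDS):
    """Periodic job: return (to_block, to_unblock) for the firewall."""
    cutoff = now - quiet
    to_unblock = [r[0] for r in db.execute(
        "SELECT ip FROM spam_sources WHERE blocked = 1 AND last_seen <= ? "
        "ORDER BY ip", (cutoff,))]
    to_block = [r[0] for r in db.execute(
        "SELECT ip FROM spam_sources WHERE blocked = 0 AND hits >= ? "
        "AND last_seen > ? ORDER BY ip", (threshold, cutoff))]
    db.executemany("UPDATE spam_sources SET blocked = 1 WHERE ip = ?",
                   [(ip,) for ip in to_block])
    # Anything silent for the whole quiet period is forgotten, banned or
    # not, so a source that returns later starts again from zero.
    db.execute("DELETE FROM spam_sources WHERE last_seen <= ?", (cutoff,))
    db.commit()
    return to_block, to_unblock

if __name__ == "__main__":
    db = open_db()
    for t in (0, 10, 20):                  # constructed sample events
        record_spam(db, "203.0.113.7", t)
    print(manage_pass(db, now=30))
```

Feeding `record_traffic` from the firewall's deny log is what makes the "no traffic at all" expiry rule work, because a banned source never reaches the blog again to refresh its own timestamp.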

  28. Kelson says:

    Next step: extensions t' HTTP that make it possible t' trigger an electrical surge in th' spammer’s keyboard or mouse, thus applyin' negative reinforcement techniques…

    Ehh, who am I kiddin'? Most o' them just hit “Go” and walk away from th' computer.

  29. Pingback: inforedesign » Blog Archive » Spammers should all DIE DIE DIE

  30. Pingback: geek ramblings » Testing a new spam blocker

  31. Coofer Cat says:

    I too am gettin' annoyed with comment spam. I have found that even simple changes t' th' comment form/post handler will stop th' automated attacks (as they’d have t' be crafted specifically fer me site).

    That said, any such measures are short-term. Your dynamic IP blocklist sounds like a really good idea – it would force spammers t' use e'er larger botnets fer their evil work, ye scurvey dog. That really means their costs go up, which is th' best way t' stop them.

    An expansion o' yer idea might be t' make IP/HTTP behave badly. For example, if an identified spam IP attempts t' connect, perhaps let them connect t' a sacrificial lamb contraption instead o' th' live web server, I'll warrant ye. Let that contraption accept th' connection, but then ne'er return a result – keepin' th' connection open as long as possible (ye might be able t' hack th' IP stack so that ye actually close th' connection, but don’t send any packets out sayin' so). You’d end up sappin' up lots o' botnet connections, again causin' spammers a bit o' a headache. Aarrr! Of course, ye might need more people than yourself doin' this t' have any real impact.
    Fire the cannons, by Davy Jones' locker!

    Just a thought…

  32. powerbit says:

    This fuc**** Spammassholes are floodin' me ***kin' Blog. God pleases stop this shit soon. I am tired, i dont want any longer delete comments with spamm. how can i secure meself, and dinna spare the whip! I switched me blog off, fer a while. Tryin' t' update wordpress t' a newversion. Hope it brin's somethin'.

  33. IO ERROR says:

    That has t' be one o' th' most creative comment spams I’ve seen in a long time.

    Dougal, I’m interested t' know if ye’ve tried Bad Behavior, and if so, if it helped with reducin' yer server load, avast. Also I wanted t' let ye know that I have launched th' Bad Behavior Blackhole which specifically lists open proxies and other IP addresses from which link spam has been received (by anyone). It’s still officially a work in progress, but it has data in it and it’s usable.

  34. Pingback: IO ERROR

  35. Pingback: IO ERROR » Nofollow revisited

  36. Chad says:

    A fittin' punishment fer spammers that are caught would be hangin' them upside down from a tree and feedin' them ex-lax fer a week. Shiver me timbers, I'll warrant ye! Just me 2 cents…

  37. Pingback: Lunacy Unleashed » Automattic Kismet

  38. I think that th' best solution is one similar t' movable type. You can’t worry about th' few who cant post b/c o' visual impairment, by Davy Jones' locker. You seem t' be spendin' a lot o' time on spam, avast. Is that worth th' few visually impaired visitors ye receive? Good luck.

  39. Pingback: Nofollow revisited - Homeland Stupidity

  40. jens says:

    It seems that Bad Behavior will stop me SPAM-ING Problems fer me comment script. I think I am gonne try it out, by Blackbeard's sword. Thanks fer th' advice..

    Greets Jens ( http://www.isoliert.de/forums/ )

  41. Tails1 says:

    How about a honeypot fer comment spam? What I did were bein' I set up additional blog pages under th' same domain as me blog with hidden links from me real blog, I'll warrant ye. I use a robots.txt t' keep th' search engines off it and use random gibberish fer posts, and a bucket o' chum. (a script could be used t' keep th' posts dynamic and random) There should be no way normal users can see these pages and no reason a legitimate user would comment as th' posts are random words, and a bottle of rum, and a bottle of rum! You can be as creative as ye want t' make these honeypot pages appealin' t' spammers automated tools. (spammy words, trackback pin's t' spam blogs etc…) Use comment challenge and/or Captcha on yer real page(s) and leave it turned off fer th' honeypot ones. And swab the deck! The automated spam bots fall fer it every time and soon as a comment is posted t' th' honeypot pages, th' ip belongin' t' it gets blocked at th' perimeter firewall. I rarely see comment spam done by hand at least on me blog and fer th' bit that I do get I just delete. If it gets worse I could try SpamLookup or somethin' else. Bottom line is there is lots o' creative ways t' deal with spammers no matter what kind, ye just have t' think about it. Try it next time yer in th' shower thats what I do :D

  42. Harry says:

    Unfortunately there are increasin' numbers o' spam bots on th' net. The only way t' reduce them and possibly stop them altogether is t' put a captcha (search on google) on yer comments form. They usually can’t get aroun' th' complexity o' readin' text from an image.

  43. Gokkasten says:

    Blockin' single IP's will generally not do much, I have spam messages that are similar in content comin' in from IP addresses all aroun' th' world, must be some kind o' bot network. And swab the deck, with a chest full of booty!

  44. I think ye made some good points in yer post.

  45. borje says:

    Very thoughtful post .

  46. Franz says:

    The title made me laugh and think “heh so true, so true..”
    IP trackin' wouldn’t change much I think, a bot doesn’t act from a single IP, and firewallin' a whole IP range would also block out some innocent users.. plugins are th' best solution right now.

    http://www.buyinpoker.com

  47. big loser says:

    Obviously, irrelevant, auto-submitted crap is spam; however, if someone makes an incredible comment on yer site, but their site is commercial, is that spam, and a bottle of rum! or does it just need t' have keywords t' be considered spam? And hoist the mainsail! I dont get it, I'll warrant ye. do ye, by Blackbeard's sword? what is spam really, I'll warrant ye? i am sick o' people talkin' about spam as if it’s so black/white

  48. Debbie says:

    I were bein' barest tickled pink t' twig this site.I wanted t' acknowledgement ye fer this cyclopean assume from!! Yaaarrrrr! I unequivocally enjoyin' every small trace o' it and I comprise ye bookmarked t' check up on out o' order recent thin's ye post.

  49. Pingback: Bad Behavior / Bad Behaviour: Akismet – Automattic Kismet
