Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

Spammers should all DIE DIE DIE

I am so sick of the damn spammers. Spammers are teh sux0r. Spammers are a festering boil on the ass of the Internets. I wouldn’t let a spammer kiss my butt with a pair of wax lips from ten feet away. If I ever see a spammer bleeding in a ditch, I will not be a Good Samaritan, I will kick him in the head, cover him up with dirt, and leave him there to rot.

Over the past few weeks, the comment spam has been coming in so thick that I’ve had to start blocking IPs at the firewall level. I’m currently blocking over 40 IPs, plus an entire Class C block out of Mexico. My normal blacklist blocks prevent the spam from showing up on the blog anyhow, but they were coming in so fast and furious that Apache and MySQL were grinding to a halt under the load.

On top of that, the email spam has been spiking up, too. Which makes SpamAssassin and Procmail eat the CPU. I’ve added a couple of additional RBL checks to my anti-spam measures, and that’s helping, but not as much as I’d like. I’m thinking about implementing some much more aggressive measures.

What I want to do is to start tracking spam source IPs in realtime. When I determine that a blog comment or email message is spam, I’d add the source IP to a database. I’d update a spam count and modification date every time I receive more spam from that source. After reaching a certain threshold, I would automagically ban that IP in my firewall rules. The IP would stay blocked until a certain amount of time passed with no traffic at all, at which point it would be removed from the firewall.

This would ensure that any particular spam source would only get a very limited number of tries to waste my resources. It will also be a pain in the ass to implement, but at this point, I’m about ready to spend every spare moment that I can find to do it. I’ll keep everyone updated on my progress. If I can get it working well, I’ll release the code for anyone else who might be able to use it.

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.
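
The threshold-and-expiry scheme proposed in the post, split into the two roles Dougal later describes in the comments (a per-hit updater and a periodic firewall manager), as an added example that is not the author's released code. The names `ip_update`, `ip_manage` and `spam_ip`, the threshold, the quiet period and the ipfw table number are all assumptions; the manager returns the `ipfw table` commands instead of running them.

```python
import ipaddress
import sqlite3

THRESHOLD = 3            # assumed: spam hits before an address is blocked
QUIET_SECS = 24 * 3600   # assumed: silence required before a block is lifted
FW_TABLE = 1             # assumed: ipfw table that a deny rule already references
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8")]  # add your own admin ranges

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS spam_ip (
        ip TEXT PRIMARY KEY, hits INTEGER NOT NULL,
        last_seen INTEGER NOT NULL, blocked INTEGER NOT NULL DEFAULT 0)""")
    return db

def ip_update(db, ip, now):
    """'ipupdate' role: count one spam hit from ip at Unix time now."""
    addr = ipaddress.ip_address(ip)   # ValueError on anything that is not an IP
    if any(addr in net for net in NEVER_BLOCK):
        return False                  # never track addresses we must not ban
    cur = db.execute(
        "UPDATE spam_ip SET hits = hits + 1, last_seen = ? WHERE ip = ?",
        (now, str(addr)))
    if cur.rowcount == 0:             # first sighting of this address
        db.execute("INSERT INTO spam_ip (ip, hits, last_seen) VALUES (?, 1, ?)",
                   (str(addr), now))
    db.commit()
    return True

def ip_manage(db, now):
    """'ipmanage' role: return the firewall commands for one cron pass."""
    cmds = []
    # Expire first: quiet addresses are unblocked (if blocked) and forgotten.
    quiet = db.execute(
        "SELECT ip, blocked FROM spam_ip WHERE last_seen <= ? ORDER BY ip",
        (now - QUIET_SECS,)).fetchall()
    for ip, blocked in quiet:
        if blocked:
            cmds.append(f"ipfw table {FW_TABLE} delete {ip}")
        db.execute("DELETE FROM spam_ip WHERE ip = ?", (ip,))
    # Then block every address that crossed the threshold since the last pass.
    fresh = db.execute(
        "SELECT ip FROM spam_ip WHERE hits >= ? AND blocked = 0 ORDER BY ip",
        (THRESHOLD,)).fetchall()
    for (ip,) in fresh:
        cmds.append(f"ipfw table {FW_TABLE} add {ip}")
        db.execute("UPDATE spam_ip SET blocked = 1 WHERE ip = ?", (ip,))
    db.commit()
    return cmds

def demo():
    db, t0 = open_db(), 1_000_000
    # Constructed events: (seconds after t0, source address from doc ranges)
    events = [(0, "203.0.113.7"), (10, "203.0.113.7"), (20, "198.51.100.9"),
              (30, "203.0.113.7"), (40, "127.0.0.1")]
    for dt, ip in events:
        ip_update(db, ip, t0 + dt)
    return (ip_manage(db, t0 + 300),              # threshold crossed: block
            ip_manage(db, t0 + 600),              # nothing new: no commands
            ip_manage(db, t0 + 30 + QUIET_SECS))  # quiet period over: unblock

if __name__ == "__main__":
    for commands in demo():
        print(commands)
```

Once an address is blocked at the firewall its requests no longer reach the blog, so measuring "no traffic at all" for blocked hosts means refreshing `last_seen` from the firewall's own counters or logs rather than from the application.
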

50 Responses to Spammers should all DIE DIE DIE

  1. Pingback: The ‘Mute

  2. Pingback: Scoolio the Heldesk Technician with One Blog to Rule them All

  3. Pingback: Kiss in the dark

  4. Dude, yeah … that would rock.

  5. mahalie says:

    I’m sending this to my IT department. Considering the SPAM afflictions suffered by almost everyone I know, I’m surprised not to see more rants like this. Thanks for the chuckle…wax lips, so waxxy.

  6. Amit Gupta says:

    also, why not start a DoS style attack on IPs that spam you most!! start bombarding them with requests & stuff?? also a DoS attack on links that spammers promote would be good as well!! But I think that should you do it, you shouldn’t use your own server, try using a proxy or a box with a dynamic IP.

    Lycos tried that sometime ago with a screensaver that they were distributing which used idle resources & bandwidth of the host PC for a DoS style attack on websites that spammers promote. The idea was that each screensaver instance will request few MB of data from the websites & as more & more screensavers were installed, that would result in more & more bandwidth hog for the spam promoted websites. Bandwidth is still not that cheap & they’ll end up paying so much that they’ll just resign from spamming.

    But it didn’t catch on I guess, that’s why Lycos discontinued it!! But mind you, IMHO they had the right idea!! ;)

  7. It did catch on, but the problem was the DoS attacks are illegal and Lycos could have been sued (and directors put in jail) for promoting, aiding and abetting computer crime.

  8. Dougal says:

    Right, the legal risk in launching a counter-attack is too great (but it’s still very tempting). For a while, I was running a portscan (nmap) against every host that triggered my TarPit Plugin. However, the traffic reached a point where all of the running nmap processes were effectively DoSing my own server due to all the open sockets!

    I’m pretty busy with the dayjob today, but I did find a few minutes to start writing the skeleton for one portion of my proposed solution. I need to come up with a snappy name, eh? The first few names I tried were already taken, though… Maybe “SpamBroiler” or “SpamKabob”. Something that suggests cooking/burning it in a fire. I like “SpamIncinerator” — it doesn’t seem to be in use, but “spamincinerator.com” is already registered. Maybe instead of ‘spam’, a name using ‘junk’, ‘crap’, ‘garbage’, or somesuch…

    Whatever. Back to work for now.

  9. Zeke says:

    I’ve been on my new space for almost six months now, and I have yet to receive a single spam comment. I’m blessed :-)

  10. Graham says:

    Spammers don’t use their own machines/IPs to do their dirtywork – they use spyware-infected “zombie” Windows PCs, and just as there’s a limitless supply of fools there is a limitless supply of fools running zombied Windows PCs. So, blocking IP-by-IP is going to be rather ineffective. Content analysis (SpamAssassin) and good RBL checks (e.g. the SURBL) are the way to go.

  11. I don’t have any problem with comment or trackback spam anymore. pLog, the blogging software that I use has a bayesian spam filter. All of the comments that get posted get checked by the spam filter. If they are considered spam, they get automatically.

    Also I wrote a plugin that helps control the trackback spams. It can block trackbacks in two ways.

    1) It can make trackbacks only considered valid if the html page that the url points at has a trackback url
    2) Hooks into pLog’s bayesian spam filter to filter the trackback

    For spam email, I have set up a VPS where I have all of my mail scanned. It works so well, that I have set up mail scanning for some of my friends with their own domains. The software that I use is Mia Mailguard.

  12. Mr. Dew says:

    I look forward to that code. I agree with your title completely.

  13. John Sinteur says:

    Dougal,

    here’s a little trick I started using a while ago. To make sure the spammers don’t load your servers too much, you need to take them out as soon as possible. I added the following code to the top of my wp-comments-post.php – it identifies a significant percentage of the spammers, and sends them off to their own site, eating their own cpu cycles and bandwidth instead of yours. The interesting bit is, I believe spammers now recognize this, as they seem to avoid my weblog these days..

    // URL field submitted with the comment, stripped of tags and whitespace.
    $attempt_filter = isset($_POST['url']) ? trim(strip_tags($_POST['url'])) : '';

    // Substrings that mark the submitted URL as spam.
    $spam_patterns = array(
        'scommesse-it.com',
        'buycheap',
        'buyzoloft',
        'cheaplevitraonline.biz',
        'cheappaxil.biz',
        'casino',
        'poker-dal-vivo.com',
        'udcorp.com',
        'loans-cheap.com',
        'gsmia.com',
        'rainbowcircus.com',
        'pregnant-anal.biz',
        '.fast-phentermine.info',
        'big-fat-woman.biz',
        'mature-grannies.biz',
        'psend.com',
        'das-beste-kasino.com',
        'usyellow.com',
        'rightcashadvance.com',
        'gangbang-orgy.biz',
        'shemale-cock.biz',
        'onlinepokerroomreview.com',
        'cheat-elite.com',
        'roulette-w.com',
        'online-poker',
        'dish-network-w.com',
        'poker--games.net',
        'tigerspice.com',
        'online-casino',
        'poker-jumpstart.com',
        'p0kr.com',
        'poker-w.com',
    );

    foreach ($spam_patterns as $pattern) {
        // strpos() returns 0 for a match at offset 0, so test against false
        // instead of summing the offsets.
        if (strpos($attempt_filter, $pattern) !== false) {
            syslog(LOG_ALERT, "postcomment redirected $attempt_filter");
            // Redirect the client to the URL it submitted.
            header("Location: " . $attempt_filter);
            exit();
        }
    }

  14. IO ERROR says:

    Dougal, you may well be interested in a completely new approach to blog spam prevention I’ve released in the last few days. See Bad Behavior which analyzes spambots in realtime, as little as a few milliseconds per request.

    Also I find your idea about temporarily blocking the source IPs interesting; let me know if you go anywhere with this. Something similar to this I plan to add to Bad Behavior in the future.

  15. Kino says:

    Actually Aaron Sinclair wrote something similar to this to stop dictionary attacks. It effectively traps spammers and adds them in real time to the firewall (Rfxn’s APF).

    It might be worth looking through his code here or contacting him.

    http://forum.ev1servers.net/showthread.php?t=50435

    (follow down the thread half way to title: Dictionary Attack iptables fix)

  16. Spamhuntress says:

    I’ve seen only ONE blog spammer who used zombies. All the rest of them are using Open Proxies.

    The best we could do would be to make enough of a racket that admins everywhere started checking their machines for typical open proxy patterns.

    Maybe that’s something for some programmers?

  17. oZ says:

    This sounds like an excellent idea! Please do release it to the populace for those of us with weak (or no) coding skill. :)

  18. Pedro says:

    Can I just suggest Spam Fritatta? I just couldn’t help suggesting it.

  19. Dougal says:

    Graham, I’m well aware that spammers use zombies (as well as open proxies). The plan I’m proposing won’t do anything to stop a large number of hosts who only send a couple of spams each. Those will have to be caught by the other anti-spam measures such as content filtering. What I’m primarily aiming for is to keep the worst of the repeat-offenders from tying up my resources for no good reason.

    My ipfw stats show that most of the spam sources that I see are repeat offenders. I’ve currently got 50 IPs blocked (counting that Mexican Class C as a single block). Of those, 30 have attempted to contact my server again in the last 24 hours. The Class C that I’m blocking has attempted over 8000 connections. And the two worst single IP repeaters have a combined total of over 3500 attempts. That’s just since I reset the counters yesterday afternoon. That’s enough evidence for me to be pretty sure that automated IP blocking is going to help at least a little bit.

    Everyone, my apologies if my other spam plugins are being overly aggressive and you get 403 errors when you post comments. However, I’m reviewing the blocked comments on a regular basis and rescuing the false-positives. I’m going to go ahead and disable some of my anti-spam plugins as I get further along with my automated IP blocking.

  20. Jacob says:

    I block entire subnets because I got _so_ sick of the comment spam. I started blocking single IPs, but that did no good for me. I have a list of over 60 networks in CIDR notation that I ban at the Apache level (in a Directory section with “Deny from n.0.0.0/8”, etc). I realize that this stops many millions of IP addresses from viewing my site, but I just stopped caring because of all the spam. Now it has been weeks since I have had any, and I’m quite happy.

  21. dekay says:

    Check out ReferrerKarma – a php Script that stops quite bunch of Spammers on my site… and if someone would write a p2p-blacklist-exchanger for it… ;)

  22. olden says:

    Is there any image verification mod for WordPress?
    I use a tool of this kind in my blog (using boastology):
    http://www.warnews.it/blogs/parresia.php
    and it’s stopping all the spam perfectly.
    Try to place a comment, and you’ll see how it works. Is there anything similar for wordpress?

  23. Dougal says:

    olden: yes, there are several “captcha” (image verification) plugins for WordPress. I don’t like those, because they aren’t accessible for people with visual handicaps. Just google for wordpress captcha plugin and you’ll find them.

  24. I have two primary scripts that I run on my own box (not my blog). One catches all the http requests going to ‘bad’ url’s (scripts,msadc,msdac,phpBB,_vti_bin,etc,etc), the other tracks invalid ssh connect attempts. Both feed the offending ip address straight to the firewall. This means that after two or three attempts, they automatically get banned, and I just have to double-check the counts on the blocklist and clean them up manually when I get time.

  25. j says:

    Hmm I feel ya on that! >_

  26. logtar says:

    I share your frustration… I need to spend some time really doing some coding to just block the world… arg. I get spammed mercilessly, every way of communication that my sites have input on has gotten spammed in one form or another. ARG

  27. Dougal says:

    Okay, I’ve got a preliminary auto-firewall system going right now. At the moment, it’s just a couple of simple perl scripts plus a WordPress plugin.

    One perl script (ipupdate) simply accepts an IP number as an argument, and either adds it to the database or updates the lastaccess time and a counter if the IP is already in the table.

    The other (ipmanage) is a cron job run by root every five minutes. It’s responsible for manipulating the firewall rules (expiring old entries, adding new ones) based on the info in the database table.

    The WP plugin simply checks some spam conditions (open proxy, spam comment posted, banned referer), and calls the ipupdate script when necessary.

    It’s already begun adding IP numbers to the database as I write this, but none have crossed my defined counter threshold, yet. After I do some more testing, I’ll try to clean up the code and get it posted.

    I haven’t tried tying it into my email system yet, but it seems to have settled down a lot since I finally got around to adding some RBL checks to sendmail (spamcop, spamhaus, and sorbs). However, it probably wouldn’t be hard to get most mail systems to call the ipupdate script when messages were flagged as spam.

  28. Kelson says:

    Next step: extensions to HTTP that make it possible to trigger an electrical surge in the spammer’s keyboard or mouse, thus applying negative reinforcement techniques…

    Ehh, who am I kidding? Most of them just hit “Go” and walk away from the computer.

  29. Pingback: inforedesign » Blog Archive » Spammers should all DIE DIE DIE

  30. Pingback: geek ramblings » Testing a new spam blocker

  31. Coofer Cat says:

    I too am getting annoyed with comment spam. I have found that even simple changes to the comment form/post handler will stop the automated attacks (as they’d have to be crafted specifically for my site).

    That said, any such measures are short-term. Your dynamic IP blocklist sounds like a really good idea – it would force spammers to use ever larger botnets for their evil work. That really means their costs go up, which is the best way to stop them.

    An expansion of your idea might be to make IP/HTTP behave badly. For example, if an identified spam IP attempts to connect, perhaps let them connect to a sacrificial lamb machine instead of the live web server. Let that machine accept the connection, but then never return a result – keeping the connection open as long as possible (you might be able to hack the IP stack so that you actually close the connection, but don’t send any packets out saying so). You’d end up sapping up lots of botnet connections, again causing spammers a bit of a headache. Of course, you might need more people than yourself doing this to have any real impact.

    Just a thought…

  32. powerbit says:

    These fuc**** Spammassholes are flooding my ***king Blog. God, please stop this shit soon. I am tired, I don’t want to delete spam comments any longer. How can I secure myself? I switched my blog off for a while. Trying to update WordPress to a new version. Hope it brings something.

  33. IO ERROR says:

    That has to be one of the most creative comment spams I’ve seen in a long time.

    Dougal, I’m interested to know if you’ve tried Bad Behavior, and if so, if it helped with reducing your server load. Also I wanted to let you know that I have launched the Bad Behavior Blackhole which specifically lists open proxies and other IP addresses from which link spam has been received (by anyone). It’s still officially a work in progress, but it has data in it and it’s usable.

  34. Pingback: IO ERROR

  35. Pingback: IO ERROR » Nofollow revisited

  36. Chad says:

    A fitting punishment for spammers that are caught would be hanging them upside down from a tree and feeding them ex-lax for a week. Just my 2 cents…

  37. Pingback: Lunacy Unleashed » Automattic Kismet

  38. I think that the best solution is one similar to movable type. You can’t worry about the few who can’t post b/c of visual impairment. You seem to be spending a lot of time on spam. Is that worth the few visually impaired visitors you receive? Good luck.

  39. Pingback: Nofollow revisited - Homeland Stupidity

  40. jens says:

    It seems that Bad Behavior will stop my SPAM-ING Problems for my comment script. I think I am gonna try it out. Thanks for the advice..
    Greets Jens ( http://www.isoliert.de/forums/ )

  41. Tails1 says:

    How about a honeypot for comment spam? What I did was I set up additional blog pages under the same domain as my blog with hidden links from my real blog. I use a robots.txt to keep the search engines off it and use random gibberish for posts. (a script could be used to keep the posts dynamic and random) There should be no way normal users can see these pages and no reason a legitimate user would comment as the posts are random words. You can be as creative as you want to make these honeypot pages appealing to spammers’ automated tools. (spammy words, trackback pings to spam blogs etc…) Use comment challenge and/or Captcha on your real page(s) and leave it turned off for the honeypot ones. The automated spam bots fall for it every time and as soon as a comment is posted to the honeypot pages, the IP belonging to it gets blocked at the perimeter firewall. I rarely see comment spam done by hand at least on my blog and for the bit that I do get I just delete. If it gets worse I could try SpamLookup or something else. Bottom line is there are lots of creative ways to deal with spammers no matter what kind, you just have to think about it. Try it next time you’re in the shower, that’s what I do :D

  42. Harry says:

    Unfortunately there are increasing numbers of spam bots on the net. The only way to reduce them and possibly stop them altogether is to put a captcha (search on google) on your comments form. They usually can’t get around the complexity of reading text from an image.

  43. Gokkasten says:

    Blocking single IPs will generally not do much, I have spam messages that are similar in content coming in from IP addresses all around the world, must be some kind of bot network.

  44. I think you made some good points in your post.

  45. borje says:

    Very thoughtful post .

  46. Franz says:

    The title made me laugh and think “heh so true, so true..”
    IP tracking wouldn’t change much I think, a bot doesn’t act from a single IP, and firewalling a whole IP range would also block out some innocent users.. plugins are the best solution right now.
    http://www.buyinpoker.com

  47. big loser says:

    Obviously, irrelevant, auto-submitted crap is spam; however, if someone makes an incredible comment on your site, but their site is commercial, is that spam? Or does it just need to have keywords to be considered spam? I don’t get it. Do you? What is spam really? I am sick of people talking about spam as if it’s so black/white.

  48. Debbie says:

    I was barest tickled pink to twig this site.I wanted to acknowledgement you for this cyclopean assume from!! I unequivocally enjoying every small trace of it and I comprise you bookmarked to check up on out of order recent things you post.

  49. Pingback: Bad Behavior / Bad Behaviour: Akismet – Automattic Kismet
