I’ve been trying to snatch a few minutes here and there to work on the automated spam blocking system that I proposed last week. Earlier today, I finished up one of the components, and I’m currently testing it. It seems to be performing as designed, so far.
There are three pieces to the system, currently:
ipupdate: A perl script which accepts an IP number as an argument. When run, it checks whether the IP already exists in its configured database table. If not, it adds it. If so, it updates the last access time and a counter associated with the IP.
ipmanage: Another perl script. This one is run every five minutes as a cron job (with
rootpermissions). This script grabs the current set of rules from
compares them against entries in the database, expires old rules, and adds new rules for IP numbers which have crossed the defined threshold.
WPIPFW: A simple WordPress plugin. It merely checks a few spam indicators (connections from open proxies, blacklisted referer strings, comments posted and flagged as ‘spam’). If any of the indicators are true, it passes the client IP number to the
I still need to tweak the auto-expire logic a bit. Currently, it only looks at the database entries to determine dormancy. But an IP blocked by the firewall won’t be able to trigger the conditions that update the database. I need to capture the IP accounting stats from
ipfw and update the
lastaccess field in the database if the IP is still seeing activity. Otherwise, all IP numbers will automatically expire from the database, even if they continue their (failed) attempts to contact my server. Though, they’ll automatically get blocked again once they re-cross the threshold of spam attempts.
It would also be moderately easy to get most email systems to call out to the
ipupdate script. In fact, any service or program which allows you to call out to external scripts could use it. One good project (which I might also implement here) could be to scan the logs from your mail server, and automagically add/delete database entries based on SMTP rejections.
Unfortunately, this will only be useful to folks who have the ability to modify the firewall rules on thier server. Also, it’s currently hardcoded to work with
ipfw, which is what my FreeBSD server uses. But it should be simple to modify it to work with other firewall systems and rulesets.
When I finish the current features and get it cleaned up a bit, I’ll release the code. It’s not very pretty, and I won’t be able to offer any technical support for it. But if anyone else finds it useful, that will be great.
I know that this isn’t a new idea, but I haven’t seen another implementation that broke things down into a simple generic system that other services can hook into easily. If anybody out there has seen something like this, post a link!
So far, it appears to be working for me. In the couple of hours since I activated the weblog plugin, it’s added over 60 IP numbers to the database. Of those, 18 have already been banned at the firewall level, and 8 of those have attempted approximately 110 more spam attempts (combined) since being blocked. Another 10 hosts are just one more spam away from being blocked. The next thing to be tested is the auto-expiration of spam hosts that have gone dormant. More as it develops.