Posted on: 08/30/05 11:41am
By: DubiousChrisJ
I have an army of spambots attacking my site right now ( http://dubiousprofundity.com/[*1] ). I am getting 2-300 new http referrers every hour, all from www.antiquemarketplace.net (http: trimmed to keep it from creating a link). I have added tons of variations to my spam-X blacklist, but spamX doesn't seem to be able to just block that domain, and the hits are coming from all different IPs (spoofed, I'm sure). Can anyone help?
Help! My site is under attack!
Posted on: 08/30/05 11:45am
By: xardoz
Comment spam or referrer spam? If it's comment spam, disable anonymous comments.
If it's referrer spam, disable anonymous access to your stats.
Help! My site is under attack!
Posted on: 08/30/05 11:47am
By: DubiousChrisJ
Anonymous commenting is disabled...and to access site statistics requires login as well. This doesn't stop them from filling up my Http referrer logs with their BS links...
Am I understanding you correctly?
Help! My site is under attack!
Posted on: 08/30/05 11:53am
By: DubiousChrisJ
Well, I guess I blocked enough variations to make a difference...it seems to have petered off...
I have some referrer spam here and there, but never anything like this before...I had just cleared the log, and went to 300 of the same link within minutes...and this kept up through multiple deletes.
Help! My site is under attack!
Posted on: 08/30/05 12:04pm
By: Anonymous (guest)
Why should disabling the stats help in this case?
Help! My site is under attack!
Posted on: 08/30/05 01:29pm
By: Dirk
[QUOTE BY= DubiousChrisJ] I am getting 2-300 new http referrers every hour, all from www.antiquemarketplace.net[/QUOTE]
Welcome to the club - sounds like you're on the list of our special friends, "The Bulgarians[*2]". Expect more of the same over the coming days (but with different domains).
In addition to the measures linked to from the above article, I can also heartily recommend Bad Behavior[*3] (which, btw, is now finally running here on geeklog.net, too).
bye, Dirk
Help! My site is under attack!
Posted on: 08/30/05 03:52pm
By: Anonymous (Matt)
I'm being hit hard by these folks too, with the antiquemarketplace referrer. On my site, they were hitting all the "email this story" links, and actually generating emails, with their spam message in the comment field ahead of the story. I found out about it when a bunch of the emails bounced back to me.
I could look at my SMTP server logs, and see all the addresses that they had spammed. It was weird. Most of them didn't look like legitimate addresses, and they pounded on a couple of addresses over and over. I'm not sure what they were trying to do.
This opened my eyes to a problem that I should have considered before. If you have a website which allows a visitor to enter any email address, and cause email to be sent to that address, you effectively have an open SMTP relay if somebody finds it and abuses it. And the "email this story" function is exactly that: a website that allows anybody to use my server to send email to anybody, as long as they don't mind having my article appended to the end of their spam.
Has anybody else considered the possibility of "email this story" being abused as a spam relay? If so, is there any way to prevent it, other than disabling the function?
Help! My site is under attack!
Posted on: 08/30/05 04:04pm
By: Dirk
[QUOTE BY= Matt] If you have a website which allows a visitor to enter any email address, and cause email to be sent to that address, you effectively have an open SMTP relay if somebody finds it and abuses it. And the "email this story" function is exactly that: a website that allows anybody to use my server to send email to anybody, as long as they don't mind having my article appended to the end of their spam.
Has anybody else considered the possibility of "email this story" being abused as a spam relay? If so, is there any way to prevent it, other than disabling the function?[/QUOTE]
So far, the spammers haven't been desperate enough to do that. But then again, I guess the appended story could actually help get their message through the spam filters ...
You can disable emailing stories for anonymous users in config.php (set $_CONF['emailstoryloginrequired'] = 1).
And it would probably make sense to check the message that has been entered for spam before sending it ... /me makes a note of that
bye, Dirk
Help! My site is under attack!
Posted on: 08/30/05 05:40pm
By: Anonymous (guest)
But why disabling the stats?
Help! My site is under attack!
Posted on: 08/31/05 02:00am
By: Dirk
[QUOTE BY= guest] But why disabling the stats?[/QUOTE]
Because your stats link to them and that's all they're after. More links, better Google ranking. So you're doing free advertising for these scumbags ...
bye, Dirk
Help! My site is under attack!
Posted on: 08/31/05 05:28am
By: Anonymous (guest)
My stats just lists the top stories, comments, e-mail stories, links, etc. It has nothing about referrers.
Help! My site is under attack!
Posted on: 08/31/05 08:44am
By: Anonymous (Matt)
Geez ... do these guys ever give up? I followed Cindy's spampop suggestion to deny requests with the x-aaaaaaaaaa: header, and that's working. All their requests are getting blocked with a 403 error. But they're still filling my access logs with their referrer sites, which I guess is their main goal (or at least one goal, I'm still not sure what they were trying to accomplish with the mail trick). It makes me want to email them and say "Hey jerks, give up!! I'll make damn sure your sites don't show up in my stats no matter how hard you hammer me!"
Help! My site is under attack!
Posted on: 08/31/05 01:56pm
By: Dirk
[QUOTE BY= guest] My stats just lists the top stories, comments, e-mail stories, links, etc. It has nothing about referrers.[/QUOTE]
That's fine then. The above comments were about the visitor stats plugin (aka GUS plugin). Geeklog's own little stats page doesn't display any referrers.
bye, Dirk
Help! My site is under attack!
Posted on: 08/31/05 01:59pm
By: Dirk
[QUOTE BY= Matt] Geez ... do these guys ever give up?[/QUOTE]
Nope. They don't care about return codes (no spambot does, AFAIK). Blocking them in .htaccess at least takes the load off your server (and database).
They've been hitting geeklog.net for months (since last December), getting 403s for each and every request. They've only stopped a few weeks ago (and I still have them on other sites).
bye, Dirk
Help! My site is under attack!
Posted on: 09/02/05 06:51am
By: LWC
That would just hammer your 403 page. Why don't you use the 127.0.0.1 method, which you suggested yourself in the past?
Help! My site is under attack!
Posted on: 09/02/05 02:25pm
By: Dirk
[QUOTE BY= LWC] That would just hammer your 403 page.[/QUOTE]
The 403 "page" on geeklog.net is this (from our .htaccess):
# send a short 403 message
ErrorDocument 403 "Access denied.
That's all it sends: 14 bytes (plus the HTTP header). If you have a busy site and/or under attack, you want to save what you can.
[QUOTE BY= LWC] Why don't you use the 127.0.0.1 method, which you suggested yourself in the past?[/QUOTE]
Not all spambots follow the redirect. The Bulgarians' do, actually. But redirecting them to 127.0.0.1 doesn't make a lot of sense since they exclusively use open proxies, so you would only hammer the proxies.
bye, Dirk
Help! My site is under attack!
Posted on: 09/02/05 02:36pm
By: drshakagee
I added some stuff to my personal blacklist in spam-x and I have gone from 100 spam comment attempts a day to less than 10 and I have even had days with no attempts. They do eventually stop. I get occasional complaints from normal users that their comments are flagged as spam, but I don't mind since it's not too often.
Help! My site is under attack!
Posted on: 09/02/05 04:21pm
By: Anonymous (ironmax)
Another way that you could stop them is if you run your own server as I do, you could block them using the firewall or router to disable connections from those IPs that they are using to connect from. Plus I don't allow anonymous comments, so that pretty much stopped them cold in their tracks. Also you could use Bad Behavior as another tool to thwart their attempts.
Mike
Help! My site is under attack!
Posted on: 09/02/05 04:51pm
By: Dirk
[QUOTE BY= ironmax] Another way that you could stop them is if you run your own server as I do, you could block them using the firewall or router to disable connections from those IPs that they are using to connect from.[/QUOTE]
Last time I bothered to count, I came up with a list of 1463 different IP addresses (all open proxies, mind you) they had used over time.
It may, of course, help as a short-time measure when you're really getting a lot of hits.
[QUOTE BY= ironmax] Also you could use Bad Behavior as another tool to thwart their attempts.[/QUOTE]
Bad Behavior checks for that special header they seem to be using all the time. You can also feed that to the Spam-X plugin (that's what the Header filter module is for).
bye, Dirk
Help! My site is under attack!
Posted on: 09/08/05 11:15am
By: Anonymous (Matt)
[QUOTE BY= Dirk]
Not all spambots follow the redirect. The Bulgarians' do, actually. But redirecting them to 127.0.0.1 doesn't make a lot of sense since they exclusively use open proxies, so you would only hammer the proxies.
bye, Dirk[/QUOTE]
Firewalling makes the most sense, if you can do it. Unfortunately, I'm on a virtual server and can't set up a firewall. I used the technique of checking for the x-aaaaa header, which worked nicely. At first I used it to deny access, and sent a short message like Dirk's instead of a 403 page. But if some of the spambots are actually following redirects, I decided it made more sense to redirect to an address that was either dead or firewalled, so that it wouldn't respond. Redirecting to 127.0.0.1 will probably cause the spambot's host to immediately respond with a connection rejected, but redirecting to a dead or firewalled IP will make the bot wait for a timeout, which could slow it down some. Granted, it only works for the bots that follow redirects, but even for the ones that don't, it still reduces your server load by sending a redirect instead of letting them hit your actual content. And I can also keep the spam hits out of my access logs (actually I route them to a separate log so I can still be aware of them), by using the spammer environment variable on the log directives.
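The header check, short 403 and split logging that Matt describes above, sketched as an added example; it is not part of any post in this thread and not the configuration anyone here actually used. It assumes Apache 2.4 with mod_setenvif, and the host name, paths and log file names are placeholders.

```apache
# Added example, Apache 2.4 syntax. Host name, paths and log names are placeholders.

# Flag any request that carries a header named X-AAAAAAAAAA (10 As) or
# X-AAAAAAAAAAAA (12 As), the two header names given in this thread.
# The value pattern is ".+" and not ".*": mod_setenvif treats a header that
# is absent as an empty string, so ".*" would flag every single request.
SetEnvIf X-AAAAAAAAAA   .+ spammer
SetEnvIf X-AAAAAAAAAAAA .+ spammer

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    <Directory "/var/www/example">
        # Everyone is allowed in except requests flagged above; those get a
        # 403 before any PHP or database work is done.
        <RequireAll>
            Require all granted
            Require not env spammer
        </RequireAll>
    </Directory>

    # Keep the 403 body as small as possible (Apache 2.x quoting).
    ErrorDocument 403 "Access denied."

    # Flagged hits go to their own log, so the normal access log and any
    # referrer statistics built from it never see the spammed referrers.
    # CustomLog is only valid in server or virtual host context, not in
    # .htaccess.
    CustomLog "logs/access_log" combined env=!spammer
    CustomLog "logs/spam_log"   combined env=spammer
</VirtualHost>
```

On shared hosting where only .htaccess is available, the SetEnvIf lines and the access rule still work there, but the log split has to be done by the hosting provider.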
Help! My site is under attack!
Posted on: 09/08/05 02:02pm
By: ByteEnable
[QUOTE BY= Matt] I'm being hit hard by these folks too, with the antiquemarketplace referrer.[/QUOTE]
Contact the owner using whois.sc and demand that he legally stop spamming you.
antiquemarketplace
[whois info removed -- Dirk]
Help! My site is under attack!
Posted on: 09/08/05 02:55pm
By: Dirk
[QUOTE BY= ByteEnable] antiquemarketplace[/QUOTE]
Matt was hit by spam for antiquemarketplace.net, while you quoted the whois information for the .com domain, which belongs to someone else entirely.
antiquemarketplace.net is one of the domains used by the Zahariev brothers (aka The Bulgarians[*2]). Forget about complaining to them ...
If at all, complain to Moniker, their registrar, but be prepared that they may forward your email to the owners. Moniker knows who their customers are (they have been told by several people many times) but refuse to do anything about it. I guess when you have (at least) 2500 domains registered with a registrar, you're somewhat immune.
Just to put things in perspective ...
bye, Dirk
Help! My site is under attack!
Posted on: 09/08/05 05:55pm
By: DubiousChrisJ
Thanks for all the advice everyone. It does seem to come in waves, and comes from so many different IPs and Domain names that some of the straightforward methods really don't work.
I couldn't figure out the header filter method you were talking about with Spam-X. Could you detail that a bit?
Help! My site is under attack!
Posted on: 09/08/05 06:10pm
By: Dirk
[QUOTE BY= DubiousChrisJ] I couldn't figure out the header filter method you were talking about with Spam-X. Could you detail that a bit?[/QUOTE]
You need 2 entries. For the "Content" field, it's simply .* (dot star) in both cases. For the "Header", have one entry X-AAAAAAAAAA (that's 10 As) and one entry X-AAAAAAAAAAAA (12 As).
bye, Dirk
Help! My site is under attack!
Posted on: 09/08/05 06:46pm
By: DubiousChrisJ
BAD BEHAVIOR! It is working like a charm. Now my spambot traffic and legit traffic are in separate logs, at least, and that is good enough for me.
Thanks Dirk!