Welcome to Geeklog Friday, July 03 2020 @ 11:23 pm EDT

Geeklog Forums

Help! My site is under attack!

DubiousChrisJ

Forum User
Regular Poster
Registered: 10/05/05
Posts: 114
I have an army of spambots attacking my site right now ( http://dubiousprofundity.com/ ) I am getting 2-300 new http referrers every hour, all from www.antiquemarketplace.net (http: trimmed to keep it from creating a link). I have added tons of variations to my Spam-X blacklist, but Spam-X doesn't seem to be able to just block that domain, and the hits are coming from all different IPs (spoofed, I'm sure). Can anyone help?
Luhme summa dat GL.

xardoz

Forum User
Regular Poster
Registered: 24/02/04
Posts: 98
comment spam or referrer spam? If it's comment spam, disable anonymous comments.
If it's referrer spam, disable anonymous access to your stats.

DubiousChrisJ

Forum User
Regular Poster
Registered: 10/05/05
Posts: 114
Anonymous commenting is disabled...and to access site statistics requires login as well. This doesn't stop them from filling up my Http referrer logs with their BS links...

Am I understanding you correctly?
Luhme summa dat GL.

DubiousChrisJ

Forum User
Regular Poster
Registered: 10/05/05
Posts: 114
Well, I guess I blocked enough variations to make a difference...it seems to have petered off...

I have some referrer spam here and there, but never anything like this before...I had just cleared the log, and went to 300 of the same link within minutes...and this kept up through multiple deletes.
Luhme summa dat GL.

guest

Anonymous
Why disabling the stats should help in this case?

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by DubiousChrisJ: I am getting 2-300 new http referrers every hour, all from www.antiquemarketplace.net

Welcome to the club - sounds like you're on the list of our special friends, "The Bulgarians". Expect more of the same over the coming days (but with different domains).

In addition to the measures linked to from the above article, I can also heartily recommend Bad Behavior (which, btw, is now finally running here on geeklog.net, too).

bye, Dirk

Matt

Anonymous
I'm being hit hard by these folks too, with the antiquemarketplace referrer. On my site, they were hitting all the "email this story" links, and actually generating emails, with their spam message in the comment field ahead of the story. I found out about it when a bunch of the emails bounced back to me.

I could look at my SMTP server logs, and see all the addresses that they had spammed. It was weird. Most of them didn't look like legitimate addresses, and they pounded on a couple of addresses over and over. I'm not sure what they were trying to do.

This opened my eyes to a problem that I should have considered before. If you have a website which allows a visitor to enter any email address, and cause email to be sent to that address, you effectively have an open SMTP relay if somebody finds it and abuses it. And the "email this story" function is exactly that: a website that allows anybody to use my server to send email to anybody, as long as they don't mind having my article appended to the end of their spam.

Has anybody else considered the possibility of "email this story" being abused as a spam relay? If so, is there any way to prevent it, other than disabling the function?

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Matt: If you have a website which allows a visitor to enter any email address, and cause email to be sent to that address, you effectively have an open SMTP relay if somebody finds it and abuses it. And the "email this story" function is exactly that: a website that allows anybody to use my server to send email to anybody, as long as they don't mind having my article appended to the end of their spam.

Has anybody else considered the possibility of "email this story" being abused as a spam relay? If so, is there any way to prevent it, other than disabling the function?

So far, the spammers haven't been desperate enough to do that. But then again, I guess the appended story could actually help get their message through the spam filters ...

You can disable emailing stories for anonymous users in config.php (set $_CONF['emailstoryloginrequired'] = 1).

And it would probably make sense to check the message that has been entered for spam before sending it ... /me makes a note of that

bye, Dirk
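As an added example (not Geeklog's code and not from any poster), the checks below model the two measures Dirk names, a required login before the form will send and a spam check on the visitor's message before anything reaches the MTA, together with the checks a practitioner would put beside them: recipient validation and a per-sender hourly cap. The function name, the block list and the limits are assumptions for this example.

```python
"""Hardening checks for an "email this story" form.

Added example, not Geeklog's code. The login requirement mirrors what
$_CONF['emailstoryloginrequired'] = 1 does in Geeklog; the block list is
a constructed stand-in for a Spam-X personal blacklist; limits and names
are assumptions for the example.
"""
import re
import time
from dataclasses import dataclass, field

# One local part, one domain, no whitespace. \s also rejects CR/LF, so a
# visitor cannot smuggle extra "Bcc:" header lines through the recipient.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed block list (Spam-X style). A share-this-story note has no
# business carrying links at all, so any URL is rejected outright.
SPAM_PATTERNS = [
    re.compile(r"antiquemarketplace\.net", re.I),
    re.compile(r"https?://|www\.", re.I),
    re.compile(r"\b(viagra|casino|mortgage)\b", re.I),
]

MAX_MAILS_PER_HOUR = 5      # assumed limit per sender
MAX_MESSAGE_LEN = 500       # assumed limit on the visitor's note


@dataclass
class SendState:
    """Timestamps of accepted sends, keyed by sender."""
    sent_at: dict = field(default_factory=dict)

    def recent(self, sender: str, now: float) -> int:
        """Number of sends by `sender` in the last hour (prunes older ones)."""
        cutoff = now - 3600
        times = [t for t in self.sent_at.get(sender, []) if t > cutoff]
        self.sent_at[sender] = times
        return len(times)

    def record(self, sender: str, now: float) -> None:
        self.sent_at.setdefault(sender, []).append(now)


def check_email_story(user, recipient, message, state, now=None,
                      login_required=True):
    """Return None if the mail may be sent, otherwise a short rejection reason.

    `user` is the logged-in username, or None for an anonymous visitor.
    The checks run cheapest-first and the send is only recorded against
    the rate limit once every other check has passed.
    """
    now = time.time() if now is None else now
    if login_required and user is None:
        return "login required"
    sender = user or "anonymous"
    if not _ADDR_RE.match(recipient):
        return "invalid recipient"
    if len(message) > MAX_MESSAGE_LEN:
        return "message too long"
    for pattern in SPAM_PATTERNS:
        if pattern.search(message):
            return "message looks like spam"
    if state.recent(sender, now) >= MAX_MAILS_PER_HOUR:
        return "rate limited"
    state.record(sender, now)
    return None


if __name__ == "__main__":
    state = SendState()
    print(check_email_story(None, "bob@example.com", "read this", state))
    print(check_email_story("alice", "bob@example.com",
                            "see www.antiquemarketplace.net", state))
    print(check_email_story("alice", "bob@example.com", "thought of you", state))
```

The order matters for a site under load: the login and syntax checks cost nothing, the spam scan runs only on requests that got past them, and a rejected message never counts against the sender's quota, so a legitimate user is not locked out by a typo.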

guest

Anonymous
But why disabling the stats?

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by guest: But why disabling the stats?

Because your stats link to them and that's all they're after. More links, better Google ranking. So you're doing free advertising for these scumbags ...

bye, Dirk

guest

Anonymous
My stats just lists the top stories, comments, e-mail stories, links, etc. It has nothing about referrers.

Matt

Anonymous
Geez ... do these guys ever give up? I followed Cindy's spampop suggestion to deny requests with the x-aaaaaaaaaa: header, and that's working. All their requests are getting blocked with a 403 error. But they're still filling my access logs with their referrer sites, which I guess is their main goal (or at least one goal, I'm still not sure what they were trying to accomplish with the mail trick). It makes me want to email them and say "Hey jerks, give up!! I'll make damn sure your sites don't show up in my stats no matter how hard you hammer me!"

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by guest: My stats just lists the top stories, comments, e-mail stories, links, etc. It has nothing about referrers.

That's fine then. The above comments were about the visitor stats plugin (aka GUS plugin). Geeklog's own little stats page doesn't display any referrers.

bye, Dirk

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Matt: Geez ... do these guys ever give up?

Nope. They don't care about return codes (no spambot does, AFAIK). Blocking them in .htaccess at least takes the load off your server (and database).

They've been hitting geeklog.net for months (since last December), getting 403s for each and every request. They only stopped a few weeks ago (and I still have them on other sites).

bye, Dirk

LWC

Forum User
Full Member
Registered: 19/02/04
Posts: 818
That would just hammer your 403 page. Why don't you use the 127.0.0.1 method, which you suggested yourself in the past?

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by LWC: That would just hammer your 403 page.

The 403 "page" on geeklog.net is this (from our .htaccess):
# send a short 403 message
ErrorDocument 403 "Access denied.

That's all it sends: 14 bytes (plus the HTTP header). If you have a busy site and/or are under attack, you want to save what you can.


Quote by LWC: Why don't you use the 127.0.0.1 method, which you suggested yourself in the past?

Not all spambots follow the redirect. The Bulgarians' do, actually. But redirecting them to 127.0.0.1 doesn't make a lot of sense since they exclusively use open proxies, so you would only hammer the proxies.

bye, Dirk

drshakagee

Forum User
Full Member
Registered: 01/10/03
Posts: 231
I added some stuff to my personal blacklist in Spam-X and I have gone from 100 spam comment attempts a day to fewer than 10, and I have even had days with no attempts. They do eventually stop. I get occasional complaints from normal users that their comments are flagged as spam, but I don't mind since it's not too often.
Yes I am mental.

ironmax

Anonymous
Another way that you could stop them, if you run your own server as I do, is to block them using the firewall or router to disable connections from those IPs that they are using to connect from. Plus I don't allow anonymous comments, so that pretty much stopped them cold in their tracks. Also you could use Bad Behavior as another tool to thwart their attempts.

Mike

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by ironmax: Another way that you could stop them is if you run your own server as I do, you could block them using the firewall or router to disable connections from those IPs that they are using to connect from.

Last time I bothered to count, I came up with a list of 1463 different IP addresses (all open proxies, mind you) they had used over time.

It may, of course, help as a short-time measure when you're really getting a lot of hits.


Quote by ironmax: Also you could use Bad Behavior as another tool to thwart their attempts.

Bad Behavior checks for that special header they seem to be using all the time. You can also feed that to the Spam-X plugin (that's what the Header filter module is for).

bye, Dirk
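Dirk's count of 1463 proxy addresses is why blocking by IP is only a stop-gap. As an added example, not part of the thread and not Geeklog or Bad Behavior code, the script below does what the admins in this thread did by hand: parse a combined-format access log, flag a referrer that shows up many times from many different source addresses inside a short window regardless of the status code it got (the bots ignore 403s, so blocked hits still count), and emit the source addresses for a temporary firewall rule. The log lines are constructed for the example (TEST-NET addresses, made-up paths); only the referrer domain is the one the thread names. Function names and thresholds are assumptions.

```python
"""Spot referrer spam in an Apache combined-format access log.

Added example, not from the thread or from Geeklog. SAMPLE_LOG is
constructed: one Google referral, two organic hits, and ten hits for the
referrer the thread names, each from a different 192.0.2.0/24 address
and each already answered with a 403. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = (
    '10.0.0.5 - - [03/Mar/2006:10:00:01 +0000] "GET /article.php?story=1 HTTP/1.1" '
    '200 5120 "http://www.google.com/search?q=geeklog" "Mozilla/5.0"\n'
    '10.0.0.9 - - [03/Mar/2006:10:12:40 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"\n'
    '10.0.0.9 - - [03/Mar/2006:10:13:02 +0000] "GET /stats.php HTTP/1.1" 200 3100 "http://dubiousprofundity.com/index.php" "Mozilla/5.0"\n'
) + "".join(
    f'192.0.2.{i} - - [03/Mar/2006:10:{i:02d}:00 +0000] "GET /index.php HTTP/1.0" 403 14 '
    f'"http://www.antiquemarketplace.net/page{i}.html" "Mozilla/4.0"\n'
    for i in range(1, 11)
)


def parse(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def referrer_host(url):
    """Host part of a referrer URL with a leading 'www.' stripped."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_referrer_spam(log_text, window_minutes=60, min_hits=5, min_ips=3,
                       own_hosts=()):
    """Return {host: (total_hits, distinct_ips)} for suspicious referrers.

    A referrer is suspicious when some window of `window_minutes` holds at
    least `min_hits` of its hits from at least `min_ips` distinct source
    addresses. Empty ("-") and own-site referrers are ignored. Status codes
    are deliberately not consulted: a 403'd hit is still a spam hit.
    """
    by_host = defaultdict(list)          # host -> [(time, ip)]
    for rec in parse(log_text):
        host = referrer_host(rec["ref"]) if rec["ref"] != "-" else ""
        if not host or host in own_hosts:
            continue
        by_host[host].append((rec["time"], rec["ip"]))

    flagged = {}
    span = window_minutes * 60
    for host, events in by_host.items():
        events.sort()
        end = 0
        for start in range(len(events)):
            # Advance `end` while events[start:end] still fits in the window.
            while end < len(events) and \
                    (events[end][0] - events[start][0]).total_seconds() <= span:
                end += 1
            window = events[start:end]
            if len(window) >= min_hits and len({ip for _, ip in window}) >= min_ips:
                flagged[host] = (len(events), len({ip for _, ip in events}))
                break
    return flagged


def spam_source_ips(log_text, hosts):
    """Addresses that sent the flagged referrers: a short-term firewall list."""
    return sorted({rec["ip"] for rec in parse(log_text)
                   if rec["ref"] != "-" and referrer_host(rec["ref"]) in hosts})


if __name__ == "__main__":
    hits = find_referrer_spam(SAMPLE_LOG, own_hosts={"dubiousprofundity.com"})
    for host, (n, ips) in hits.items():
        print(f"{host}: {n} hits from {ips} distinct addresses")
    print("block for now:", ", ".join(spam_source_ips(SAMPLE_LOG, set(hits))))
```

The distinct-address count is the useful number: a single referrer from a handful of addresses is a misbehaving crawler and an IP rule ends it, while the same referrer from dozens of addresses is the open-proxy pattern Dirk describes, where the referrer or header filter is the durable control and the IP list only buys a quiet hour.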

Matt

Anonymous
Quote by Dirk:
Not all spambots follow the redirect. The Bulgarians' do, actually. But redirecting them to 127.0.0.1 doesn't make a lot of sense since they exclusively use open proxies, so you would only hammer the proxies.

bye, Dirk


Firewalling makes the most sense, if you can do it. Unfortunately, I'm on a virtual server and can't set up a firewall. I used the technique of checking for the x-aaaaa header, which worked nicely. At first I used it to deny access, and sent a short message like Dirk's instead of a 403 page. But if some of the spambots are actually following redirects, I decided it made more sense to redirect to an address that was either dead or firewalled, so that it wouldn't respond. Redirecting to 127.0.0.1 will probably cause the spambot's host to immediately respond with a connection rejected, but redirecting to a dead or firewalled IP will make the bot wait for a timeout, which could slow it down some. Granted, it only works for the bots that follow redirects, but even for the ones that don't, it still reduces your server load by sending a redirect instead of letting them hit your actual content. And I can also keep the spam hits out of my access logs (actually I route them to a separate log so I can still be aware of them), by using the spammer environment variable on the log directives.
