
Alden Bates' Weblog

Feigning normality since 1973

Blocking Spammers part X

Filed in: Weblogging.

Not content with using mt-blacklist to block spam comments, I decided to be proactive. This involved whipping up some .htaccess rules and scripts to catch and block spammers before they even got to the spamming stage. It works quite nicely - the script catches them when they enter, delivers a 403 error to them and bans their IP address from the weblog.

And then the traffic to my weblog decreased by 50%. Yes, 50% of the traffic to my weblog was spammers. That's just sad.

Posted April 11, 2005 10:28 PM

Comments

So, any good rules you could share? I tend to use text files and include them via iframe to prevent the blog software from messing with the code. I see you've already found my blog. Check out my various blocks as well.

Posted by: Spamhuntress | April 15, 2005 3:34 AM

The first thing I noticed was that every comment spam attempt would follow the same format:

  1. a hit on the entry, with a spammy domain in the referrer.
  2. the comment spam would be posted.

I blocked the initial hit by adding a few rules in the .htaccess file to check the referrer, and once they were blocked from viewing the entry, they were unable to post a comment to it. The few that did sneak through, MT-Blacklist caught anyway.

Once I had the blocks above in place, the spammers would tend to hit entries twice, sometimes using different proxy servers, sometimes not, but both times using the same spammy URL.

Today, I've noticed their attempts have changed:

  1. Hit the entry using a spammy referrer and get back a 403.
  2. Hit the entry again, using no referrer, but coming from specific IP addresses: 62.193.231.242 and 62.193.231.243 (they both resolve to wpc1213.amenworld.com for me).
  3. post the comment spam.

So they appear to be wisening up to my tactics. :)

A while back, I'd also banned the Mexican Alestra open proxies which you mention on your site, and that had helped cut down a lot of the spam...

I'll upload those rules in a text file and include them in another comment.

Posted by: Alden Bates | April 15, 2005 10:46 PM

Why does "remember me" never work on my own weblog? If anything should remember me, you'd think my own web site would... anyway!

RewriteCond %{HTTP_REFERER} (texas\-hold\-em|e\-site|viagra|casino|poker|holdem|pharmacy|e\-buy|cialis|pills)(.*)\.(com|net|org|us|info|biz) [NC,OR]
RewriteCond %{HTTP_REFERER} \.(com|net|org|us|info|biz)\/(online\-poker|texas-holdem|poker|empire\-poker|poker\-rooms)\.html$ [NC,OR]
RewriteCond %{HTTP_REFERER} sml338.org [NC,OR]
RewriteCond %{HTTP_REFERER} \.(com|net|org|us|info|biz)\/.*(equity|mortgage|consolidation|loan).*\.html$ [NC]
RewriteRule (.*) - [F,L]

First off they were coming at me with spammy subdomains: spamterm.domain.com and so on, so the first rule blocks domains with a spamterm.

Then they switched to using www.domain.com/spamterm.html, so the second rule blocked most of those.

Then they switched to using the sml338 domain along with money-based spamterms, so the third catches the domain and the fourth is in case they try the same thing with other domains. Currently they seem to be using subdomains, which rule 1 catches.

And the last line delivers them a nice 403 error. I'd like to deliver them a hard drive format and a swift kick to the rear, but we can't have everything. :)

I could probably tighten those rules up a bit, but so far I haven't had any positives get caught...

Posted by: Alden Bates | April 15, 2005 11:10 PM
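
Added example (not part of the original post or its comments): a small Python harness that runs the four RewriteCond patterns posted above against constructed referrers, to see which rule would trigger the 403 and whether legitimate-looking referrers get caught. The example.* hostnames and the function names are assumptions, and Python's `re` with IGNORECASE stands in for Apache's matching with [NC].

```python
import re

# The four RewriteCond patterns from the comment above, copied verbatim and in order.
# RewriteCond does an unanchored search; [NC] corresponds to re.IGNORECASE.
RULES = [
    r"(texas\-hold\-em|e\-site|viagra|casino|poker|holdem|pharmacy|e\-buy|cialis|pills)(.*)\.(com|net|org|us|info|biz)",
    r"\.(com|net|org|us|info|biz)\/(online\-poker|texas-holdem|poker|empire\-poker|poker\-rooms)\.html$",
    r"sml338.org",
    r"\.(com|net|org|us|info|biz)\/.*(equity|mortgage|consolidation|loan).*\.html$",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in RULES]


def blocking_rule(referer):
    """Return the 1-based number of the first rule that matches, or None if the hit is allowed."""
    for number, regex in enumerate(COMPILED, start=1):
        if regex.search(referer):
            return number
    return None


def false_positives(referers):
    """Return (referer, rule) pairs for referrers that would receive the 403."""
    hits = [(r, blocking_rule(r)) for r in referers]
    return [(r, n) for r, n in hits if n is not None]


# Constructed referrers in the shapes the comment describes (placeholder hostnames).
SPAM_SHAPED = [
    "http://online-poker.example.com/",              # spam term in a subdomain
    "http://www.example.net/poker-rooms.html",       # /spamterm.html
    "http://sml338.org/loan.html",                   # the named domain
    "http://www.example.biz/home-equity-loan.html",  # money term in the page name
]

# Constructed referrers a real visitor could plausibly send.
LEGIT_SHAPED = [
    "http://www.the-site.example.com/links.html",          # "the-site" contains "e-site"
    "http://pillsbury-recipes.example.org/",               # "pillsbury" contains "pills"
    "http://www.example.com/blog/student-loan-tips.html",  # "loan" in a page name
    "http://www.example.org/weblog/archives.html",
    "",                                                     # no referrer at all
]

if __name__ == "__main__":
    for ref in SPAM_SHAPED + LEGIT_SHAPED:
        print(repr(ref), "-> rule", blocking_rule(ref))
```

The empty referrer passes all four rules, which matches the later behaviour described in the thread where the second hit arrives with no referrer.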

You're on the list of the pinappleproxy spammer. Which means that block would help. Stops 'em dead every time. I'm guessing you also have some other spammers. The rules you have are good, but the pinappleproxy block (see my pages) is better for that particular spammer. Those other rules would catch other one time spammers.

Posted by: Spamhuntress | April 15, 2005 11:46 PM
