Archive for Spam

Wow, 1000 IPs blacklisted

It’s been a while since I checked how many IP addresses are in my blacklist, so I decided to count the lines in my RewriteMap file:

$ wc -l /usr/share/apache/maps/ip-baned.txt
1031 /usr/share/apache/maps/ip-baned.txt

He he, more than 1000 IPs are now forbidden from accessing my pages.

I’m pretty happy to see that my system works fine now: I don’t have to update the rules that often, the IP pool is big enough.

Note that the IP blacklist is still available online, help yourself!

Fighting link spammers, again.

Looking at my logs this morning, I found 5 new domains being used by spammers to fake referer hits on websites. Update your blacklists, friends:

  • .fearcrow.com
  • .vpshs.com
  • .poker-hands-secrets.com
  • .pacific-poker-top-place.com
  • .samiuls.com

Moreover, I randomly picked a few of the IPs I had blacklisted and contacted their owners when it looked like the owner was definitely not the spammer himself.
For instance, I found this note in the WHOIS record of one compromised IP:

remarks: For any kind of abuse orignating from our network please
remarks: abuse@xxxxxxxx-company.com

I then sent them a mail to inform them that 4 of their IPs were being used to attack other websites.
I’ll quote here the template I wrote, in case it is useful for others:

Hello,

I run a webserver and have set up a protection against spammers which
gives me a list of IP addresses that they use to attack websites.

Sometimes, I perform a WHOIS lookup on those IPs to find out whether I can
contact their owner and inform them that their IPs are being abused by
spammers.

I’m sorry to tell you that, at least …. of yours are in this case:

- IP #1
- IP #2

- IP #N

Those IPs were used by spammers to send malicious HTTP requests to my
webserver.
Maybe you can investigate to see how those computers got compromised.

Note that this has become a very widespread method for spammers: they
launch worms and viruses to get access to machines and then use them as
“zombie” machines.

Best regards.

If you can, take the time to send such emails; it can be helpful to a lot of people.

Link Spammers return

It seems that the spammers launched their bots once again today: more than 150 trackback requests sent to my blog, coming from 54 different IPs.

Don’t know whether the spammers are aware of it, but all those attacks are blocked by a trivial RewriteRule:

    RewriteCond %{REQUEST_METHOD} POST
    # referer present but not from my domain ...
    RewriteCond %{HTTP_REFERER} !(sukria\.net) [NC,OR]
    # ... or no Referer header at all (mod_rewrite expands a missing header
    # to the empty string, not to the "-" you see in the access log)
    RewriteCond %{HTTP_REFERER} ^$
    RewriteRule ^(.*) - [F]

As you can see, every POST request coming with a referer that is not from my domain is refused. That said, every spammer request I’ve seen has no referer at all, so the empty-referer condition alone would be enough.

Some new domains are also used as fake referers:

  • .doobu.com
  • .rohkalby.com
  • .camfun24.com

Go on spammers, come to me, my IP blacklist is hungry!

What about blacklisting Link Spammers together?

Link spammers are getting more and more aggressive these days and one shouldn’t ignore them. As I said before, I set up a small but effective system to block blacklisted IPs from accessing my pages, and it works pretty well.

After more than ten days of active blacklisting, I have an interesting file to share: the Apache RewriteMap I use for listing unwanted IP addresses.
That file gets updated every day with the new IP addresses that attacked my website.

This makes me wonder whether we could set up a volatile package dedicated to setting up a webserver shield. It could simply provide an example httpd.conf configuration (showing how to use the RewriteMap) and some maps (IP addresses, fake referers and user agents).

I might work on a prototype package and post again on that topic, stay tuned …

How to Fight Blog Spammers with Bash, mod_rewrite and Cron

If you run your own webserver, you are certainly a blog spammer’s target. Yes, you are.

They use compromised boxes or open proxies to launch their bots on your website, posting comments or sending trackbacks on your blog, or simulating referers hits with their domain names. All this to increase their visibility.

This new way of polluting the World Wide Web is becoming as much of a nuisance as email spam. Here is how I block this kind of attack, using basic and well-known tools: mod_rewrite for denying access, bash for a simple IP address grabber script, and cron for scheduling.

The strategy here is to block requests that match one or more of those conditions:

  1. The user agent is known to be a spambot.
  2. The IP address is blacklisted.
  3. The referer is known to be a fake one.

1. Grabbing IP addresses

Let’s start by grepping your access log to find the IP addresses related to the attacks.
A tiny shell script will do this job for you. It takes as its only argument a pattern used for the grep over the access log. Your only job is to choose a good pattern.

Once you have launched this script, the file /usr/share/apache/maps/ip-baned.txt (or whatever path you chose) will contain all the IP addresses you don’t want to serve.

2. Apache configuration

We can now update the Apache configuration to set up mod_rewrite.

First filter the User Agents:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (AGENT_1) [OR]
…
RewriteCond %{HTTP_USER_AGENT} (AGENT_N)
RewriteRule ^(.*) - [F]

Then use the blacklisted IP addresses:

# RewriteMap is only allowed in server or virtual host context, not in .htaccess
RewriteMap ipbaned txt:/usr/share/apache/maps/ip-baned.txt
# the lookup returns NOTFOUND for any IP absent from the map; everything else is refused
RewriteCond ${ipbaned:%{REMOTE_ADDR}|NOTFOUND} !=NOTFOUND
RewriteRule ^(.*) - [F]

And filter fake referers:

RewriteCond %{HTTP_REFERER} (DOMAIN_1) [NC,OR]
…
RewriteCond %{HTTP_REFERER} (DOMAIN_N) [NC]
RewriteRule ^(.*) - [F]

Restart Apache and enjoy all the 403 errors you’ll send to the spammers.

3. Using Cron for updating the blacklist

The last thing to do is to set up a cron job that periodically updates your IP blacklist using the little script I provide.

You’ll then receive a mail from crond whenever the blacklist file changes, showing which IP addresses were added.

This simple solution works great for me: my log analyzer shows more than 1400 hits refused with a 403 error in less than 3 days of use…
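The grabber script from step 1 is linked rather than reproduced here, so below is an added example of my own (not the blog’s script) that covers steps 1 and 3 together: it greps the access log for a pattern, merges the client IPs into the RewriteMap file, and prints only the newly added IPs so that the cron mail lists exactly what changed. It assumes a common/combined-format access log and the default paths shown; the log lines at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example, not the blog's own script: grep an access log for a
# pattern, pull the client IPs out of the matching lines and merge them
# into the RewriteMap file. Newly added IPs are printed, so when cron runs
# this the mail it sends lists exactly what was added.
# Usage: grab_ips PATTERN [ACCESS_LOG] [MAP_FILE]

grab_ips() {
    pattern="$1"
    access_log="${2:-/var/log/apache/access.log}"          # assumed default path
    map_file="${3:-/usr/share/apache/maps/ip-baned.txt}"   # path used on this page

    [ -r "$access_log" ] || { echo "cannot read $access_log" >&2; return 1; }
    [ -f "$map_file" ] || : > "$map_file"

    # Field 1 of a common/combined log line is the client IP. Keep only
    # dotted quads so a garbled log line cannot inject junk into the map.
    grep -- "$pattern" "$access_log" \
        | awk '{ print $1 }' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        | sort -u \
        | while read -r ip; do
            # txt: maps are "key value" per line; the value itself does not
            # matter, the RewriteCond only checks the lookup is not NOTFOUND.
            if ! grep -q "^$ip " "$map_file"; then
                printf '%s banned\n' "$ip" >> "$map_file"
                echo "added: $ip"
            fi
        done
}

# Stand-alone demo on a constructed log (sample data, not real traffic).
demo_dir=$(mktemp -d)
cat > "$demo_dir/access.log" <<'EOF'
10.0.0.1 - - [01/Jan/2005:10:00:00 +0100] "POST /trackback/42 HTTP/1.0" 403 - "-" "Mozilla/4.0"
192.0.2.7 - - [01/Jan/2005:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 1234 "http://sukria.net/" "Mozilla/5.0"
10.0.0.1 - - [01/Jan/2005:10:00:02 +0100] "POST /trackback/43 HTTP/1.0" 403 - "-" "Mozilla/4.0"
198.51.100.9 - - [01/Jan/2005:10:00:03 +0100] "GET /blog/ HTTP/1.0" 200 2048 "http://www.poker-hands-secrets.com/" "Mozilla/4.0"
EOF
grab_ips 'POST /trackback' "$demo_dir/access.log" "$demo_dir/ip-baned.txt"
grab_ips 'POST /trackback' "$demo_dir/access.log" "$demo_dir/ip-baned.txt"   # second run adds nothing
```

Run from cron with the real log and map paths; because nothing is printed when the map is unchanged, crond only mails you when new IPs were actually added.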
