mweis (New Poster; Joined: 27 Jul 2005; Posts: 5)
Posted: Wed Jul 27, 2005 14:42 Post subject: spam: an IP based approach
Hello!
I found my blog using all my bandwidth because of spammers and did not want to have the ever growing lists of short-lived domain names. So I looked for the IPs of the spammers and found out that it may be easier to track IPs instead of names.
The full approach is listed in my blog:
http://datenroulette.de/blog/i...rs_go_away
and may be a little too angry, but I think this will help. Comments on this are welcome.
I have another IP-based approach (using .htaccess) in this thread on the next page, which really works fine; check it out and don't leave the field to the spammers.
http://forums.b2evolution.net/...4096#24096
Martin
Last edited by mweis on Fri Aug 19, 2005 5:19; edited 1 time in total
malakajoe (New Poster; Joined: 02 Jul 2005; Posts: 4)
Posted: Wed Jul 27, 2005 16:23 Post subject:
Since a lot of spammers will spoof their IP address, I don't know how well this will truly work.
I could be way off, though.
kwa (Hooked :); Joined: 21 Jan 2005; Posts: 261; votes: 1)
Posted: Wed Jul 27, 2005 17:39 Post subject:
I call this function at the top of my skins, before any display:
Code:
function BlockUntrustedVisitors()
{
    $VisitorIP = $_SERVER[ 'REMOTE_ADDR' ];
    if( isset( $_SERVER[ 'SERVER_ADDR' ] ) && strcmp( $VisitorIP, $_SERVER[ 'SERVER_ADDR' ] ) == 0 )
    {
        // Current server is a trusted IP
        return;
    }
    // HTTP_REFERER is simply absent on direct access, so test it with isset() to avoid a notice
    $Referrer = isset( $_SERVER[ 'HTTP_REFERER' ] ) ? $_SERVER[ 'HTTP_REFERER' ] : '';
    if( $Referrer == '' )
    {
        // Direct access is trusted access (no bandwidth consuming referrer spam)
        // (Comment out the following line if you encounter comment spam or other kind of hard to suppress spam)
        return;
    }
    // Extract the referrer's host name; an unparsable referrer leaves $ReferrerDomain empty
    $ReferrerDomain = '';
    if( preg_match( '/^(http|https|ftp)\:\/\/(([a-zA-Z0-9\-_]+\.){1,}([a-zA-Z0-9\-_]{2,6})).*$/', $Referrer, $Matches ) )
    {
        $ReferrerDomain = $Matches[ 2 ];
    }
    if( strcmp( $ReferrerDomain, $_SERVER[ 'HTTP_HOST' ] ) == 0 )
    {
        // Internal referring is trusted
        $ReferrerDomain = '';
        // (Comment out the following line if you encounter comment spam or other kind of hard to suppress spam)
        return;
    }
    // Initialize the checking procedure
    $DnsblServices = array();
    if( preg_match( '/^\d{1,3}(\.\d{1,3}){3}$/', $VisitorIP ) )
    {
        // The reversed-octet query form only applies to IPv4 addresses
        list( $a, $b, $c, $d ) = explode( '.', $VisitorIP );
        $DnsblServices = array(
            array( 'query' => "$d.$c.$b.$a.list.dsbl.org", 'url' => 'http://dsbl.org/listing?'.$VisitorIP ), // See http://www.dsbl.org
            array( 'query' => "$d.$c.$b.$a.opm.blitzed.org", 'url' => 'http://opm.blitzed.org/'.$VisitorIP ), // See http://opm.blitzed.org/info
            array( 'query' => "$d.$c.$b.$a.bsb.empty.us", 'url' => 'http://bsb.empty.us/lookup/?ip='.$VisitorIP ) // See http://bsb.empty.us/
        );
    }
    if( $ReferrerDomain != '' )
    {
        // Only test the referrer domain when one could be parsed from the referrer
        $DnsblServices[] = array( 'query' => $ReferrerDomain.'.bsb.empty.us', 'url' => 'http://bsb.empty.us/lookup/?h='.$ReferrerDomain ); // See http://bsb.empty.us/
    }
    // Perform the potential spamming detection procedure
    foreach( $DnsblServices as $Service )
    {
        // gethostbyname() returns the name unchanged when there is no record; a listed entry answers with a 127.x address
        if( gethostbyname( $Service[ 'query' ] ) != $Service[ 'query' ] )
        {
            // Not trusted (spammer or other not trusted IP or referrer site)
            // Redirect to the service explanation URL
            header( 'Location: '.$Service[ 'url' ] );
            die();
        }
    }
} // function BlockUntrustedVisitors()
The above code is intended to redirect blacklisted IPs and referrers elsewhere with minimum bandwidth usage. Only a few tens of bytes are sent in case of untrusted IP or referrer site identification. It uses several DNSBL services regularly updated by "trusted" sources.
If your visitors are not spammers and are identified as they are, they can read and follow instructions displayed on the redirected page. You can also redirect them somewhere else on your own site in order to warn them about their IP or referrer site blacklisting.
Recently, I discovered (thanks to that function) that my sister's IP has been listed in one of those lists and other blacklists since last year, when her computer was infected by a virus/worm. Once listed, it appears it is very difficult to remove an IP from those lists when your ISP doesn't care...
However, that in addition to regular .htaccess updates based on b2evolution's anti-spam blacklist makes spammers extremely rare on my site.
The Antispam Bandwidth thread is worth reading. To fight comment spamming, read captcha for b2evolution (finally). Another way to reduce bandwidth usage is explained in RSS cache. To reduce CPU usage, read Simple Cache Hack.
_________________
Les perles du chat | Une araignée au plafond | New Development Blog Coming Soon...
Last edited by kwa on Thu Jul 28, 2005 17:46; edited 1 time in total
mweis (New Poster; Joined: 27 Jul 2005; Posts: 5)
Posted: Thu Jul 28, 2005 4:08 Post subject: That is a better way
You are right, my approach has a big problem: referrers are generally faked ones and therefore blocking IPs is not a solution, although it might be that the spammers use their network for spamming.
My problem is not the entries (I disabled the stats), but the bandwidth. Your approach is fine, thanks for that.
Cheer up, Martin
aribuser (New Poster; Joined: 29 Jul 2005; Posts: 3)
Posted: Fri Jul 29, 2005 1:37 Post subject:
Kwa, sorry for the dumb question, but could you please explain in a little more detail where to put your code? What do you mean by "top of my skins"?
Thank you
kwa (Hooked :); Joined: 21 Jan 2005; Posts: 261; votes: 1)
Posted: Fri Jul 29, 2005 8:58 Post subject:
aribuser wrote:
Kwa, sorry for the dumb question, but could you please explain in a little more detail where to put your code? What do you mean by "top of my skins"?
You're right, I haven't been clear about what to do with that code. Here is some more information about how to make it work on your own blog.
VERY IMPORTANT NOTICE:
Make backup copies before any change to your b2evolution original installation.
What is that code?
The BlockUntrustedVisitors function discussed here is intended to redirect blacklisted IPs and referrers elsewhere with minimum CPU and bandwidth usage. Only a few tens of bytes are sent in case of untrusted IP or referrer site identification. This function uses several DNSBL services regularly updated by "trusted" sources to identify the blacklisted IPs.
How to implement it?
If you haven't created a conf/hacks.php file before, create a dummy (empty) conf/hacks.php file with:
Code:
<?php
/* PHP code to be inserted here */
?>
After that, copy and paste the following function at the end of this conf/hacks.php file:
Code:
function BlockUntrustedVisitors()
{
    $VisitorIP = $_SERVER[ 'REMOTE_ADDR' ];
    if( isset( $_SERVER[ 'SERVER_ADDR' ] ) && strcmp( $VisitorIP, $_SERVER[ 'SERVER_ADDR' ] ) == 0 )
    {
        // Current server is a trusted IP
        return;
    }
    // HTTP_REFERER is simply absent on direct access, so test it with isset() to avoid a notice
    $Referrer = isset( $_SERVER[ 'HTTP_REFERER' ] ) ? $_SERVER[ 'HTTP_REFERER' ] : '';
    if( $Referrer == '' )
    {
        // Direct access is trusted access (no bandwidth consuming referrer spam)
        // (Comment out the following line if you encounter comment spam or other kind of hard to suppress spam)
        return;
    }
    // Extract the referrer's host name; an unparsable referrer leaves $ReferrerDomain empty
    $ReferrerDomain = '';
    if( preg_match( '/^(http|https|ftp)\:\/\/(([a-zA-Z0-9\-_]+\.){1,}([a-zA-Z0-9\-_]{2,6})).*$/', $Referrer, $Matches ) )
    {
        $ReferrerDomain = $Matches[ 2 ];
    }
    if( strcmp( $ReferrerDomain, $_SERVER[ 'HTTP_HOST' ] ) == 0 )
    {
        // Internal referring is trusted
        $ReferrerDomain = '';
        // (Comment out the following line if you encounter comment spam or other kind of hard to suppress spam)
        return;
    }
    // Initialize the checking procedure
    $DnsblServices = array();
    if( preg_match( '/^\d{1,3}(\.\d{1,3}){3}$/', $VisitorIP ) )
    {
        // The reversed-octet query form only applies to IPv4 addresses
        list( $a, $b, $c, $d ) = explode( '.', $VisitorIP );
        $DnsblServices = array(
            array( 'query' => "$d.$c.$b.$a.list.dsbl.org", 'url' => 'http://dsbl.org/listing?'.$VisitorIP ), // See http://www.dsbl.org
            array( 'query' => "$d.$c.$b.$a.opm.blitzed.org", 'url' => 'http://opm.blitzed.org/'.$VisitorIP ), // See http://opm.blitzed.org/info
            array( 'query' => "$d.$c.$b.$a.bsb.empty.us", 'url' => 'http://bsb.empty.us/lookup/?ip='.$VisitorIP ) // See http://bsb.empty.us/
            // If you have to insert other IP-based services, insert them in this table.
        );
    }
    if( $ReferrerDomain != '' )
    {
        // Only test the referrer domain when one could be parsed from the referrer
        $DnsblServices[] = array( 'query' => $ReferrerDomain.'.bsb.empty.us', 'url' => 'http://bsb.empty.us/lookup/?h='.$ReferrerDomain ); // See http://bsb.empty.us/
    }
    // Perform the potential spamming detection procedure
    foreach( $DnsblServices as $Service )
    {
        // gethostbyname() returns the name unchanged when there is no record; a listed entry answers with a 127.x address
        if( gethostbyname( $Service[ 'query' ] ) != $Service[ 'query' ] )
        {
            // Not trusted (spammer or other not trusted IP or referrer site)
            // Redirect to the service explanation URL
            header( 'Location: '.$Service[ 'url' ] );
            die();
        }
    }
} // function BlockUntrustedVisitors()
just before the final ?> line.
Now, open your b2evocore/_blog_main.php file and modify the beginning of that file so it looks like this:
Code:
<?php
/**
 * This file loads the blog!
 *
 * b2evolution - {@link http://b2evolution.net/}
 * Released under GNU GPL License - {@link http://b2evolution.net/about/license.html}
 * @copyright (c)2003-2004 by Francois PLANQUE - {@link http://fplanque.net/}
 *
 * @package evocore
 */
/**
 * Initialize everything:
 */
require_once (dirname(__FILE__). '/_main.php');
BlockUntrustedVisitors();
The following code is unchanged.
You don't have to make any other modification. All your blogs are going to be "protected" with that system.
How to modify it?
If you want to remove this hack, just comment out the line of the function call. Just edit your b2evocore/_blog_main.php file like this:
Code:
// BlockUntrustedVisitors();
The double slash tells the PHP interpreter to not take into account what follows until the end of the line: the function is not called.
You can also insert other DNSBL services you can find in the Open Directory - Computers: Internet: Abuse: Spam: Blacklists into the $DnsblServices table. However, take into account that each service is queried after the previous one has replied. That means your real visitors are going to wait longer before a page displays.
EDIT
- The BlockUntrustedVisitors function should appear in the conf/hacks.php file.
- Take care with the case (lower- and uppercase characters): it is important, since PHP is a case sensitive language.
Last edited by kwa on Thu Aug 11, 2005 7:26; edited 8 times in total
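An added example, not kwa's code nor part of b2evolution: the DNSBL logic behind BlockUntrustedVisitors written in Python with an injectable resolver, so it runs offline against constructed answers. The zone names (ipbl.example.test, dombl.example.test), hosts and answers are all made up; socket.gethostbyname would be the live resolver. It also shows why a 127.0.0.0/8 answer, rather than any answer at all, is the right test for a listing.

```python
# Added example (not kwa's code): the DNSBL check behind BlockUntrustedVisitors with an
# injectable resolver, so the logic runs offline. All zone names and answers are constructed.
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], Optional[str]]  # name -> IPv4 answer, or None on NXDOMAIN

def dnsbl_query_name(ip: str, zone: str) -> Optional[str]:
    """Reversed-octet name: 1.2.3.4 under zone Z is 4.3.2.1.Z (None for IPv6/garbage)."""
    try:
        if ipaddress.ip_address(ip).version != 4:
            return None
    except ValueError:
        return None
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(name: str, resolve: Resolver) -> bool:
    """A DNSBL answers a listing with an address in 127.0.0.0/8; the page's `answer != query`
    test also fires when a resolver wildcards NXDOMAIN to a real address, blocking everyone."""
    answer = resolve(name)
    try:
        return answer is not None and \
            ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False

def referrer_host(referrer: str) -> Optional[str]:
    """Host of an http/https/ftp referrer (lower-cased by urlsplit); None if unusable."""
    parts = urlsplit(referrer)
    if parts.scheme not in ("http", "https", "ftp"):
        return None
    return parts.hostname  # already None when the URL carries no host

def check_visitor(visitor_ip: str, referrer: str, own_host: str,
                  ip_zones: list, domain_zone: str, resolve: Resolver) -> Optional[str]:
    """Same order as the hack: direct hits and internal referrers are trusted; otherwise
    return the first DNSBL name reporting a listing, or None if the visitor is clean."""
    if not referrer:
        return None
    host = referrer_host(referrer)
    if host == own_host:
        return None
    queries = [dnsbl_query_name(visitor_ip, zone) for zone in ip_zones]
    if host is not None:  # mirror of the array_pop() when no referrer domain was parsed
        queries.append(host + "." + domain_zone)
    for name in queries:
        if name is not None and is_listed(name, resolve):
            return name
    return None

# Constructed answers standing in for real zones; socket.gethostbyname would be the live resolver.
FAKE_ANSWERS = {
    "4.3.2.1.ipbl.example.test": "127.0.0.2",           # listed visitor IP
    "spammer.example.dombl.example.test": "127.0.0.2",  # listed referrer host
    "9.8.7.6.ipbl.example.test": "203.0.113.9",         # wildcarding-resolver noise, not a listing
}

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)
```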
aribuser (New Poster; Joined: 29 Jul 2005; Posts: 3)
Posted: Mon Aug 01, 2005 16:07 Post subject:
Thank you, kwa.
The result is simply amazing
kwa (Hooked :); Joined: 21 Jan 2005; Posts: 261; votes: 1)
Posted: Mon Aug 01, 2005 20:20 Post subject:
aribuser wrote:
Thank you, kwa.
The result is simply amazing
What do you mean by "amazing"?
aribuser (New Poster; Joined: 29 Jul 2005; Posts: 3)
Posted: Tue Aug 02, 2005 22:12 Post subject:
Quote:
What do you mean by "amazing"?
There has been no referral spam in my blog for a few days now. And I had at least 500-700 spam referrals per day for a few months. This is why I am so amazed with the result of your hack. Thank you again.
kwa (Hooked :); Joined: 21 Jan 2005; Posts: 261; votes: 1)
Posted: Tue Aug 02, 2005 22:17 Post subject:
aribuser wrote:
Quote:
What do you mean by "amazing"?
There has been no referral spam in my blog for a few days now. And I had at least 500-700 spam referrals per day for a few months. This is why I am so amazed with the result of your hack. Thank you again.
Fine! I'm glad to see that this BlockUntrustedVisitors hack worked so well for you!
ThisBeautifulChaos (New Poster; Joined: 06 Aug 2005; Posts: 2)
Posted: Sun Aug 07, 2005 9:58 Post subject:
Ack!
Ok, I followed the steps carefully... and now I cannot even log into my blog. I get this message:
Fatal error: Call to undefined function: blockuntrustedvisitors() in /home/kmgray/public_html/blog/b2evocore/_blog_main.php on line 17
Good lord, what did I do now?! *LOL*
kwa (Hooked :); Joined: 21 Jan 2005; Posts: 261; votes: 1)
Posted: Mon Aug 08, 2005 13:17 Post subject:
ThisBeautifulChaos wrote:
Ack!
Ok, I followed the steps carefully... and now I cannot even log into my blog. I get this message:
Fatal error: Call to undefined function: blockuntrustedvisitors() in /home/kmgray/public_html/blog/b2evocore/_blog_main.php on line 17
Good lord, what did I do now?! *LOL*
PHP is case sensitive. You haven't followed the above steps, since you haven't used the same case (uppercase and lowercase characters) in the function definition and the function call. The function name is BlockUntrustedVisitors() and not blockuntrustedvisitors(). Moreover, as explained above, to remove the above hack, just comment out the function call like explained above:
kwa wrote:
How to modify it?
If you want to remove this hack, just comment out the line of the function call. Just edit your b2evocore/_blog_main.php file like this:
Code:
// BlockUntrustedVisitors();
The double slash tells the PHP interpreter to not take into account what follows until the end of the line: the function is not called.
Does it work fine, now? ;-)
keninman (New Poster; Joined: 10 Aug 2005; Posts: 8)
Posted: Wed Aug 10, 2005 8:17 Post subject: mySQL Crashes after BlockUntrustedVisitors hack
I applied the BlockUntrustedVisitors hack and it seemed to be working fine in the morning, but by last evening we were getting mySQL crashes. I am pretty sure I put everything in correctly. I also noticed that users including myself as Admin could not post a comment to anything that I had posted as Admin. When you would try to post a comment it would just take you back to All Blogs and you would have to re-login. Comments still worked fine on other users' posts though.
I finally had my host, who is also a close friend, take the site down while I try to find an answer so it would not be affecting the other sites he hosts.
I did notice in my cpanel recent visitors that I was getting hit hard and fast by referrer spammers, but none were getting into my referrer list and they were not using much bandwidth, but I was getting hit much harder than I have ever been hit. Is there any way the BlockUntrustedVisitors hack would cause a mySQL crash and what can be done about it?
Ken
kwa (Hooked :); Joined: 21 Jan 2005; Posts: 261; votes: 1)
Posted: Thu Aug 11, 2005 7:11 Post subject: Re: mySQL Crashes after BlockUntrustedVisitors hack
keninman wrote:
I did notice in my cpanel recent visitors that I was getting hit hard and fast by referrer spammers, but none were getting into my referrer list and they were not using much bandwidth, but I was getting hit much harder than I have ever been hit. Is there any way the BlockUntrustedVisitors hack would cause a mySQL crash and what can be done about it?
There is no cause-effect relation between the BlockUntrustedVisitors hack and your mySQL database, since BlockUntrustedVisitors does not perform any kind of mySQL usage.
Your issue description appears to show your cookies are removed or corrupted by posting a comment. BlockUntrustedVisitors does not change nor remove any cookie. So, there is no relation between the BlockUntrustedVisitors hack and your identification issues.
In the case a spammer is identified, the BlockUntrustedVisitors hack redirects him/her to the DNS blacklist service where it is listed as spammer using an HTTP header directive. Since spammers are redirected elsewhere as soon as possible, the CPU and bandwidth usage are very low. The visitor is not redirected to the blog's homepage by this hack.
Moreover, there is no technical reason your blog has more spam attacks after installing this hack. The only cause-effect relation would be psychological. Spammers might have decided something like: "Hey! That stupid webmaster declared war against spam! He's made a huge mistake. I'm gonna learn her/him who decides here!"
Anyway, if you don't like this BlockUntrustedVisitors hack, you can deactivate it by commenting out the call to the blocking function. To do so, edit your b2evocore/_blog_main.php file and add a double slash like this:
Code:
// BlockUntrustedVisitors();
Finally, I suggest you check your b2evolution installation by comparing your current version to the original one. Use a tool like Araxis Merge to compare both versions. (Araxis Merge is the best tool I know about for comparing files and directories. There is a 30-day evaluation period and the tool is worth its price for professional usage.)
Last edited by kwa on Thu Aug 11, 2005 9:58; edited 2 times in total
keninman (New Poster; Joined: 10 Aug 2005; Posts: 8)
Posted: Thu Aug 11, 2005 9:23 Post subject:
Sorry KWA, I should have posted an update yesterday but I was pretty busy. I do thank you for responding though. The mySQL problem turned out to be with the server config, way above my level. Taking Greenetucky.net offline did not stop the mySQL crashes. It is fixed now though. It was a mere coincidence that mySQL started crashing after I applied the hack. We were grasping at straws trying to figure out what was happening.
The BlockUntrustedVisitors hack is working great now that the server company has fixed the mySQL problem. I am grateful to you for this hack/plugin, whatever it is called. Since Bill brought Greenetucky.net back online yesterday at about 1:00 EST I have only had one referrer spammer get through. That's grrrreat, since even using B2's antispam list several were getting through every day. My daily bandwidth usage has gone down a bunch also. I had used up over 3 gigs in the first 9 days of August due to spammers and their bots. One IP range, 80.77.86., ate over a Gig of that. Needless to say I banned the entire range and am trying to get the server company to ban them at the root server level, because they are still getting my 403 error page, which is serving them 700 bytes, and they are hitting it more than once every 15 seconds.
I am thinking of password protecting all of my blogs and requiring anyone who wants access to at least use a generic username and password to enter. Kind of like driverguide does to keep bots out. If anyone has done this successfully please let me know.
Thanks Again,
Ken Inman
http://greenetucky.net/blog/index.php/computer_ken