
1 Jan 24, 2007 01:30    

If this subject is off topic, let me know.

I was inspired by EdB's Spam Warrior post, and empowered by some advice from whoo, and put some Spam controls into my .htaccess file in the B2Evolution folder after a major spam assault last month.

Since then the assaults escalated, ultimately resulting in my main site briefly being accessed by unauthorized users. I was lucky enough to stumble onto it shortly after they gained access and shut down their activities with the help of my web host. I’ve since beefed up htaccess blocks for the main site and also for the B2E blog.

The situation is pretty pathetic since I can no longer get any meaningful usage stats from either my static site or B2E blog – tens of thousands of access attempts are blocked either by the .htaccess changes or by the B2E spam filters. Over 60% of the traffic to my site (which is now something like 50x what it was just a couple of months ago) is turned back with 403 errors. And of the 40% that gets past the .htaccess screens, most is spam aimed at the blog and most of that is blocked by B2E. On the plus note – I only get a few fake referrals and a handful of spam posts a day.

OK – the subject of the post: How can I test these controls to see if they are working properly? I wound up using a spoof program (Zspoof) and that was effective at testing some of the .htaccess blocks (those based on domain names) and also showed me how the B2E anti-spam system works (kudos to the authors – it works well.)

But I’ve blocked a bunch of IP addresses (like the entire ISP from which the site security breach came) using .htaccess allow,deny commands, and I don’t know how to test to see if those blocks are working or not. I guess I’d have to somehow try to get the server to think the request was coming from a blocked IP address, which is a step (or two) beyond spoofing a referrer's domain name.

I don’t know jack about technical stuff so maybe this is easy to do – or maybe not. Any advice on how to test the defenses?

- MCC

2 Jan 24, 2007 14:22

What specifically are you looking to test? It's nearly impossible to answer that question generically.

An actual rule that you're using in your .htaccess and are wondering about would be the most helpful.

3 Jan 25, 2007 04:35

OK- how about -

<Limit GET POST>
order deny,allow
allow from all
deny from 69.31.0
</Limit>

Is there a way to verify that 69.32.0.0 - 69.31.0.255 is blocked? Or maybe it's not blocking anything - how can I tell? Maybe it should be

<Limit GET POST>
order deny,allow
deny from 69.31.0
allow from all
</Limit>

I've managed to figure this stuff out to the point where I don't get internal server errors, but I have no way of telling if the commands or parameters or whatever the heck they are called are working.

Something like this -

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} \.biz [NC,OR]
RewriteRule ^.* - [F]

I can test using the referrer spoofing software. If I try to access the blog with a spoofed referrer like "anyoldsite.biz" it tosses back a 403 error. If I spoof "anyoldsite.com" the request goes through. If I spoof "bannedbytheantispamlist.com" it provokes the B2E antispam response.

So... Is it similarly possible to determine that IP address level blocking is working?

Thanks -

MCC
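One way to see what a block like the two above will do before a real hit shows up in the logs: a small evaluator that applies Apache's mod_access rules offline. This is an added example, not code from the thread; it models Order, Allow from and Deny from with the argument forms "all", CIDR, full and partial addresses (hostname and env= arguments are out of scope), and the three sample configs are constructed from the post.

```python
import ipaddress

def _matches(ip, spec):
    """One Allow/Deny argument as mod_access reads it: 'all', a CIDR block,
    a full address, or a partial address that matches leading octets only."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if spec.lower().startswith("env="):
        return False  # env= and hostname forms are not modelled in this example
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    return ip.split(".")[:len(octets)] == octets  # 69.31.0 hits 69.31.0.x only

def evaluate(config, ip):
    """Return 'allow' or 'deny' for ip under an Order/Allow/Deny block.
    Line order is irrelevant; only the Order directive sets precedence."""
    order, allow_hit, deny_hit = "deny,allow", False, False
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("<"):
            continue  # blank lines and <Limit> wrappers carry no access rule
        name = parts[0].lower()
        if name == "order":
            order = parts[1].lower()
        elif name in ("allow", "deny") and parts[1].lower() == "from":
            hit = any(_matches(ip, s) for s in parts[2:])
            if name == "allow":
                allow_hit = allow_hit or hit
            else:
                deny_hit = deny_hit or hit
    if order == "deny,allow":
        # default is allow, and an Allow match overrides any Deny match
        return "deny" if deny_hit and not allow_hit else "allow"
    # allow,deny: default is deny, and a Deny match overrides any Allow match
    return "allow" if allow_hit and not deny_hit else "deny"

# Constructed samples: the two <Limit> blocks from the post, plus an Order allow,deny form.
DENY_ALLOW = "<Limit GET POST>\norder deny,allow\nallow from all\ndeny from 69.31.0\n</Limit>"
DENY_ALLOW_SWAPPED = "<Limit GET POST>\norder deny,allow\ndeny from 69.31.0\nallow from all\n</Limit>"
ALLOW_DENY = "order allow,deny\nallow from all\ndeny from 69.31.0"

if __name__ == "__main__":
    for label, cfg in (("deny,allow", DENY_ALLOW), ("deny,allow swapped", DENY_ALLOW_SWAPPED),
                       ("allow,deny", ALLOW_DENY)):
        for ip in ("69.31.0.200", "69.32.0.1"):
            print(f"{label:19} {ip:12} -> {evaluate(cfg, ip)}")
```

Under Order deny,allow an "allow from all" line satisfies every request, so the deny never takes effect whichever way the lines are written; Order allow,deny with the same two lines denies 69.31.0.x and nothing else.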

4 Jan 25, 2007 22:40

I'll post back after I get home from work, hang tough. :)

5 Jan 28, 2007 09:47

This:

deny from 69.31.0

is only going to block 69.31.0.0 - 69.31.0.255

It won't block 69.32.0.0 (I'm guessing you knew that, but thought I would point it out just in case).

Also, you don't need to do this:


<Limit GET POST> <---
order deny,allow
deny from 69.31.0
allow from all
</Limit> <---

You're trying to block a range from doing everything, so just put mod_access "stuff" at the top of your .htaccess like so, without modifier things:

order allow,deny
allow from all
deny from env=keep_out
deny from blah blah blah

Know what I mean? If you already have this:

order allow,deny
allow from all

somewhere near the top, drop that new deny statement under it, like my example. You can use what you've done, you just don't need to since you're really blocking access to everything. That tends to be used when you're blocking access to specific files.

<Limit GET POST>
order deny,allow
allow from all
deny from 69.31.0
</Limit> 


== No.

<Limit GET POST>
Order Deny,Allow
Deny from 69.31.0
Allow from all
</Limit> 


== Yes.

Don't let the order stuff confuse you, it doesn't matter which you choose, they provide the same effect; you just want to make sure you follow standard Apache examples for whichever way you go.

http://httpd.apache.org/docs/1.3/mod/mod_access.html

Testing IP blocks is tough, unless you want to substitute one that you can proxy just to verify you're doing the rules correctly. Really, the best proof is going to be your logs. :)

Since you're using mod_rewrite, you can do this instead if you want:

RewriteCond %{REMOTE_ADDR} ^69\.31\.0\. [OR]

that would go right above this:

RewriteCond %{HTTP_REFERER} \.biz [NC,OR] 

so it would look like:

RewriteCond %{REMOTE_ADDR} ^69\.31\.0\. [OR]
RewriteCond %{HTTP_REFERER} \.biz [NC,OR] 
RewriteCond .....

About mod_rewrite, you are making sure that the last rule doesn't contain an OR, right?

RewriteCond %{REMOTE_ADDR} ^69\.31\.0\. [OR]

Just to clarify - that would block 69.31.0.0 - 69.31.0.255
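A RewriteCond pattern is a regular expression, so a spelling like `[0-255]` is a tempting slip when the intent is "last octet 0 to 255": it is a character class containing 0, 1, 2 and 5, and the unescaped dots are wildcards. This added check (not code from the thread) walks all 256 addresses of the intended block through that spelling and through an escaped prefix pattern, the way mod_rewrite would test %{REMOTE_ADDR}.

```python
import re

# Two candidate patterns for the RewriteCond (constructed for this example).
SLIP = r"^69.31.0.[0-255]"    # character class {0,1,2,5}, dots unescaped
CORRECTED = r"^69\.31\.0\."   # literal prefix: any address in 69.31.0.0-255

def rewritecond_matches(pattern, remote_addr):
    """RewriteCond patterns are Perl-style and only anchored where ^ or $ is
    written, so re.search mirrors how mod_rewrite tests %{REMOTE_ADDR}."""
    return re.search(pattern, remote_addr) is not None

def covered_last_octets(pattern, prefix="69.31.0."):
    """Last octets 0..255 of the intended block that the pattern catches."""
    return [n for n in range(256) if rewritecond_matches(pattern, f"{prefix}{n}")]

def missed_last_octets(pattern, prefix="69.31.0."):
    """Last octets 0..255 the pattern lets through; empty means the block is complete."""
    covered = set(covered_last_octets(pattern, prefix))
    return [n for n in range(256) if n not in covered]

if __name__ == "__main__":
    for label, pat in (("slip", SLIP), ("corrected", CORRECTED)):
        missed = missed_last_octets(pat)
        tail = " ..." if len(missed) > 8 else ""
        print(f"{label:9} {pat:20} covers {256 - len(missed)}/256, misses {missed[:8]}{tail}")
    # The neighbouring block must stay untouched by the corrected pattern.
    print("69.32.0.1 matched:", rewritecond_matches(CORRECTED, "69.32.0.1"))
```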

