
spam: an IP based approach

Started by on Jul 27, 2005 – Contents updated: Jul 27, 2005

Jul 27, 2005 21:42    

Hello!

I found my blog using all my bandwidth because of spammers and did not want to have the ever growing lists of short-lived domain names. So I looked for the IPs of the spammers, and found out that it may be easier to track IPs instead of names.

The full approach is listed in my blog:
http://datenroulette.de/blog/index.php?blog=1&title=spammers_go_away

and may be a little too angry, but I think this will help. Comments on this are welcome.

I have another IP-based approach (using .htaccess) in this thread on the next page, which really works fine; check it out and don't leave the field to the spammers.
http://forums.b2evolution.net/viewtopic.php?p=24096#24096

Martin

Jul 27, 2005 23:23

Since a lot of spammers will spoof their IP address, I don't know how well this will truly work.

I could be way off, though.

Jul 28, 2005 00:39

I call this function at the top of my skins, before any display:


function BlockUntrustedVisitors()
{
    $VisitorIP = $_SERVER[ 'REMOTE_ADDR' ];
    if( strcmp( $VisitorIP, $_SERVER[ 'SERVER_ADDR' ] ) == 0 )
    {
        // Current server is a trusted IP
        return;
    }

    // HTTP_REFERER is absent (not merely empty) on direct access, so test it with isset()
    $Referrer = isset( $_SERVER[ 'HTTP_REFERER' ] ) ? $_SERVER[ 'HTTP_REFERER' ] : '';
    if( $Referrer == '' )
    {
        // Direct access is trusted access (no bandwidth consuming referrer spam)
        // (Comment out the following line if you encounter comment spam or other kind of hard to suppress spam)
        return;
    }

    // Extract the host name of the referring page ('' when the referrer is not a URL)
    $ReferrerDomain = '';
    if( preg_match( '/^(http|https|ftp)\:\/\/(([a-zA-Z0-9\-_]+\.){1,}([a-zA-Z0-9\-_]{2,6})).*$/', $Referrer, $Matches ) )
    {
        $ReferrerDomain = $Matches[ 2 ];
    }
    if( strcmp( $ReferrerDomain, $_SERVER[ 'HTTP_HOST' ] ) == 0 )
    {
        // Internal referring is trusted
        $ReferrerDomain = '';
        // (Comment out the following line if you encounter comment spam or other kind of hard to suppress spam)
        return;
    }

    // Initialize the checking procedure: DNSBL zones are queried with the IPv4 octets reversed
    list( $a, $b, $c, $d ) = explode( ".", $VisitorIP );

    $DnsblServices = array(
        array( 'query' => "$d.$c.$b.$a.list.dsbl.org",     'url' => 'http://dsbl.org/listing?'.$VisitorIP ),         // See http://www.dsbl.org
        array( 'query' => "$d.$c.$b.$a.opm.blitzed.org",   'url' => 'http://opm.blitzed.org/'.$VisitorIP ),          // See http://opm.blitzed.org/info
        array( 'query' => "$d.$c.$b.$a.bsb.empty.us",      'url' => 'http://bsb.empty.us/lookup/?ip='.$VisitorIP ),  // See http://bsb.empty.us/
        array( 'query' => $ReferrerDomain.'.bsb.empty.us', 'url' => 'http://bsb.empty.us/lookup/?h='.$ReferrerDomain ) // See http://bsb.empty.us/
    );

    if( $ReferrerDomain == '' )
    {
        // Since there is no referrer domain, don't test it
        array_pop( $DnsblServices );
    }

    // Perform the potential spamming detection procedure
    foreach( $DnsblServices as $Service )
    {
        // gethostbyname() returns the name unchanged when there is no record,
        // so any other answer means the IP (or referrer domain) is listed
        if( gethostbyname( $Service[ 'query' ] ) != $Service[ 'query' ] )
        {
            // Not trusted (spammer or other not trusted IP or referrer site)
            // Redirect to the service explanation URL
            header( 'Location: '.$Service[ 'url' ] );
            die();
        }
    }
} // function BlockUntrustedVisitors()

The above code is intended to redirect blacklisted IPs and referrers elsewhere with minimum bandwidth usage. Only a few tens of bytes are sent in case of untrusted IP or referrer site identification. It uses several DNSBL services regularly updated by "trusted" sources.

If your visitors are not spammers and are identified as they are, they can read and follow instructions displayed on the redirected page. You can also redirect them somewhere else on your own site in order to warn them about their IP or referrer site blacklisting.

Recently, I discovered (thanks to that function) that my sister's IP has been listed in one of those lists and other blacklists since last year, when her computer was infected by a virus/worm. Once listed, it appears it is very difficult to remove an IP from those lists when your ISP doesn't care...

However, that in addition to regular .htaccess updates based on [url=http://b2evolution.net]b2evolution[/url]'s anti-spam blacklist makes spammers extremely rare on my site.

The [url=http://forums.b2evolution.net/viewtopic.php?t=4512]Antispam Bandwidth[/url] thread is worth reading. To fight comment spamming, read [url=http://forums.b2evolution.net/viewtopic.php?t=2976]captcha for b2evolution (finally)[/url]. Another way to reduce bandwidth usage is explained in [url=http://forums.b2evolution.net/viewtopic.php?t=4770]RSS cache[/url]. To reduce CPU usage, read [url=http://forums.b2evolution.net/viewtopic.php?t=4672]Simple Cache Hack[/url].

Jul 28, 2005 11:08

You are right, my approach has a big problem: referrers are generally faked ones and therefore blocking IPs is not a solution, although it might be that the spammers use their network for spamming.

My problem is not the entries (I disabled the stats), but the bandwidth. Your approach is fine, thanks for that.

Cheer up, Martin

Jul 29, 2005 08:37

Kwa, sorry for the dumb question, but could you please explain in a little more detail where to put your code? What do you mean by "top of my skins"?

Thank you ;)

Jul 29, 2005 15:58

aribuser wrote:

Kwa, sorry for the dumb question, but could you please explain in a little more detail where to put your code? What do you mean by "top of my skins"?

You're right, I haven't been clear about what to do with that code. Here is some more information about how to make it work on your own blog.

VERY IMPORTANT NOTICE:
Make backup copies before any change to your [url=http://b2evolution.net]b2evolution[/url] original installation.

What is that code?
The BlockUntrustedVisitors function discussed here is intended to redirect blacklisted IPs and referrers elsewhere with minimum CPU and bandwidth usage. Only a few tens of bytes are sent in case of untrusted IP or referrer site identification. This function uses several [url=http://en.wikipedia.org/wiki/DNSBL]DNSBL services[/url] regularly updated by "trusted" sources to identify the blacklisted IPs.

How to implement it?
If you haven't created a conf/hacks.php file before, create a dummy (empty) conf/hacks.php file with:

<?php

/* PHP code to be inserted here */

?>

After that, copy and paste the following function at the end of this conf/hacks.php file:

function BlockUntrustedVisitors()
{
    $VisitorIP = $_SERVER[ 'REMOTE_ADDR' ];
    if( strcmp( $VisitorIP, $_SERVER[ 'SERVER_ADDR' ] ) == 0 )
    {
        // Current server is a trusted IP
        return;
    }

    // HTTP_REFERER is absent (not merely empty) on direct access, so test it with isset()
    $Referrer = isset( $_SERVER[ 'HTTP_REFERER' ] ) ? $_SERVER[ 'HTTP_REFERER' ] : '';
    if( $Referrer == '' )
    {
        // Direct access is trusted access (no bandwidth consuming referrer spam)
        // (Comment out the following line if you encounter comment spam or other kind of hard to suppress spam)
        return;
    }

    // Extract the host name of the referring page ('' when the referrer is not a URL)
    $ReferrerDomain = '';
    if( preg_match( '/^(http|https|ftp)\:\/\/(([a-zA-Z0-9\-_]+\.){1,}([a-zA-Z0-9\-_]{2,6})).*$/', $Referrer, $Matches ) )
    {
        $ReferrerDomain = $Matches[ 2 ];
    }
    if( strcmp( $ReferrerDomain, $_SERVER[ 'HTTP_HOST' ] ) == 0 )
    {
        // Internal referring is trusted
        $ReferrerDomain = '';
        // (Comment out the following line if you encounter comment spam or other kind of hard to suppress spam)
        return;
    }

    // Initialize the checking procedure: DNSBL zones are queried with the IPv4 octets reversed
    list( $a, $b, $c, $d ) = explode( ".", $VisitorIP );

    $DnsblServices = array(
        array( 'query' => "$d.$c.$b.$a.list.dsbl.org",     'url' => 'http://dsbl.org/listing?'.$VisitorIP ),         // See http://www.dsbl.org
        array( 'query' => "$d.$c.$b.$a.opm.blitzed.org",   'url' => 'http://opm.blitzed.org/'.$VisitorIP ),          // See http://opm.blitzed.org/info
        array( 'query' => "$d.$c.$b.$a.bsb.empty.us",      'url' => 'http://bsb.empty.us/lookup/?ip='.$VisitorIP ),  // See http://bsb.empty.us/

        // Make sure the following is the last entry of the table.
        // If you have to insert other entries, insert them above that comment.
        array( 'query' => $ReferrerDomain.'.bsb.empty.us', 'url' => 'http://bsb.empty.us/lookup/?h='.$ReferrerDomain ) // See http://bsb.empty.us/
    );

    if( $ReferrerDomain == '' )
    {
        // Since there is no referrer domain, don't test it
        array_pop( $DnsblServices );
    }

    // Perform the potential spamming detection procedure
    foreach( $DnsblServices as $Service )
    {
        // gethostbyname() returns the name unchanged when there is no record,
        // so any other answer means the IP (or referrer domain) is listed
        if( gethostbyname( $Service[ 'query' ] ) != $Service[ 'query' ] )
        {
            // Not trusted (spammer or other not trusted IP or referrer site)
            // Redirect to the service explanation URL
            header( 'Location: '.$Service[ 'url' ] );
            die();
        }
    }
} // function BlockUntrustedVisitors()


just before the final:

?>

Now, open your b2evocore/_blog_main.php file and modify the beginning of that file so it looks like this:

<?php
/**
 * This file loads the blog!
 *
 * b2evolution - {@link http://b2evolution.net/}
 * Released under GNU GPL License - {@link http://b2evolution.net/about/license.html}
 * @copyright (c)2003-2004 by Francois PLANQUE - {@link http://fplanque.net/}
 *
 * @package evocore
 */

/**
 * Initialize everything:
 */
require_once (dirname(__FILE__). '/_main.php');

BlockUntrustedVisitors();


The following code is unchanged.

You don't have to make any other modification. All your blogs are going to be "protected" with that system.

How to modify it?
If you want to remove this hack, just comment out the line of the function call. Just edit your b2evocore/_blog_main.php file like this:

// BlockUntrustedVisitors();


The double slash tells the PHP interpreter to not take into account what follows until the end of the line: the function is not called.

You can also insert other [url=http://en.wikipedia.org/wiki/DNSBL]DNSBL services[/url] you can find in the [url=http://dmoz.org/Computers/Internet/Abuse/Spam/Blacklists/]Open Directory - Computers: Internet: Abuse: Spam: Blacklists[/url] into the $DnsblServices table. However, take into account that each service is queried only after the previous one has replied, so your real visitors are going to wait longer before a page displays.

EDIT

  • The BlockUntrustedVisitors function should appear in the conf/hacks.php file.

  • Take care with the case (lower- and uppercase characters): it is important, since PHP is a case sensitive language.
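As an added illustration of how the BlockUntrustedVisitors check works (this is my own example, not kwa's code or part of b2evolution), the snippet below rebuilds the same decision in modern PHP (7.1+) with the pieces a reviewer would want tightened: the visitor address is validated as an IPv4 literal before the octets are reversed, a missing HTTP_REFERER no longer raises a notice, HTTP_HOST is compared without its port, and a listing is recognised by the usual DNSBL convention of an answer in 127.0.0.0/8 rather than by "the name resolved at all". The resolver is injected as a callable so the logic runs offline; the zone name, URLs and addresses are constructed placeholders.

```php
<?php
// Added example, not the thread's own code. Names, the zone
// 'example.dnsbl.invalid' and all addresses below are assumptions.

// Build the DNSBL query name for an IPv4 address, or null when the
// address is not a plain IPv4 literal (IPv6 and garbage are not looked up).
function dnsblQueryName(string $ip, string $zone): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // 192.0.2.10 against zone example.dnsbl.invalid -> 10.2.0.192.example.dnsbl.invalid
    return implode('.', array_reverse(explode('.', $ip))) . '.' . $zone;
}

// Host name of the referring page, or '' when absent or not a URL.
function referrerHost(?string $referrer): string
{
    if ($referrer === null || $referrer === '') {
        return '';
    }
    $host = parse_url($referrer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

// HTTP_HOST may carry a port ("blog.example:8080"); strip it before comparing.
function ownHost(string $httpHost): string
{
    $host = parse_url('http://' . $httpHost, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : strtolower($httpHost);
}

// A DNSBL answers a listed name with an address in 127.0.0.0/8. Anything else,
// including gethostbyname() echoing the name back on failure, means "not listed".
function dnsblListed(string $query, callable $resolver): bool
{
    $answer = $resolver($query);
    return is_string($answer) && strncmp($answer, '127.', 4) === 0;
}

// Evaluate one request: returns the URL to redirect to, or null to let it through.
// $zones is a list of ['zone' => ..., 'url' => ...] checked in order (cheapest first).
function untrustedVisitorRedirect(array $server, array $zones, callable $resolver): ?string
{
    $visitorIp = $server['REMOTE_ADDR'] ?? '';
    if ($visitorIp === '' || $visitorIp === ($server['SERVER_ADDR'] ?? null)) {
        return null;               // the server itself is trusted
    }
    $refHost = referrerHost($server['HTTP_REFERER'] ?? null);
    if ($refHost === '' || $refHost === ownHost($server['HTTP_HOST'] ?? '')) {
        return null;               // direct access and internal links are trusted
    }
    foreach ($zones as $z) {
        $q = dnsblQueryName($visitorIp, $z['zone']);
        if ($q !== null && dnsblListed($q, $resolver)) {
            return $z['url'] . $visitorIp;   // a few tens of bytes, then stop
        }
    }
    return null;
}

// Constructed offline resolver standing in for gethostbyname():
// exactly one reversed address is "listed".
function demoResolver(string $name): string
{
    return $name === '10.2.0.192.example.dnsbl.invalid' ? '127.0.0.2' : $name;
}

$zones   = [['zone' => 'example.dnsbl.invalid', 'url' => 'http://lookup.example/?ip=']];
$request = ['REMOTE_ADDR' => '192.0.2.10', 'SERVER_ADDR' => '198.51.100.1',
            'HTTP_HOST' => 'blog.example:8080', 'HTTP_REFERER' => 'http://spam.example/page'];
$target  = untrustedVisitorRedirect($request, $zones, 'demoResolver');
if ($target !== null) {
    // In a real skin: header('Location: ' . $target); exit;
    echo "would redirect to $target\n";
}
```

In the blog the call would be `untrustedVisitorRedirect($_SERVER, $zones, 'gethostbyname')`; keeping the resolver as a parameter is what makes the decision logic testable without DNS, and it is also where a cached or time-limited lookup can be substituted later.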

Aug 01, 2005 23:07

Thank you, kwa.

The result is simply amazing :!: :!: :!:

Aug 02, 2005 03:20

aribuser wrote:

Thank you, kwa.

The result is simply amazing :!: :!: :!:

What do you mean by "amazing"?

Aug 03, 2005 05:12

What do you mean by "amazing"?

There is no referral spam in my blog for a few days now. And I had at least 500-700 spam referrals per day for a few months. This is why I am so amazed with the result of your hack. Thank you again.

Aug 03, 2005 05:17

aribuser wrote:

What do you mean by "amazing"?

There is no referral spam in my blog for a few days now. And I had at least 500-700 spam referrals per day for a few months. This is why I am so amazed with the result of your hack. Thank you again.

Fine! I'm glad to see that this BlockUntrustedVisitors hack worked so well for you!

Aug 07, 2005 16:58

Ack!

Ok, I followed the steps carefully..and now I cannot even log into my blog. I get this message:

Fatal error: Call to undefined function: blockuntrustedvisitors() in /home/kmgray/public_html/blog/b2evocore/_blog_main.php on line 17

Good lord, what did i do now?! *LOL*

Aug 08, 2005 20:17

ThisBeautifulChaos wrote:

Ack!

Ok, I followed the steps carefully..and now I cannot even log into my blog. I get this message:

Fatal error: Call to undefined function: blockuntrustedvisitors() in /home/kmgray/public_html/blog/b2evocore/_blog_main.php on line 17

Good lord, what did i do now?! *LOL*

PHP is case sensitive. You haven't followed the above steps, since you haven't used the same case (uppercase and lowercase characters) in the function definition and the function call. The function name is BlockUntrustedVisitors() and not blockuntrustedvisitors(). Moreover, to remove the above hack, just comment out the function call as explained above:
kwa wrote:

How to modify it?
If you want to remove this hack, just comment out the line of the function call. Just edit your b2evocore/_blog_main.php file like this:

// BlockUntrustedVisitors();


The double slash tells the PHP interpreter to not take into account what follows until the end of the line: the function is not called.

Does it work fine, now? ;-)

Aug 10, 2005 15:17

I applied the BlockUntrustedVisitors hack and it seemed to be working fine in the morning, but by last evening we were getting mySQL crashes. I am pretty sure I put everything in correctly. I also noticed that users, including myself as Admin, could not post a comment to anything that I had posted as Admin. When you would try to post a comment it would just take you back to All Blogs and you would have to re-login. Comments still worked fine on other users' posts though.

I finally had my host who is also a close friend take the site down while I try to find an answer so it would not be affecting the other sites he hosts.

I did notice in my cpanel recent visitors that I was getting hit hard and fast by referrer spammers, but none were getting into my referrer list and they were not using much bandwidth. Still, I was getting hit much harder than I have ever been hit. Is there any way the BlockUntrustedVisitors hack would cause a mySQL crash, and what can be done about it?

Ken

Aug 11, 2005 14:11

keninman wrote:

I did notice in my cpanel recent visitors that I was getting hit hard and fast by referrer spammers, but none were getting into my referrer list and they were not using much bandwidth. Still, I was getting hit much harder than I have ever been hit. Is there any way the BlockUntrustedVisitors hack would cause a mySQL crash, and what can be done about it?

There is no cause-effect relation between the BlockUntrustedVisitors hack and your mySQL database, since BlockUntrustedVisitors does not perform any kind of mySQL usage.

Your issue description appears to show your cookies are removed or corrupted by posting a comment. The BlockUntrustedVisitors does not change nor remove any cookie. So, there is no relation between the BlockUntrustedVisitors hack and your identification issues.

In the case a spammer is identified, the BlockUntrustedVisitors hack redirects him/her, using an HTTP Location header, to the DNS blacklist service where the address is listed as a spammer. Since spammers are redirected elsewhere as soon as possible, the CPU and bandwidth usage are very low. The visitor is not redirected to the blog's homepage by this hack.

Moreover, there is no technical reason your blog has more spam attacks after installing this hack. The only cause-effect relation would be psychological. Spammers might have decided something like: "Hey! That stupid webmaster declared war against spam! He's made a huge mistake. I'm gonna learn her/him who decides here!"

Anyway, if you don't like this BlockUntrustedVisitors hack, you can deactivate it by commenting out the call to the blocking function. To do so, edit your b2evocore/_blog_main.php file and add a double slash like this:

// BlockUntrustedVisitors();

Finally, I suggest you check your [url=http://b2evolution.net]b2evolution[/url] installation by comparing your current version to the original one. Use a tool such as [url=http://www.araxis.com/]Araxis Merge[/url] to compare both versions. ([url=http://www.araxis.com/]Araxis Merge[/url] is the best tool I know of for comparing files and directories. There is a 30-day evaluation period and the tool is worth its price for professional usage.)

Aug 11, 2005 16:23

Sorry KWA, I should have posted an update yesterday but I was pretty busy. I do thank you for responding though. The mySQL problem turned out to be with the server config, way above my level. Taking Greenetucky.net offline did not stop the mySQL crashes. It is fixed now though. It was a mere coincidence that mySQL started crashing after I applied the hack. We were grasping at straws trying to figure out what was happening.

The BlockUntrustedVisitors hack is working great now that the server company has fixed the mySQL problem. I am grateful to you for this hack/plugin, whatever it is called. Since Bill brought Greenetucky.net back online yesterday about 1:00 EST I have only had one referrer spammer get through. That's grrrreat, since even using B2's antispam list several were getting through every day. My daily bandwidth usage has gone down a bunch also. I had used up over 3 gigs in the first 9 days of August due to spammers and their bots. One IP range, 80.77.86., ate over a Gig of that. Needless to say I banned the entire range and am trying to get the server company to ban them at the root server level, because they are still getting my 403 error page, which is serving them 700 bytes, and they are hitting it more than once every 15 seconds.

I am thinking of password protecting all of my blogs and requiring anyone who wants access to at least use a generic username and password to enter. Kind of like driverguide does to keep bots out. If anyone has done this successfully please let me know.

Thanks Again, :D
Ken Inman
http://greenetucky.net/blog/index.php/computer_ken

Aug 12, 2005 11:14

keninman wrote:

I am thinking of password protecting all of my blogs and requiring anyone who wants access to at least use a generic username and password to enter. Kind of like driverguide does to keep bots out. If anyone has done this successfully please let me know.

This sounds like a good idea to me. I have another observation which might track spammers: they access the stats page regularly (URL...&disp=stats) to see if they are successful. This might help to track spammers. If they access the page -bang/trapped- never again, please.

Since I have no implementation for this so far, it is only an idea.
In index.php this is my first thing to do now:


// the very first thing: check for spammers
// (read the request URI from $_SERVER; the bare $REQUEST_URI only exists with register_globals on)
if (strpos($_SERVER['REQUEST_URI'], 'disp=stats') !== false) {
	// this should redirect them home, if uncommented
	//header('Location: ' . $_SERVER['HTTP_REFERER']);
	die ('die, spammers!');
}
/**
 * First thing: Do the minimal initializations required for b2evo:
 */

Aug 12, 2005 19:29

// the very first thing: check for spammers
if (strpos($_SERVER['REQUEST_URI'], 'disp=stats') !== false) {
	// this should redirect them home, if uncommented
	header('Location: ' . $_SERVER['HTTP_REFERER']);
	die ('die, spammers!');
}
/**
 */

This is what I pasted does it look right?

Aug 12, 2005 19:51

Please start a new thread for this new topic (password protecting the entire blog). Someone else might be interested in it and NOT find it because they are not interested in an IP-based solution.

Aug 16, 2005 08:57

This is the real deal here. I implemented the above, and am laughing my arse off watching the output of "tail -f /var/log/apache/access.log" as it's nothing but 302 after 302 after 302! Until, of course, I connect to my own blog, at which time I see a happy 200.

I had to do everything I could as the spam, even though blacklisted, was thrashing the hell out of the mysql server on my linode. I'd catch the server apparently dead during a spamrun, and find out that I was 190 megs into swap. And the spammers are using large botnets now, so I couldn't manage all the iptables rulesets effectively in my spare time. This, however, is entertaining and effective.

Thanks a kazillion!

Aug 16, 2005 19:39

gloin wrote:

...watching the output of "tail -f /var/log/apache/access.log" as it's nothing but 302 after 302 after 302! Until, of course, I connect to my own blog, at which time I see a happy 200...

As long as you don't want to see your stats. It is only half of the traffic you can stop this way (only the checks).

Since this is about IP-based approaches I took the idea into blocking them via .htaccess. If you are interested in the IP numbers I block, have a look at http://datenroulette.de/blog/?disp=spammers

What is it? I track the IPs in the database, and if they come back 4 times -bang- update .htaccess. This should stop any traffic from the bots.

Here is this (quite ugly) hack, I put it directly into index.php, but maybe it is good to have it in hacks.php as a function. However, here it is:


 
/* create table (phpmyadmin or mysql); the key is necessary for the 4.1.x ON DUPLICATE KEY syntax
CREATE TABLE `spam_ips` (
`ip` TINYTEXT NOT NULL ,
`count` INT NOT NULL ,
PRIMARY KEY ( ip( 15 ) )
) TYPE = MYISAM
ALTER TABLE `spam_ips` ADD `banned` TINYINT( 1 ) ;
*/
$spam_user="db_user";
$spam_pass="db_pass";
$spam_host="localhost";
$spam_db="db_name";
$spam_table="spam_ips";
$htaccess_file='/home/your_userdir/public_html/blog/.htaccess';

if (strpos($_SERVER['REQUEST_URI'],'disp=stats') !== false) {
	//log their IPs

	$link = mysql_connect($spam_host,$spam_user,$spam_pass)
	or die("No connection possible: " . mysql_error());
	mysql_select_db($spam_db) or die('db');

	// REMOTE_ADDR comes from the TCP connection, but escape it anyway before it goes into SQL
	$ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

	/* run an SQL query */
	/* With mysql >= 4.1.0 you can INSERT ... ON DUPLICATE KEY UPDATE
	   If you specify the ON DUPLICATE KEY UPDATE clause (new in mysql 4.1.0), and a row is inserted that would cause a duplicate value in a UNIQUE index or PRIMARY KEY, an update of the old row is performed.
	*/
	//these are the basic queries; if you use mysql v.4.1.x you can simply use the first query instead of the if-else construct
	$mysql4_1_x_query="INSERT INTO `".$spam_table."` (ip,count) VALUES ('".$ip."',1)
	ON DUPLICATE KEY UPDATE count=count+1";
	// `banned` must be selected too, otherwise the ban check below always sees NULL and re-adds the IP on every hit
	$selquery="SELECT `ip`, `count`, `banned` FROM `".$spam_table."` WHERE `ip` = '".$ip."'";
	$insquery = "INSERT INTO `".$spam_table."` SET `ip` = '".$ip."', `count` = 1";
	$updquery = "UPDATE `".$spam_table."` SET count=count+1 WHERE ip='".$ip."'";
	$banquery = "UPDATE `".$spam_table."` SET banned=1 WHERE ip='".$ip."'";
	$result = mysql_query($selquery) or die('qr');

	// here is the code to update .htaccess
	$line = mysql_fetch_array($result, MYSQL_ASSOC);   // false when the IP is not yet known
	//var_dump($line);
	if ($line !== false && $line['banned']==NULL && $line['count']>2){
		if (is_writable($htaccess_file)){ //echo 'banned';
			$filehnd=fopen ($htaccess_file,'a');
			fwrite($filehnd,'Deny from '.$line['ip']."\n");
			fclose($filehnd);
			mysql_query($banquery) or die('qru');
		}
		else{ echo 'file not writeable '; }
	}
	if ($line !== false){
		mysql_query($updquery) or die('qru');
	}
	else{
		mysql_query($insquery) or die('qri');
	}
	mysql_free_result($result);
	die ('die, spammers!');
}

// show spam IPs, if requested via disp=spammers
if (strpos($_SERVER['REQUEST_URI'],'disp=spammers') !== false) {
	$link = mysql_connect($spam_host,$spam_user,$spam_pass)
	or die("no conn");
	mysql_select_db($spam_db) or die('oops'.mysql_error());
	$selquery="SELECT `ip`, `count`, `banned` FROM `".$spam_table."` ORDER BY `count` DESC";
	$result = mysql_query($selquery) or die('ouch');
	/* output the results as HTML */
	$denystring = '';
	echo "<table border=\"1\" width=\"100%\">\n".
		'<tr><th>ip</th><th>count</th><th>banned</th></tr>';
	while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
		//var_dump($line);
		echo '<tr><td>'.htmlspecialchars($line['ip']).'</td><td>'.(int)$line['count'].'</td><td>'.(int)$line['banned'].'</td></tr>';
		$denystring.='Deny from '.htmlspecialchars($line['ip']).'<br>';
	}
	echo '</table>';
	echo 'These are the spammers IPs <br>';
	echo 'For your .htaccess:<br>'.$denystring;
	die ();
}

/**
 * First thing: Do the minimal initializations required for b2evo:
 */

Make sure your .htaccess is writable by the webserver.

A problem might be that the file will grow very large. We will see.

This is the result in the error log:

[Wed Aug 17 11:09:44 2005] [error] [client 216.86.156.205] client denied by server configuration: /home/datenrou/public_html/blog/index.php
[Wed Aug 17 11:08:37 2005] [error] [client 216.86.156.205] client denied by server configuration: /home/datenrou/public_html/blog/index.php
[Wed Aug 17 11:08:12 2005] [error] [client 207.248.240.118] client denied by server configuration: /home/datenrou/public_html/blog/index.php
[Wed Aug 17 11:08:07 2005] [error] [client 62.77.41.21] client denied by server configuration: /home/datenrou/public_html/blog/index.php
[Wed Aug 17 11:08:07 2005] [error] [client 82.112.195.101] client denied by server configuration: /home/datenrou/public_html/blog/index.php
[Wed Aug 17 11:07:46 2005] [error] [client 216.86.156.205] client denied by server configuration: /home/datenrou/public_html/blog/index.php
[Wed Aug 17 11:07:46 2005] [error] [client 216.86.156.205] client denied by server configuration: /home/datenrou/public_html/blog/index.php

This seems to work, the stats say, that quite a lot of requests are 403'd. Goood thing.

#reqs: status code
-----: -----------
61238: 200 OK
38241: 403 Access forbidden

Aug 25, 2005 21:16

In addition to adding BlockUntrustedVisitors(); to b2evocore/_blog_main.php I have (and would recommend you) add the same to htsrv/comment_post.php and htsrv/trackback.php to nerf the spammers that direct-access these files to post comments and trackbacks rather than going through the proper URLs.

Currently still in testing on my blog, but I don't think I've seen a DNS Blacklisted IP manage to post a comment or a trackback so far.

Aug 28, 2005 15:27

Pneumatus wrote:

Currently still in testing on my blog, but I don't think I've seen a DNS Blacklisted IP manage to post a comment or a trackback so far.

Good thing, but I have no spammers accessing these pages directly. These are the most wanted in the blog:

    29989: 32.00%: Aug/27/05 9:57 PM: /blog/index.php
    11513:  9.25%: Aug/26/05 4:50 PM: /blog/index.php?blog=1&disp=stats
     6122:  3.71%: Aug/26/05 4:50 PM: /blog/index.php?blog=5&disp=stats
     1392:  2.46%: Aug/27/05 9:53 PM: /blog/index.php?blog=1_
     1315:  0.02%: Aug/23/05 1:28 AM: /blog/index.php?blog=4&disp=stats

Sep 07, 2005 22:07

[url=http://sylvestre.ledru.info/blog/sylvestre/2005/09/03/le_spam_tue]A b2evolution blogger[/url] has implemented the [url=http://forums.b2evolution.net/viewtopic.php?p=23293#23293]BlockUntrustedVisitors()[/url] hack and [url=http://sylvestre.ledru.info/blog/sylvestre/2005/09/03/le_spam_tue]he notices a reduction of 50% of his CPU usage[/url] ([url=http://translate.google.com/translate?u=http%3A%2F%2Fsylvestre.ledru.info%2Fblog%2Fsylvestre%2F2005%2F09%2F03%2Fle_spam_tue&langpair=fr%7Cen]English translation here[/url]).

The following image shows [url=http://sylvestre.ledru.info/blog/sylvestre/2005/09/03/le_spam_tue]his server CPU usage[/url] over time:
http://blog.lesperlesduchat.com/media/external/graph_utilisation_cpu.png
Who's going to be the first to find at what time he implemented the [url=http://forums.b2evolution.net/viewtopic.php?p=23293#23293]BlockUntrustedVisitors()[/url] hack?

Now, since I noticed about 30% of my blogs requests lead to redirects, mainly made by .htaccess antispam filtering and [url=http://forums.b2evolution.net/viewtopic.php?p=23293#23293]BlockUntrustedVisitors()[/url] filtering, I wonder if it isn't more interesting to first call the cheap [url=http://forums.b2evolution.net/viewtopic.php?p=23293#23293]BlockUntrustedVisitors()[/url] function, then filter using a local blacklist (and thus stopping using .htaccess to filter spam).

Sep 08, 2005 01:12

BlockUntrustedVisitors looks great, I'll have to give it a try.

I've seen a lot of talk about the stats page, so I'll point to a discussion and solution on another [url=http://forums.b2evolution.net/viewtopic.php?t=3764]thread[/url] about this -- the stats discussion begins [url=http://forums.b2evolution.net/viewtopic.php?p=20550#20550]here[/url].

I have also implemented a method to ban any IP address that repeatedly calls any script in the htsrv directory that generates a server error (e.g., 404 Not Found). I get lots of those because I regularly rename the htsrv directory -- see [url=http://forums.b2evolution.net/viewtopic.php?p=24926&highlight=#24926]this thread[/url] for details.

Here's my [url=http://www.yabfog.com/blog/yabfog/2005/09/07/more_trackback_spam]post[/url] about this solution, and here's a [url=http://www.yabfog.com/files/checkban.phps]link to the latest code[/url]. As of this post, the code was as follows:

<?php
function checkBan ($errIP) {
    $fBad = dirname(__FILE__).'/badguys.txt';          # one strike per line
    $fBanned = dirname(__FILE__).'/bannedguys.txt';    # IPs already written to .htaccess
    $htaccess = dirname(__FILE__).'/.htaccess';
    $admin_email = rtrim(file_get_contents(dirname(__FILE__).'/admin_email.txt'));

    # Start with empty lists so the in_array() checks below are well defined
    # even before the files exist; file() keeps the trailing newline on each entry.
    $bad = array();
    $banned = array();
    file_exists($fBad) && $bad = file($fBad);
    file_exists($fBanned) && $banned = file($fBanned);

    if (is_array($banned) && in_array("$errIP\n", $banned)) {
        echo ''; # How did this guy get through?
    } elseif (is_array($bad) && in_array("$errIP\n", $bad)) {
            # Two strikes and you're out!
            # Add the bad IP to the banned list
        $fp = fopen($fBanned, 'a');
        fwrite($fp, "$errIP\n");
        fclose($fp);
            # Add the bad IP to .htaccess
        $fp = fopen($htaccess, 'a');
        fwrite($fp, "Deny from $errIP\n");
        fclose($fp);
            # Notify me of this action by email
        $msg = wordwrap("$errIP was added to the list of banned IP addresses.", 70);
        $subj = "New banned IP address";
        mail($admin_email, $subj, $msg);
    } else {
            # Add the IP to the bad list
            # If he does it again, he'll get banned
        $fp = fopen($fBad, 'a');
        fwrite($fp, "$errIP\n");
        fclose($fp);
    }
} # end sub
?>

N.B.: On my site, PHP scripts run with my privileges, not the privileges of the webserver (e.g., nobody or apache). If that's not your situation, any files that checkban writes to will need to be world writeable. Obviously, that's not a good idea for .htaccess, so you'll want to come up with a secure alternative.

Also, if you get a lot of traffic (which I don't), you'll probably want to comment out the line that sends an email notification every time an IP is blocked. I like that, though, because I want to know that my script is working.
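Both the MySQL-backed hack earlier in the thread and the checkBan function above append "Deny from" lines to .htaccess with a plain fopen()/fwrite(). As an added example (my own code, not from either poster or from b2evolution), here is a hardened version of that step: the address is validated as a public IP literal before it is written, so nothing that is not an address can ever become an Apache directive; the file is locked and re-read under the lock, so two concurrent trap hits do not interleave or duplicate rules; and the two-strikes counter is kept in a small JSON file instead of a table. File names, the threshold and all addresses are assumptions, and the demo runs in a temporary directory rather than against a live .htaccess.

```php
<?php
// Added example, not the thread's own code. File names and addresses are assumptions.

// Accept only literal public IPv4/IPv6 addresses (no ranges, no host names,
// no private or loopback space) so a bad value can never inject a directive.
function isBannableIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Append "Deny from <ip>" to $htaccess. Returns 'added', 'duplicate' or 'rejected'.
function appendDenyRule(string $htaccess, string $ip): string
{
    if (!isBannableIp($ip)) {
        return 'rejected';
    }
    $fp = fopen($htaccess, 'c+');              // create if missing, keep existing contents
    if ($fp === false) {
        return 'rejected';
    }
    try {
        flock($fp, LOCK_EX);                   // serialise concurrent trap hits
        $existing = stream_get_contents($fp);  // read under the lock, not before it
        // An existing rule for exactly this address, as a whole line, any spacing/case.
        $pattern = '/^\s*Deny\s+from\s+' . preg_quote($ip, '/') . '\s*$/mi';
        if (preg_match($pattern, $existing)) {
            return 'duplicate';
        }
        fseek($fp, 0, SEEK_END);
        $prefix = ($existing === '' || substr($existing, -1) === "\n") ? '' : "\n";
        fwrite($fp, $prefix . "Deny from $ip\n");
        fflush($fp);
        return 'added';
    } finally {
        flock($fp, LOCK_UN);
        fclose($fp);
    }
}

// Strike counter for the trap URL: ban on the $threshold-th hit from one address.
// Returns 'counted' while below the threshold, else the appendDenyRule() result.
function recordTrapHit(string $counterFile, string $ip, string $htaccess, int $threshold = 3): string
{
    $counts = is_file($counterFile)
        ? (json_decode((string) file_get_contents($counterFile), true) ?: [])
        : [];
    $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    file_put_contents($counterFile, json_encode($counts), LOCK_EX);
    return $counts[$ip] >= $threshold ? appendDenyRule($htaccess, $ip) : 'counted';
}

// Constructed demo in a temporary directory (not a live .htaccess).
$dir = sys_get_temp_dir() . '/htaccess-demo-' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
$ht  = "$dir/.htaccess";
$ctr = "$dir/trap-hits.json";
file_put_contents($ht, "Options -Indexes\n");

// Four hits from the same constructed address: two strikes, then a ban, then a no-op.
foreach (['203.0.113.7', '203.0.113.7', '203.0.113.7', '203.0.113.7'] as $hit) {
    echo recordTrapHit($ctr, $hit, $ht), "\n";
}
// A value that is not an address is refused before it can reach the file.
echo appendDenyRule($ht, "203.0.113.8\nRequire all granted"), "\n";
echo file_get_contents($ht);
```

Reading the file under the same exclusive lock that guards the write is what makes the duplicate check reliable; the earlier hacks check the database or a text file first and append afterwards, so two bot requests arriving together can both decide to ban. The validation also answers the world-writable .htaccess concern only partly: it keeps the content well-formed, but the file permissions still need the separate treatment the post above describes.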

Sep 13, 2005 03:48

For all users having implemented BlockUntrustedVisitors(): the [url=http://www.empty.us]www.empty.us[/url] site checked by the BlockUntrustedVisitors() function appears to be down, which makes access from external URLs very slow (until a timeout lets PHP go on...). I recommend you stop using that site until the next release of BlockUntrustedVisitors(), which will not hang if a site is not responding.

Edit the following code in the BlockUntrustedVisitors() function:

    $DnsblServices = array(
      array( 'query' => "$d.$c.$b.$a.list.dsbl.org",     'url' => 'http://dsbl.org/listing?'.$VisitorIP ),   // See http://www.dsbl.org
      array( 'query' => "$d.$c.$b.$a.opm.blitzed.org",   'url' => 'http://opm.blitzed.org/'.$VisitorIP ), // See http://opm.blitzed.org/info
      array( 'query' => "$d.$c.$b.$a.bsb.empty.us",      'url' => 'http://bsb.empty.us/lookup/?ip='.$VisitorIP ), // See http://bsb.empty.us/

      // Make sure the following is the last entry of the table.
      // If you have to insert other entries, insert them above that comment.
      array( 'query' => $ReferrerDomain.'.bsb.empty.us', 'url' => 'http://bsb.empty.us/lookup/?h='.$ReferrerDomain ) // See http://bsb.empty.us/
    );

and remove the two last entries, so you should see:

    $DnsblServices = array(
      array( 'query' => "$d.$c.$b.$a.list.dsbl.org",     'url' => 'http://dsbl.org/listing?'.$VisitorIP ),   // See http://www.dsbl.org
      array( 'query' => "$d.$c.$b.$a.opm.blitzed.org",   'url' => 'http://opm.blitzed.org/'.$VisitorIP )  // See http://opm.blitzed.org/info
    );


The next version (to be released) won't wait long before skipping a query of a down site.

I am very interested in any ways to filter spam, especially blog-specific spam (mainly referrers, comments and trackbacks). If you know any, you're welcome to share your ideas on the [url=http://forums.b2evolution.net/viewtopic.php?t=5367]Request for The Ultimate Antispam Plug-in or Hack[/url] thread.
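The hang described in the post above has a structural cause: PHP's gethostbyname() offers no timeout, so a dead blacklist stalls every page until the resolver gives up. As an added example (my own design, not kwa's announced next version and not b2evolution code), the wrapper below cannot shorten a lookup either, but it times each one and quarantines a zone whose lookup exceeded a budget, so a dead service costs at most one slow page per quarantine window instead of one per visitor. The state-file format, function names, thresholds and the 'down'/'up' zone names are assumptions; the resolver is injected so the demo runs offline, with a short sleep standing in for a real DNS timeout.

```php
<?php
// Added example, not the thread's own code. All names below are assumptions.

// Quarantine state: zone => unix time until which the zone is skipped.
function loadQuarantine(string $stateFile): array
{
    if (!is_file($stateFile)) {
        return [];
    }
    $data = json_decode((string) file_get_contents($stateFile), true);
    return is_array($data) ? $data : [];
}

function saveQuarantine(string $stateFile, array $state): void
{
    // Write to a temp file and rename() so a concurrent request never reads a partial file.
    $tmp = $stateFile . '.' . getmypid() . '.tmp';
    file_put_contents($tmp, json_encode($state));
    rename($tmp, $stateFile);
}

// Look up $reversedIp in $zone. Returns true (listed), false (not listed) or
// null (zone skipped because a recent lookup was too slow). $resolver mimics
// gethostbyname(): it returns the name itself when there is no record.
function dnsblLookupWithBudget(string $reversedIp, string $zone, string $stateFile,
                               callable $resolver, float $maxSeconds = 2.0,
                               int $quarantineSeconds = 900, ?int $now = null): ?bool
{
    $now   = $now ?? time();
    $state = loadQuarantine($stateFile);
    if (isset($state[$zone]) && $state[$zone] > $now) {
        return null;                                // zone is in quarantine: do not ask DNS
    }
    $query   = $reversedIp . '.' . $zone;
    $start   = microtime(true);
    $answer  = $resolver($query);
    $elapsed = microtime(true) - $start;
    if ($elapsed > $maxSeconds) {
        $state[$zone] = $now + $quarantineSeconds;  // too slow: skip this zone for a while
        saveQuarantine($stateFile, $state);
    }
    // Listed means an answer in 127.0.0.0/8 (the usual DNSBL convention).
    return $answer !== $query && strncmp($answer, '127.', 4) === 0;
}

// Constructed resolver: one zone "hangs" (a 50 ms sleep stands in for a
// multi-second DNS timeout) and returns nothing; the other answers a listing.
function slowOrListedResolver(string $name): string
{
    $down = '.down.dnsbl.invalid';
    if (substr($name, -strlen($down)) === $down) {
        usleep(50000);
        return $name;
    }
    return '127.0.0.2';
}

$stateFile = sys_get_temp_dir() . '/dnsbl-quarantine-demo.json';
@unlink($stateFile);
// A deliberately tiny budget (10 ms) so the demo trips on the simulated slow zone.
$first  = dnsblLookupWithBudget('10.2.0.192', 'down.dnsbl.invalid', $stateFile, 'slowOrListedResolver', 0.01);
$second = dnsblLookupWithBudget('10.2.0.192', 'down.dnsbl.invalid', $stateFile, 'slowOrListedResolver', 0.01);
$third  = dnsblLookupWithBudget('10.2.0.192', 'up.dnsbl.invalid',   $stateFile, 'slowOrListedResolver', 0.01);
var_dump($first, $second, $third);   // first probes and quarantines, second is skipped, third is a listing
```

Treating a skipped zone as "not listed" (null, which the caller should read as "no verdict") keeps the fail-open behaviour a blog wants: a dead blacklist must not lock real visitors out. With the real gethostbyname() as the resolver, the budget should be set to whatever page delay is tolerable, and the first visitor after a quarantine window expires pays the probe again.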

Feb 12, 2006 21:08

kwa wrote:

How to implement it?
If you haven't created a conf/hacks.php file before, create a dummy (empty) conf/hacks.php file with:

<?php

/* PHP code to be inserted here */

?>

What do you do if you already have a conf/hacks.php file that does something else?
Thanks
J

Feb 12, 2006 21:45

Add whatever code you're trying to use below or above whatever already exists in the file, for instance:


<?php
function some_function() {
    /* ... */
}
function some_other_function() {
    /* ... */
}
?>

or you can just enclose them separately, like so:


<?php
function some_function() {
    /* ... */
}
?>

<?php
function some_other_function() {
    /* ... */
}
?>

Apr 07, 2006 00:54

When I installed the BlockUntrustedVisitors hack it was not possible to access my blog from Google searches.

I got redirected to the dsbl.org website when pressing a search result for my blog on google.

DSBL: Listing Data
