
1 Aug 24, 2005 19:58    

I'm not really a fan of banning by IP since the goal of the spammer is to get domain names linked. OTOH some IPs seem to be used exclusively by referer spammers, so another tool in your arsenal can't hurt. I decided it would be nice if you had a way in your back office to see exactly what sort of traffic is coming from (through?) any given IP. If it's nothing but spam then you should be able to kill it all in one click of a mouse. 2 really - one to select the IP and one to delete and ban everything associated with it. That's what I wanted and that's what I've got, and very soon you too can have it.

A wee bit of history, for the heck of it:

In order to write this hack I needed spam, so I emptied my antispam table, thus letting the spammers have a field day with my blogs. In the process I learned quite a bit. My primary blog gets hit pretty hard by a small handful of IPs. The two worst offenders also seemed to share about 70% of the domains they were pushing. My other installation, which happens to be of the "mydomain/folder" variety wasn't getting hit by/through those IPs at all. Must be lists out there and it all must be based on who's paying for what, but I dunno all that. Anyway I emptied my antispam table and started watching spammers.

After a fair amount of trial and error I decided on the following: if I choose to ban an IP several things should happen.

  • Every hit through that IP should be displayed in chronological order.

  • I should see the hit type since I don't want to ban IPs that also generate valid hitlog entries.

  • I should extract the bannable keyword from every referer hit and make a list of them, mindful to not duplicate a keyword in this list.

  • I should extract .spamdomain.tld instead of foobar.spamdomain.tld and boofar.spamdomain.tld (unless it's blogspot.com or myblogcity.com).

  • I should then be able to delete all the hits and add the keywords to my antispam table (unless it's already there) and ban the IP address.

  • If I add the keywords it should automatically recheck my hitlog table and delete matching entries.

  • If I use my antispam rechecker hack it should update the stats from 'needs' to 'gotit'

  • It should do it all for comments too.

  • If I ban the IP address it should keep track of how many hits and keywords that IP found when I banned it.

  • I should be able to unban an IP, but the keywords it found should stay banned.

  • Banned IPs with *any* referer info should get Isaac's "instant-403" treatment.


    By the way my antispam table is still almost empty. I've banned 2 IPs in 2 days. The first gave me 108 hits and 13 keywords overnight. The next morning another IP had generated 93 fake referer hits but only one keyword. I'm not sure I like the second one as an IP ban, but it's there so that's life. Anyway I've still got lots of spam in my stats but I don't have any IP that stands out as a super-spam-source, so I'm waiting for a really big kill. The first IP, when I banned it, had its buddy in second place. Since I purged the hitlog table of those 13 keywords its buddy dropped down to like 8th or 9th. It's worked its way back up to 2nd, but has chump change for total fake referer hits. I'm sure given another day or two it will be my third banned IP.

    Okay that's enough. I think this tool is an alternative method of culling nasties. The antispam table combined with my rechecker hack and Isaac's "instant 403" thing is pretty danged strong. Throw in whoo's "rename the htsrv folder" and you've nailed spammers six ways to Sunday. I think the biggest benefit to this particular method (other than being controlled completely by The Admin) is when you've been away for a while and come back to hordes of screaming spammers laying siege to your personal city. It's very possible that a couple of clicks later you could have the whole thing cleaned up.

    Here's the hack (http://wonderwinds.com/hackblog.php/2005/08/24/yaash_banning_ips_in_your_back_office) and have fun with it.

    I think I'm done hacking v12. With phoenix on the horizon I think I'd rather see if I'll be able to upgrade my blog to it, and maybe start looking at how to transfer some v12-era hacks. Oh except for tuning up this and any other pre-phoenix hacks I've done.

    FINAL THOUGHT: Always always ALWAYS get your centralized blacklist updates and report any spammers that hit you.
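
The review and keyword-extraction steps from the list in the post above, as an added Python example; it is not EdB's hack or b2evolution code. The row fields, hit-type names and sample rows are assumptions, and reducing a host to its last two labels is a simplification that a public-suffix list would replace.

```python
from urllib.parse import urlsplit

# Hosts where every subdomain has a different owner (the two named in the post).
SHARED_HOSTS = {"blogspot.com", "myblogcity.com"}

def referer_keyword(referer):
    """Bannable keyword for one referer URL, or None if there is none."""
    try:
        host = (urlsplit(referer).hostname or "").rstrip(".")
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():  # bare name or IP literal
        return None
    base = ".".join(labels[-2:])  # simplification: no public-suffix list
    if base in SHARED_HOSTS:
        return host if len(labels) > 2 else None  # never ban the whole host
    return "." + base

def review_ip(hits, ip, antispam):
    """Ban plan for one IP: its hits in time order plus deduplicated keywords."""
    rows = sorted((h for h in hits if h["ip"] == ip), key=lambda h: h["time"])
    keywords = []
    for h in rows:
        kw = referer_keyword(h["referer"]) if h["type"] == "referer" else None
        if kw and kw not in keywords:
            keywords.append(kw)
    return {
        "hits": rows,
        "hit_types": sorted({h["type"] for h in rows}),  # check before banning
        "keywords": keywords,
        "new_keywords": [k for k in keywords if k not in antispam],
    }

# Constructed rows (assumed schema and hit-type names), not real log data.
SAMPLE_HITS = [
    {"ip": "203.0.113.7", "time": "2005-08-24 03:10:05", "type": "referer",
     "referer": "http://boofar.spamdomain.example/pills.html"},
    {"ip": "198.51.100.9", "time": "2005-08-24 03:09:00", "type": "search",
     "referer": "http://search.example/?q=kites"},
    {"ip": "203.0.113.7", "time": "2005-08-24 03:02:41", "type": "referer",
     "referer": "http://foobar.spamdomain.example/"},
    {"ip": "203.0.113.7", "time": "2005-08-24 03:15:30", "type": "referer",
     "referer": "http://spam-sample.blogspot.com/2005/08/"},
    {"ip": "203.0.113.7", "time": "2005-08-24 03:20:00", "type": "referer",
     "referer": "http://www.oldspam.example/"},
]
```

Calling `review_ip(SAMPLE_HITS, "203.0.113.7", {".oldspam.example"})` returns the four hits oldest first, a single hit type, and two new keywords, since `.oldspam.example` is already in the antispam set.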

    2 Aug 24, 2005 20:54

    EdB wrote:

    ... By the way my antispam table is still almost empty. I've banned 2 IPs in 2 days. The first gave me 108 hits and 13 keywords overnight. The next morning another IP had generated 93 fake referer hits but only one keyword. I'm not sure I like the second one as an IP ban, but it's there so that's life ...

    Quoting myself? :roll:

    I just realized what I didn't like about the second one: kill ratio. I want lots of keywords per IP banned. My first gave me 13:1 but my second dropped it to 7:1. Anyway now I added one little bit. Where it displays the table of banned IPs it also gives you your overall kill ratio expressed as the average number of keywords per IP. If you decide after a while your kill average is too low just unban the IP with the smallest number of identified keywords. It WON'T unban the keyword - just the IP.

