
1 Jun 08, 2006 16:31    

The problem so far:

Since I have long since removed all links and evidence that my stats page exists to the outside world (as well as making the page itself blank), I now know that anybody showing up in the logs as accessing the "disp=stats" page is a spammer (and without fail, it has been "bothosting.info"-type or porn-type links). Yet 3 months after when I have even submitted the page to SEs to *remove* it from listing, it still gets dozens to hundreds of hits to it per day. Blacklisting from htaccess is not a viable solution (I would have to hire a pool of data entry workers to log every unique variation of all the spam in the world). As I understand it, these hits are coming from different zombie computers infected to access my page with a false referer.

Here's my plan:

I'm going to put a Javascript on the stats page. This will use the "alert" function to put a popup on the infested user's screen (and it won't go away until clicked). In the alert, I will explain why they're getting it and what to do - even a link to my blog's comments where they can post feedback so I can tell what's going on.

OK, group mind, could this work?

2 Jun 08, 2006 17:26

I don't think 'infected' computers are behind spam. I think what will happen is the spam-bots will continue to hit you and you won't notice any change. You should upgrade to 0.9.1 or 0.9.2 because of quite a few improvements, the biggest of which is how little your server will work before it turns away spammers listed in your antispam table. The old way was to let the spammer have the whole page before comparing to the list and not adding them to the hit log. The new way is to compare the referer to the list immediately and only make the page for non-spammer visitors.

Also .htaccess isn't that hard. It's NOT easy, but it's not hard either. The thing about it is that it can mess things up pretty badly if done wrong, so you want to be sure of what you're putting in that file. There are a few threads that talk about using .htaccess to block spam.
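An added example (not from the thread and not b2evolution code) tying together the two ideas above: treating every hit on the unlinked "disp=stats" page as a spam signal, and checking the referer against a list before any page is built. It assumes Apache "combined" access logs and plain substring matching; the log lines, hostnames and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation IPs, example.* hosts); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jun/2006:16:01:02 +0000] "GET /index.php?disp=stats HTTP/1.1" 200 512 "http://cheap-pills.example.net/buy" "Mozilla/4.0"
192.0.2.77 - - [08/Jun/2006:16:01:09 +0000] "GET /index.php?disp=stats HTTP/1.1" 200 512 "http://www.cheap-pills.example.net/" "Mozilla/4.0"
198.51.100.5 - - [08/Jun/2006:16:02:30 +0000] "GET /index.php?blog=2&disp=stats HTTP/1.0" 200 512 "http://bothost.example.org/x" "-"
203.0.113.9 - - [08/Jun/2006:16:03:00 +0000] "GET /index.php?disp=posts HTTP/1.1" 200 9000 "http://friend.example.com/links" "Mozilla/5.0"
203.0.113.9 - - [08/Jun/2006:16:03:05 +0000] "GET /index.php?disp=stats HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def referer_host(referer):
    """Lower-cased host of a Referer value without a leading 'www.', or None."""
    host = urlsplit(referer).hostname
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host

def harvest_stats_referers(log_text, own_host="blog.example.com"):
    """Count referer hosts on requests for the unlinked disp=stats page."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = parse_qs(urlsplit(m.group("target")).query)
        if "stats" not in query.get("disp", []):
            continue  # only the honeypot page counts as a spam signal
        host = referer_host(m.group("referer"))
        if host and host != own_host:
            counts[host] += 1
    return counts

def is_spam_referer(referer, keywords):
    """Early check: substring match on the referer, before any page is built."""
    ref = referer.lower()
    return any(k in ref for k in keywords)

if __name__ == "__main__":
    hits = harvest_stats_referers(SAMPLE_LOG)
    print(hits.most_common())
    print(is_spam_referer("http://cheap-pills.example.net/new", list(hits)))
```

The harvested hosts are candidates for review before they go into a blocklist, since a legitimate visitor with an old bookmark would show up the same way.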

3 Jun 08, 2006 18:39

See, there's some new thinking on this I've read here: http://underscorebleach.net/jotsheet/2005/01/referrer-spam-proposal. I'm inclined to agree with the line "the htaccess arms race is unwinnable". It's not that it's hard, it's that it is a nuisance to have to devote a chunk of my time each day to adding to it and checking to make sure legit sites aren't listed. In the extreme case, I can see my htaccess file growing to fill all my available server space...and the spam will STILL come! You can blacklist until the cows come home.

My referral stats are flooded anyway, even after I *deleted* the _stats.php and changed the _main.php "case 'stat'" action from "require( dirname(__FILE__).'/_stats.php');" to "die("random insult");" What I might as well do is try to get a message through to the infected computer's owner. This has a chance of raising awareness of the problem at the source. So that's my question: will a Windows machine running a zombie IE process accessing the page be able to display this pop-up on the user's screen, will the pop-up stay there no matter what until a human clicks the dismiss button, are spammers aware of this and able to block it, has this been tried before, etc?

4 Jun 08, 2006 19:23

Well it's not going to hurt, but I really doubt it'll help either. There is no reason to believe spam comes from hijacked computers. In fact there is good reason to believe spam is automatically generated by programs that people buy and use from their own computer/server to push their domain name on blogs. personman once provided a link to a site that sells spamming software but I can't find the thread right now. They don't stop when you deny them the page, as is evident in server logs, so why would they stop after getting the page with a popup - a popup they'll never see because they are not visiting the page.

Give it a shot and let us know how it goes eh?

Meanwhile upgrade your blog!!! You are running a very old version. And keep your antispam table up to date. Use the ban symbol to ban and delete and REPORT domains that spam you. We will then add heavy spammers to the keyword list, and you will receive the benefit of a large community of users who also report.

5 Jun 08, 2006 20:49

"As I understand it, these hits are coming from different zombie computers infected to access my page with a false referer."

I would argue that you simply misunderstand.

While it's true that because nearly all spam hits come from folks hidden behind proxy ips, it's impossible to disprove that theory, consider this:

IF spam was merely the result of "infected" computers, why bother to use a proxy ip?

For starters, the availability of anonymous proxies is as changeable as my underwear. That's why there are entire sites dedicated to lists of open proxies of all kinds.

The scripting necessary to pull off such a distributed spam attack is one thing -- the additional scripting necessary to protect 100s or 1000s of "zombie pcs" by going out and locating available proxy ips is another thing, and just doesn't fit. It's far too complicated, especially when there are much easier methods.

Water takes the path of least resistance, and thusly so. So do people.

There are shell scripts that allow for mass spamming; they need only one box, and a list of sites to spam. There are software applications that come with built-in lists -- I know of at least two such kinds. They come with updates, btw, new sites added daily.

While you are waiting for comments from folks that display surprise that they're unintentionally spamming your site, download a good old-fashioned port scanner and start taking a look at the open ports on the IPs -- 8080, etc. They're open proxies, available to me, you, anyone, and they exist everywhere. Those boxes aren't infected, they're just wide open.

