My (DNSBL) Blacklist list

Here is my current list of DNSBLs that I use for blocking [much] spam, proxies, hijacked PCs and “problem” IPs. Note that even using all of these DNSBLs at the same time still will not prevent all spam, but when used in combination with Akismet, your site can be 99.9% spam free.

The real use for these DNSBL lists is to block open proxies and other IPs that can cause trouble:

  • rbl.efnetrbl.org
  • spam.spamrats.com
  • combined.abuse.ch
  • xbl.spamhaus.org
  • web.dnsbl.sorbs.net
  • dnsbl.ahbl.org
  • problems.dnsbl.sorbs.net
  • opm.tornevall.org
  • cbl.abuseat.org
  • dnsbl-2.uceprotect.net
  • dnsbl.mags.net

How To Tell Spam From A Real Comment

In addition to Real Time Block Lists and static lists of blocked server farms I also use Akismet for blocking spam so I don’t really have a big spam problem.

But once in a while I get a nice, wordy comment posted here at the blog that slips past all the protection. When this happens it’s up to me to figure out if the comment is real or just some shitty, low-life, worthless spammer. For doing this I have one rule/process. It’s pretty easy, and so far has been nearly 100% effective and correct. This is how it works:

When you get a questionable comment – ask yourself this question:

Would this comment make as much sense on any page other than this one?

If the answer is “yes, this comment would make as much sense on a post about using SEO to increase traffic as it would on a post about why Google Plus is better than Facebook“, then it’s SPAM.

If the answer is “No, this comment only makes sense being posted to this particular post“, then, it’s not spam.

Here is an example of a comment that some clever spamshitter recently left on a blog post of mine regarding, what else, blocking spammers:

This is the fitting blog for anyone who needs to seek out out about this topic. You understand so much its almost arduous to argue with you (not that I really would want?HaHa). You undoubtedly put a brand new spin on a subject thats been written about for years. Great stuff, just great!

He almost got me by going for the ego and flattering me with the “great stuff” line, but the fact that this comment could be posted anywhere, on anything, regarding any subject, means it = SPAM. Sorry Mr. Einstein from Bulgaria, but it’s the spam-can for you! Go get a fucking job!

Fighting Spam: Giving Back

Most of my posts about fighting spammers, email harvesters and content scrapers focus on blocking them from your website. Blocking spammers and scrapers is all fine and well, but it’s a little selfish, isn’t it? I mean, if you (or your systems/modules/mods/firewall) identify a spammer or content-scraper’s IP address why keep it to yourself? Especially if you are using shared or open systems like Akismet or BadBehavior which makes use of ProjectHoneypot.org’s http:BL you might even feel guilty for not “giving back” to the anti-spam community! Ok, well maybe you never thought about it, but after you read how easy it is to give back you should feel guilty if you don’t!

How To Help The Fight Against Spammers, Harvesters and Scrapers:

You can easily help identify and catch spammers and harvesters by contributing resources to Projecthoneypot.org. Projecthoneypot is (I think) the largest free, open collection of honeypots on the internet. Projecthoneypot makes all the data it collects freely available via their http:BL (via BadBehavior, MOD_HTTPBL, http:BL for WordPress, and more).

There are 2 very easy ways you can contribute to the fight, and 1 slightly-less easy way:

First, you need to go over to ProjectHoneypot.org and create a free account. You will need to create an account either if you want to use their spam-blocking services above, or if you want to contribute resources. After you create your free account you will be issued an http:BL API key which is needed for any of the http:BL spam-blocking systems and you will then also be able to contribute spammer-blocking data in one of three ways:

1) “Borrow” someone’s shared honey-pot via a Projecthoneypot QuickLink: This is super easy! After you create your Projecthoneypot account, just click ‘Manage Quicklinks‘. After answering a question or two about your site, you will be given your own Honeypot link that you can paste on your site. You put this link on your website so that only bots/scrapers/spammers can ‘see’ it (it’s simple – and there are full instructions). Your visitors will never see the links, but spammers and scrapers will (there is a hidden honey-pot link in this post.. do you see it?) – they will follow the link to the shared-honeypot, where their IP information will be caught and published on the public block-lists. This is literally as simple as copying and pasting a link onto your site!

2) Install your own honeypot to catch spammers! I avoided installing my own honeypot for a long time because frankly I just assumed it was too complicated. But after finally taking the time (2 or 3 minutes) to read the instructions, I was surprised at how simple it was. To create and install your own honeypot, log-in to ProjectHoneypot.org and click ‘install a honeypot‘. Answer a few questions like what the URL is for your website, if you want to share it with others, and what language you want the honeypot in (probably PHP), and a custom honeypot script will be generated for you to download – full, step-by-step instructions are provided, but, basically you upload ONE SINGLE .PHP file to your website, open that file through your browser, click a link, and that’s it! You then put invisible links to your new honeypot on your website. The whole process, start to finish should not take more than 2 minutes.. 3 if you read slow!

3) Donate an MX record: Donating an MX record will allow Project Honeypot to generate unique (fake) email addresses to catch spammers. These fake email addresses are posted in honeypots for spammers to find and the more unique domains available, the better. Donating an MX record does not use your email system or any of your resources because all of the (fake spam) email goes directly to Projecthoneypot.org and unspam.com’s email servers. To donate an MX record you need to be able to edit your DNS Zones/DNS MX records – it’s not as simple as using a honeypot, but full instructions are given, and it’s not difficult. If you are comfortable with editing DNS entries it’s a snap; if you aren’t comfortable monkeying with your DNS settings, you may want to stick with methods #1 and #2 above. I was uncomfortable donating and configuring an MX record at first, but after doing the first one, I’ve since donated several more.

Now that you know how easy it is to help in the fight against spammers/email harvesters/scrapers you have no excuse not to help – NOW you will feel guilty if you didn’t feel guilty before.

Note about links: You may notice that the links to Projecthoneypot.org above are ‘referral’ links. Projecthoneypot referrals are not paid referrals. Instead Projecthoneypot keeps track of how many referrals each member has for “karma points”.. We don’t really get anything else out of it other than feeling better about ourselves for helping spread the word about how easy it is to fight spam :-)

MOD_SECURITY vs Bad Behavior

Bad Behavior and MOD_Security are both great tools to help block spammers, bots, scrapers, proxies, and application-level attacks – but which one should you use?

Bad Behavior:
+ Easy to install and configure, especially on WordPress. The Drupal Bad Behavior module is no longer supported so it will not work “out of the box” with the newest version of Bad Behavior, but you can make it work by following these instructions. (I have the fully-patched and working module that you can drag’n Drop into your modules directory – contact me if you would like a copy)
+ Many built-in rules that block a wide variety of spammers, bots, scrapers, proxies and other bad stuff.
- No control over the rules and no visibility into what is blocked or why; Bad Behavior has an on/off “strict mode” setting – but it’s a mystery as to what it changes. Bad Behavior also allows you to whitelist IPs, but gives you no other control of what is or is not blocked.
- Must be installed and separately administered on every site/domain/sub-domain.
- May be slower due to the additional PHP overhead

MOD_SECURITY:
+ Full, fine-grained control over blocking rules
+ Create your own rules, or get (free) fully-tested rules from GotRoot (and customize to your needs)
+ Fully integrates with CSF Firewall
+ Protects the entire server with the same ruleset
+ Very lightweight/fast – does not use PHP resources
- Must have root-access to install
- Can only run on a dedicated or VPS server
- More difficult to install for non-Linux types

I started with BadBehavior, then used both Mod_Security and BadBehavior together for a number of years with a very light-set of ModSecurity rules, allowing Bad Behavior to block the rest. Recently I grew tired of maintaining Bad Behavior across all my sites and frustrated with the lack of control in Bad Behavior. I translated all of the Bad Behavior rules into Mod Security and now use it exclusively.

So which one is right for you? Only you can decide. Now you know the differences.

DRUPAL: How To Use dnsBL and RBLs

Most of my recent yammering about using DNSBLs to block spammers, trolls and other riff-raff has focused on using the DNSBL with Mod_security rules and IPTables firewall which requires either a dedicated server or at least a VPS – leaving all you shared-hosting users out in the cold to fend for yourselves..

But Drupal users in shared-hosting environments rejoice and fear not! You can easily incorporate some of the fun and function of these DNSBLs too! You won’t have the same ability to totally drop their packets but you can block the posts that they make or redirect them to an error page.. Here’s how:

The Drupal TROLL module will not only allow you to block IPs of users or other IPs that you add to the block-list, but it will also make use of DNS Blacklists (DNSBL) to prevent the spammers/trolls, etc. from making any posts. They can still read your pages, they just can’t make posts. To use the DNSBL option in TROLL, install as usual, then on the DNS BLACKLIST tab in the configuration page click the “Enable Operation” checkbox and specify how many blacklists the IP must appear on before being “blacklisted” (1 should be plenty).

By default the Troll module uses dnsbl.sorbs.net, bl.spamcop.net, dnsbl.njabl.org, cbl.abuseat.org, & sbl-xbl.spamhaus.org. I would be careful with some of those – particularly spamcop.net and the sbl-xbl.spamhaus.org list. I would change sbl-xbl.spamhaus.org to XBL.spamhaus.org and maybe replace the others with some from my favorite black lists. Remember – be careful. I don’t think the Troll module will log when IPs are blocked so you won’t have a good gauge of who is being blocked.
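The "how many blacklists before blocking" threshold described above, as an added Python example (not the Troll module's code). It goes a little beyond the text by skipping zones that fail the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not) and by ignoring Spamhaus's 127.255.255.x error codes. The `.example` zones, the sample answers and all function names are constructed for illustration.

```python
import ipaddress
import socket

LISTED = ipaddress.IPv4Network("127.0.0.0/8")
ERRORS = ipaddress.IPv4Network("127.255.255.0/24")  # Spamhaus error codes

def query_name(ip, zone):
    """RFC 5782 query name: IPv4 octets reversed, then the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A records for name via the OS resolver; [] on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve):
    """True if any answer is a 127.0.0.0/8 listing code, not an error code."""
    answers = [ipaddress.IPv4Address(a) for a in resolve(query_name(ip, zone))]
    return any(a in LISTED and a not in ERRORS for a in answers)

def zone_is_sane(zone, resolve):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A dead zone that answers every query fails the second check."""
    return is_listed("127.0.0.2", zone, resolve) and \
        not is_listed("127.0.0.1", zone, resolve)

def check_ip(ip, zones, threshold=1, resolve=system_resolver):
    """Return (zones listing ip, block decision), skipping unhealthy zones."""
    hits = [z for z in zones if zone_is_sane(z, resolve)
            and is_listed(ip, z, resolve)]
    return hits, len(hits) >= threshold

# Constructed sample data: hypothetical zones and answers, no real lookups.
SAMPLE_DNS = {
    "2.0.0.127.good.example": ["127.0.0.2"],
    "7.113.0.203.good.example": ["127.0.0.4"],
    "2.0.0.127.quiet.example": ["127.0.0.2"],
    "2.0.0.127.errs.example": ["127.0.0.2"],
    "7.113.0.203.errs.example": ["127.255.255.254"],
}

def sample_resolver(name):
    # "wild.example" models a wildcarded zone that answers everything.
    if name.endswith(".wild.example"):
        return ["127.0.0.2"]
    return SAMPLE_DNS.get(name, [])
```

Calling `check_ip` without the `resolve` argument uses the operating system's resolver, so the zone list should be limited to lists you have confirmed are still operating and that permit queries from your resolver.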

The other way, which you can use instead of Troll or in addition to Troll, is one of my other favorite Drupal modules, Bad Behavior. The newer version of BadBehavior includes httpBL support from ProjectHoneyPot which will catch/stop a lot of spammers and trolls. The Drupal BadBehavior module is no longer officially supported by the author, but the community has been doing a good job at patching it and keeping it current. To get the newer versions of BadBehavior to work with Drupal and also enable httpBL support, read through this page at Drupal: Updated For BadBehavior 2.1. If all the posts in that thread are too much to follow, I have the fully-patched (with updated whitelists) version and I’d be happy to ZIP/gZIP it up and send to anyone that needs it.