Geeklog Forums
Help! My site is under attack!
I have an army of spambots attacking my site right now ( http://dubiousprofundity.com/ ). I am getting 2-300 new http referrers every hour, all from www.antiquemarketplace.net (http: trimmed to keep it from creating a link). I have added tons of variations to my spam-X blacklist, but spamX doesn't seem to be able to just block that domain, and the hits are coming from all different IPs (spoofed, I'm sure). Can anyone help?
Luhme summa dat GL.
DubiousChrisJ
Forum User
Regular Poster
Registered: 05/10/05
Posts: 114
Anonymous commenting is disabled...and to access site statistics requires login as well. This doesn't stop them from filling up my Http referrer logs with their BS links...
Am I understanding you correctly?
Luhme summa dat GL.
DubiousChrisJ
Forum User
Regular Poster
Registered: 05/10/05
Posts: 114
Well, I guess I blocked enough variations to make a difference...it seems to have petered off...
I have some referrer spam here and there, but never anything like this before...I had just cleared the log, and went to 300 of the same link within minutes...and this kept up through multiple deletes.
Luhme summa dat GL.
guest
Anonymous
Why should disabling the stats help in this case?
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by DubiousChrisJ: I am getting 2-300 new http referrers every hour, all from www.antiquemarketplace.net
Welcome to the club - sounds like you're on the list of our special friends, "The Bulgarians". Expect more of the same over the coming days (but with different domains).
In addition to the measures linked to from the above article, I can also heartily recommend Bad Behavior (which, btw, is now finally running here on geeklog.net, too).
bye, Dirk
Matt
Anonymous
I'm being hit hard by these folks too, with the antiquemarketplace referrer. On my site, they were hitting all the "email this story" links, and actually generating emails, with their spam message in the comment field ahead of the story. I found out about it when a bunch of the emails bounced back to me.
I could look at my SMTP server logs, and see all the addresses that they had spammed. It was weird. Most of them didn't look like legitimate addresses, and they pounded on a couple of addresses over and over. I'm not sure what they were trying to do.
This opened my eyes to a problem that I should have considered before. If you have a website which allows a visitor to enter any email address, and cause email to be sent to that address, you effectively have an open SMTP relay if somebody finds it and abuses it. And the "email this story" function is exactly that: a website that allows anybody to use my server to send email to anybody, as long as they don't mind having my article appended to the end of their spam.
Has anybody else considered the possibility of "email this story" being abused as a spam relay? If so, is there any way to prevent it, other than disabling the function?
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Matt: If you have a website which allows a visitor to enter any email address, and cause email to be sent to that address, you effectively have an open SMTP relay if somebody finds it and abuses it. And the "email this story" function is exactly that: a website that allows anybody to use my server to send email to anybody, as long as they don't mind having my article appended to the end of their spam.
Has anybody else considered the possibility of "email this story" being abused as a spam relay? If so, is there any way to prevent it, other than disabling the function?
So far, the spammers haven't been desperate enough to do that. But then again, I guess the appended story could actually help get their message through the spam filters ...
You can disable emailing stories for anonymous users in config.php (set $_CONF['emailstoryloginrequired'] = 1).
And it would probably make sense to check the message that has been entered for spam before sending it ... /me makes a note of that
bye, Dirk
guest
Anonymous
But why disable the stats?
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by guest: But why disable the stats?
Because your stats link to them and that's all they're after. More links, better Google ranking. So you're doing free advertising for these scumbags ...
bye, Dirk
guest
Anonymous
My stats just lists the top stories, comments, e-mail stories, links, etc. It has nothing about referrers.
Matt
Anonymous
Geez ... do these guys ever give up? I followed Cindy's spampop suggestion to deny requests with the x-aaaaaaaaaa: header, and that's working. All their requests are getting blocked with a 403 error. But they're still filling my access logs with their referrer sites, which I guess is their main goal (or at least one goal, I'm still not sure what they were trying to accomplish with the mail trick). It makes me want to email them and say "Hey jerks, give up!! I'll make damn sure your sites don't show up in my stats no matter how hard you hammer me!"
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by guest: My stats just lists the top stories, comments, e-mail stories, links, etc. It has nothing about referrers.
That's fine then. The above comments were about the visitor stats plugin (aka GUS plugin). Geeklog's own little stats page doesn't display any referrers.
bye, Dirk
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Matt: Geez ... do these guys ever give up?
Nope. They don't care about return codes (no spambot does, AFAIK). Blocking them in .htaccess at least takes the load off your server (and database).
They've been hitting geeklog.net for months (since last December), getting 403s for each and every request. They've only stopped a few weeks ago (and I still have them on other sites).
bye, Dirk
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by LWC: That would just hammer your 403 page.
The 403 "page" on geeklog.net is this (from our .htaccess):
Text Formatted Code
# send a short 403 message
# (Apache 1.3 form with an opening quote only; Apache 2.x expects a closing quote as well)
ErrorDocument 403 "Access denied.
That's all it sends: 14 bytes (plus the HTTP header). If you have a busy site and/or are under attack, you want to save what you can.
Quote by LWC: Why don't you use the 127.0.0.1 method, which you suggested yourself in the past?
Not all spambots follow the redirect. The Bulgarians' do, actually. But redirecting them to 127.0.0.1 doesn't make a lot of sense since they exclusively use open proxies, so you would only hammer the proxies.
bye, Dirk
drshakagee
Forum User
Full Member
Registered: 10/01/03
Posts: 231
I added some stuff to my personal blacklist in spam-x and I have gone from 100 spam comment attempts a day to less than 10 and I have even had days with no attempts. They do eventually stop. I get occasional complaints from normal users that their comments are flagged as spam, but I don't mind since it's not too often.
Yes I am mental.
ironmax
Anonymous
Another way that you could stop them is if you run your own server as I do, you could block them using the firewall or router to disable connections from those IPs that they are using to connect from. Plus I don't allow anonymous comments, so that pretty much stopped them cold in their tracks. Also you could use Bad Behavior as another tool to thwart their attempts.
Mike
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by ironmax: Another way that you could stop them is if you run your own server as I do, you could block them using the firewall or router to disable connections from those IPs that they are using to connect from.
Last time I bothered to count, I came up with a list of 1463 different IP addresses (all open proxies, mind you) they had used over time.
It may, of course, help as a short-time measure when you're really getting a lot of hits.
Quote by ironmax: Also you could use Bad Behavior as another tool to thwart their attempts.
Bad Behavior checks for that special header they seem to be using all the time. You can also feed that to the Spam-X plugin (that's what the Header filter module is for).
bye, Dirk
Matt
Anonymous
Quote by Dirk:
Not all spambots follow the redirect. The Bulgarians' do, actually. But redirecting them to 127.0.0.1 doesn't make a lot of sense since they exclusively use open proxies, so you would only hammer the proxies.
bye, Dirk
Firewalling makes the most sense, if you can do it. Unfortunately, I'm on a virtual server and can't set up a firewall. I used the technique of checking for the x-aaaaa header, which worked nicely. At first I used it to deny access, and sent a short message like Dirk's instead of a 403 page. But if some of the spambots are actually following redirects, I decided it made more sense to redirect to an address that was either dead or firewalled, so that it wouldn't respond. Redirecting to 127.0.0.1 will probably cause the spambot's host to immediately respond with a connection rejected, but redirecting to a dead or firewalled IP will make the bot wait for a timeout, which could slow it down some. Granted, it only works for the bots that follow redirects, but even for the ones that don't, it still reduces your server load by sending a redirect instead of letting them hit your actual content. And I can also keep the spam hits out of my access logs (actually I route them to a separate log so I can still be aware of them), by using the spammer environment variable on the log directives.
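An added example, not part of any post in this thread: one way to express the header check, the short 403 and the separate spam log that Matt and Dirk describe, written for Apache 2.4 in virtual-host context. The log paths are assumptions, and the header name is copied as quoted in the thread.

```apache
# Added example (not from the thread). Apache 2.4, <VirtualHost> context.
# Needs mod_setenvif, mod_authz_core and mod_log_config; assumes the
# "combined" LogFormat from the stock httpd.conf is defined.

# Flag requests that carry the bots' tell-tale header. ".+" assumes the
# header arrives with a non-empty value; header names are case-insensitive.
SetEnvIf X-Aaaaaaaaaa ".+" spammer

# Also flag the referrer domain reported in the first post.
SetEnvIfNoCase Referer "antiquemarketplace\.net" spammer

# Keep the error body tiny so each rejected hit costs almost nothing.
ErrorDocument 403 "Access denied."

# Refuse flagged requests before they reach PHP or the database.
<Location "/">
    <RequireAll>
        Require all granted
        Require not env spammer
    </RequireAll>
</Location>

# Flagged hits go to their own log (path is an assumption), so the main
# access log and anything built from it stay free of the spam referrers.
CustomLog "logs/access_log" combined env=!spammer
CustomLog "logs/spam_log"   combined env=spammer
```

CustomLog is not permitted in .htaccess, so on shared hosting only the SetEnvIf, ErrorDocument and access-control parts can be applied there.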