[wp-hackers] Simple comment spam experiment

Sabin Iacob iacobs at m0n5t3r.info
Wed Apr 16 22:14:49 GMT 2008


Otto wrote:
> I don't know of a particularly good lojack solution, obviously. I can
> think of some ways to do it.
>
> Idea: when spam comes in and is confirmed to be spam, block the IP
> from that site for a time period. All access to the site from that IP,
> blocked with instant 403. If this gets to enough sites, then rather
> rapidly the spammers can't send spam anymore. 

this is mostly what I do, however at the firewall/iptables level: 
fail2ban is monitoring the logs and adding firewall rules that end in DROP

> Problem: Blowback.
> Spammers will effectively shut down these sites for dynamic IP users
> who happen to get one of those IPs. Plus side: it will encourage ISPs
> not to allow spammers onto their networks at all and to take more
> proactive measures against this sort of thing.
>   

the latest fashion seems to be botnet-powered comment/trackback spam, so 
if you block the corresponding lusers with a mobilising message they may 
actually grab an antivirus and clean their machines, so you're helping 
save the world :D

> Anybody else got any other lojack ideas

instead of just DROP-ing the connections at the firewall, I believe one 
can set it to allow the handshake to occur, then drop anything coming 
from the internet and send RST to Apache to abort the connection;

or (my latest evil thought) set up a bunch of scripts like:

<evil script>
<?php
sleep(30);
header('HTTP/1.0 302 Moved Temporarily');
header('Location: /my/other/script.php');
?>
I am afraid your target has moved. Again.
</evil script>

and have them redirect in a circle (perhaps even with random switching 
between them) >:D
Most spam bots implement HTTP incompletely, but they usually do follow 
redirects; now, I need to see how I can put this in a nice graphical 
display like http://xkcd.com/350/
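
The time-limited, log-driven blocking discussed in this message, as an added example that is not part of the original post and is not fail2ban's own code. The log line format, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, constructed log format: one line per comment confirmed as spam.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) spam-comment ip=(\d{1,3}(?:\.\d{1,3}){3})$")
FINDTIME = timedelta(minutes=10)  # window in which hits are counted
MAXRETRY = 3                      # hits inside the window that trigger a ban
BANTIME = timedelta(hours=1)      # bans expire, which limits dynamic-IP blowback

SAMPLE = [  # constructed lines using documentation-range addresses
    "2008-04-16 22:00:01 spam-comment ip=192.0.2.10",
    "2008-04-16 22:00:05 spam-comment ip=192.0.2.10",
    "2008-04-16 22:01:00 spam-comment ip=198.51.100.7",
    "2008-04-16 22:02:30 spam-comment ip=192.0.2.10",
    "2008-04-16 22:30:00 spam-comment ip=198.51.100.7",
    "2008-04-16 23:05:00 spam-comment ip=192.0.2.10",
]

def process(lines):
    """Return (time, action, ip) events, action being 'ban' or 'unban'."""
    hits, banned, events = defaultdict(deque), {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a confirmed-spam record
        now = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        # Lift bans whose time period has run out before handling this hit.
        for old_ip, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= now:
                events.append((until, "unban", old_ip))
                del banned[old_ip]
        if ip in banned:
            continue
        window = hits[ip]
        window.append(now)
        while now - window[0] > FINDTIME:
            window.popleft()  # forget hits older than the counting window
        if len(window) >= MAXRETRY:
            banned[ip] = now + BANTIME
            events.append((now, "ban", ip))
            window.clear()
    return events

def iptables_argv(action, ip):
    """Build (not run) the rule change: insert a DROP on ban, delete it on unban."""
    return ["iptables", "-I" if action == "ban" else "-D", "INPUT", "-s", ip, "-j", "DROP"]
```

In the sample, 198.51.100.7 is never banned because its two hits fall outside one counting window, and 192.0.2.10 is released one hour after its ban.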


