From Russia without Love

08 May 2007

Spam with Cheese

I've recently been receiving some spam from some Russian IPs. As each spam attempt was from a different IP, blocking individual ones was a little futile and time consuming. I did a quick google and ended up at Deekayen's website as it seems he has had similar issues. His solution was an Apache level "Deny"… My solution uses iptables.

See, if someone is coming to my site with mal-intent, ideally I don't want them near the server - much less the site! Even with Apache Deny rules, each spam attempt will be costing me bandwidth + a server hit. Additionally, if I were to do a Drupal upgrade on the site then it's quite likely my .htaccess would get overwritten, thus opening me up to spam again.

My solution requires root access to your server and that the server be running a version of Linux (I'm pretty sure they all ship with iptables now). Initially, I simply did the following - assuming 123.123.123.123 is the offending IP:

iptables -I INPUT -s 123.123.123.123 -j DROP

The manual page for iptables defines DROP as:

DROP means to drop the packet on the floor

The problem with this is that for every offending IP, you would need to add a rule. What if you KNEW that every IP in the 123.123.123.0 - 123.123.123.255 range was going to offend? Well, there are a number of ways to do this. One uses a subnet mask and the other (untested) uses the iptables ip-range facility.

Subnet Solution

This method is EXACTLY the same as the previous example however you slightly change the IP address…

iptables -I INPUT -s 123.123.123.0/24 -j DROP

The /24 on the end tells iptables that the source address should be matched against a 24 bit mask of 123.123.123.0, so only the first 24 bits (123.123.123) are compared and every address from 123.123.123.0 to 123.123.123.255 matches. For more information on subnetting an IP - please read this Wikipedia article on the subject. I don't know a lot about it…

IP-Tables IP-Range Solution

I didn't personally use this method - mainly because it was less effort to block the entire range rather than a specific smaller range, however this solution provides finer control over what actually gets blocked. For example, you might not want to block 123.123.123.0 - 123.123.123.255 - you might only want to block 123.123.123.15 - 123.123.123.23 inclusively. As I said, I haven't personally tried this method, however it is a suggested alternative in a forum post over at ServerBeach.com about Blocking an IP Range. This is the example given in that forum by aryani.

iptables -I INPUT -m iprange --src-range 123.123.123.15-123.123.123.23 -j DROP

The manual page describes it as follows…

iprange

This matches on a given arbitrary range of IPv4 addresses

[!]--src-range ip-ip
Match source IP in the specified range.
[!]--dst-range ip-ip
Match destination IP in the specified range.

I cannot find any mention of the "-m iprange" part in the manual though. I wonder if that's OS-specific.
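To show how the subnet mask and the iprange match relate, here is an added example (not from the original post or the ServerBeach thread) that splits an inclusive IPv4 range into the aligned CIDR blocks a plain -s rule can express. The function names are made up for this example; it assumes a shell with 64-bit arithmetic and octets written without leading zeros, and it only prints the rules.

```shell
#!/bin/sh
# Added example (not from the original post): split an inclusive IPv4 range
# into the aligned CIDR blocks that plain "-s" rules can match.
# Function names are hypothetical; assumes 64-bit shell arithmetic and
# octets written without leading zeros.

ip_to_int() {   # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {   # 32-bit integer -> dotted quad
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

range_to_cidrs() {   # range_to_cidrs FIRST_IP LAST_IP -> one CIDR per line
    lo=$(ip_to_int "$1"); hi=$(ip_to_int "$2")
    while [ "$lo" -le "$hi" ]; do
        bits=32
        # Widen the block one bit at a time while it still starts on its own
        # boundary (that is what a mask requires) and ends inside the range.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            [ $(( lo % size )) -eq 0 ] && [ $(( lo + size - 1 )) -le "$hi" ] || break
            bits=$(( bits - 1 ))
        done
        echo "$(int_to_ip "$lo")/$bits"
        lo=$(( lo + (1 << (32 - bits)) ))
    done
}

range_rules() {   # print (do not run) one DROP rule per CIDR block
    range_to_cidrs "$1" "$2" | while read -r cidr; do
        echo "iptables -I INPUT -s $cidr -j DROP"
    done
}

# The range from the iprange example needs two mask-based rules:
range_rules 123.123.123.15 123.123.123.23
# The whole 0-255 range collapses to the single /24 rule used earlier:
range_rules 123.123.123.0 123.123.123.255
```

A range that does not start and end on mask boundaries needs several -s rules, which is the finer control the single iprange rule gives.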

Where do I find these IP address things?

Well, you have a number of options. I have the Spam module installed on this site so anything that is considered spam will go there first to be moderated. The Spam module logs the IP address of anything it considers spam however Drupal doesn't (unfortunately) log the IP address of commenters by default. Maybe there is a module which will do this?

If you have access to the server logs, you could search through them for attempted connections to your site's comment script. With Linux - this is VERY easy, for example:

grep 'comment/reply' /path/to/logs/httpd/my_log

That will search for anything with 'comment/reply' in it. I'm sure a Linux and/or regular expression guru could work up something "better", but that's a basic example. If there are too many results, you can always pipe the results to a reader like less or more. Most logs will also contain the date/time that this access attempt happened plus a note of whether it was a GET or POST request.

One other option is that you could look up common IPs from a blacklisting website.
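The log search described above can be taken one step further. This added example (not part of the original post) counts POST requests to comment/reply per /24 and prints the matching DROP rules for review without running them. The log lines are constructed samples using documentation addresses, and the function names and threshold are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): count POSTs to comment/reply
# per /24 and print candidate DROP rules for review. Nothing is executed.
# Function names and the threshold are hypothetical.

sample_log() {   # constructed Apache combined-format lines, documentation IPs
cat <<'EOF'
198.51.100.7 - - [08/May/2007:21:01:10 +0100] "POST /comment/reply/12 HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [08/May/2007:21:01:12 +0100] "POST /comment/reply/12 HTTP/1.1" 200 512 "-" "-"
198.51.100.200 - - [08/May/2007:21:02:40 +0100] "POST /comment/reply/31 HTTP/1.1" 200 498 "-" "-"
203.0.113.5 - - [08/May/2007:21:05:02 +0100] "POST /comment/reply/12 HTTP/1.1" 302 0 "-" "-"
192.0.2.44 - - [08/May/2007:21:06:15 +0100] "GET /comment/reply/12 HTTP/1.1" 200 2048 "-" "-"
host.example - - [08/May/2007:21:07:00 +0100] "POST /comment/reply/12 HTTP/1.1" 200 512 "-" "-"
EOF
}

# offending_subnets MIN: read a log on stdin, print "COUNT SUBNET/24" for each
# /24 with at least MIN POSTs to comment/reply, busiest first.
offending_subnets() {
    awk -v min="$1" '
        # Only dotted-quad client fields are used, so nothing else from the
        # log can end up inside a generated command.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $6 == "\"POST" && $7 ~ /comment\/reply/ {
            split($1, o, ".")
            hits[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (s in hits) if (hits[s] >= min + 0) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

drop_rules() {   # "COUNT SUBNET" lines -> iptables commands, printed only
    while read -r count subnet; do
        echo "iptables -I INPUT -s $subnet -j DROP  # $count POSTs to comment/reply"
    done
}

sample_log | offending_subnets 3 | drop_rules
```

With a threshold of 3 the lone POST from 203.0.113.5 produces no rule; a /24 rule blocks every visitor in that subnet, so the threshold decides how much collateral blocking is accepted.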

What website could I use for this? Could I help?

Why yes - of course you could help!

Enter Project Honey Pot which is a really cool community driven anti-spam site. You can register for free and you gain access to a list of IP addresses which have been logged spamming in some way. If you feel generous, you could host a "Honey Pot" on your website which can help them find new or existing harvesters. I've set one up on this site - it can be seen here.

If you're feeling particularly generous, you can also offer a subdomain (or maybe full domain) for spamming. Basically, you add an MX record to a subdomain of your own domain to point at one of Project Honey Pot's MX servers. This is only likely to be possible through a decent Registrar, 123reg doesn't seem to support it. Any email that gets sent to this subdomain (eg, somebody@subdomain.thingy-ma-jig.co.uk) will get sent to Project Honey Pot and they can analyse it for spam. If it is spam - they make a note of the source IP. I don't KNOW, but I assume these email addresses get used on the Honey Pot pages.

There are LOADS of services out there to help out with spam. Most simply offer a service to block spam on your website, for example Akismet. Personally I don't want these people on my site. If all they're going to do is waste my time tidying up after them and waste my server resources (such as CPU cycles and bandwidth) then they can simply not have access (this reminds me of a parental approach on toys - "if you can't play with it sensibly then you can't play with it at all"). I'd much rather a situation where as soon as a known spammer tries to get to my site, they get turned down at the door for EVERYTHING. The knock-on advantage of turning away spammers is that it reduces my illegitimate hits and therefore my Google Adsense CTR (Click Through Rate) might go up, therefore increasing the value of a click on my site.

I'd be interested to hear what methods others are using to protect themselves - Drupal or otherwise!

22:14, 8 May 2007

NO subject

by russian (not verified)

Are you a russophobe, or does the name of the article simply seem successful? :(

01:02, 9 May 2007

I've nothing personal against Russians

by Nick

Don't get me wrong - could be Russian, American or British. I couldn't care less where the mindless idiot who would rather waste their time spamming sites than go outside or get a friend comes from. If the people who had been regularly spamming had been traceable to America rather than Russia, then that's where the title would be pointing its finger.

The blog title is a pun based on the James Bond 007, From Russia With Love.

For your information, take a look at these stats. Out of the top 25 offending countries for comment spam, Russia makes up 6 of them and a sum of the offences logged shows Russia is the top offender (according to my maths, but it is 1am here...).

10:54, 11 May 2007

More spam

by Nick

I got some more spam... I've now had to block 4 IP Subnets...

  • 81.177.14.0/24
  • 81.177.15.0/24
  • 81.177.38.0/24
  • 81.177.39.0/24

16:33, 25 May 2007

Really, update your CAPTCHA

by Anonymous (not verified)

Really, update your CAPTCHA module. See (http://drupal.org/node/114364).

17:38, 25 May 2007

I'll look into it

by Nick

Thanks, I'll look into updating it. I know the module is heavily in development. Currently it's my only defence! ;-)

23:34, 25 May 2007

I've just read that thread...

by Nick

... and I AM using the latest CAPTCHA module. I upgraded as soon as that bug and fix was announced.

Thanks though :-)

13:49, 20 Jul 2007

yes, The Russians

by Anonymous (not verified)

yes,

The Russians stink.. The entire ISPs should be banned! Russia is a spam country, no wonder post-communist MF's...

22:49, 20 Jul 2007

Thats a little strong

by Nick

It really is a minority doing it - unfortunately all from the same ISP it seems...

What should happen is some kind of punishment on the ISP by the Russian government or something, otherwise the ISP has no incentive to track these users down.

07:34, 30 Jul 2007

Overview

by Visitor258 (not verified)

I have visited your site 335-times

20:05, 4 Aug 2007

what is the ip range for

by Anonymous (not verified)

What is the IP range for the Russian Federation? I want to block everything coming from this country... *sorry*
I'm sick and tired of these spammers....

12:42, 5 Aug 2007

I don't know...

by Nick

I'm not sure... There must be an easy way to find out the IP address range for the offending ISP...

It is also a real shame that we 'have' to paint everyone with the same brush when it comes to spam like this, however there is very little choice.

19:40, 12 Sep 2007

IP tables script

by Anonymous (not verified)

hey,

I'm in the same situation as you. I'm trying to get ip tables up and running for a drupal based server I have.

fyi, although you added the INPUT line above, when you reboot your server it will no longer be in your config! You actually have to write a script and then save to iptables config file for reuse on next reboot.

that said, would you be interested in sharing the rest of your iptables lockdown script/config (you can hide the ip addresses if need be or change them)?

thanks if you can

09:40, 13 Sep 2007

Ah damn!

by Nick

You know, you're right!

My otherwise very stable VPS decided to lock-up a few nights ago. This caused me to reboot it and - you guessed it - I lost my config! DAMN!

Once I get my IP Tables back I'll try to post them up here!

18:04, 14 Sep 2007

Thanks

by Anonymous (not verified)

I'll look for the repost!

01:41, 25 Oct 2007

More than one solution now

by deekayen (not verified)

Actually, I'm using more than one solution now. The deny solution was for the people who kept repeatedly trying to post junk. My site is on a shared server, so iptables isn't a possible solution.

This combination of settings has brought my site's spam to 0.00%.

19:44, 7 Nov 2007

Source for finding IP ranges for a country

by SteveM (not verified)

I'm experimenting with almost exactly what you've outlined in the above article.

I am also using the website at the below link as a source for finding (potentially) offending ranges from (often) offending sources.

It's worth a shot.

I'm using some scripts based on netstat and whois lookups to determine frequent visitors from locations where my leash-holders don't do any business. Based on that, I'm able to remove the recent offenders.

If I see a pattern related to a particular ISP or location, then I use the below to DROP all ports that may offend.

http://www.proxyserverprivacy.com/ipaddress_range.php

Thanks,

sem

13:07, 6 Dec 2007

SPAM is a really

by Aleksei (not verified)

SPAM is a really international thing ;-)

20:36, 19 Dec 2007

Ban Russia

by Anonymous (not verified)

I learned recently that Russians cannot be prosecuted for cyber crimes against non-Russian nationals. If they care so little for the welfare of the rest of the planet then they should be unhooked (via copious blacklisting) and they can talk amongst themselves.

01:56, 7 Mar 2008

install no-follow attribute,

by replica watches (not verified)

install no-follow attribute, or premoderation. And no spam here.

The spam has appeared to stop recently... I do use the Spam Module which picks up things like number of links in the post, number of links to the same place, repeated words, etc... It's quite good.

03:05, 21 Apr 2008

USA is top?

by Anonymous (not verified)

Hi there,

Just reading your posts and comparing to the stats over at honey pot and also my own server records. I'm surprised! USA comes up top for all kinds of spam activity but (and I think I'm not the only one here) my own server records show that the top culprit is Russia. This could be misleading counter intelligence on the part of the Americans - my guess is the American spammers bluff as Russians to avoid detection and blame - maybe by using .ru addresses etc - however they can't fool the stats at honey pot? Maybe honeypot has been hacked by the Russians to show the USA as the number 1 culprit.

OMG I think I just discovered the cold war is still going on in cyberspace!

Top-5 Countries For Harvesting
#1 United States (18.6%)
#2 China (12.9%)
#3 Spain (8.6%)
#4 Romania (6.7%)
#5 Germany (5.8%)

Top-5 Countries For Spam Sending
#1 United States (15.2%)
#2 China (14.4%)
#3 Korea (6.7%)
#4 Germany (5.7%)
#5 Poland (5.0%)

Top-5 Countries For Dictionary Attacks
#1 United States (13.2%)
#2 Russian Federation (8.3%)
#3 China (7.9%)
#4 Korea (6.3%)
#5 Spain (5.9%)

Top-5 Countries For Comment Spamming
#1 United States (34.8%)
#2 Japan (7.0%)
#3 Brazil (6.7%)
#4 India (6.0%)
#5 Germany (4.5%)
