Posted to users@httpd.apache.org by Phil Endecott <sp...@chezphil.org> on 2008/02/11 18:55:28 UTC

[users@httpd] Blacklists & similar to avoid e.g. forum spam

Dear Experts,

Would anyone like to share any strategies for blocking forum spam and 
similar nastiness?

I have a couple of forums which were totally filled with spam when I 
was once on holiday.  When I got back I had to take them down for ages 
to clean them up, and then added a "captcha" mechanism to prevent 
further attacks.  This seems to have worked (fingers crossed).  
However, I still see vast numbers of attempted attacks: so much so that 
these accesses dominate the sites' bandwidth usage.  It's not a huge 
problem at present, but it's clear that e.g. a ten-fold increase could 
easily happen overnight and would start to get expensive.

I've also started to see sites that just download large files over and 
over again, and I'm writing this message now because an address in 
Indonesia has downloaded one largish file 1664 times in the last two 
hours.  Again, the bandwidth is not yet a problem, but I think I need to 
do something - or at least know what I could do - before it becomes one.

I guess that the accesses come from "botnets" of compromised Windows 
machines.  The IP addresses that I have checked look like DSL lines.

So, I was wondering whether there are IP blocklists that I could apply 
- that strategy seems to work well for email.  But there are a few obstacles:

- For email filtering, the prevalent view seems to be to not identify 
individual compromised home computers, but rather to block the entire 
IP ranges of DSL providers.  This is fine for email but obviously isn't 
appropriate for the web.

- For email, the latency of doing a DNS blocklist lookup per connection 
is acceptable.  But for a web server, latency is more undesirable.  I 
imagine that it would be satisfactory to reject connections only if 
they were blocked by a locally cached blocklist entry, and to check new 
connections in the background.

- Finally, I don't see any support for this sort of thing in Apache.

Perhaps people have other strategies?

Many thanks for any suggestions.

Phil.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] Blacklists & similar to avoid e.g. forum spam

Posted by Ryan Barnett <Ry...@Breach.com>.
Phil,
ModSecurity can help address comment SPAM on a number of fronts -

1) The soon-to-be-released version of the Core Rule set
(http://www.modsecurity.org/projects/rules/index.html) will include some
basic rules around identifying comment SPAM.

2) You could use the @rbl operator in ModSecurity 2 to run real time
lookups against the various block lists.

3) As you mentioned below, you probably don't want the overhead of
repeated rbl checks every time the SPAMMER posts a message, so you could
combine the @rbl check with a persistent collection (based on the IP
address) that can enforce a temporary block (say for 1 day).

4) There are some other ModSecurity ideas that you might be able to take
from ScallyWhack (http://projects.otaku42.de/wiki/ScallyWhack) which
helps to prevent Comment SPAM on TRAC sites.  

5) We had a recent thread on the modsecurity-users-list about rate
limiting POST requests that can help against aggressive SPAMMERS -
http://article.gmane.org/gmane.comp.apache.mod-security.user/4403.  

Hope this info helps.

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

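Items 3 and 5 of Ryan's reply (an @rbl check cached in a per-IP persistent collection, plus a POST rate limit) written out as a worked ModSecurity 2 configuration. This is an added example, not code from the thread or from the ModSecurity project; it assumes ModSecurity 2.x, a SecDataDir writable by the httpd user, and `dnsbl.example.net` as a placeholder for whichever block list you pick.

```apache
# Added example: @rbl lookup cached in a persistent per-IP collection, so the
# DNS lookup happens once per client and the verdict is kept locally for a day.
# Assumptions: ModSecurity 2.x; SecDataDir writable by the httpd user;
# dnsbl.example.net is a placeholder, not a real block list.
SecRuleEngine On
SecDataDir /var/cache/modsecurity

# Load (or create) the persistent collection keyed on the client address.
SecAction "phase:1,id:100001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Fast path: a client already marked in the local cache is refused
# without any DNS traffic (ip.blocked is absent for unknown clients).
SecRule IP:blocked "@eq 1" \
    "phase:1,id:100002,deny,status:403,log,msg:'Client on cached block list'"

# Slow path: only POSTs (forum submissions) pay for the RBL lookup.
# On a hit, deny and remember the verdict for 86400 seconds (one day).
SecRule REQUEST_METHOD "@streq POST" \
    "phase:1,id:100003,deny,status:403,log,msg:'Client listed in RBL',chain"
    SecRule REMOTE_ADDR "@rbl dnsbl.example.net" \
        "setvar:ip.blocked=1,expirevar:ip.blocked=86400"

# Rate limit: count POSTs per address in a sliding 60-second window;
# more than 10 marks the address blocked for the same day-long window.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:1,id:100004,pass,nolog,setvar:ip.post_count=+1,expirevar:ip.post_count=60"
SecRule IP:post_count "@gt 10" \
    "phase:1,id:100005,deny,status:403,log,msg:'POST rate limit exceeded',setvar:ip.blocked=1,expirevar:ip.blocked=86400"
```

The @rbl lookup runs synchronously inside the request, so the cache only removes repeat lookups: the first POST from a new address still waits on DNS, which is the latency Phil raised, and the collection is keyed on the client address, so clients sharing a NAT or proxy share a verdict.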