I'm Getting Spammed

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Nodda4me
Forum Newbie
Posts: 12
Joined: Sun Jun 18, 2006 6:57 pm

Post by Nodda4me »

Screen shot of spam: http://nodda4me.net/up/S226021225.JPG

I'm getting spammed by some dumb Russian fag bot. It started about 72 hours ago. I had to write a script that will ban it automatically. It bypassed it once but I fixed it.

This spam keeps going on and on. About every 30 minutes, if not a little more.

I actually found one of the IPs on Wikipedia: http://en.wikipedia.org/wiki/User:212.138.64.176
This IP address has been blocked because it is believed to be an open proxy or zombie computer.

Does anyone have any information about this spammer? And, if you have received the same type of spam and have the IPs could I have them?

As I'm writing this, I have 40 banned IPs so far. You can go here to see all the banned IPs and even see the spam message / links. The links are mostly 404 error not found.
http://nodda4me.net/?q=BanAdmin

Thanks
Nodda4me
Forum Newbie
Posts: 12
Joined: Sun Jun 18, 2006 6:57 pm

Post by Nodda4me »

*update

http://www.zionismontheweb.org/hackers/ ... ddress.htm

Hopefully this is what I need to stop the spamming. I made an htaccess file containing:

Code:

# Allow everyone first, then apply the deny rules below
order allow,deny
# Apache does not accept "*" wildcards in an address; a partial address covers the range
deny from 212.138.47
deny from 212.138.64
deny from 212.138.113
deny from 86.51.5.36
deny from 86.51.5.84
deny from 59.120.35.49
deny from 63.246.155.68
deny from 66.235.206.193
deny from 70.42.51.10
deny from 72.29.80.155
deny from 83.143.81.86
deny from 83.76.15.160
deny from 147.202.43.242
deny from 195.56.55.5
deny from 195.225.120.2
deny from 202.142.212.30
deny from 203.204.130.58
deny from 208.66.195.15
allow from all
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Is this a Wordpress install?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Ah, I've been getting this stuff too. Just block the IPs and it should slow down to a trickle. If it's Wordpress, look into installing a Captcha plugin.
Nodda4me
Forum Newbie
Posts: 12
Joined: Sun Jun 18, 2006 6:57 pm

Post by Nodda4me »

What is a Wordpress and what is a Captcha plugin?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

Nodda4me
Forum Newbie
Posts: 12
Joined: Sun Jun 18, 2006 6:57 pm

Post by Nodda4me »

Well, then it's not a "Wordpress", I made my site and the php scripts.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Hmm... you should still look into using a captcha.
Nodda4me
Forum Newbie
Posts: 12
Joined: Sun Jun 18, 2006 6:57 pm

Post by Nodda4me »

I'm still getting spammed. Not much, and it's not getting past my ban script.

If anyone else is getting these spams, may want to use htaccess. I think it's blocking most of it.

Again, my htaccess:

Code:

# Allow everyone first, then apply the deny rules below
order allow,deny
# Apache does not accept "*" wildcards in an address; a partial address covers the range
deny from 212.138.47
deny from 212.138.64
deny from 212.138.113
deny from 86.51.5.36
deny from 86.51.5.84
deny from 59.120.35.49
deny from 63.246.155.68
deny from 66.235.206.193
deny from 70.42.51.10
deny from 72.29.80.155
deny from 83.143.81.86
deny from 83.76.15.160
deny from 147.202.43.242
deny from 195.56.55.5
deny from 195.225.120.2
deny from 202.142.212.30
deny from 203.204.130.58
deny from 208.66.195.15
allow from all

# Page shown to denied clients
ErrorDocument 403 http://n4yhosting.com/nodda4me/forbid.php

Dear Josh,

The IP belongs to the Saudi Network Information Center. The group Team
Evil Arab Hackers were using this network as a springboard a while
back. The system admins were non-responsive.

More info here (there's an IE 7 format bug, apologies, will fix this
eventually... in the meantime use Firefox if you have it)
http://www.zionismontheweb.org/hackers/
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Why not make the submissions moderated so they require your approval before being made public? Granted, this isn't very realistic on larger scale operations, but for small stuff it's perfectly fine for many.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

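If you're fighting a losing war, a technique that I've seen much success with is to allow them to post their spam. Here's the catch: only show the spam to users in your ban list, and hide it from the rest of the users.

Code:

// Load banned IPs, one per line, dropping newlines and blank lines
$bans = file('bans.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: array();
// Keep only well-formed IPs so the values are safe to quote into the query
$bans = array_filter(array_map('trim', $bans), function ($ip) {
   return filter_var($ip, FILTER_VALIDATE_IP) !== false;
});

// The client address is in REMOTE_ADDR (there is no REMOTE_IP key)
if (!$bans || in_array($_SERVER['REMOTE_ADDR'], $bans, true))
{
   //get complete list of listings
   $sql = 'SELECT * FROM `listing`';
}
else
{
   // IPs are strings, so each one must be quoted inside NOT IN (...)
   $sql = "SELECT * FROM `listing` WHERE `ip` NOT IN ('".implode("','", $bans)."')";
}

This will allow you to apply further security, and they won't be the wiser that their spam isn't being shown to anyone but spammers! Revenge! There are some downsides to this however. I would only recommend this if they are consistently trying to circumvent your defenses.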
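
Added example, not part of the post above: the same shadow-ban listing written with PDO bound parameters, so the banned addresses never become part of the SQL text. The `listing` table and `ip` column follow the post; the in-memory SQLite schema, the `body` column, the function name `visibleListings()` and the sample rows are assumptions constructed for the demo.

```php
<?php
// Added example (not from the thread): shadow-ban listing with bound parameters.
function visibleListings(PDO $db, array $bans, string $clientIp): array
{
    // Banned clients (or an empty ban list) get the unfiltered listing,
    // so a banned poster still sees his own messages
    if (!$bans || in_array($clientIp, $bans, true)) {
        return $db->query('SELECT ip, body FROM listing ORDER BY id')
                  ->fetchAll(PDO::FETCH_ASSOC);
    }
    // One "?" per banned IP; the values are sent separately from the SQL
    $marks = implode(',', array_fill(0, count($bans), '?'));
    $stmt = $db->prepare(
        "SELECT ip, body FROM listing WHERE ip NOT IN ($marks) ORDER BY id"
    );
    $stmt->execute(array_values($bans));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listing (id INTEGER PRIMARY KEY, ip TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO listing (ip, body) VALUES (?, ?)');
$rows = [
    ['192.0.2.10',  'Hello from a visitor'],
    ['203.0.113.7', 'Nice site. Thank you'],
];
foreach ($rows as $row) {
    $ins->execute($row);
}
$bans = ['203.0.113.7'];   // constructed ban list (documentation address range)

// The ordinary visitor sees 1 row; the banned address sees both
foreach (['192.0.2.10', '203.0.113.7'] as $viewer) {
    $count = count(visibleListings($db, $bans, $viewer));
    printf("%s sees %d row(s)\n", $viewer, $count);
}
```
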
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Nice idea Jcart; not heard that before. That could be useful one day.
Nodda4me
Forum Newbie
Posts: 12
Joined: Sun Jun 18, 2006 6:57 pm

Post by Nodda4me »

I would never want to approve a message. Especially getting an email every 30 seconds.


Jcart, that could be useful. However, I don't need it. I wrote my script to automatically check for spam (for instance, every message he has says "Thanks", so if the message has "Thanks" + "<a" + "http", then do the ban procedures.)


I also have my script set to ban someone who:
-Tries to post PHP "<?"
-Tries to post 3 or more URLs

No one would have to post 3 URLs, hell, they shouldn't even have to post 1. It's just.. like a guestbook.

Code:

if ($ShoutName && $ShoutEmail && $ShoutInfo) {
	//Get the number of the following
	//(substr_count() is case-sensitive, so "HTTP" or "<A" are not counted)
	$dex1 = substr_count($ShoutInfo, "http");
	$dex2 = substr_count($ShoutInfo, "www.");
	$dex3 = substr_count($ShoutInfo, "<a");
	$dex4 = substr_count($ShoutInfo, "<?");
	$dex5 = substr_count($ShoutInfo, "Nice site. Thank you");
	$dex6 = substr_count($ShoutInfo, "Cool site. Thank you");
	$dex7 = substr_count($ShoutInfo, "Thank");
	//End of getting numbers
	if ($dex1 > 2 || $dex2 > 2 || $dex3 > 1 || $dex4 > 0 || $dex5 > 0 || $dex6 > 0 || $dex7 > 0) { //If the message has any of these then
		$Reason = "Unknown"; //Set default reason
		if ($dex1 > 2 || $dex2 > 2) { //If message has 3+ "www." or 3+ "http"
			$Reason = "URL Spammer";
		}
		if ($dex3 > 1) {
			$Reason = "URL Syntax"; //If message has 2+ "<a"
		}
		if ($dex4 > 0) {
			$Reason = "PHP Syntax"; //If message has "<?", automatic ban
		}
		if ($dex5 > 0 || $dex6 > 0) {
			$Reason = "spammer or bot"; //If message has "Nice site" message or the "Cool site" message
		}
		if ($dex7 > 0 && $dex1 > 0 && $dex3 > 0) {
			$Reason = "spammer or bot"; //My newest addition, "Thanks" + "<a" + "http" = ban
		}
		if ($Reason != "Unknown") {
			//Add to BAN table in SQL
			die("Banned: $Reason");
		}
	} //End of spam checks
} //End of form check
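
Added example, not part of any post in this thread: the same rules applied case-insensitively, with a flagged message held for approval instead of triggering an IP ban, and the text escaped for display. The rule thresholds and reason strings follow the post above; the function name `classifyShout()`, the `hold`/`publish` actions and the sample messages are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread.
function classifyShout(string $message): array
{
    $text = strtolower($message);   // so "HTTP://" and "<A HREF" are counted too
    // Count each URL once: "www." directly after "//" belongs to the same URL
    $urls = (int) preg_match_all('~https?://|(?<!/)www\.~', $text);
    $anchors = substr_count($text, '<a');
    $reasons = [];
    if ($urls >= 3) {
        $reasons[] = 'URL Spammer';
    }
    if ($anchors >= 2) {
        $reasons[] = 'URL Syntax';
    }
    if (strpos($text, '<?') !== false) {
        $reasons[] = 'PHP Syntax';
    }
    $stock = preg_match('~(nice|cool) site\. thank you~', $text) === 1;
    $thanksWithLink = strpos($text, 'thank') !== false && $urls > 0 && $anchors > 0;
    if ($stock || $thanksWithLink) {
        $reasons[] = 'spammer or bot';
    }
    return [
        // Hold for review rather than ban: a tripped rule does not lock out an IP
        'action'  => $reasons ? 'hold' : 'publish',
        'reasons' => $reasons,
        // Escaped for output, so "<a" and "<?" are rendered as text, not markup
        'html'    => htmlspecialchars($message, ENT_QUOTES, 'UTF-8'),
    ];
}

$samples = [   // constructed messages
    'Thanks, great guestbook!',                      // publish: no link present
    'THANKS <A HREF="HTTP://spam.example/">x</A>',   // hold: upper case is still matched
    'Nice site. Thank you',                          // hold: stock bot phrase
];
foreach ($samples as $msg) {
    $r = classifyShout($msg);
    printf("%-8s %-16s %s\n", $r['action'], implode(',', $r['reasons']), $r['html']);
}
```
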
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

So if someone posts on your guestbook saying "Thanks", they get banned? That seems like a poor system! Why not look into CAPTCHAs?
Nodda4me
Forum Newbie
Posts: 12
Joined: Sun Jun 18, 2006 6:57 pm

Post by Nodda4me »

Actually, it sounds like you have poor reading. I said if they say "Thank" + post a URL ("Thanks" + "<a" + "http") then they are banned.