
I'm Getting Spammed

Posted: Mon Jan 15, 2007 7:33 am
by Nodda4me
Screen shot of spam: http://nodda4me.net/up/S226021225.JPG

I'm getting spammed by some dumb Russian fag bot. It started about 72 hours ago. I had to write a script that will ban it automatically. It bypassed it once but I fixed it.

This spam keeps going on and on. About every 30 minutes, if not a little more.

I actually found one of the IPs on Wikipedia: http://en.wikipedia.org/wiki/User:212.138.64.176
This IP address has been blocked because it is believed to be an open proxy or zombie computer.

Does anyone have any information about this spammer? And, if you have received the same type of spam and have the IPs, could I have them?

As I'm writing this, I have 40 banned IPs so far. You can go here to see all the banned IPs and even see the spam message / links. The links are mostly 404 error not found.
http://nodda4me.net/?q=BanAdmin

Thanks

Posted: Mon Jan 15, 2007 7:58 am
by Nodda4me
*update

http://www.zionismontheweb.org/hackers/ ... ddress.htm

Hopefully this is what I need to stop the spamming. I made an htaccess file containing:

Code:

order allow,deny
# Apache's "deny from" does not understand "*" wildcards (such an entry is
# read as a hostname and never matches); use CIDR for whole /24 ranges
deny from 212.138.47.0/24
deny from 212.138.64.0/24
deny from 212.138.113.0/24
deny from 86.51.5.36
deny from 86.51.5.84
deny from 59.120.35.49
deny from 63.246.155.68
deny from 66.235.206.193
deny from 70.42.51.10
deny from 72.29.80.155
deny from 83.143.81.86
deny from 83.76.15.160
deny from 147.202.43.242
deny from 195.56.55.5
deny from 195.225.120.2
deny from 202.142.212.30
deny from 203.204.130.58
deny from 208.66.195.15
allow from all

Posted: Mon Jan 15, 2007 9:47 am
by feyd
Is this a Wordpress install?

Posted: Mon Jan 15, 2007 1:59 pm
by Ambush Commander
Ah, I've been getting this stuff too. Just block the IPs and it should slow down to a trickle. If it's Wordpress, look into installing a Captcha plugin.

Posted: Mon Jan 15, 2007 4:05 pm
by Nodda4me
What is a Wordpress and what is a Captcha plugin?

Posted: Mon Jan 15, 2007 4:46 pm
by John Cartwright

Posted: Mon Jan 15, 2007 4:58 pm
by Nodda4me
Well, then it's not a "Wordpress", I made my site and the php scripts.

Posted: Mon Jan 15, 2007 5:00 pm
by Ambush Commander
Hmm... you should still look into using a captcha.

Posted: Mon Jan 15, 2007 5:47 pm
by Nodda4me
I'm still getting spammed. Not much, and it's not getting past my ban script.

If anyone else is getting these spams, you may want to use htaccess. I think it's blocking most of it.

Again, my htaccess:

Code:

order allow,deny
# Apache's "deny from" does not understand "*" wildcards (such an entry is
# read as a hostname and never matches); use CIDR for whole /24 ranges
deny from 212.138.47.0/24
deny from 212.138.64.0/24
deny from 212.138.113.0/24
deny from 86.51.5.36
deny from 86.51.5.84
deny from 59.120.35.49
deny from 63.246.155.68
deny from 66.235.206.193
deny from 70.42.51.10
deny from 72.29.80.155
deny from 83.143.81.86
deny from 83.76.15.160
deny from 147.202.43.242
deny from 195.56.55.5
deny from 195.225.120.2
deny from 202.142.212.30
deny from 203.204.130.58
deny from 208.66.195.15
allow from all

ErrorDocument 403 http://n4yhosting.com/nodda4me/forbid.php

Dear Josh,

The IP belongs to the Saudi Network Information Center. The group Team
Evil Arab Hackers were using this network as a springboard a while
back. The system admins were non responsive.

More info here (there's an IE 7 format bug, apologies, will fix this
eventually... meantime use firefox if you have it)
http://www.zionismontheweb.org/hackers/

Posted: Mon Jan 15, 2007 5:55 pm
by feyd
Why not make the submissions moderated so they require your approval before being made public? Granted, this isn't very realistic on larger scale operations, but for small stuff it's perfectly fine for many.

Posted: Mon Jan 15, 2007 5:57 pm
by John Cartwright
If you're fighting a losing war, a technique that I've seen much success with is to allow them to post their spam. Here's the catch, only show the spam to users in your ban list, and hide it from the rest of the users.

Code:

// One IP per line; keep only lines that are valid IP addresses
$bans = array_filter(array_map('trim', file('bans.txt')), function ($ip) {
   return filter_var($ip, FILTER_VALIDATE_IP) !== false;
});

if (!$bans || in_array($_SERVER['REMOTE_ADDR'], $bans, true))
{
   //get complete list of listings (also used when the ban list is empty)
   $sql = 'SELECT * FROM `listing`';
}
else
{
   // Entries are validated IPs, so wrapping each in quotes is safe here
   $sql = "SELECT * FROM `listing` WHERE `ip` NOT IN ('".implode("','", $bans)."')";
}

This will allow you to apply further security, and they won't be the wiser that their spam isn't being shown to anyone but spammers! Revenge! There are some downsides to this however. I would only recommend this if they are consistently trying to circumvent your defenses.

Posted: Mon Jan 15, 2007 6:01 pm
by jayshields
Nice idea Jcart; not heard that before. That could be useful one day.

Posted: Mon Jan 15, 2007 6:16 pm
by Nodda4me
I would never want to approve a message. Especially getting an email every 30 seconds.


Jcart, that could be useful. However, I don't need it. I wrote my script to automatically check for spam (for instance, every message he has says "Thanks", so if the message has "Thanks" + "<a" + "http", then do the ban procedures.)


I also have my script set to ban someone who:
-Tries to post PHP "<?"
-Tries to post 3 or more URLs

No one would have to post 3 URLs, hell, they shouldn't even have to post 1. It's just.. like a guestbook.

Code:

if ($ShoutName && $ShoutEmail && $ShoutInfo) {
	//Get the number of the following
	$dex1 = substr_count($ShoutInfo, "http");
	$dex2 = substr_count($ShoutInfo, "www.");
	$dex3 = substr_count($ShoutInfo, "<a");
	$dex4 = substr_count($ShoutInfo, "<?");
	$dex5 = substr_count($ShoutInfo, "Nice site. Thank you");
	$dex6 = substr_count($ShoutInfo, "Cool site. Thank you");
	$dex7 = substr_count($ShoutInfo, "Thank");
	//End of getting numbers
	if ($dex1 > 2 || $dex2 > 2 || $dex3 > 1 || $dex4 > 0 || $dex5 > 0 || $dex6 > 0 || $dex7 > 0) { //If the message has any of these then
		$Reason = "Unknown"; //Set default reason
		if ($dex1 > 2 || $dex2 > 2) { //If message has 3+ "www." or 3+ "http"
			$Reason = "URL Spammer";
		}
		if ($dex3 > 1) {
			$Reason = "URL Syntax"; //If message has 2+ "<a"
		}
		if ($dex4 > 0) {
			$Reason = "PHP Syntax"; //If message has "<?", automatic ban
		}
		if ($dex5 > 0 || $dex6 > 0) {
			$Reason = "spammer or bot"; //If message has "Nice site" message or the "Cool site" message
		}
		if ($dex7 > 0 && $dex1 > 0 && $dex3 > 0) {
			$Reason = "spammer or bot"; //My newest addition, "Thanks" + "<a" + "http" = ban
		}
		if ($Reason != "Unknown") {
			//Add to BAN table in SQL
			die("Banned: $Reason");
		}
	}
}
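
Added example (not part of Nodda4me's post or script): the same rules written as one function that returns a ban reason, matched case-insensitively so `<A HREF` and `HTTP://` are counted too, and run over constructed sample messages. The names `count_ci()` and `spam_reason()` and the sample messages are assumptions.

```php
<?php
// Added example; spam_reason(), count_ci() and the samples are hypothetical.

// Case-insensitive substr_count(), so "<A HREF" and "HTTP://" are counted.
function count_ci(string $text, string $needle): int
{
    return substr_count(strtolower($text), strtolower($needle));
}

// Returns the ban reason for a message, or null when it should be accepted.
// Rule priority follows the posted script (later checks there win).
function spam_reason(string $msg): ?string
{
    $http    = count_ci($msg, 'http');
    $www     = count_ci($msg, 'www.');
    $anchors = count_ci($msg, '<a');

    if (count_ci($msg, 'thank') > 0 && $http > 0 && $anchors > 0) {
        return 'spammer or bot';   // "Thank" + "<a" + "http"
    }
    if (count_ci($msg, 'nice site. thank you') > 0
        || count_ci($msg, 'cool site. thank you') > 0) {
        return 'spammer or bot';
    }
    if (count_ci($msg, '<?') > 0) {
        return 'PHP Syntax';
    }
    if ($anchors > 1) {
        return 'URL Syntax';
    }
    if ($http > 2 || $www > 2) {
        return 'URL Spammer';
    }
    return null;
}

// Constructed sample messages (not taken from the real spam).
$samples = array(
    'Thanks for the great site!',
    'THANKS <A HREF="HTTP://spam.example/">pills</A>',
    'http://a.example http://b.example http://c.example',
    '<?php echo 1; ?>',
);
foreach ($samples as $msg) {
    $reason = spam_reason($msg);
    echo ($reason === null ? 'accept' : "ban ($reason)") . ": $msg\n";
}
```

A plain "Thanks" with no link is accepted, while the upper-case link message, which the case-sensitive `substr_count()` checks would let through, is banned.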

Posted: Mon Jan 15, 2007 7:08 pm
by jayshields
So if someone posts on your guestbook saying "Thanks", they get banned? That seems like a poor system! Why not look into CAPTCHAs?

Posted: Mon Jan 15, 2007 8:09 pm
by Nodda4me
Actually, it sounds like you have poor reading. I said if they say "Thank" + post a URL ("Thanks" + "<a" + "http") then they are banned.