mod_spamhaus and botscout

scumbag spammer Robert Soloway

I decided to install mod_spamhaus, and 77.92.233.198 (Georgia) was my first confirmation that it was working. The server rejects both GET and PUT requests from the troubled like 77.92.233.198.

The interesting thing is what happens to botscout (my blog). Now it's not a case of one or the other, and both are here for the long term, but will the traffic reaching botscout reduce? With both working and time to spare, here are the results for a week*.

day          apache (mod_spamhaus)   botscout               total
1 sunday     no comparison (3)       less than usual (7)    10
2 monday     same (3)                less than usual (11)   14
3 tuesday    more (5)                average (25)           30
4 wednesday  average (4)             average (21)           25
5 thursday   normal (3)              average (19)           22
6 friday     above average (5)       average (26)           31
7 saturday   average (5)             average (21)           26
totals:  (3 3 5 4 3 5 5) 28 – 18.5 %  (10 25 21 19 26 21) 123 – 81.5%  150

A hit is counted as a log entry (or, for botscout, a file write recording a kill) carrying a distinct time stamp within the day's sampling period, so the same IP appearing again with a different time stamp is a separate hit and not a typo. Logs for both are stored in separate files as well, to guard against double counting.

Monday and Wednesday each saw one piece of form comment spam get past both form validation and the captcha. So I'm not saying it's perfect, but dealing with 1 instead of 11, you can work it out.

There are some lists you would never use with mod_spamhaus. And if you can install a local DNS server** on your web server, it seems to afford some extra protection.

Looking at the results, even with such a small sample it seems clear that there is a differentiation between the email-sending bots on port 25 and the ones that, with or without humans behind them, try to get past web forms with or without a captcha.

I have pages with three or four forms on them; it's interesting to watch that the first form gets attacked more than the others, which indicates a level of stupidity in the scan of the HTML as to what gets submitted.

Amusingly, the AJAX handling is rather fun: even if a human of some type gets past the validation and posts content, as happened on Monday and Wednesday above, it is not displayed where a web robot could look at it; only the submitter sees the result or the altered HTML.

I interpret the result as 20% more form spam intercepted and bandwidth saved through other tests not being run. While perhaps the blocklist is not perfect, together with other measures it makes people who emulate Robert Soloway a little harder to pump and dump.

* Who said blogging should be instant?
** Using a public DNS service will make the DNS query return a fail code.
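As an added illustration of the lookup mod_spamhaus performs and of the footnote about public resolvers, here is a small Python client check written for this post (it is not mod_spamhaus code). It reverses the client's octets into a zen.spamhaus.org query name, maps the answer to a verdict, treats the 127.255.255.x error codes as "no answer" rather than "listed", and by default does not block on the PBL sub-list (end-user dynamic ranges, which is where ordinary visitors live); the resolver is pluggable so the sample answers below are constructed and do not reflect real listing state.

```python
import ipaddress
import socket
from typing import Callable, FrozenSet, Optional, Tuple

# Return codes published for zen.spamhaus.org, grouped by sub-list.
LISTED = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Error codes: an answer in this range means the query was not usable.
ERRORS = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query came via a public/open resolver; use a local resolver",
    "127.255.255.255": "query volume limit exceeded",
}
Resolver = Callable[[str], Optional[str]]

def dnsbl_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL query name: 77.92.233.198 -> 198.233.92.77.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this check only handles IPv4 clients")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answer: Optional[str], act_on: FrozenSet[str]) -> Tuple[str, str]:
    """Map an A-record answer (None = NXDOMAIN, not listed) to (verdict, reason)."""
    if answer is None:
        return "allow", "not listed"
    if answer in ERRORS:                       # fail open, but surface the cause
        return "error", ERRORS[answer]
    if answer in LISTED:
        sub = LISTED[answer]
        return ("block", sub) if sub in act_on else ("allow", f"{sub} listed, not enforced")
    return "error", f"unexpected answer {answer}"

def resolve_a(name: str) -> Optional[str]:
    """Live resolver: first A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_client(ip: str, resolve: Resolver = resolve_a,
                 act_on: FrozenSet[str] = frozenset({"SBL", "XBL"})) -> Tuple[str, str]:
    return classify(resolve(dnsbl_name(ip)), act_on)

# Constructed offline answers for TEST-NET addresses; not real listing data.
FAKE_ZONE = {
    dnsbl_name("192.0.2.10"): "127.0.0.4",         # compromised host -> block
    dnsbl_name("192.0.2.20"): "127.255.255.254",   # asked through an open resolver
    dnsbl_name("192.0.2.40"): "127.0.0.10",        # PBL only -> allowed by default
}

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, check_client(client, FAKE_ZONE.get))
```

Pass `resolve=resolve_a` (the default) to query the live zone from a local resolver; the 127.255.255.254 branch is the "fail code" the footnote refers to.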