I find Spam Karma very effective - although I do not get anything like that level of spam it still adds up to 40,000 blocked since I installed SK 2 a few years ago and only a handful of spam comments have shown in the moderation queue in that time.
@ergophobe, Yes, hidden form fields work surprisingly well. Bot writers do not seem to handle them as successfully as Captcha even though I would have imagined it is much easier.
As you mentioned, most of the entries on your list are from broadband.kyivstar.net (big PITA lately), 163data.com.cn and sovam.net.ua. Those are blocked on all of the sites I manage. Flat out 403.
I have yet to see a normal visitor on any of the sites I run from kyivstar or sovam. My content just does not rank in UA to bring in visitors.
I think I've mentioned it before on this forum... I've set up 2 open forums that are pretty much SPAM magnets. Those forums feed IP data into one central location (MySQL DB). Hosting ranges get no access, bad headers get the IP into the DB, and having a referrer with a domain name that ends with ".ru/" or ".ua/" is a one-way ticket for sure.
The IPs that are not already in the DB are checked against STOPFORUMSPAM (has a lot of plugins) and PROJECTHONEYPOT (same here) just to make sure. Surprisingly it never fails; almost all come back as baddies.
I don't do moderation on those forums. Data tables with comments and newly created threads get truncated every few days or so automagically. Any requests to deleted thread URLs are a sure way to get into the DB. Bam. The DB gets reseeded with a few threads that would contain text equivalent to everything I just wrote, but the words would be in random order. Something like "would in but be random the order words the".
No self-respecting human ever did or will leave a comment on these 2 forums. It did catch me some human visitor IPs from INDIA; the same IPs were later used by someone with "blue-widgets + link exchange" in the referrer from GOOGLE on one of the main sites. OH, and search engines are not allowed past the home page and forum index, so no harm there...
By the time they (bots) get to my normal sites, it's too late for them.
It costs me $5.95 a month to host it and gets written off as a business expense/productivity enhancement at the end of the year :).
|I've set up 2 open forums that are pretty much SPAM Magnet. |
That was pretty much the purpose of the blog initially, to experiment with the spambots, and then I started actually using it and the more I posted the higher the volume of spam that flooded the site.
Quite amusing to watch it unfold.
It's painfully easy to send 2000, 4000, 8000, etc. successful spam blog posts per day.
"Goes to show you this isn't some script kiddie, this is industrial strength spamming. "
No, you can do most of this with a simple $99 purchase. Or roll your own. Sending bulk spam posts requires proxy servers - this may cause some people to think the traffic originates from China or elsewhere when the spammer may be sitting next door.
As someone has already suggested, target websites are found by scraping search results for specific phrases. Removing all canned responses that WordPress or other blog/CMS software uses will make a dramatic difference.
Even then, it's very easy to scrape for target sites in a multi-step process:
- scrape for "comments +name +email" (use many variations)
- check all positive results for [yoursite]/wp-login.php
- now you have a large list of 'clever' WordPress sites
Akismet is your friend.
Honey pot blogs are also used by spammers to find targets.
Take spam posts on your honey pot and scrape Google for matching posts. The results will be websites that don't moderate posting - and will then be added to the list.
|It's painfully easy to send 2000, 4000, 8000, etc.. successful spam blog posts per day. |
I think you missed my global point that it's NOT painfully easy to send 500 spams to tens of thousands of blogs daily. Do the math, that's some serious scalability issues for people just sending a mail list with 10K members, let alone spamming the whole web of WordPress blogs.
My point was it's not some kiddies running a script off a single computer, this is a serious operation and based on the input I've gotten about the range of these IPs, it's a frighteningly large operation.
I'd really like to know the total scope of this spambot operation as you know a ton of people hit this page looking for the IP that didn't bother posting.
We're facing a serious threat IMO that might need drastic measures to neutralize, like blocking whole ISPs or countries, which is what I do on my serious websites. I put a big red circle and slash on the Great Firewall of China, Ukraine, Russia, Nigeria, Vietnam, etc. ad nauseam, which means based on traffic I've determined that entire countries or ISPs were more of a threat than a benefit and locked them out.
Many others do the same thing, and how far does this have to go before members of those ISP pools finally realize what's happening to block their access to the world, before they finally revolt and get those spamming vermin offline?
Sadly, in those locations, I'll conjecture those IPs might even be accessed for a small fee via installed proxy server software on PCs throughout that network, but that's just speculation as it's hard to imagine Comcast customers wouldn't eventually have a full blown riot if they had this problem and the source of the problem would be squished.
These are with at least 100 spam posts per range in the past month:
CN, RU and UA.
|How does it work? |
Each time a new comment, trackback, or pingback is added to your site it's submitted to the Akismet web service which runs hundreds of tests on the comment and returns a thumbs up or thumbs down. As a result, you don't have to waste your time sorting through and deleting spammy comments from your blog.
Sure thing, but that is after the fact.... The Necromonger in me warns them to stay away. But the Furyan in me ... likes plain 403s when the request is made and hopes they will listen...
I presume most have noted that these spambot ranges are very near, if not identical, to many of the bad search bot ranges. I killed all my open comments several years back... and it looks like it has become even more aggressive than it was back then.
|these spambot ranges are very near, if not identical |
There is some duplication, however I'd advise caution in such an assumption.
That's the central flaw, that it's a web service. If the spammers ever wanted to do some biblical stuff and DDoS them out of existence, like they did Blue Frog, then what would all the Akismet users do besides drown in spam?
I really don't like anything reliant on a centralized server for 100% of its functionality, and my spam blocker worked easily just by looking at the headers sent by the spambots: if it didn't look like a browser header, punt it.
It was really that easy.
Even if they fixed the headers, a large percentage of the user agents being used are defective, another easy criterion to use to toss spam.
Using the logic I employed, there was nothing left to send to Akismet had I used it.
Yes, it does let real humans post comments too, as I tested it and some real comments got posted in the same time frame 10K spams got tossed, so I'm pretty sure it was working properly.
I can see a day when we'll need the processing power of the cloud to sort out traffic hitting multiple sites to stop scrapers and spammers, but we're hardly there yet, it's a waste of bandwidth, and a centralized service is just a big fat target for spammers to attack.
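The two local-first approaches described in this thread (the honeypot forums that feed a central bad-IP table, and the header-based filter that punts anything not looking like a browser) can be combined into one request classifier. The code below is an added illustration, not anything posted in the thread: the hosting range, dead-thread paths, IPs and header samples are all constructed placeholders, the "browser-like" and "defective user agent" heuristics are my own assumptions about what such a filter checks, and the remote lookups against StopForumSpam and Project Honeypot are deliberately left out so it runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed placeholders (assumptions, not values from the thread).
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]       # stands in for a hosting provider range
DEAD_THREAD_PATHS = {"/forum/thread-1234", "/forum/thread-1235"}  # threads truncated from the honeypot
BLOCKED_REFERRER_TLDS = (".ru", ".ua")                            # the ".ru/" / ".ua/" referrer rule


class SpamTrap:
    """Central store of bad IPs fed by the honeypot forums; a set stands in for the MySQL table."""

    def __init__(self):
        self.bad_ips = set()

    def classify(self, req):
        """Return (status, reason) for one request dict {ip, path, headers}.
        Any blocking reason except 'already in DB' also records the IP, so the
        next request from it is refused before any other check runs."""
        ip = ipaddress.ip_address(req["ip"])
        hdr = req["headers"]
        ua = hdr.get("User-Agent", "")

        if req["ip"] in self.bad_ips:
            return 403, "ip already in DB"
        if any(ip in net for net in HOSTING_RANGES):
            return self._ban(req["ip"], "hosting range")
        if req["path"] in DEAD_THREAD_PATHS:
            return self._ban(req["ip"], "request for deleted thread")
        ref_host = urlparse(hdr.get("Referer", "")).hostname or ""
        if ref_host.endswith(BLOCKED_REFERRER_TLDS):
            return self._ban(req["ip"], "referrer TLD")
        # Heuristic (assumption): real browsers send Accept and Accept-Language; many bots omit them.
        if "Accept" not in hdr or "Accept-Language" not in hdr:
            return self._ban(req["ip"], "headers do not look like a browser")
        # Heuristic (assumption): an empty UA or one with unbalanced parentheses counts as defective.
        if not ua or ua.count("(") != ua.count(")"):
            return self._ban(req["ip"], "defective user agent")
        return 200, "ok"

    def _ban(self, ip, reason):
        self.bad_ips.add(ip)
        return 403, reason


# Constructed sample traffic: one clean visitor and several bot-like requests.
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Language": "en-GB,en;q=0.5",
}
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "path": "/forum/index.php", "headers": BROWSER_HEADERS},
    {"ip": "203.0.113.9", "path": "/forum/index.php", "headers": BROWSER_HEADERS},
    {"ip": "198.51.100.8", "path": "/forum/thread-1234", "headers": BROWSER_HEADERS},
    {"ip": "198.51.100.8", "path": "/forum/index.php", "headers": BROWSER_HEADERS},
    {"ip": "198.51.100.9", "path": "/forum/post.php",
     "headers": {**BROWSER_HEADERS, "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"}},
    {"ip": "198.51.100.10", "path": "/forum/post.php",
     "headers": {"User-Agent": BROWSER_HEADERS["User-Agent"], "Referer": "http://example.ru/"}},
    {"ip": "198.51.100.11", "path": "/forum/post.php",
     "headers": {"User-Agent": BROWSER_HEADERS["User-Agent"]}},
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Feed the samples through one SpamTrap in order and return (ip, status, reason) per request."""
    trap = SpamTrap()
    return [(r["ip"], *trap.classify(r)) for r in requests]


if __name__ == "__main__":
    for ip, status, reason in run_samples():
        print(f"{ip:15} {status} {reason}")
```

Check order matters: the referrer test runs before the header-sanity test, so a bot with a .ru referrer and no Accept header is recorded for the referrer, and the same IP is refused on its next request without re-running the checks. The "deleted thread" rule is the feedback loop the thread describes: the honeypot forum never needs moderation because touching a truncated thread URL is itself the evidence.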
incrediBILL - The drain on individual ISP bandwidth is small in relative terms. Think of a 1000-IP botnet running on (eg) AT&T - no impact at all. Even scaling up by 10 or 100 is unlikely to be noticed within the normal fluctuations of an ISP's total bandwidth, especially now that people download and share so many videos and films.
Botnets are cheap. They are a commodity, $10 per hundred IPs or whatever. There are millions of compromised machines so plenty of sub-networks for rent. It actually does come down to a script kiddy with a single computer: he just has a botnet to run the script through. And in many instances a very fast botnet, since lots of people are using the latest fast computers nowadays.
And not a great deal of point in specifically blocking countries. As I noted above, some countries' computers really are more easily compromised but in the end the botnets are really only specialised proxies for the real criminals. In general I get as many phishes from America as from anywhere else (I spend more time watching mail than web, hence the bias). And remember that computers are mainly compromised through phishing emails.
As to a serious threat: that began years ago. It's just that it's easier now to compromise computers. I was stating six/seven years ago that the internet was seriously broken but no one took any notice. The internet was never very well built to begin with and hasn't improved much since. Look at the threat blogs: the evidence is there.
For reference, Kaspersky's recent list of malware runs...
Top 5 malware hosting countries
Top 5 countries with the highest frequency of web attacks
Top 5 countries where infected files are most frequently discovered
Top 5 countries with lowest infection rates
Note the missing countries we continually accuse of hacking us. I'm not saying Ukraine, China, Korea etc are not high on the baddies list but they are not the worst, according to the above list.
|Botnets are cheap. They are a commodity, $10 per hundred IPs or whatever. |
Guess I was thinking how much spam per machine, kind of bandwidth, as the frequent spammers hitting me seem to mostly come from a small range of IPs, so I didn't suspect a botnet. It looked like a well organized spamming operation with a few machines and an IP pool. I could be wrong, could just be some real high-end gear compromised giving them a better spam platform for now.
There are spammers who hire space with uncaring server providers or ISPs, but look at it this way: If you do not want to be arrested you would need to lie about who you were etc, otherwise unpleasant policemen might come knocking on your door.
This DOES happen (both hiring space and getting busted) but it's easier and safer to rent an anonymous botnet. The fact that a lot of stuff comes from a single or related group of IPs could simply mean a small botnet is in use - say, 100 machines. It's possible the rented machines are high-power computers or even part of a compromised server farm: there are several of those around.
Thought I'd post the results of a SPAM BY DATE report just to see the escalation and peak spam dates.
2014-01-04 618 < WOW!
These are the stats from the WP_COMMENTS table as I noticed it ramping up BEFORE installing the spam blocker, notice the gradual increase:
Notice 2013-12-12 is the day it shifted gears and skyrocketed ever since.
Not sure what changed, but that's when the party started.
It seems from your results that there is no significant "daily" component. I find here (UK) that both web and mail have far fewer baddies on the weekend (and on holidays such as Christmas / new year) - something like 10%.
This might suggest a more automated approach - fire it off and let it run as long as it likes as against fire it off every morning I can be bothered to get out of bed.
Which in your context probably makes sense: they are spamming forums; they do not need to analyse or react to any break-ins.
I use Akismet also and get very few comments that I need to approve as it trashes most of them.
Domains like broadband.kyivstar.net, sovam.net.ua, corbina.ru, etc. got on my modest "ABSOLUTELY NO GO" filter list #2 when they started doing their stupid stuff. The frequency of their hits seems to be declining - no idea whether them getting 0-byte responses has anything to do with that.
I haven't seen more than 2 or 3 possibly legitimate access attempts from there, so in my case this kind of filter seems OK.
RewriteEngine On
# Each rule matches the request path (no leading slash in .htaccess context) as a substring
# regex; "-" leaves the URL unchanged, [G] answers 410 Gone, [NC] makes the match case-insensitive.
RewriteRule (admin|allow|cgi|client|config|datab|db) - [NC,G]
RewriteRule (default|disable|document|editor|fopen) - [NC,G]
RewriteRule (http|licence|login|manage|mysql|php|plugin) - [NC,G]
RewriteRule (public|user|script|search|template|wordp) - [NC,G]
# The next two lack [NC], so only lower-case "web_", "web-", "weba" and "wp-" are caught.
RewriteRule (web[a\-\_]) - [G]
RewriteRule (wp\-) - [G]
RewriteRule \.(asp|js) - [NC,G]
RewriteRule \/js - [NC,G]
# A literal backslash anywhere in the path.
RewriteRule \\ - [G]
China is blocked altogether via zero-byte 403 - too much pressure from there (especially and no way to sort out legitimate traffic from attacks...
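Because those RewriteRule patterns are unanchored substring matches, it is worth checking what they actually catch before deploying them. The following is an added example, not something from the thread: it re-implements the match semantics of the rules above in Python (assuming .htaccess context, where the tested string is the path without its leading slash, and that [NC] maps to a case-insensitive regex) and reports which rule fires first for a set of constructed request paths, including an ordinary /search/ URL that the "search" token would refuse and a capitalised path that slips past the case-sensitive rules.

```python
import re

# The thread's patterns in order, with whether the [NC] flag was present.
RULES = [
    (r"(admin|allow|cgi|client|config|datab|db)", True),
    (r"(default|disable|document|editor|fopen)", True),
    (r"(http|licence|login|manage|mysql|php|plugin)", True),
    (r"(public|user|script|search|template|wordp)", True),
    (r"(web[a\-\_])", False),
    (r"(wp\-)", False),
    (r"\.(asp|js)", True),
    (r"\/js", True),
    (r"\\", False),
]


def first_matching_rule(uri_path):
    """Return the first pattern that would fire for a request path, or None if it passes.
    Assumption: .htaccess context, so mod_rewrite tests the path with its leading slash stripped,
    and each rule is an unanchored regex search (RewriteRule semantics)."""
    subject = uri_path.lstrip("/")
    for pattern, nocase in RULES:
        flags = re.IGNORECASE if nocase else 0
        if re.search(pattern, subject, flags):
            return pattern
    return None


def report(paths):
    """Map each path to the pattern that blocks it (None when allowed through)."""
    return {p: first_matching_rule(p) for p in paths}


# Constructed sample paths: probes the thread is aiming at, plus legitimate-looking ones.
SAMPLE_PATHS = [
    "/wp-login.php",        # probe for a WordPress login
    "/images/logo.js",      # ordinary static asset, refused by \.(asp|js)
    "/search/",             # ordinary site search, refused by the "search" token
    "/users/profile",       # refused by the "user" token
    "/web_stats/",          # caught by the case-sensitive web[a\-\_] rule
    "/Web_stats/",          # same path capitalised: no [NC], so it passes
    "/about-us.html",       # passes every rule
]

if __name__ == "__main__":
    for path, rule in report(SAMPLE_PATHS).items():
        print(f"{path:18} -> {'410 via ' + rule if rule else 'allowed'}")
```

The point of running such a table is the two-sided check a practitioner wants before copying a filter like this: the rules do refuse the probe paths, but they also refuse `/search/`, `/users/...` and every `.js` asset, and the rules without [NC] are trivially bypassed by a capital letter. Tightening the tokens (anchoring, or matching `wp-login` rather than `login`) is the usual fix, but the right set depends on the site's own URL space.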