Msg#: 4032114 posted 10:21 am on Nov 26, 2009 (gmt 0)
Hello guys, on my site I had a phpBB forum which hadn't been used for at least a year. A couple of days ago I noticed that suddenly a lot of posts had appeared with "obscene" content. As I wasn't even using the forum, I simply deleted the whole folder via FTP and removed all associated tables in my DB.
Then the problems began. A certain IP range keeps requesting hundreds of deleted forum files, resulting in 404s now. At least 500-1000 requests per day. All IP addresses start with either 84. or 89.; the other numbers seem to be pretty random. IP locator says all these requests come from Frankfurt Am Main (Germany).
- How should I proceed? I have virtually no experience in IP blocking. I know there is a way to do this in .htaccess, but is it even possible to block such a wide range?
- What is it exactly that I'm seeing here? I have never heard of such a situation. What is this spammer actually trying to do, except generate hundreds of 404s in my log?
Msg#: 4032114 posted 10:51 pm on Nov 26, 2009 (gmt 0)
There is a group of spam bots located in a German network which also targeted my phpbb forums some time ago. I have solved the problem in my firewall by simply blocking all HTTP traffic from those IP ranges (they resolved to server data centers, not to end user IPs). IP blocking in the firewall has the advantage that it doesn't cause any load on the webserver, but you have to know what you are doing, because you can easily lock down your server completely.
My experience is that those forum spam bots are quite dumb, and you will get requests for the deleted pages for at least another six months or so. If you don't have the forum anymore you can just let the spambots come in and eat their 404. They do no harm, and adding all those IPs to your .htaccess for filtering might slow down other users, because for every legitimate HTTP request the rules in the .htaccess files are parsed to see if a matching IP address exists.
Msg#: 4032114 posted 9:33 am on Nov 27, 2009 (gmt 0)
Thanks for the input lammert. Seems that this is not an isolated issue I'm experiencing then. As you said, they really seem rather "dumb". What could be the point in hitting a 404 wall so many times?
I suppose no harm will be done, but they do mess with my statistics somewhat, because they usually enter the front page and then keep looking for phpBB pages, which don't exist any more. But indeed they get active with a wide array of IP addresses; I also believe that trying to block them in .htaccess would be a terrible mess.
Msg#: 4032114 posted 7:11 pm on Nov 27, 2009 (gmt 0)
These spambots apparently don't parse the HTTP return codes and therefore don't remove your URLs from their list. They will try over and over until, by human intervention, your forum URLs are removed from the spamlist or the spambots are loaded with a new set of URLs. That can take several months.
I use this dumb attitude of spambots now in my new anti-spam approach and with my current setup they don't even reach my register or post scripts anymore.
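
An added example, not part of any post in this thread: before deciding between ignoring the 404s and blocking ranges at the firewall, it helps to see how many networks the stale-forum requests actually come from. The script below groups 404s for a removed forum path by client network; the `/forum/` path, the log lines and the threshold are constructed assumptions, and the addresses are documentation ranges rather than the ones mentioned above.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in Apache combined log format. Addresses come from
# the RFC 5737 documentation ranges; /forum/ is an assumed location.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Nov/2009:10:01:02 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.23 - - [26/Nov/2009:10:01:05 +0000] "GET /forum/posting.php?mode=reply HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.200 - - [26/Nov/2009:10:01:09 +0000] "POST /forum/ucp.php?mode=register HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [26/Nov/2009:10:02:11 +0000] "GET /forum/index.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.10 - - [26/Nov/2009:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Nov/2009:10:03:01 +0000] "GET /missing.gif HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Nov/2009:10:04:00 +0000] "-" 408 0 "-" "-"
"""

# Captures: client address, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def stale_hits_by_network(log_text, path_prefix="/forum/", prefix_len=24):
    """Count 404s under path_prefix, grouped by the client's network."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or empty request line
        ip, path, status = m.groups()
        if status != "404" or not path.startswith(path_prefix):
            continue
        try:
            net = ip_network(f"{ip}/{prefix_len}", strict=False)
        except ValueError:
            continue  # logged a hostname, or prefix_len does not fit the address
        counts[str(net)] += 1
    return counts

def block_candidates(counts, threshold):
    """Networks with at least `threshold` stale-forum 404s, sorted."""
    return sorted(net for net, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts = stale_hits_by_network(SAMPLE_LOG)
    for net, n in counts.most_common():
        print(f"{n:6d}  {net}")
    print("candidates:", block_candidates(counts, threshold=2))
```

Grouping with a short prefix such as `prefix_len=8` shows how much unrelated address space a "starts with 84." style rule would cover, which is the lock-out risk raised in the firewall reply.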