
Weblog Spamming Problem

which IP address should be banned

         

Storyman

6:31 pm on Nov 29, 2004 (gmt 0)

10+ Year Member



For the last couple of weeks my site has been bombarded with weblog spam. They have used up over 30 megs of bandwidth. I'd like to stop it because the problem seems to be increasing at a steady flow.

Basically what the offenders are doing is pinging my site thousands of times. As it was explained elsewhere in this forum, the intent is to promote their site at my expense.

All of this is pretty new to me, and I am somewhat uncertain about how all of the pieces fit together. The logs for the most recent visitors show the host IP as something like 69.50.X.X and give a web site, www.offender.com, as the referring page.

Using DNSstuff all of the referring domain names come back as belonging to a range of IPs, 206.161.X.X.

Should I be banning the Host IP (69.50.0.0), the referring page IP (206.161.0.0) or both?

jdMorgan

9:20 pm on Nov 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The goal is to stop the abuse, so ban both to start.

If you are seeing that all Remote_Addr IP addresses are in the same block, then this may be an automated attack. In that case, don't feel bad about banning by remote address.

As you're probably aware, blocking by referrer is imperfect, because the referrer field is often blank, even for legitimate visitors.

Taking that into account, first stop the problem, and then go back and create exceptions where you feel that legitimate visitors may be being blocked.

Jim

Storyman

10:02 pm on Nov 29, 2004 (gmt 0)

10+ Year Member



When using .htaccess to deny access to the site, does it look at both the Host IP and the referring IP as well?

Is there a special instruction for the referring site, or do they all use the same deny instruction?

jdMorgan

11:24 pm on Nov 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can use mod_rewrite and specify the variable you wish to examine directly, or you can use mod_setenvif to set an arbitrary variable based on specified request variables, and then test the arbitrary variable in your allow from or deny from mod_access directives.

RewriteCond %{REMOTE_ADDR} ^123\.45\.67\. [OR]
RewriteCond %{HTTP_REFERER} ^http://bad_site\.com
RewriteRule .* - [F]

or

SetEnvIf Remote_Addr ^123\.45\.67\. getout
SetEnvIf Referer bad_site\.com getout
Order allow,deny
Allow from all
# env= makes mod_access test the variable set above instead of a hostname
Deny from env=getout

These methods are essentially equivalent. In some cases, IPs denied by mod_access will generate entries in your server error log, while those denied by mod_rewrite will not.

Note that if you use a custom 403 error page, you will need to make allowances for that in the code. Otherwise, any 403 error will cause the client to be internally redirected to the 403 error page, and since all pages are denied, that will result in another 403 error, causing a loop.

Jim

Storyman

12:36 am on Nov 30, 2004 (gmt 0)

10+ Year Member



jdMorgan,

Thank you for the various methods for blocking an IP address.

My hosting company has a program that writes a list of banned IP addresses in the form of:

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 63.216.0.0
deny from 63.217.0.0
deny from 63.218.0.0
deny from 63.219.0.0
deny from 63.220.0.0
deny from 63.221.0.0
deny from 63.222.0.0
deny from 63.223.0.0

Does any one approach have clear advantages over the others? Which method requires the least amount of CPU processing? Or are they about equal?

Thanks for your help.

jdMorgan

1:29 am on Nov 30, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Use whichever one you're more comfortable with. In your case, since your host has already provided the custom 403 exclusion using mod_access, just use mod_access.

It's really a personal preference kind of thing... There may be some minor performance differences, but then again, the computers are supposed to work for us, not the other way round... :)

Jim
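
Added example, not part of the thread and not either poster's own code: the two blocking snippets from the 11:24 pm reply, each with the custom-403 allowance that reply describes. The 123.45.67. prefix and bad_site.com are the thread's placeholders, 403.shtml is the error page named in the host-generated file, and the ErrorDocument line and its root path are assumptions; the syntax is the Order/Allow/Deny form used in the thread.

```apache
# Custom error page; assumed to sit at the site root as /403.shtml.
ErrorDocument 403 /403.shtml

# --- Variant A: mod_rewrite ---
RewriteEngine on
# Allowance for the error page: without this condition the internal
# redirect to /403.shtml is itself forbidden and the request loops on 403.
RewriteCond %{REQUEST_URI} !^/403\.shtml$
# Block by client address OR by referrer (placeholders from the thread).
# The [OR] pair is evaluated together, then ANDed with the condition above.
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\. [OR]
RewriteCond %{HTTP_REFERER} ^http://bad_site\.com
RewriteRule .* - [F]

# --- Variant B: mod_setenvif + mod_access (either variant alone is enough) ---
SetEnvIf Remote_Addr ^123\.45\.67\. getout
SetEnvIf Referer bad_site\.com getout
Order allow,deny
Allow from all
Deny from env=getout
# Address bans without a regex: a partial address (or CIDR) covers a block,
# while a full dotted quad matches exactly one host.
Deny from 123.45.67
# Allowance for the error page, same form as the host-generated file.
<Files 403.shtml>
Order allow,deny
Allow from all
</Files>
```

After deploying either variant, request a page with a matching Referer header and confirm the response is a single 403 carrying the custom page rather than a server error.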