Odd Form of Malicious Spam Against Other Websites

Getting hit with "fake" negative reviews for a slew of different websites

         

maximillianos

8:03 pm on Jan 14, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I manage a few online communities that allow consumer generated content, reviews, posts, whatever.

Over the past few weeks I've noticed an odd trend of malicious spam coming from Romania. They seem to be targeting all kinds of online services (perhaps all their competitors). Oddly they are hitting a few of my unrelated properties with the same posts over and over.

Just wondering if anyone else is seeing this negative spam campaign on their sites? Is there an efficient way to block traffic from various countries? Each time I block an IP, they come back later with a new IP (but also from Romania).

Of course they could just be using some proxy in Romania I guess...

It is getting old fast. Any advice on how to thwart these spammers? They don't appear to be bots since they have to jump through my registration hoops to use my site(s).

Many of the services they are slamming appear to be reputations management services, along with pretty much all website assistance services (seo, etc).

Thanks for any tips!

jdMorgan

8:09 pm on Jan 14, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Don't block IP addresses, block IP address ranges. And if you get little or no traffic from a particular IP address range, then you can block a *large* range.

How you might do so depends on what kind of server your site is hosted on, unless you can do it in your 'main' script(s).

Jim

maximillianos

8:26 pm on Jan 14, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That is a good idea, however the IPs don't appear to be from the same "range". They all (so far) have started with a different number as the first segment of the address. But oddly they are all from Romania so far.

Having Apache look up the IP is too costly, right?

topr8

12:06 am on Jan 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I buy a database of IPs mapped to countries and use it to block lots of countries, it's quick and easy - I believe there are open source/free lists available too.

httpwebwitch

4:29 am on Jan 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



yes there are open source lists that do geolocation, and I believe there's even a PHP Pear module that does it. The IP ranges may not be up to date, but surely they'll be *close enough*

also... check out this excellent discussion about blocking IPs.
[webmasterworld.com...]

maximillianos

3:09 pm on Jan 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the suggestions. I'm trying out an IP-mapped list. If it performs well enough, I think I'll have my problem solved!

InterNetInc

11:37 pm on Jan 19, 2010 (gmt 0)

10+ Year Member



I had a similar problem that I beat. But question to maximillianos - the author of this thread.
  • It sounds like your registration process needs a captcha. I suggest you enable/install a good one and then...
  • Ban the last 'Romanian' IP number that spammed your boards and then:
  • check to ensure that all previous IP numbers these guys used before are indeed banned.

This will help prevent any spammers/hijackers from getting in as a member visitor; including the ones that haunt you.

This has worked for me, and I have no complaints about one having to copy the captcha during registration. There are some scripts in the Public Domain that easily merge with many Internet scripts. If you don't have the option to plug in and use a captcha [recaptcha.net], you can find several good ones in the Public Domain.

maximillianos

4:29 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Our registration requires an email validation step where you get your password sent via email. So not sure captcha would help since it appears to be manual. They have now taken to a Florida based ISP and have been continuing from there, varying the IP each day.

I added a filter to stop posts containing the words they are using, and then they come back the next day and use slight misspellings, etc.

This is getting old real fast.
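A word filter that survives the slight misspellings described in the post above, as an added example (not code from any poster). The blocked terms are constructed placeholders and `normalize` / `matched_terms` are hypothetical names; a match is meant to send the post to review, not to reject it.

```python
import difflib
import re
import unicodedata

# Constructed placeholder terms; a real list comes from posts moderators removed.
BLOCKED_TERMS = ["scamcorp", "ripoff"]

# Common digit/symbol-for-letter swaps used to dodge exact-match filters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Fold case, accents, leet swaps, separators and stretched letters."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LEET)
    text = re.sub(r"[^a-z\s]", "", text)       # "r.i.p-off" -> "ripoff"
    text = re.sub(r"(.)\1{2,}", r"\1", text)   # "ripooooff" -> "ripoff"
    return text


def matched_terms(text, threshold=0.8):
    """Return the blocked terms that some word (or adjacent word pair) resembles."""
    words = normalize(text).split()
    hits = set()
    for term in BLOCKED_TERMS:
        for n in (1, 2):                       # pairs catch "scam corp"
            for i in range(len(words) - n + 1):
                candidate = "".join(words[i:i + n])
                ratio = difflib.SequenceMatcher(None, candidate, term).ratio()
                if ratio >= threshold:
                    hits.add(term)
    return sorted(hits)


if __name__ == "__main__":
    for post in ["Sc4mc0rp is a r1p-off", "skamcorp again", "Great service"]:
        print(post, "->", matched_terms(post) or "clean")
```

Lowering `threshold` catches more variants at the cost of more false positives in the review queue.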

maximillianos

5:29 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I should add this is not a spam attempt in regards to getting links, but an attempt to defame another individual and perhaps any websites the person is associated with. Not exactly sure their intent since I have not had time to research, but it appears to be a personal attack that goes back many years. I did run a report on my site and found similar posts/attacks from many years ago that I had removed and blocked back then.

One might guess I'm dealing with an unstable individual or organization that can hold a grudge for so many years.

A quick Google of some of the websites they are defaming shows that I am not the only target. 8 of the top 10 results are the same negative campaigning posts but on different sites around the web.

InterNetInc

7:00 pm on Jan 20, 2010 (gmt 0)

10+ Year Member



Bots can get through email validators automatically. I assumed you were using email validation, which I've had many a joker and spam-bots get through. After I installed the Captcha, I've not had any problems. Existing members don't need to go through that.
You might find it worth your while to try it.
Some bots can get through simple Captcha.
If you're running a forum where there is a targeted member, what about asking that member to temporarily change their ID, since s/he is drawing the wrath of this hacker, and then temporarily disable the older member account. The hacker can't post to someone if they don't seem to exist. It might point to a means of catching the guy. Obviously, whoever it is is going through a proxy or two in order to hide the real IP.

Is it possible for your registration script to require an email reply instead of just a click-back link in the reg email? A reply would give out some headers to follow up on.

Good luck - I will keep an eye on your progress here since I'm sure we could all be vulnerable to the same kind of problems one day. I hope you keep us updated here.

Just some thoughts - Meanwhile, I've a number of client sites targeted by a hijacker. Must be considered important sites since it's the same hijacker that defaced Twitter and China's big radio station web site.

maximillianos

7:06 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the info on e-mail validation. I did implement another work-around for the time being. I had recently installed a GEO-lookup tool. I added some code to the scripts that save new content to my site(s). It checks for the area-code they are coming from right now and blocks it from being published. The posts get put in a mod queue for review. They seem to be skipping around IP addresses, but all from the same town/area-code/ISP.

If they jump to another town, I'll just update my logic and go from there to buy some time while I look into a more secure registration process via captcha or whatever else.

Thanks!
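The range lookup and hold-for-review routing discussed in the posts above, as an added example (not code from any poster). The table rows are constructed from documentation address ranges with made-up region labels, and `RangeTable` and `route_post` are hypothetical names; it goes a little beyond the thread by using a binary search over sorted ranges so the per-post lookup stays cheap.

```python
import bisect
import ipaddress

# Constructed sample rows (documentation ranges, made-up region labels).
# A real table would be loaded from a purchased or free IP-to-country list.
SAMPLE_RANGES = [
    ("192.0.2.0/24", "region-A"),
    ("198.51.100.0/25", "region-B"),
    ("203.0.113.0/24", "region-A"),
]


class RangeTable:
    """Sorted, non-overlapping IPv4 ranges with O(log n) lookup."""

    def __init__(self, rows):
        spans = []
        for cidr, label in rows:
            net = ipaddress.ip_network(cidr)
            spans.append((int(net.network_address),
                          int(net.broadcast_address), label))
        spans.sort()
        self._spans = spans
        self._starts = [s[0] for s in spans]

    def lookup(self, ip):
        """Return the region label for ip, or None if no range covers it."""
        addr = ipaddress.ip_address(ip)       # raises ValueError on junk
        if addr.version != 4:
            return None                       # this sample table is IPv4 only
        n = int(addr)
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and self._spans[i][0] <= n <= self._spans[i][1]:
            return self._spans[i][2]
        return None


def route_post(table, held_regions, ip):
    """Return 'queue' for posts from held regions, otherwise 'publish'."""
    try:
        label = table.lookup(ip)
    except ValueError:
        return "queue"                        # unparseable address: let a mod look
    return "queue" if label in held_regions else "publish"


if __name__ == "__main__":
    table = RangeTable(SAMPLE_RANGES)
    for ip in ["192.0.2.77", "198.51.100.10", "198.51.100.200"]:
        print(ip, table.lookup(ip), route_post(table, {"region-A"}, ip))
```

Queueing rather than rejecting keeps legitimate users in a held range able to post once a moderator approves.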

ken_b

7:17 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Have you set your system so new members' posts need to be approved before going live? Would that be at least a short term solution that would be workable for you?

maximillianos

10:35 pm on Jan 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the suggestion Ken. I have sort of implemented your suggestion. Anyone posting from the area code in question will get reviewed before publishing.

Unfortunately it is hard to review every post since we get about a thousand a day added to the site. And I am not full time working on the site. Just a bunch of volunteer mods.

So far so good with the zip code block. We have not seen any more today. But we will know more in a few days if they jump to another ISP.

Thanks again everyone for all the suggestions.