Fighting spam attacks

Dec 11, 2007

Today I hit the all time record of comment spam with a staggering 367 attacks in just 21 minutes. They were all coming from the same IP address but with various different comments that all had something to do with selling Christmas cards. I don’t mind the occasional comment spam attacks since none get through, but when they hit as hard as they did today I get annoyed because they take up CPU cycles and bandwidth.

I needed a way to block these pesky intruders from leeching on my server and hopefully find a way to keep them from returning.

BlogEngine.NET 1.3 to the rescue

The next version of BlogEngine.NET with the creative title of 1.3, which is due before Christmas, has some new events exposed for extension builders. One of them is called Comment.SpamAttack and gets raised every time a spammer tries to add a comment.

So I wrote a small extension that listens to that event and collects IP addresses from the clients making the spam requests. When the same IP address gets caught spamming comments 3 times, the extension clears the response and sends back a 404 HTTP header. The reason for that is to trick the spammer (which almost always is a dumb robot) to believe that the URL doesn’t exist and therefore it would stop trying and wont come back.

This extension is only a few hours old so I don’t have any statistics on its effect yet, but my spider sense tells me it will have positive effect in fighting the spam attacks right now and in the long term.

You can also create extensions that listens to the Comment.AddingComment which is raised before the comment is saved. That gives you the possibility to do your own spam filtering, because you can then cancel saving the comment and raise the Comment.SpamAttack event by calling the static Comment.OnSpamAttack() method.

I’ll test the extension thoroughly and if it behaves well, it will be included in the 1.3 release. You can also get a sneak peak at the extension by downloading the .cs file below:

BlackLister.zip (886 bytes)

* $4.95/month ASP.NET Hosting with FREE SQL 2012 DB! – Click Here!

Trackback spam fightingA short listing of the principles of trackback spam fighting.Worst spam day so farI've never recieved as much spam as I did today. Comment, trackback and referrer spam.Create your own spam filter extensionsMy last post about comment spam fighting resulted in a lot of e-mails from readers asking how to cre...

Comments (13) -

Josh Stodola

12/11/2007 7:49:19 PM #

How reliable are IP addresses really?

Mads Kristensen

12/11/2007 7:52:01 PM #

I don't know yet, but all 367 spam comments where coming from the same IP address. Apparently, not all spambots switch IP addresses for each request.

AAA

12/11/2007 7:55:34 PM #

Mads Kristensen

12/11/2007 7:58:07 PM #

@AAA

I appreciate the irony

Josh Stodola

12/11/2007 8:13:24 PM #

Well, that is not really my concern. What concerns me is when that spam bot gets a new IP address. What happens to the old? Is it not potentially possible that some poor soul (a legitimate visitor) decides to come to your site but is unable becuase his current IP address happens to be one that used to belong to a spam bot?

Mads Kristensen

12/11/2007 8:18:20 PM #

The legitimate visitor will still be able to post a comment since it would not be treated as a spam attack. The extension only sends the 404 HTTP header to robots that is in the process of spamming. That's the beauty of it. BlogEngine.NET knows the difference between legitimate POST requests and POST requests made by robots.

davidee

12/11/2007 8:27:54 PM #

i'm going to install and test it!! good work mads!

Jesse Foster

12/11/2007 9:52:52 PM #

Your response to xxx.com is perfect.

Both, the code, and the subtle humor, are awesome on this blog.

Jesse Foster | jf26028

Chris Blankenship

12/12/2007 6:36:50 AM #

I would like to try this out as well... Do I just drop the Blacklister.cs file into the App_Code\Extensions folder?

Nicholas DL

12/12/2007 11:17:31 AM #

I have been converting the blog from the web project path-based solution to a web-application project (not exactly easy since many files within BlogEngine.Net have no namespace, which I add) however one point I have noticed is that the naming of objects is not consistent (one example is SYNC_LOCK in this file versus _SyncRoot). As the project grows this could cause later problems. Otherwise, great app.

Justin Etheredge

12/12/2007 12:00:39 PM #

Nice! I am going to certainly have to try this one out.

Dan Atkinson

12/12/2007 12:13:58 PM #

Having been a long-time observer of spam IP addresses, I have seen many many attacks come from the same IP address. There are plenty of occasions however, when botnets also launch a spam attack on the website, sometimes preceded by a spider (another story).

I found that stopping spider crawls (based on user agent, speed, and IP range) was a fairly effective method of preventing spam, especially when tied in with a honeypot.