View Full Version : Is Today International Spam Day and Someone Didn't Tell Me?
Jason Dunn
01-26-2008, 01:07 AM
This morning around 9 am I checked in on this site and saw the "Recent Posts" section flooded with spam - 83 spam messages promoting a discount drug purchasing site, all by the same user (<i>KeralasGoldendweller</i>). I researched the IP address (85.255.117.226) and it traced back to an telco in the Ukraine (UkrTeleGroup Ltd.). I deleted all the spam, then started to block the entire IP range - but never finished because I was puzzled at the way phpBB was handling the block - I put in a ban for 85.255.117.*, and phpBB registered that as 85.*.117.* (maybe a smart networking person can explain if that makes sense). I figured I'd look into it later.<br /><br />About 30 minutes ago I received a phone call from Jeff, one of our forum moderators, and he said he was going into a meeting but I should look at the site again. This time, there was 120 forum spam messages - all hard-core porn links. <sigh> The offending IP? Yup, you guessed it, the same range - just the part I didn't get around to banning yet. <double sigh> I deleted all the spam, and with Janak's help we've now banned the entire IP range from reaching our server.<br /><br />So, with apologies to my pierogi-loving peeps in the Ukraine (I'm 1/4th Ukrainian myself, and I do love my pierogi!), we've had no choice but to ban a good chunk y'all from visiting us. When we move to our new vBulletin-based forum system (should be soon now), we have a much better system in place for stopping spam so I hope this is the last time I have to apologize for spam in our forums. ;-)
RogueSpear
01-26-2008, 02:19 AM
I am a struggling phpBB site owner myself. I've found a rather elegent solution to what I would estimate as 80% of all the problem IP addresses. I have an .htaccess file in the root of my phpBB directory structure and, among other things in there, I block out subnets as defined in the The Spamhaus Don't Route Or Peer List (http://www.spamhaus.org/drop/). I've found not too many people are of aware of either this list itself or the fact that you can block in htaccess by CIDR notation (it seems that the usual htaccess method people use is to lop off the last one or two octets). So a short example of what's in my htaccess file:<Files .htaccess>
order allow,deny
deny from all
</Files>
order allow,deny
deny from 116.199.128.0/19
deny from 116.50.8.0/21
deny from 132.232.0.0/16
deny from 134.33.0.0/16
deny from 138.252.0.0/16
deny from 141.193.0.0/16
deny from 152.147.0.0/16
They update the DROP list regularly so it does pay to check on it every now and again. What I usually do is hang on to my last used list until I grab another one. Then use WinMerge to easily find the changes.
jdhill
01-26-2008, 02:39 AM
Both 0 and 255 are invalid in any of the four octets (the numbers between the period) of any IP address. The values in each octet must range from 1 to 254. Subnet masks may contain 0 or 255, but IP addresses may not.
RogueSpear
01-26-2008, 02:50 AM
For an IP address you are correct. I am not however specifying individual IP addresses, but rather subnets. There's an easy way to test this out too (as I did) - enter a network block w/ CIDR notation where it includes your IP address. Then try to access your site with a web browser.
BukTop
01-26-2008, 08:59 AM
Hello All! I don't think that banning IP can help to resolve the problem. Our forum (SpbClub.com) is under similar spam attacks every day and every day they have a new completely different IP. But we've found a way to block spam -- they advertise the same site every day (e.g. amazing-***-videos-***), so we just block all the posts containing a given URL... and it works ;)
pdagold
01-26-2008, 02:12 PM
Both 0 and 255 are invalid in any of the four octets (the numbers between the period) of any IP address. The values in each octet must range from 1 to 254. Subnet masks may contain 0 or 255, but IP addresses may not.
That's not entirely true, see http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1053572,00.html. Unfortunately, this BB system doesn't know about these exceptions and automatically replaces "255" with an asterisk. I believe that this IP with 255 octet in it was selected intentionally just because of these problems...
Lord_Zelo
01-30-2008, 05:14 PM
Just a suggestion to help you keep spammers out... Don't use phpBB's account setup system, make your own that puts what it needs into the phpBB user table.
I had the same problem... so I took the signup link of the website, that didn't work. I had to completly remove the signup php scripts that were being used by phpBB to create accounts. I then proceeded to make my own account creation system that just inserts the right stuff into phpBB and it works great now. I haven't had a spammer since.
Maybe this doesn't matter if you are going to vBulletin soon anyway. :)
vBulletin® v3.8.9, Copyright ©2000-2019, vBulletin Solutions, Inc.