Geekzone: technology news, blogs, forums


BlakJak

1330 posts

Uber Geek
+1 received by user: 735

Trusted

#67980 12-Sep-2010 14:39

I host or administer several websites in a private capacity.

I've found from time to time I get a flurry of spam-type web form submissions and almost without exception they're from the same outfit - Bharti Tele-Ventures Limited - an Indian ISP.

I currently have traffic from a full /12 firewalled off to prevent it. Unfortunately at least one of the sites I administer is vhosted with an ISP and not on my own machine, so firewalling is then less of an option (maybe I need to learn some more .htaccess hax ...)

Is anyone else seeing similar or is it just me being graced with such attention? :) Coz I can do without it, tbh.

(don't get me started on retarded attempts to resolve stuff on my internal-use-only RBL, which somehow got onto someone's mass lookup table, which subsequently had me receiving a bunch of random 'we've closed our open relay, please unblock us' from mail admins in Asia and Eastern Europe who've never actually had a mail rejection from me so don't actually _need_ to be unblocked... or on the several dozen IP addresses I've had to block from port 53 on my DNS server because they keep bombarding me with lookups for my RBL zone despite being sent an error, and never an actual response... )




No signature to see here, move along...

freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41044

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #379028 12-Sep-2010 14:46

Do like we do here on Geekzone. Resolve the IP address using an IP-geo table and simply block from some countries (our list is quite good these days). Email for details if you want.






 




BlakJak

1330 posts

Uber Geek
+1 received by user: 735

Trusted

  #379031 12-Sep-2010 14:56

Do blocked countries get a graceful 'you're blocked' notice or do they simply not work?

Are you able to do it on a by-URL basis?

I'd love a .htaccess type thing that let me block particular URLs (say, the contact forms) ...




No signature to see here, move along...

freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41044

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #379034 12-Sep-2010 15:01

We simply redirect to default.asp when non-trusted users try to access some URLs (mainly the forum reply URLs and PM) from some countries. Otherwise they could just start using proxies (which some already do sometimes anyway).

The solution is based on a SQL table loaded with IP and country information. We then lookup the IP address in the table and find the corresponding ISO code. That's how we also find our flags.

It's part of our scripts, easily translated to other engines - PHP, etc.






 




BlakJak

1330 posts

Uber Geek
+1 received by user: 735

Trusted

  #379037 12-Sep-2010 15:04

Well I don't touch ASP to start with ;-)

You have inspired me, however.

http://www.maxmind.com/app/mod_geoip is something I'm going to look at.




No signature to see here, move along...

freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41044

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #379044 12-Sep-2010 15:23

BlakJak: Well I don't touch ASP to start with ;-)

You have inspired me, however.

http://www.maxmind.com/app/mod_geoip is something I'm going to look at.


I already said you can use it with any script engine. It's four or five lines, so not hard to translate. But if you want something on Apache, then that's a good solution.








 


codyc1515
1598 posts

Uber Geek
Inactive user


  #379110 12-Sep-2010 19:54

I know in PHP you can just resolve the user's IP to their reverse DNS name.
Simply use:

$usersdns = gethostbyaddr($_SERVER['REMOTE_ADDR']);

Then get the last portion of their DNS name, which should have their ccTLD in it, and block based on the ccTLD.
Though this does not always work, as some ISPs don't set a reverse DNS entry, however, I have found it to work most of the time.

 
 
 
 

freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41044

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #379111 12-Sep-2010 19:56

codyc1515: I know in PHP you can just resolve the user's IP to their reverse DNS name.
Simply use:

$usersdns = gethostbyaddr($_SERVER['REMOTE_ADDR']);

Then get the last portion of their DNS name, which should have their ccTLD in it, and block based on the ccTLD.


You would be killing your server if you do this. Performing reverse DNS lookups in your script would add too much to the script runtime. Also the ccTLD wouldn't be reliable.

A local Geo IP database lookup is much more efficient, and you should really only do it in the pages where input is allowed - and sometimes only at validation time.

It's all about the speed on the Internet...
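An added example (not Geekzone's script or any poster's code) of the approach described in the replies above: an in-memory IP-range table mapping addresses to ISO country codes, consulted only when a non-trusted user submits to an input URL. The ranges, the placeholder country codes XA/XB/XC, the guarded paths and the function names are all assumptions made for illustration.

```python
import bisect
import ipaddress

# Constructed sample table using RFC 5737 documentation ranges and
# placeholder country codes; a real table is loaded from an IP-geo dataset.
SAMPLE_RANGES = [
    ("192.0.2.0/24", "XA"),
    ("198.51.100.0/24", "XB"),
    ("203.0.113.0/25", "XC"),
]
BLOCKED_COUNTRIES = {"XA"}                    # hypothetical policy
GUARDED_PATHS = ("/contact", "/forum/reply")  # hypothetical input URLs


class GeoTable:
    """Non-overlapping (start, end, iso) integer ranges, searched by bisect."""

    def __init__(self, ranges):
        rows = []
        for cidr, iso in ranges:
            net = ipaddress.ip_network(cidr)
            rows.append((int(net.network_address),
                         int(net.broadcast_address), iso))
        rows.sort()
        self._rows = rows
        self._starts = [r[0] for r in rows]

    def country(self, ip):
        """Return the ISO code covering ip, or None if nothing matches."""
        try:
            n = int(ipaddress.IPv4Address(ip))
        except ValueError:
            return None  # malformed or non-IPv4 input: treated as unknown
        # Last range starting at or before n, then confirm n is inside it.
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and n <= self._rows[i][1]:
            return self._rows[i][2]
        return None


def decide(table, method, path, ip, trusted=False):
    """Return 'allow' or 'redirect' for a single request."""
    # Skip the lookup for reads, unguarded URLs and trusted users, so the
    # cost is only paid where input is accepted.
    if trusted or method != "POST" or not path.startswith(GUARDED_PATHS):
        return "allow"
    # Unknown addresses fail open here; that is a policy choice.
    if table.country(ip) in BLOCKED_COUNTRIES:
        return "redirect"
    return "allow"
```

The lookup is a binary search over local data, so it adds no network round trip to the request, unlike a reverse DNS query made at request time.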






 


BlakJak

1330 posts

Uber Geek
+1 received by user: 735

Trusted

  #379118 12-Sep-2010 20:23

Not to mention that lack of a PTR record is usually hand-in-hand with a doesn't-care-about-spammers approach to the interwebs.




No signature to see here, move along...

marpada
487 posts

Ultimate Geek
+1 received by user: 182


  #379122 12-Sep-2010 20:46

Not sure if it's an option as you don't manage the servers, but in my opinion mod_security is the most flexible way to deal with form spamming (if you use Apache, obviously). It can inspect the POST body, so it's far more effective than mod_rewrite tricks. mod_security can also use RBLs and GeoIP queries.

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #379157 12-Sep-2010 22:53

What about using something like http://www.google.com/recaptcha to protect your web forms? It's easy to implement and also most of your real site visitors can read it.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41044

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #379158 12-Sep-2010 23:09

It only works against robots. Indian spam workers are cheap workforce and will go through captchas with no problems.

They also post close to relevant comments to go past automated filters or blog owners who are not paying attention.





 


 
 
 
 

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #379163 13-Sep-2010 00:09

freitasm: It only works against robots. Indian spam workers are cheap workforce and will go through captchas with no problems.

They also post close to relevant comments to go past automated filters or blog owners who are not paying attention.


Ah right, Spam is getting smarter these days. 




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


marpada
487 posts

Ultimate Geek
+1 received by user: 182


  #379366 13-Sep-2010 17:11

I think a captcha or hidden field may work. It is true that workforce to enter captchas can be hired, but I guess they use the resources to add fake ads in sites like Craigslist or create email accounts that they can use to keep the spam circle, not spamming through site forms.

Spammers usually employ customised web browsers or robots, so using mod_rewrite to filter suspicious User Agents won't block 100% of the spam but it's so easy to implement that it may be worth the effort. You can see a list of suspicious user agents at http://www.projecthoneypot.org/comment_spammer_useragents.php?dt=7 , but it's better to check your logs to identify the agents that are bugging you (my unsuccessful spammers tend to like Deepnet Explorer or Crazy Browser 1.0.5 :) )

If you are willing to add some coding to your forms you may use the Akismet API (very popular in WordPress blogs), so they can evaluate in real-time if a submission is legit or spam:
http://akismet.com/development/

BlakJak

1330 posts

Uber Geek
+1 received by user: 735

Trusted

  #379382 13-Sep-2010 17:45

For the record, I have a captcha. It's a person, not a bot. The user agent was clean, too, a copy of the latest Firefox. Mauricio had it nailed in his response.




No signature to see here, move along...

raab
262 posts

Ultimate Geek
Inactive user


  #379384 13-Sep-2010 17:54

michaelmurfy:
freitasm: It only works against robots. Indian spam workers are cheap workforce and will go through captchas with no problems.

They also post close to relevant comments to go past automated filters or blog owners who are not paying attention.


Ah right, Spam is getting smarter these days. 


Or dumber, depending on how you look at it. The fact that they can't rely on automated systems to do their work anymore... 
