## February 1, 2005

The group of spammers I blogged about previously, the ones using crapflooding techniques (multiple POSTs from behind anonymous proxies) for comment spam, finally returned, this time as Trackback spammers. Lotta people seem to have been hit hard.

Since it took the Crapflooders only a week or so to figure out that Trackback flooding was easier and more fun than Comment flooding, I was wondering when these spammers would come to the same realization. Last night, they finally did. Golem received several hundred trackback attempts, in two concerted waves.

When the crapflooders were at it, a throttle on the number of trackbacks in a given time period was my main defence. That throttle is now built into MT 3.1x.

Since then, I’ve wised up a bit, and block submissions (of Trackbacks and Comments) from open HTTP Proxies. Thanks to Brad Choate’s plugin, modified to use the opm.blitzed.org DNSBL list of open Proxies (instead of the irrelevant dsbl.org list of open SMTP servers), all of the hundreds of would-be spam Trackbacks were blocked.

The modifications to Brad’s plugin are easy:

--- plugins/dsbl_deny.pl.orig   Thu Nov 11 11:06:29 2004
+++ plugins/dsbl_deny.pl        Thu Nov 11 11:08:58 2004
@@ -12,9 +12,9 @@
my ($eh,$app, $comment) = @_; my$remote_ip = $app->remote_ip; my ($a, $b,$c, $d) = split /\./,$remote_ip;
-    if (checkdnsrr("$d.$c.$b.$a.list.dsbl.org")) {
+    if (checkdnsrr("$d.$c.$b.$a.opm.blitzed.org")) {
$app->log("Blocked comment post from known open proxy:$remote_ip");
-        my $url = "http://dsbl.org/listing?$remote_ip";
+        my $url = "http://opm.blitzed.org/proxy?ip=$remote_ip";

# we're forcing out the header here and exiting since I can't find
# a cleaner way to force a redirection to the DSBL.org site...
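Review bot: the replaced lookup still builds the reversed name straight from `split /\./,$remote_ip` with no check that four octets came back, so an empty or non-IPv4 `remote_ip` (an IPv6 client, or a request that arrived without a usable address) yields a name with empty labels such as `...opm.blitzed.org`; add a guard like `return unless $remote_ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;` ahead of the `checkdnsrr` call. Two smaller points in the same hunk: `checkdnsrr` returns false on a resolver timeout as well as on NXDOMAIN, so a DNS outage fails open and deserves a comment saying so, and the log line still reads "Blocked comment post" even though, per the post, the same check is applied to Trackbacks.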

The only surprising thing was how well it performed.
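As an added illustration (not Brad’s plugin, nor my hacked copy above), here is the same reversed-octet DNSBL lookup in Python, with the input guards the Perl lacks, plus a coverage check of the kind described in the 2/4 update below. The sample addresses, the answers and the stub resolver are constructed; only the zone name comes from the post.

```python
import ipaddress
import socket

# Zone used by the modified plugin on this page. The addresses, the
# answers and the stub resolver below are constructed for this example.
DNSBL_ZONE = "opm.blitzed.org"
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reversed-octet lookup name for an IPv4 address, or None for input
    that should never reach the DNSBL: not an address at all (empty or
    garbled remote_ip), IPv6, or a private/loopback address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if addr.version != 4 or any(addr in n for n in SKIP_NETS):
        return None
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """True when the zone answers with a 127.0.0.0/8 address (the usual
    DNSBL listing convention). NXDOMAIN or a resolver error counts as not
    listed: the same fail-open behaviour as checkdnsrr() returning false."""
    name = dnsbl_query_name(ip, zone)
    if name is None:
        return False
    try:
        answer = ipaddress.ip_address(resolve(name))
    except (OSError, ValueError):
        return False
    return answer in ipaddress.ip_network("127.0.0.0/8")

def coverage(ips, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Fraction of a sample of spam-source addresses that the zone lists."""
    ips = list(ips)
    return sum(is_listed(ip, zone, resolve) for ip in ips) / len(ips)

# Constructed sample: two of the four spam sources are listed.
SAMPLE_IPS = ["198.51.100.23", "198.51.100.24", "203.0.113.7", "203.0.113.8"]
STUB_ANSWERS = {"23.100.51.198.opm.blitzed.org": "127.1.0.1",
                "7.113.0.203.opm.blitzed.org": "127.1.0.1"}

def stub_resolve(name):
    """Offline stand-in for socket.gethostbyname; unknown names -> NXDOMAIN."""
    if name in STUB_ANSWERS:
        return STUB_ANSWERS[name]
    raise socket.gaierror("NXDOMAIN")
```

Swap `stub_resolve` for the default `socket.gethostbyname` to query the live zone; `coverage(SAMPLE_IPS, resolve=stub_resolve)` returns 0.5 with the constructed data.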

#### Update (2/2/2005):

Zack is, alas, correct. My “internal working version” is a little more heavily hacked than I let on (or even remembered). So, pending Brad releasing a new version of his plugin, here’s a (slightly neatened-up) canned replacement which filters both Comments and Trackbacks.

#### Update (2/4/2005):

Ever the scientist, I decided to check whether the success of the opm.blitzed.org open proxy list in covering the particular proxies used by these spammers in their recent Trackback Spam runs was due to dumb luck or to genuine comprehensiveness, so I looked up a much larger sample of IP addresses used in recent weeks by these lowlifes for referrer spam and their (feeble attempts at) comment spam. The result is that opm.blitzed.org lists only about half of those IP addresses [1]. In other words, I got lucky [2].

So I’ve begun to deploy some other countermeasures against them, which I will surely write about anon. In the meantime, there’s a wee buglet in the plugin I posted the other day. If you downloaded it, please download it again.

[1] Looking back at a weeks-old list of proxies may not be a reliable measure. Many of these may once have been open, but are now closed and delisted. So this surely understates the effectiveness of the Blitzed list. By how much is hard to tell.

[2] In case you’re wondering about the Central Limit Theorem, a spam run seems to use about a dozen different proxies, but these are likely not uncorrelated. If the spammers use trojanned PCs for their spam run, none of them will show up on the Blitzed list. Conversely, if they happen to use open proxies which have previously been used to connect to certain IRC channels (monitored by the BOPM), they all will appear.

Posted by distler at February 1, 2005 5:57 PM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/502

Thanks for taking the time to write this up, Jacques. I think this episode will give us the incentive to upgrade our site. Though we can’t hope to be as all-singing, all-dancing, all-standards-compliant as golem ;-)

Posted by: Kieran Healy on February 1, 2005 6:04 PM

This is the same method which I was going to implement into my own little project (when it gets finished!) so it’s good to know that it works :)

Posted by: Porges on February 1, 2005 9:08 PM

### Blitzed

I was flabbergasted that blitzed.org knew every single one of the open proxies they used on their spam run. I expected it to catch most. But all? That was remarkable.

Blitzed gathers their list of open proxies by monitoring IRC channels. It would be really cool if someone were to adapt (supplement, really) their work by doing the same for blog Comments/Trackbacks.

If Typepad (and some other big blog hosting services) used a modified version of the BOPM to check whether a client submitting a Comment/Trackback was an open proxy, we could really put the boot to these open-proxy-using spammers once and for all.

Posted by: Jacques Distler on February 1, 2005 9:46 PM | PGP Sig

### Re: Blitzed

If you wanted to be more secure (although it would appear you don’t need it at the moment) you might try “sbl-xbl.spamhaus.org” in place of “opm.blitzed.org”, as it integrates the Blitzed list along with the CBL (cbl.abuseat.org) and their own Spamhaus block list.

Your open proxy check by the Trackback receiver seems like a great idea, sounds like a project…

Posted by: Porges on February 1, 2005 10:09 PM

### Bigger isn’t necessarily better

> If you wanted to be more secure (although it would appear you don’t need it at the moment) you might try “sbl-xbl.spamhaus.org” in place of “opm.blitzed.org”, as it integrates the Blitzed list along with the CBL (cbl.abuseat.org) and their own Spamhaus block list.

Others have argued similarly, but I don’t see the point. I don’t care whether a given client has an open SMTP relay, or an unsecured formmail CGI script or whatever. All I care about is whether it’s an open HTTP proxy. I get fewer “false positives” by sticking to a DNSBL that lists only open HTTP proxies, rather than some mega-list with all kinds of other stuff mixed in.

> Your open proxy check by the Trackback receiver seems like a great idea, sounds like a project …

The IRC guys seem to have done a bang-up job already. But, yeah, this would be a cool addition.

Posted by: Jacques Distler on February 1, 2005 10:28 PM | PGP Sig

### Re: Bigger isn’t necessarily better

> I get fewer “false positives” by sticking to a DNSBL that lists only open HTTP proxies, rather than some mega-list with all kinds of other stuff mixed in.

That’s an important point. I am using Brad’s plugin with the “moderate” setting and in the last few days my own comments have been moderated because of the SMTP proxy issue. I have BellSouth DSL. Switching over to blitzed fixed that.

Posted by: Zack on February 2, 2005 12:57 AM | PGP Sig

MT-DSBL doesn’t block trackbacks, does it? So this must be another one of your patches!

Posted by: Zack on February 2, 2005 2:14 AM | PGP Sig

You missed a line at the top.

package plugins::dsbl_deny;

The plugin doesn’t work without that.

Posted by: Zack on February 2, 2005 5:28 PM | PGP Sig

### Truncated file

Corrected.

Also, Brad Choate is planning to release a new “official” version of the plugin with many more features (configurability from within the MT interface, etc.).

Posted by: Jacques Distler on February 2, 2005 5:40 PM | PGP Sig

Read the post on the move to MT 3
Weblog: Al-Muhajabah's Movable Type Tips
Excerpt: I seem to be taking "better late than never" to its ultimate extreme. It's getting close to a year since MT 3.0 was released (I think about nine or ten months now). All this time, I've still been on MT...
Tracked: February 3, 2005 1:41 AM

Weblog: Don't Back Down
Excerpt: I've received only a small taste of the trackback spam that has been floating around. Yet it's still enough to be annoying. Especially since I didn't really have any good way of addressing it. With comments, I can moderate them. I can make sure they ha...
Tracked: February 3, 2005 11:11 AM

Read the post Mod Security and DBSL
Weblog: joe mullins dot com
Excerpt: Updated the server last night while feeling crappy and skipping out on martial arts. Installed mod_security (here's why) and Jacques' hacked DBSL plugin for Movable Type. While my blogs have been pretty spam free since moving to the new server...
Tracked: February 4, 2005 4:12 PM

Read the post Front-end and Back-end Changes
Weblog: Procrastination
Excerpt: There have been a lot of changes here recently, most of them on the back-end. Most of this work was related to having a bilingual (English and Urdu) blog along with MathML equations. This required valid XHTML 1.1 and serving...
Tracked: February 11, 2005 8:24 AM

Read the post Under Trackback Spam Attack (Trackback Spam)
Weblog: HOLLOBLOG (별주부뎐)
Excerpt: What was bound to come has finally come. Today a spam trackback attack started, using a well-known keyword, 'Texas Hold'em' or some such, and mt-blacklist can't defend against it. Sigh. For the time being there seems to be no option but to block trackbacks. Oh well. Update: I looked for related links, but in the end...
Tracked: February 15, 2005 7:01 AM

Read the post The Story of Pings
Weblog: Upon Reflection
Excerpt: In the continuing saga of man versus spam, there is yet another trick the vermin use to "spread their message". First there was comment spam, then there was referral spam, and now we have...Trackback Spam! Why take the time to...
Tracked: March 14, 2005 2:14 PM