Fucking spambots!

14 12 2006

If you see this website not responding from time to time, it’s because it’s currently being targeted by a network of spambots that try to post with such violence that they manage to bring the system to its knees.

The problem is not so much identifying spam—Akismet does that perfectly well 99.99% of the time. The problem is that, precisely because of Akismet, each post will tie up an Apache child process for a significant interval of time and those bots are posting so quickly that they will make the server reach the configured limit on the number of server processes in a matter of seconds.

I could raise that number, but this system hasn’t got a whole lot of memory, and I would hate shelling out more money just to keep those bots at bay. Barring a reconfiguration of Apache to use a different multiprocessing model or anything that would cost me a significant amount of time—after all, one of the reasons for using WordPress on Apache is just because it simply works, most of the time, and requires very little maintenance—one option left to me is harvesting the IP addresses of those bots and blocking them using iptables.

Of course, it’s an uphill battle, and I’m afraid I will quickly reach a point where the kernel will start sweating just to check every packet against a huge list of source addresses (I have more than 700 right now in this file, which you are free to reuse if you have the same problem). Probably most of those PCs (fuck Microsoft and its idea of security, by the way) have dynamic IP addresses, which just makes the problem bigger.

Anyway, this strategy seems to be working for now, so I’ll stick to it. If you’re curious, all the bots in this recent wave exhibit the following User-Agent string:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)
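
The harvesting step described above, as an added example that is not the author's own script: it pulls the client addresses that POSTed comments with this User-Agent out of an Apache combined log and prints them as an ipset restore file. The handler path `/wp-comments-post.php`, the two-hit threshold, the set name `spambots` and the use of ipset (one hashed lookup instead of one iptables rule per address) are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Log lines are constructed;
# addresses come from the RFC 5737 documentation ranges.
UA='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)'
COMMENT_PATH='/wp-comments-post.php'  # assumption: default WordPress handler
MIN_HITS=2                            # assumption: skip one-off posters

sample_log() {
cat <<'EOF'
192.0.2.10 - - [14/Dec/2006:10:00:01 +0100] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
192.0.2.10 - - [14/Dec/2006:10:00:02 +0100] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
198.51.100.7 - - [14/Dec/2006:10:00:02 +0100] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
198.51.100.7 - - [14/Dec/2006:10:00:03 +0100] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
198.51.100.7 - - [14/Dec/2006:10:00:04 +0100] "GET /2006/12/14/some-post/ HTTP/1.1" 200 9000 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
203.0.113.5 - - [14/Dec/2006:10:00:05 +0100] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
203.0.113.9 - - [14/Dec/2006:10:00:06 +0100] "POST /wp-comments-post.php HTTP/1.1" 200 512 "http://example.org/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20061201 Firefox/2.0"
EOF
}

# Read a combined-format log on stdin; print each client IP that POSTed to
# the comment handler with the exact bot User-Agent at least MIN_HITS times.
bot_ips() {
  awk -F'"' -v ua="$UA" -v path="$COMMENT_PATH" -v min="$MIN_HITS" '
    {
      split($1, pre, " ")   # $1: "IP ident user [time] "
      split($2, req, " ")   # $2: "METHOD URL PROTOCOL"
      # $6 is the User-Agent when the line is split on double quotes
      if (req[1] == "POST" && req[2] == path && $6 == ua) hits[pre[1]]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }
  ' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
  # The grep keeps only dotted quads, so nothing malformed from the log
  # reaches the firewall tooling.
}

# Turn a list of IPs on stdin into ipset restore lines for set $1.
ipset_lines() {
  echo "create $1 hash:ip"
  sed "s/^/add $1 /"
}

# Load with:  ipset -exist restore < spambots.ipset
# Match with: iptables -I INPUT -p tcp --dport 80 \
#               -m set --match-set spambots src -j DROP
sample_log | bot_ips | ipset_lines spambots
```

The User-Agent is client-supplied and also sent by real Maxthon users, so the match is tied to the comment POST and a hit threshold rather than to the string alone.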
8 responses

14 12 2006
Luis

Install bad behaviour ASAP. Perfect for just this sort of problem.

14 12 2006
niq

I hacked up mod_robots to deal with an acute problem of precisely this nature: it was quicker than figuring out a recipe with mod_rewrite at the time! Feel free to grab it from http://apache.webthing.com/svn/apache/misc/

14 12 2006
ugo

I actually did something simpler. Just hacked my WP installation so that the comment post action URL would be different from the default one. As long as bots don’t read the form, they will get a 404.

14 12 2006
Ste

# grep Maxthon /var/log/apache2/divinocibo.it-combined.log | grep comments|wc -l
8738

(logrotate runs daily…)

14 12 2006
ugo

Ste, it’s better if you insert

| sort | uniq

before “wc -l”. This way, you’ll have a count of unique IPs, which is more meaningful.

14 12 2006
Ste

you are right, Ugo.
here we go!
grep Maxthon /var/log/apache2/divinocibo.it-combined.log|grep comments|sort|uniq|wc -l
8618

more meaningful now 🙂

14 12 2006
ugo

Ste, meaningful my ass! 😉

You have to extract the IP address from the first column of the output. Try:

grep … | cut -f 1 -d ' ' | sort | uniq | wc -l

1 12 2007
FUCKING SPAM BOTS

FUCK SPAMBOTS DUDE I HATE THEM AHG RG RGAHR GAH GHA R just some empathy enjoy
