  1. #1

    Ways to block spam

    Hi,
    As I can't enter my old host I can't test.
    However, I want to know.
    I changed host 3 days ago;
    at my previous host I discovered he blocked all IPs in Spamhaus,
    not only from sending emails but also from accessing the web on the server.
    Of course we had a discussion about this, so he said he disabled the security on my account and was no longer responsible for any hacking.....
    Well, when he did I started to get more spam, the kind that fills in your form; I don't have any captcha as I personally hate them.
    1 day later I stopped receiving so many and I saw he was blocking people coming from Google search with IPs in Spamhaus again, so I asked him what happened, as he had disabled it on my account.
    And I got as an answer that they had disabled it on the server (not only my account) and got I don't remember how many hacking attempts.

    So now I have changed host; however, the strange thing is I hardly get any spam from my forms.

    So either the spam was server-side (the site is still on the old host and I don't know if the form works, as I can't access the site on my old host to test).

    Now I wonder if maybe the new server has some kind of blocking or firewall.
    I have SpamAssassin disabled and I couldn't see anything strange in the logfile the first day.

    Anybody know how it works?

  • #2
    Even though you hate captchas, they're one of the best ways to prevent spam from cluttering up your forms.

    I'm unsure about the 'hacking' part, that honestly might have just been a scare-tactic to try and get you to stay with your previous provider.

  • #3
    Originally posted by dylanbaumannn:
    > Even though you hate captchas, they're one of the best ways to prevent spam from cluttering up your forms.
    >
    > I'm unsure about the 'hacking' part, that honestly might have just been a scare-tactic to try and get you to stay with your previous provider.

    No, the hacking part was my previous provider, who said that hackers and spammers come from sites blacklisted in Spamhaus, so big internet providers were blocked. And as I could not reason with him I changed host.
    I am very pleased with my new host; however, I wonder why I hardly get any spam from the forms.

    Before I went with the new hosting I asked them if they blocked IPs from accessing websites and got as an answer: only those that have attacked before....
    So I am in doubt as to why I don't get any form spam.
    Should I see an error for the possibly blocked IPs?

    My previous host gave a 406 and then I got a 404 as the 406 did not exist, just crazy.

    Forgot to say, he even said: we've been doing it for a year; just because you noticed, we won't change.
    That is = we've been stealing for a year and we won't stop just because you caught us....incredible, I think he is mad.
    No wonder last year was the worst year.
    Last edited by helenp; 02-03-2012 at 10:12 PM.

  • #4
    So you are asking how to stop form spammers but complain that your old hosting company was using the number one worldwide blocklist 'Spamhaus', and don't want to use captcha. You've wiped out the two most effective solutions right away.

    So what does it leave you with? First of all I'd make sure I used nonces in any form. This won't stop a spammer, but it will inconvenience replay type attacks.

    You'll ideally need some other random anti-automation code such as 'what is the middle number of these 1 3 5' etc.

    Ideally limit posting links in comments to trusted/established users.

    Forcing users to be registered with a confirmed email address before they can post is probably the most obvious choice, but spammers will often go through this process anyway as a look at any forum will show.

    Personally we block obvious known proxy services too (TOR endpoint, Hidemyass etc) but this is done at a firewall level in our situation. I'm reasonably sure there is a .htaccess list of the big offenders floating around too.

    The most effective systems are, of course, captcha and blocklisting known offender ranges - but as these don't suit you, you'll need to innovate and think outside the box.

    Personally I'd like to get round to creating an 'intent' type script that looks for any links in a post and looks up the URL in a domain-level blocklist. Then it looks up the IP address of the host *and* the IP address of the authoritative name server, checking them against the Spamhaus & Barracuda blocklists. The problem is that doing this creates latency and a performance hit (potentially up to 30 seconds per lookup) - which is why I've not bothered. I'm sure something like it already exists anyway.

    MOD_SECURITY may also have options, but I'm not a fan.
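
An added example, not part of the original thread, of the form nonce suggested in post #4: a signed, time-limited, single-use token placed in a hidden field, so that a captured submission cannot simply be replayed. The secret key, the 15-minute lifetime and the in-memory store of spent nonces are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: one server-side secret per deployment
MAX_AGE = 900                         # assumption: a rendered form stays valid for 15 minutes
_used = set()                         # spent nonces; a real site needs a shared store with expiry


def _sign(form_id, nonce, ts):
    """HMAC over the form name, the nonce and the issue time."""
    msg = f"{form_id}:{nonce}:{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Return 'nonce:timestamp:mac' to embed in a hidden form field."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    return f"{nonce}:{ts}:{_sign(form_id, nonce, ts)}"


def check_token(form_id, token, now=None):
    """Return (ok, reason); a token is accepted once, for one form, within MAX_AGE."""
    now = time.time() if now is None else now
    parts = token.split(":")
    if len(parts) != 3:
        return False, "malformed"
    nonce, ts, mac = parts
    expected = _sign(form_id, nonce, ts)
    # Compare as bytes in constant time; the signature covers ts, so it is
    # only parsed after the MAC has been verified.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    if now - int(ts) > MAX_AGE:
        return False, "expired"
    if nonce in _used:
        return False, "replayed"
    _used.add(nonce)
    return True, "ok"
```

As the post says, this does not stop a bot that fetches a fresh form for every submission; it only defeats resubmitting a recorded request.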

  • #5
    Originally posted by leslie.jones:
    > So you are asking how to stop form spammers but complain that your old hosting company was using the number one worldwide blocklist 'Spamhaus', and don't want to use captcha. You've wiped out the two most effective solutions right away.
    >
    > So what does it leave you with? First of all I'd make sure I used nonces in any form. This won't stop a spammer, but it will inconvenience replay type attacks.
    >
    > You'll ideally need some other random anti-automation code such as 'what is the middle number of these 1 3 5' etc.
    >
    > Ideally limit posting links in comments to trusted/established users.
    >
    > Forcing users to be registered with a confirmed email address before they can post is probably the most obvious choice, but spammers will often go through this process anyway as a look at any forum will show.
    >
    > Personally we block obvious known proxy services too (TOR endpoint, Hidemyass etc) but this is done at a firewall level in our situation. I'm reasonably sure there is a .htaccess list of the big offenders floating around too.
    >
    > The most effective systems are, of course, captcha and blocklisting known offender ranges - but as these don't suit you, you'll need to innovate and think outside the box.
    >
    > Personally I'd like to get round to creating an 'intent' type script that looks for any links in a post and looks up the URL in a domain-level blocklist. Then it looks up the IP address of the host *and* the IP address of the authoritative name server, checking them against the Spamhaus & Barracuda blocklists. The problem is that doing this creates latency and a performance hit (potentially up to 30 seconds per lookup) - which is why I've not bothered. I'm sure something like it already exists anyway.
    >
    > MOD_SECURITY may also have options, but I'm not a fan.

    No, sorry, I did not explain myself correctly.
    I am not searching for a way to block spam; that does not worry me.
    What worries me is losing visitors.

    I wonder how the host can block spammers without me knowing about it.
    As my previous host blocked Spamhaus IPs both from sending emails and from visiting websites. When he turned this off for a day, I got more spam from my form, still acceptable, but a big difference. I saw in my logfile people coming from Google search who were blocked from accessing my website, and they were all in Spamhaus and big internet providers.

    I just changed to a host that says they don't block Spamhaus IPs from accessing websites, and only block IPs that attacked the server.
    So what I don't understand is why I get so little spam from the form on the new host.....The logic would be that I would get more spam, as they don't block that way.
    I am wondering if they are doing something strange also.

    Thanks,

  • #6
    As for why one host would see more spam and attacks than the other, well that could be for many reasons. Size of host, firewall policy, location, type of domains it hosts, colour of toothbrush etc.

    I'd like to think that your previous host were not stupid enough to use any Spamhaus list that contained PBL data. It would be pretty moronic to block dynamic ranges. However, if they made sensible use of the SBL, XBL or even DBL data then you can be sure they were blocking rubbish traffic that you would not want.

    You may well have more 'traffic' (aka 'visitors') as a result of not blocking miscreants' IPs, but the quality of that traffic will probably be very poor and irrelevant and just be a waste of bandwidth (and in turn, money).

    Most of us spend a lifetime fighting spammers and miscreants from defacing and hacking our websites. Turning off security features to make their lives easier is not something I'd advocate, but it's a personal choice. If you are confident that your code is 110% robust and secure, happy to manually remove spam posts and welcome traffic from miscreants and spammers then don't let me, or any hosting company, put you off ;-)

    REFERENCE LINK:
    http://www.spamhaus.org/
    Last edited by leslie.jones; 02-07-2012 at 11:23 AM.

  • #7
    Originally posted by leslie.jones:
    > As for why one host would see more spam and attacks than the other, well that could be for many reasons. Size of host, firewall policy, location, type of domains it hosts, colour of toothbrush etc.
    >
    > I'd like to think that your previous host were not stupid enough to use any Spamhaus list that contained PBL data. It would be pretty moronic to block dynamic ranges. However, if they made sensible use of the SBL, XBL or even DBL data then you can be sure they were blocking rubbish traffic that you would not want.
    >
    > You may well have more 'traffic' (aka 'visitors') as a result of not blocking miscreants' IPs, but the quality of that traffic will probably be very poor and irrelevant and just be a waste of bandwidth (and in turn, money).
    >
    > Most of us spend a lifetime fighting spammers and miscreants from defacing and hacking our websites. Turning off security features to make their lives easier is not something I'd advocate, but it's a personal choice. If you are confident that your code is 110% robust and secure, happy to manually remove spam posts and welcome traffic from miscreants and spammers then don't let me, or any hosting company, put you off ;-)
    >
    > REFERENCE LINK:
    > http://www.spamhaus.org/

    I have actually seen with my own eyes Spanish, Swedish, American etc. big internet providers coming from a Google search being blocked, and the host said in his own words that they blocked those IPs from viewing websites as it is from there that the spammers and hackers come...
    It's normal to block emails but not access to websites, as most persons using those IPs are normal persons.
    As you referenced Spamhaus, I have already read their guidelines, and the guidelines are totally against what the host has done. And I have more bandwidth than I can use:
    From Spamhaus:
    "Should I use the XBL to block access to my webserver since it means that the IP address has a virus or open proxy?
    A listing in the XBL does not mean this. It means that at one time the IP address may have had a virus or open proxy.

    The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users.

    If you still feel you must use the XBL in this way, do not refer users back to Spamhaus. You must deal with blocked users yourself. Either by giving them a point of contact, or perhaps by instituting a CAPTCHA + cookie system to screen out spam-bots."

    I do think it's up to me if I want to waste my bandwidth or not.

    Word from the owner:
    "As you can see, I am correct. 213.205.232.76 is on the SpamHaus blacklist at http://www.spamhaus.org/query/bl?ip=213.205.232.76 which would explain why mod security took them out as suspicious."
    BTW, that IP is no longer listed, and most blocked were XBL only.
    Last edited by helenp; 02-07-2012 at 12:53 PM.
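
An added example (not code from the thread or from Spamhaus) of the distinction argued over in posts #6 and #7: it queries the combined ZEN zone, tells SBL, XBL and PBL answers apart by their return codes, and applies a per-list web policy under a time budget, which addresses the latency concern from post #4. The policy table, the 2-second budget and the injectable `resolve` function are assumptions, and the IPv4-only handling is a simplification.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

ZEN_ZONE = "zen.spamhaus.org"
ZEN_CODES = {"SBL": {2, 3, 9}, "XBL": {4, 5, 6, 7}, "PBL": {10, 11}}
# Assumed web policy: SBL blocks, XBL gets a CAPTCHA (the FAQ quoted in the
# thread), PBL is ignored because it lists ordinary dynamic ranges.
WEB_POLICY = {"SBL": "block", "XBL": "challenge"}
_pool = ThreadPoolExecutor(max_workers=4)


def classify_zen(answer):
    """Map one ZEN answer (127.0.0.x) to the Spamhaus list it stands for."""
    if not answer.startswith("127.0.0."):
        return "ERROR"  # e.g. 127.255.255.x: query refused, not a listing
    last = int(answer.rsplit(".", 1)[1])
    for name, codes in ZEN_CODES.items():
        if last in codes:
            return name
    return "UNKNOWN"


def dns_lookup(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []  # NXDOMAIN means "not listed"


def zen_lists(ip, resolve=dns_lookup, budget=2.0):
    """Return the set of lists an IPv4 address is on, within a time budget."""
    if ipaddress.ip_address(ip).version != 4:
        return set()  # IPv6 uses a nibble format this sketch does not build
    query = ".".join(reversed(ip.split("."))) + "." + ZEN_ZONE
    try:
        answers = _pool.submit(resolve, query).result(timeout=budget)
    except LookupTimeout:
        return {"TIMEOUT"}  # slow DNS must not stall the form handler
    return {classify_zen(a) for a in answers}


def web_action(ip, resolve=dns_lookup, budget=2.0):
    """Decide what to do with a web visitor: block, challenge or allow."""
    lists = zen_lists(ip, resolve, budget)
    for name in ("SBL", "XBL"):
        if name in lists:
            return WEB_POLICY[name]
    return "allow"  # PBL-only, errors and timeouts all fail open
```

A mail server would apply a different table, since rejecting SMTP from PBL ranges is the use that list is meant for.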

  • #8
    Well yes, 213.205.232.76 is one of Orange's mobile phone customers using a data service. Sure, there are plenty of good customers in these ranges, but it's a range I've often seen in abuse and attacks. As XBL data is dynamic, once the miscreant is dealt with the IP is released from the XBL, so I don't fear using it for anything.

    But it's a personal choice and I like to do all I can to stop attackers, not welcome their traffic.

  • #9
    Originally posted by leslie.jones:
    > Well yes, 213.205.232.76 is one of Orange's mobile phone customers using a data service. Sure, there are plenty of good customers in these ranges, but it's a range I've often seen in abuse and attacks. As XBL data is dynamic, once the miscreant is dealt with the IP is released from the XBL, so I don't fear using it for anything.
    >
    > But it's a personal choice and I like to do all I can to stop attackers, not welcome their traffic.

    Well, I've been asking many hosts and all said the same: they do block emails but not IPs from visiting sites, unless they are attacking the server.
    And it's up to the client to block IPs from accessing their websites; I pay for the bandwidth.

    Anyway, my question was: if a host blocks IPs from accessing, should an error be created, or could I search the raw log file for the error?
    On my previous host I could perfectly well see the error and the search term used in Google. But can the host block, and there be no way I can see that IPs have been blocked?

  • #10
    It depends how they are blocking it - that is, what mechanism are they using to block it.
    Are they blocking it at a firewall level? Application level? Are they using something like MOD_SECURITY?

    You need to ask them how they have implemented blocking and if you can have log access to any such blocking for your domain.

    The host would be the only people who could answer this accurately.
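
An added example, not part of the original thread, for the question in post #9: a block enforced by the web server (such as mod_security answering 406, as on the first host) leaves a line in the access log, whereas a firewall drop never reaches the web server and leaves none, so a scan like this can only reveal the first kind. The log lines are constructed, and counting 403 as a block status alongside the thread's 406 is an assumption.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"')
BLOCK_STATUSES = {"403", "406"}  # 406 is from the thread; 403 is an assumption

# Constructed sample lines (documentation IP ranges, invented search terms).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2012:10:01:22 +0000] "GET /rooms.html HTTP/1.1" 406 312 "http://www.google.es/search?q=hotel+malaga" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2012:10:02:05 +0000] "GET /rooms.html HTTP/1.1" 200 8841 "http://www.google.com/search?q=holiday+rental" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2012:10:03:40 +0000] "POST /contact.php HTTP/1.1" 406 312 "-" "Mozilla/4.0"
192.0.2.44 - - [03/Feb/2012:10:05:13 +0000] "GET / HTTP/1.1" 403 290 "http://www.google.se/search?q=semester+spanien" "Mozilla/5.0"
"""


def blocked_search_visits(log_text):
    """Return (ip, status, search term) for refused visits that came from Google."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["status"] not in BLOCK_STATUSES:
            continue
        ref = urlparse(m["ref"])
        host = ref.hostname or ""
        if not host.startswith(("www.google.", "google.")):
            continue  # refused, but not a visitor arriving from a search
        term = parse_qs(ref.query).get("q", [""])[0]
        hits.append((m["ip"], m["status"], term))
    return hits


if __name__ == "__main__":
    for ip, status, term in blocked_search_visits(SAMPLE_LOG):
        print(f"{ip} refused with {status}, searched for {term!r}")
```

An empty result on the new host is therefore not proof that nothing is blocked; only the host's firewall logs can show dropped connections.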

  • #11
    Originally posted by leslie.jones:
    > It depends how they are blocking it - that is, what mechanism are they using to block it.
    > Are they blocking it at a firewall level? Application level? Are they using something like MOD_SECURITY?
    >
    > You need to ask them how they have implemented blocking and if you can have log access to any such blocking for your domain.
    >
    > The host would be the only people who could answer this accurately.

    I asked and they say they use a firewall and also sometimes mod_security, and I asked for their rules for blocking; they said this:
    "IP blocks which intended to restrict/prevent access to the website is done by the Server firewall. The rules in general would be like continuous login failures to cPanel/Shell access etc., Port scanning etc. According to the rules, the IP denial can be temporary or permanent. When a specific IP is blocked in the server, users will neither get any alerts based on it nor any E-mail bounce backs. If they are getting any E-mail bounce backs, it should be of some other reason"

    I wonder if spiders that search for forms to spam can be detected as port scanning?
    I only know that without a captcha I have less form spam; I was expecting that maybe I would have to add one, but there's no need for 1 or 2 per day.
    However, I am very pleased with the service from this host, though I sort of don't like that I don't get any error etc...

