Ways to block spam
As I cant enter my old host I cant test.
However I want to know.
I changed host 3 days ago,
in previous host I discovered he blocked all ips in Spamhaus,
not only to send emails but also to access the web in the server.
Of course we had a discussion about this, so he said he disabled the security on my account and was no longer responsable for any hacking.....
Well when he did I started to get more spam, those that fill in your form, I dont have any captcha as I personally hate them.
1 day later I stopped receiving so many and I saw he were blocking people coming from google search with ip in Spamhaus again, so I asked him what happen as he disabled it on my account.
And I got as answer that they disabled it on the server (not only my account) and got dont remember how many hacking attempts.
So know I have change host, however the strange is I dont get hardly any spam from my forms.
So or either the spam was serverside (site is still on old host and I dont know if the form works as I cant access the site in my old host to test).
Now I wonder if maybe the new server has some kind of blocking or firewall.
I have spamassaign disabled and I couldn´t see any strange in the logfile the first day.
Anybody know how it works?
Even though you hate captchas, they're one of the best ways to prevent spam from cluttering up your forms.
I'm unsure about the 'hacking' part, that honestly might have just been a scare-tactic to try and get you to stay with your previous provider.
No, the hacking part was my previous provider that said that hackers and spammers comes form site blacklisted in Spamhaus, so big internet providers were blocked. And as could not reason with him I changed host.
Originally Posted by dylanbaumannn
I am very pleased with my new host, however I wonder why I hardly get any spam from the forms.
Before I went with the new hosting I asked them if they blocked ips for accessing websites and got as answer only those that have attacked before....
So I am doubting why I dont get any form-spam.
Should I see an error for the possible blocked ips?
My previous host gave an 406 and then I got an 404 as the 406 did not exists, just crazy.
Forgot to say, he even said, we´ve been doing it for a year, just because you noticied we wont change.
That is = we been steeling for a year and we wont stop just because you cought us....incredible, think he is mad.
No wonder last year was the worst year.
So you are asking how to stop form spammers but complain that your old hosting company was using the number one worldwide blocklist 'Spamhaus', and don't want to use captcha. You've wiped out the two most effective solutions right away.
So what does it leave you with? First of all I'd make sure I used nonces in any form. This wont stop a spammer, but it will inconvenience replay type attacks.
You'll ideally need some other random anti-automation code such as 'what is the middle number of these 1 3 5' etc.
Ideally limit posting links in comments to trusted/established users.
Forcing users to be registered with a confirmed email address before they can post is probably the most obvious choice, but spammers will often go through this process anyway as a look at any forum will show.
Personally we block obvious known proxy services too (TOR endpoint, Hidemyass etc) but this is done at a firewall level in our situation. I'm reasonably sure there is a .htaccess list of the big offenders floating around too.
The most effective systems are, of course, captcha and blocklisting known offender ranges - but as these don't suit you, you'll need to innovate and think outside the box.
Personally I'd like to get round to creating an 'intent' type script that looks for any links in a post, looks up both the URL in a domain level blocklist. Then, looks up the IP address of the host *and* ip address of the authoritative name server checking them against Spamhaus & Barracuda blocklists. The problem is doing this creates latency and a performance hit (potentially up to 30 seconds per look up) - which is why I've not bothered. I'm sure something like it already exists anyway.
MOD_SECURITY may also have options, but I'm not a fan.
No, sorry I did not expalin myself correctly.
Originally Posted by leslie.jones
I am not searching for a way to block spam, that does not worry me,
what worries me is loosing visitors.
I wonder how the host can block spammers without me knowing about it.
As my previous host blocked spamhaus ip both from sending emails and from visiting websites. When he turned this off for a day, I got more spam from my form, but still acceptable, but a big difference. I saw in my logfile people coming from google search that was blocked from accessing my website, and they were all in Spamhaus and big internet providers.
I just changed host that says they dont block spamhaus ips for accessing websites, only blocks ips that attacked the server.
So what I dont understand is why I get so few spam from the form in the new host.....The logic would be that I would get more spam as they dont block that way.
I am wondering if they are doing something strange also.
As for why one host would see more spam and attacks than the other, well that could be for many reasons. Size of host, firewall policy, location, type of domains it hosts, colour of toothbrush etc.
I'd like to think that your previous host were not stupid enough to use any Spamhaus list that contained PBL data. It would be pretty moronic to block dynamic ranges. However, if they made sensible use of the SBL,XBL or even DBL data then you can be sure they were blocking rubbish traffic that you would not want.
You may well have more 'traffic' (aka 'visitors') as a result of not blocking miscreants IP's, but the quality of that traffic will probably be very poor and irrelevant and just be a waste of bandwidth (and in turn, money).
Most of us spend a lifetime fighting spammers and miscreants from defacing and hacking our websites. Turning off security features to make their lives easier is not something I'd advocate, but it's a personal choice. If you confident that your code is 110% robust and secure, happy to manually remove spam posts and welcome traffic from miscreants and spammers then don't let me, or any hosting company, put you off ;-)
I actually seen with my own eyes spanish, swedish, american etc big internet provider coming from a google search being blocked and the host said with his own word that they blocked those ips from viewing websites as it is from there the spammers and hackers come...
Originally Posted by leslie.jones
Its normal to block emails but not access to websites as most persons using those ips are normal persons.
As you referenced spamhaus, I have already read there guidelines and the guidelines are totally against what the host done. And I have more bandwith than I can use:
"Should I use the XBL to block access to my webserver since it means that the IP address has a virus or open proxy?
A listing in the XBL does not mean this. It means that at one time the IP address may have had a virus or open proxy.
The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users.
If you still feel you must use the XBL in this way, do not refer users back to Spamhaus. You must deal with blocked users yourself. Either by giving them a point of contact, or perhaps by instituting a CAPTCHA + cookie system to screen out spam-bots. "
I do think its up to me if I want to waste my bandwith or not.
Word from the owner:
"As you can see, I am correct. 188.8.131.52 is on the SpamHaus blacklist at http://www.spamhaus.org/query/bl?ip=184.108.40.206 which would explain why mod security took them out as suspicious."
btw, that ip is no longer listed, and most blocked were XBL only
Well yes, 220.127.116.11 is one of Oranges mobile phone customers using a data service. Sure, there are plenty of good customers in these ranges, but it's a range I've often seen in abuse and attacks. As XBL data is dynamic once the miscreant is dealt with, the IP is released from the XBL so I don't fear using it for anything.
But it's a personal choice and I like to do all I can to stop attackers, not welcome their traffic.
well Ive been asking many hosts and all said the same, they do block emails but not ips from visiting site, unless they are atacking the server.
Originally Posted by leslie.jones
And its up to the client to block ips from accessing there websites, I pay the bandwith.
Anyway my question was, if host block ips from accesing should an error be created, or could I search the rawlog file for the error?
On my previous host I could perfectly well see the error and the search term used in google. But can the host block and there is no way I can see that ips been blocked?
It depends how they are blocking it - that is, what mechanism are they using to block it.
Are they blocking it at a firewall level? Application level? Are they using something like MOD_SECURITY?
You need to ask them how they have implemented blocking and if you can have log access to any such blocking for your domain.
The host would be the only people who could answer this accurately.
I asked and they says they use firewall and also sometimes mod_security and I asked there rules for blocking they said this:
Originally Posted by leslie.jones
"IP blocks which intended to restrict/prevent access to the website is done by the Server firewall. The rules in general would be like continuous login failures to cPanel/Shell access etc., Port scanning etc. According to the rules, the IP denial can be temporary or permanent. When a specific IP is blocked in the server, users will neither get any alerts based on it nor any E-mail bounce backs. If they are getting any E-mail bounce backs, it should be of some other reason"
I wonder if spiders that search for forms to spam, can they be detected as port scanning?
I only know that without catcha I have less of formspam, I was waiting that maybe I would have to add one, but no need for 1 or 2 per day.
However I am very pleased with the service for this host, however sort of not liking that I dont get any error etc...