Phil,

ModSecurity can help address comment SPAM on a number of fronts -

1) The soon-to-be-released version of the Core Rule set
   (http://www.modsecurity.org/projects/rules/index.html) will include
   some basic rules around identifying comment SPAM.

2) You could use the @rbl operator in ModSecurity 2 to run real time
   lookups against the various block lists.

3) As you mentioned below, you probably don't want the overhead of
   repeated rbl checks every time the SPAMMER posts a message, so you
   could combine the @rbl check with a persistent collection (based on
   the IP address) that can enforce a temporary block (say for 1 day).

4) There are some other ModSecurity ideas that you might be able to
   take from ScallyWhack (http://projects.otaku42.de/wiki/ScallyWhack)
   which helps to prevent Comment SPAM on TRAC sites.

5) We had a recent thread on the modsecurity-users-list about rate
   limiting POST requests that can help against aggressive SPAMMERS -
   http://article.gmane.org/gmane.comp.apache.mod-security.user/4403.

Hope this info helps.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: Phil Endecott [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 11, 2008 12:55 PM
> To: users@httpd.apache.org
> Subject: [EMAIL PROTECTED] Blacklists & similar to avoid e.g. forum spam
>
> Dear Experts,
>
> Would anyone like to share any strategies for blocking forum spam and
> similar nastiness?
>
> I have a couple of forums which were totally filled with spam when I
> was once on holiday. When I got back I had to take them down for ages
> to clean them up, and then added a "captcha" mechanism to prevent
> further attacks. This seems to have worked (fingers crossed).
> However, I still see vast numbers of attempted attacks: so much so that
> these accesses dominate the sites' bandwidth usage. It's not a huge
> problem at present, but it's clear that e.g. a ten-fold increase could
> easily happen overnight and would start to get expensive.
>
> I've also started to see sites that just download large files over and
> over again, and I'm writing this message now because an address in
> Indonesia has downloaded one largish file 1664 times in the last two
> hours. Again, the bandwidth is not yet a problem, but I think I need to
> do something - or at least know what I could do - before it becomes one.
>
> I guess that the accesses come from "botnets" of compromised Windows
> machines. The IP addresses that I have checked look like DSL lines.
>
> So, I was wondering whether there are IP blocklists that I could apply
> - that strategy seems to work well for email. But there are a few
> obstacles:
>
> - For email filtering, the prevalent view seems to be to not identify
> individual compromised home computers, but rather to block the entire
> IP ranges of DSL providers. This is fine for email but obviously isn't
> appropriate for the web.
>
> - For email, the latency of doing a DNS blocklist lookup per connection
> is acceptable. But for a web server, latency is more undesirable. I
> imagine that it would be satisfactory to reject connections only if
> they were blocked by a locally cached blocklist entry, and to check new
> connections in the background.
>
> - Finally, I don't see any support for this sort of thing in Apache.
>
> Perhaps people have other strategies?
>
> Many thanks for any suggestions.
>
> Phil.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>    "   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
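The following ModSecurity 2 configuration is an added illustration of how suggestions 2 and 3 in Ryan's reply fit together (it is not from his mail, the Core Rule Set, or ScallyWhack). It assumes ModSecurity 2.x on Apache, a writable /var/cache/modsecurity directory for persistent collections, rule ids in the 100000 range, and sbl-xbl.spamhaus.org as the RBL zone; all four are assumptions to adapt to your own setup.

```apache
# Added illustration of suggestions 2 and 3 above (not from the original
# mail or the ModSecurity Core Rule Set).  Assumptions: ModSecurity 2.x on
# Apache, a writable /var/cache/modsecurity for persistent collections,
# rule ids in the 100000 range, and sbl-xbl.spamhaus.org as the RBL zone.
SecRuleEngine On
SecDataDir /var/cache/modsecurity

# Open (or create) a persistent collection keyed on the client address so
# that a verdict reached on one request is visible to later requests.
SecAction "phase:1,id:100001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Fast path, no DNS traffic: an address already flagged as a spammer is
# refused outright until its flag expires.
SecRule IP:SPAMMER "@eq 1" \
    "phase:1,id:100002,deny,status:403,log,msg:'Client IP previously listed on RBL, temporary block in force'"

# Slow path: only a POST (the comment submission) triggers an RBL lookup,
# so ordinary GET traffic never waits on DNS.  A positive answer is cached
# in the collection for 86400 seconds (1 day), so a listed address costs
# one DNS query per day.  The setvar/expirevar actions sit on the LAST
# rule of the chain on purpose: ModSecurity runs non-disruptive actions on
# a chained rule as soon as that individual rule matches, so placing them
# on the first rule would flag every POST client regardless of the RBL.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:1,id:100003,chain,deny,status:403,log,msg:'Client IP listed on RBL, blocking POSTs for 1 day'"
    SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
        "setvar:ip.spammer=1,expirevar:ip.spammer=86400"
```

Two things to check after deploying a variant of this: that the Apache user can write to SecDataDir (otherwise the collection silently never persists and every POST pays the lookup again), and that the chosen RBL zone actually lists the kind of hosts you see in your logs, since a zone aimed at mail senders will not necessarily match DSL-hosted web bots. Phil's wish to "reject connections only if they were blocked by a locally cached blocklist entry" is met by the IP:SPAMMER rule, with the difference that the cache is filled on the first POST from an address rather than in the background.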