Blog Comment Spambot Problem

Over the past few days the Apache server on my personal server has conked out a few times. Normally I’m in the middle of something else, annoyed, and running mostly on caffeine and willpower, so I just kick it over, restart it, and call it finished. But today it was hung again and I decided to bite the bullet and figure out what was up. After a couple of “how the hell did you find that out?” kind of questions I figured I would post this for posterity.

It looks like the problem is that spambots are posting to the server and then keeping connections open forever (or at least for a long time), until every worker slot is tied up and Apache stops answering. So how do you figure out something like that? Apache’s mod_status module publishes a server-status page over HTTP, but it’s turned off in most of the default configurations I’ve seen. You’ll probably have something like the following somewhere in your apache2.conf (this is the Apache 2.2 access-control syntax; on 2.4 the Order/Deny/Allow lines become a single “Require ip 127.0.0.1”):

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

I add “ExtendedStatus On” below that section (it is a server-wide directive, not something that goes inside the Location block) so that I get a detailed per-request list in the output as well. The page can only be loaded from localhost, which means I have to set up an SSH tunnel from my desktop in order to hit it. Keep it that way: the status page shows every client’s IP and the URL it is requesting, which is not something you want to hand to the rest of the Internet.

Once you have that set up you’ll be able to see which URL each request is hitting, how long it’s been going on for (the “SS” column in the status table: seconds since the start of that worker’s most recent request) and what IP it’s coming from. One thing to watch for: an idle worker (state “_”) also shows a large SS, but that’s the age of its last finished request, not a live connection, so only the rows with an active state matter. Then it’s just a simple “iptables -I INPUT -s $ip -j DROP” and that IP effectively no longer exists as far as you’re concerned (at least until the next reboot, since rules added this way aren’t saved unless you persist them with iptables-save or your distro’s equivalent). As long as you don’t mind dropping chunks of the Internet out of existence as far as your server is concerned in order to keep your web server up (turns out I’m fine with it) everything should be peachy. Sure, I could also change the Apache config to not allow that behavior, but my own poorly written junk sometimes needs to hold a connection to the server open for five minutes, so I would have problems myself. See, that’s what those of us in the biz call “engineering” right there.
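The whole procedure as a script, added here as an example and not code from the original post: fetch the server-status page through the SSH tunnel, pull out the workers whose current request has been running longer than a threshold, and turn their client IPs into iptables DROP commands. It assumes (none of this is stated in the post) that the tunnel maps local port 8080 to the server’s port 80, that the page uses the Apache 2.2 ExtendedStatus table layout (columns Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request), and that the comment form lives at /wp-comments-post.php. The sample rows at the bottom are constructed so the script runs offline; they are not real server output.

```shell
#!/bin/sh
# Added example, not code from the original post. Pulls the Apache
# server-status page through an SSH tunnel, picks out workers whose
# current request has been running longer than a threshold, and turns
# the client IPs into iptables DROP rules. Assumptions (not from the
# post): the tunnel maps local port 8080 to the server's port 80, and
# the page uses the Apache 2.2 ExtendedStatus table layout, i.e. the
# columns Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request.

STATUS_URL="http://localhost:8080/server-status"
THRESHOLD="${THRESHOLD:-120}"   # seconds in the SS column before we care

# fetch_status HOST: open the tunnel (ssh goes to the background) and
# fetch the page, which is only reachable from the server's loopback.
fetch_status() {
    ssh -f -N -L 8080:127.0.0.1:80 "$1"
    curl -s "$STATUS_URL"
}

# slow_clients FILE THRESHOLD: print "client_ip seconds request" for each
# worker row whose request has been running longer than THRESHOLD.
# Rows in state "_" (idle) or "." (empty slot) are skipped: their SS
# value is the age of a finished request, not a live connection.
slow_clients() {
    awk -v limit="$2" '
        /^<tr><td><b>[0-9]+-[0-9]+<\/b><\/td>/ {
            line = $0
            gsub(/<\/td><td[^>]*>/, "\t", line)   # cell boundaries -> tabs
            gsub(/<[^>]*>/, "", line)             # strip the remaining tags
            n = split(line, f, "\t")
            # f[4]=M (worker state), f[6]=SS, f[11]=Client, f[13]=Request
            if (n >= 13 && f[4] != "_" && f[4] != "." && f[6]+0 > limit+0)
                print f[11], f[6], f[13]
        }' "$1"
}

# ban_rules FILE THRESHOLD: one iptables DROP command per offending IP.
# Printed rather than executed so you can eyeball the list first; pipe
# into sh to apply. Rules added with -I are gone after a reboot unless
# you save them (iptables-save or your distro's equivalent).
ban_rules() {
    slow_clients "$1" "$2" | awk '{ print $1 }' | sort -u |
        while read -r ip; do
            printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        done
}

# Constructed sample in the 2.2 table layout so the script runs offline;
# not real server output. Two spambot IPs from the post's ban list are
# stuck on the comment form (one in W, one holding a keepalive in K),
# one idle worker has a large but harmless SS, and one fresh request
# should be left alone.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>1234</td><td>0/15/2107</td><td>W</td><td>0.41</td><td>312</td><td>0</td><td>0.0</td><td>1.23</td><td>44.12</td><td>213.240.225.101</td><td nowrap>example.com</td><td nowrap>POST /wp-comments-post.php HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>1235</td><td>0/9/1980</td><td>W</td><td>0.30</td><td>3</td><td>0</td><td>0.0</td><td>0.80</td><td>40.01</td><td>192.0.2.10</td><td nowrap>example.com</td><td nowrap>GET /index.php HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>1236</td><td>0/20/2200</td><td>_</td><td>0.55</td><td>900</td><td>0</td><td>0.0</td><td>1.50</td><td>45.00</td><td>198.51.100.7</td><td nowrap>example.com</td><td nowrap>GET /feed/ HTTP/1.1</td></tr>
<tr><td><b>3-0</b></td><td>1237</td><td>0/11/2050</td><td>K</td><td>0.38</td><td>287</td><td>0</td><td>0.0</td><td>1.10</td><td>43.50</td><td>80.231.205.88</td><td nowrap>example.com</td><td nowrap>POST /wp-comments-post.php HTTP/1.1</td></tr>
<tr><td><b>4-0</b></td><td>1238</td><td>0/14/2100</td><td>W</td><td>0.40</td><td>301</td><td>0</td><td>0.0</td><td>1.20</td><td>44.00</td><td>213.240.225.101</td><td nowrap>example.com</td><td nowrap>POST /wp-comments-post.php HTTP/1.1</td></tr>
</table>
EOF

ban_rules "$SAMPLE" "$THRESHOLD"
```

Run as-is and it prints two DROP rules from the sample (the idle worker with SS 900 and the 3-second request are both left alone). Against a live box the equivalent is `fetch_status myserver > status.html; ban_rules status.html 120 | sh`, with the threshold raised if your own slow pages legitimately hold connections for minutes. The keepalive state “K” is deliberately counted, since a bot that POSTs once and then just sits on the connection shows up there.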

Here’s the list of IPs I’ve banned so far because they were hitting my comment form too aggressively:

  • 213.240.225.101
  • 80.231.205.88
  • 82.137.247.132
  • 209.88.89.183
  • 61.220.150.2
  • 212.138.64.172
  • 148.233.159.24
  • 222.124.11.218
  • 68.110.103.157
  • 148.233.229.235
  • 193.233.82.10
  • 217.153.32.42
  • 213.182.158.167
  • 85.13.112.53
  • 212.138.64.178
  • 200.68.62.164
  • 210.102.99.71
  • 200.105.208.66
  • 195.137.188.92
  • 66.194.196.7
  • 148.233.159.57
  • 200.148.246.180
  • 80.34.213.167
  • 210.245.33.36
  • 64.181.43.7
  • 82.137.247.131
  • 201.17.197.43
  • 203.154.224.16
  • 193.226.105.151
  • 200.96.206.30
  • 148.233.229.236
  • 66.110.119.170
  • 218.26.14.194
  • 200.88.125.9
  • 81.183.209.6
  • 200.80.130.60
  • 200.43.196.131
  • 148.233.159.58
  • 200.65.127.163
  • 203.147.0.48
  • 200.129.163.7
  • 213.251.177.115
  • 69.79.152.26
  • 200.215.32.10

One Response to Blog Comment Spambot Problem

  1. Spambots are certainly bad beasts and should be banned from the entire Universe.

    Did you consider reducing or disabling the KeepAlive? That’s what allows them to keep the connection open.

    Also you might consider lowering the number of connections a process can take before dying (MaxRequestsPerChild). This often helps, especially if you have PHP running.
