The BFC Computing Weblog: Tag spam

Check Your Pyzors

Bill McGonigle — Mon, 30 Jul 2007 01:30:00 -0400

The main Pyzor server seems to have been down for a couple months now (no wonder my spam load was so high!). Even if you do ‘pyzor discover’ the server it returns is the one that doesn’t respond.

To restore pyzor functionality, change your pyzor/servers file to:

82.94.255.100:24441

and restart any processes, e.g. spamd or MailScanner which may have the old value in memory. Watch out for any ‘pyzor discover’ cron jobs you might have around.

Raw Spamtrap Data

Bill McGonigle — Wed, 11 Apr 2007 22:00:00 -0400

Bill Stearns has posted an analysis of his spamtrap data, covering the past six years. He makes a point of just providing data and not drawing conclusions, though the data can be very useful for doing such things.

Don’t worry - the Adult…Images link is just a file with md5 sums.

Spammer Tzome abuses Mozilla Bugzilla

Bill McGonigle — Tue, 10 Apr 2007 15:50:00 -0400

Just in case you’re ever temped to buy anything from a company called Tzome (no link, purposely), remember that they forced themselves upon the Mozilla bug database:

Received: from mail.Tzome.com (unknown [70.52.117.218]) by bfccomputing.com (Postfix) with ESMTP id DAD107FFEC for <bill+ mozilla- bugzilla@bfccomputing. com>; Tue, 10 Apr 2007 15:37:11 -0400 (EDT) Received: from sirseth ([192.168.1.1]) by mail.Tzome.com (Merak 8.3.0) with SMTP id PXI78101 for <bill+ mozilla- bugzilla@bfccomputing. com>; Tue, 10 Apr 2007 15:24:01 -0400 From: "John" <John@Tzome.com> To: <bill+ mozilla- bugzilla@bfccomputing. com> Subject: Hey It's John

and thus deserve condemnation rather than commission.

The above address was purposely broken with spaces to prevent it from being scraped here and thus muddying the waters.

Photo: Dog Food Run in Hanover

Tracking Blog Spam

Bill McGonigle — Fri, 30 Mar 2007 03:19:00 -0400

My blog is getting killed with spam, greater than 300 per day. Does anybody know how to implement CAPTCHA in typo? Or make Akismet do a better job of ranking?

In the meantime I’ve taken to blocking IP addresses. Here’s a handy little script I worked up (regex from the Perl regex FAQ) to take a block of arbitrary text (copy ‘n paste from my typo admin console’s log of comments) and spit back iptables blockrules for any IP addresses found in the text:

#!/usr/bin/perl -w
use strict;
use warnings FATAL=>'all';

my (@addresses);
while (<>) {
    my $str = $_;
    if ($str =~ /\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}/)
    {  #{1,3} says find at least 1 and no more than 3 of \d.
        # we must escape the dots . which are normally wild cards
        # to make them match dots.
        # you might have notice already that $& contains the last match
        my $remoteHost = $&;
        push(@addresses,$remoteHost);
    }
}

foreach my $address (@addresses) {
    if ($address ne '127.0.0.1') {
        print "-A RH-Lokkit-0-50-INPUT -s $address -j DROP\n";
    }
}

Now, this isn’t the best strategy as of 789 spams, there were 189 unique hosts, so it’s more distributed than I’d like. Perhaps it’s a start, though.

Update: I installed Typo 4.1 which has a feature called ‘Enable Spam Protection’, which looks at blacklists.