Blocked IP addresses due to spamming

Spammers are a real problem for bloggers and wiki operators too.

Blocking with iptables

Surprisingly, the bulk of the trackback spam comes from a small number of IP addresses. With the following script things have been quiet here:

#!/usr/bin/perl
# Insert iptables DROP rules for a fixed list of trackback-spam sources.
# Needs root. Running it twice inserts every rule twice: iptables does not
# deduplicate, so flush or inspect the chains (iptables -L -n) before re-running.
use strict;
use warnings;

my @iptoblock = qw(
    9.65.33.41
    64.185.237.170
    64.191.50.30
    64.202.163.76
    64.59.71.191
    65.18.193.119
    65.60.37.194
    65.60.37.195
    65.98.59.218
    66.102.237.220
    66.102.237.46
    66.147.240.176
    66.197.149.15
    66.219.23.99
    66.45.240.66
    66.90.77.6
    66.96.208.53
    67.159.44.241
    67.159.44.63
    67.205.111.212
    67.225.138.242
    69.65.33.41
    69.72.202.186
    69.9.38.221
    70.87.237.2
    72.13.82.74
    72.167.131.45
    72.167.36.70
    72.29.79.200
    72.46.130.130
    74.206.236.244
    74.208.16.103
    74.208.16.35
    74.208.16.8
    74.220.215.91
    74.50.119.142
    74.54.128.66
    74.54.144.226
    74.54.200.178
    74.63.64.94
    74.86.238.186
    74.86.60.98
    76.73.1.50
    82.100.220.47
    83.96.144.17
    84.243.222.63
    85.17.145.7
    91.121.156.130
    96.30.15.64
    97.74.144.43
    97.74.144.5
    174.36.251.178
    194.204.43.200
    195.47.247.159
    202.81.162.34
    206.51.226.198
    207.182.156.242
    208.109.171.65
    208.109.181.83
    208.43.255.125
    208.53.130.221
    208.85.242.212
    209.200.17.183
    212.227.114.150
    213.251.184.162
    216.245.193.186
    221.250.15.3
);

my %seen;
foreach my $i (@iptoblock) {
    next if $seen{$i}++;    # skip duplicate entries in the list
    # DROP is unfriendly, but does it hold spammers up a bit longer in return?
    system('iptables', '-v', '-I', 'INPUT',  '-s', $i, '-j', 'DROP') == 0
        or warn "INPUT rule for $i failed: $?\n";
    system('iptables', '-v', '-I', 'OUTPUT', '-d', $i, '-j', 'DROP') == 0
        or warn "OUTPUT rule for $i failed: $?\n";
}

Blocking via .htaccess

Identified spammers can be locked out via the `.htaccess` file. Here are the rules in use on tschlotfeldt.de.

Apache documentation: http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html (rewrite rules), http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html (SetEnvIf) and http://httpd.apache.org/docs/2.0/mod/mod_access.html (Order/Deny)


Some persistent spammers deliver trackbacks en masse through open proxies. I locked these proxies out by their User-Agent: 'libghttp/1.0'.

Trackbacks in general: a trackback ping is an HTTP POST sent by the remote blog engine, not by a web browser, so a browser User-Agent on a POST to trackback/ is already suspicious. Trackback spam, on the other hand, arrives with ordinary browser User-Agents. So lock those out, e.g. MS IE 6.0.

For some time now spammers have been trying to submit trackbacks and comments with several URIs in the Referer header. Those get locked out as well.

1. First a rewrite block; it has to go before the Drupal rules in the .htaccess. In per-directory (.htaccess) context the RewriteRule pattern is matched against the path relative to that directory, which is why the rules use `^trackback` without a leading slash:

<IfModule mod_rewrite.c>
  RewriteEngine on

  ## spam trackbacks send the unusual user-agent "Opera/8.0"
  RewriteCond %{HTTP_USER_AGENT} ^Opera\/.*$
  RewriteCond %{REQUEST_METHOD} ^POST
  RewriteRule ^trackback.*$  -  [F]

  # block User-Agent libghttp (open proxies)
  RewriteCond %{HTTP_USER_AGENT} ^libghttp\/1.*$
  RewriteCond %{REQUEST_METHOD} ^POST
  RewriteRule ^trackback.*$  -  [F]

  # block User-Agent MSIE 6.0: only trackback spam comes in with it
  RewriteCond %{HTTP_USER_AGENT} "^Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\..*$"
  RewriteCond %{REQUEST_METHOD} ^POST
  RewriteRule ^trackback.*$  -  [F]

  # block User-Agent Jakarta Commons-HttpClient 3: only trackback spam comes in with it
  RewriteCond %{HTTP_USER_AGENT} "^Jakarta Commons-HttpClient\/3.*$"
  RewriteCond %{REQUEST_METHOD} ^POST
  RewriteRule ^trackback.*$  -  [F]

  ## a lot of trackback spam with this UA; the parentheses have to be escaped,
  ## otherwise they form a regex group and the literal "(" in the UA never matches
  RewriteCond %{HTTP_USER_AGENT} "^Mozilla\/5\.0 \(Windows; U; Windows NT 5\.1; ru; rv:1\.8\.0\.4\) Gecko\/20060508 Firefox\/1\.5\.0\.4"
  RewriteCond %{REQUEST_METHOD} ^POST
  RewriteRule ^trackback.*$  -  [F]


  # block multiple Referers ("http://a..., http://b...")
  RewriteCond %{HTTP_REFERER} "^http:[^,]+, http.*"
  RewriteCond %{REQUEST_METHOD} ^POST
  RewriteRule ^.*$  -  [F]

  # temporary block of POSTs with Google referer
  RewriteCond %{HTTP_REFERER} "^http://www\.google\.com/$"
  RewriteCond %{REQUEST_METHOD} ^POST
  RewriteRule comment/reply  -  [F]

  # block google.groups trackbacks: any POST to trackback/ that carries url=http... in the query string
  RewriteCond %{REQUEST_METHOD} ^POST
  RewriteCond %{QUERY_STRING} url=http.*
  RewriteRule ^trackback/.*$ - [F]



  ...
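
To see what these rules actually let through, here is an added example (not code from the original page) that replays the RewriteCond/RewriteRule chains in Python against a handful of constructed requests. It assumes Python's re module matches like Apache's PCRE for these patterns and that consecutive RewriteCond lines are ANDed, which is mod_rewrite's default; the request samples are constructed, not real log lines. It also shows why the Firefox User-Agent pattern only works with escaped parentheses.

```python
"""Replay the .htaccess trackback rules against constructed requests.

Added example, not part of the original page.  Python's re stands in for
Apache's PCRE (identical for these patterns); RewriteCond and RewriteRule
both use search semantics and consecutive RewriteCond lines are ANDed, as
in mod_rewrite.  All request samples below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str            # relative to the .htaccess directory, e.g. "trackback/123"
    user_agent: str = ""
    referer: str = ""
    query: str = ""


# (name, RewriteCond list as (variable, regex), RewriteRule pattern).
# Every condition must match for the [F] rule to fire.
RULES = [
    ("opera-trackback", [("user_agent", r"^Opera/.*$"), ("method", r"^POST")], r"^trackback.*$"),
    ("libghttp", [("user_agent", r"^libghttp/1.*$"), ("method", r"^POST")], r"^trackback.*$"),
    ("msie6-trackback",
     [("user_agent", r"^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\..*$"), ("method", r"^POST")],
     r"^trackback.*$"),
    ("jakarta", [("user_agent", r"^Jakarta Commons-HttpClient/3.*$"), ("method", r"^POST")], r"^trackback.*$"),
    ("multi-referer", [("referer", r"^http:[^,]+, http.*"), ("method", r"^POST")], r"^.*$"),
    ("google-referer", [("referer", r"^http://www\.google\.com/$"), ("method", r"^POST")], r"comment/reply"),
    ("url-in-query", [("method", r"^POST"), ("query", r"url=http.*")], r"^trackback/.*$"),
]

# With bare parentheses the "(...)" is a capture group, so the literal "("
# in the User-Agent never matches; the fixed form escapes them.
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
FIREFOX_BROKEN = r"^Mozilla/5\.0 (Windows; U; Windows NT 5\.1; ru; rv:1\.8\.0\.4) Gecko/20060508 Firefox/1\.5\.0\.4"
FIREFOX_FIXED = r"^Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; ru; rv:1\.8\.0\.4\) Gecko/20060508 Firefox/1\.5\.0\.4"


def firefox_rule_hits(pattern: str, ua: str = FIREFOX_UA) -> bool:
    """True if the given User-Agent pattern would match the Firefox UA."""
    return re.search(pattern, ua) is not None


def first_blocking_rule(req: Request, rules=RULES):
    """Name of the first rule that answers 403 ([F]) for this request, or None."""
    for name, conds, path_re in rules:
        if all(re.search(rx, getattr(req, var)) for var, rx in conds) and re.search(path_re, req.path):
            return name
    return None


# Constructed samples: one legitimate trackback, one legitimate comment,
# and one request per rule.
SAMPLES = {
    "legit-trackback": Request("POST", "trackback/123", user_agent="WordPress/2.3; http://blog.example"),
    "opera-spam": Request("POST", "trackback/123", user_agent="Opera/8.0"),
    "opera-get": Request("GET", "trackback/123", user_agent="Opera/8.0"),
    "libghttp-proxy": Request("POST", "trackback/77", user_agent="libghttp/1.0"),
    "msie6-spam": Request("POST", "trackback/77", user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    "multi-referer": Request("POST", "comment/reply/5", user_agent="Mozilla/5.0",
                             referer="http://a.example/, http://b.example/"),
    "google-referer": Request("POST", "comment/reply/5", user_agent="Mozilla/5.0", referer="http://www.google.com/"),
    "url-query": Request("POST", "trackback/5", user_agent="Mozilla/5.0", query="url=http://spam.example/"),
    "normal-comment": Request("POST", "comment/reply/5", user_agent="Mozilla/5.0",
                              referer="http://tschlotfeldt.de/node/5"),
}


def classify_all(samples=SAMPLES) -> dict:
    """Map each sample name to the rule that blocks it (None = passes through)."""
    return {name: first_blocking_rule(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:16} -> {verdict or 'allowed'}")
    print("broken Firefox pattern matches:", firefox_rule_hits(FIREFOX_BROKEN))
    print("fixed Firefox pattern matches: ", firefox_rule_hits(FIREFOX_FIXED))
```

The legitimate trackback (blog-engine User-Agent, no Referer, no `url=` in the query string) passes every chain, as does a normal comment with a single Referer, while each spam sample trips exactly the rule it was built for; a GET with the Opera UA is left alone because every chain requires POST.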

2. Blocking IP addresses. SetEnvIf matches its regular expression anywhere in the value, so an IP pattern should be anchored with `^` and `$` and have its dots escaped; an unanchored `61.11.120.62` also matches 161.11.120.62. The matched hosts only get an environment variable here; the actual refusal happens in the `deny from env=` lines at the end:

# added by timfly 2005-10-22 -- broken Google Desktop
SetEnvIf Request_URI "\/atom\/atom\/atom"   isevil=yes
# added by timfly 2006-05-24
SetEnvIf Remote_Addr "^61\.11\.120\.62$"  isspamhost=yes
SetEnvIf Remote_Addr "^72\.232\.10\.10$"  isspamhost=yes
# Fasthosts UK
SetEnvIf Remote_Addr "^88\.208\.205\.[0-9]+$"  isspamhost=yes
# added by timfly 2006-06-10: most active spammer at tschlotfeldt.de
SetEnvIf Remote_Addr "^202\.75\.49\.13[0134]$"  isspamhost=yes
SetEnvIf Remote_Addr "^202\.76\.235\.6$"  isspamhost=yes
SetEnvIf Remote_Addr "^202\.71\.106\.121$"  isspamhost=yes
# caran.ru / ISP "CARAVAN", Moscow, RU-CARAVAN-990216: 212.24.32.0/19 and 212.158.160.0/20
SetEnvIf Remote_Addr "^212\.24\.3[2-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^212\.24\.[45][0-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^212\.24\.6[0-3]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^212\.158\.16[0-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^212\.158\.17[0-5]\.[0-9]+$"  isspamhost=yes
# 217.23.128.0/17
SetEnvIf Remote_Addr "^217\.23\.12[89]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^217\.23\.1[3-9][0-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^217\.23\.2[0-9][0-9]\.[0-9]+$"  isspamhost=yes
# 195.225.177.6 (NetcatHosting)
SetEnvIf Remote_Addr "^195\.225\.177\.6$"  isspamhost=yes
# nodek.ru
SetEnvIf Remote_Addr "^81\.177\.1[45]\.[0-9]+$"  isspamhost=yes
# matoto.com
SetEnvIf Remote_Addr "^82\.146\.53\.87$"  isspamhost=yes
# TrackBack/1.02 spammer
SetEnvIf User-Agent "TrackBack/.*" isevil=yes
# OpenHosting UK Network
SetEnvIf Remote_Addr "^195\.242\.215\.30$"  isspamhost=yes
# TIME Telecommunications Sdn Bhd, Kuala Lumpur: 203.121.64.0 - 203.121.255.255
SetEnvIf Remote_Addr "^203\.121\.6[4-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^203\.121\.[7-9][0-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^203\.121\.[12][0-9][0-9]\.[0-9]+$"  isspamhost=yes
# PQC Service, LLC, UA
SetEnvIf Remote_Addr "^70\.85\.251\.114$"  isspamhost=yes
# some spammer IPs from Affinity Internet IP Management Group
SetEnvIf Remote_Addr "^207\.234\.131\.237$"  isspamhost=yes
SetEnvIf Remote_Addr "^207\.36\.181\.212$"  isspamhost=yes
SetEnvIf Remote_Addr "^207\.36\.209\.108$"  isspamhost=yes
# install-ip-2.euselect.com: over 250 trackbacks in a single day from this open proxy
SetEnvIf Remote_Addr "^62\.212\.83\.94$"  isspamhost=yes
# and another proxy
SetEnvIf Remote_Addr "^62\.212\.81\.166$"  isspamhost=yes
# Louden County/Dept. of Information Technology
SetEnvIf Remote_Addr "^208\.27\.212\.24$"  isspamhost=yes
# Bezeq International: mass trackback sender
SetEnvIf Remote_Addr "^84\.108\.132\.207$"  isspamhost=yes
# Telecommunicationcompany Suriname - TeleSur: mass trackback sender
SetEnvIf Remote_Addr "^200\.2\.167\.7$"  isspamhost=yes
# Dongguk University Seoul: mass trackback sender
SetEnvIf Remote_Addr "^210\.94\.178\.29$"  isspamhost=yes
# Korea Telecom: mass trackback sender
SetEnvIf Remote_Addr "^61\.78\.56\.133$"  isspamhost=yes
# Shaw Communications Inc., Calgary: mass trackback sender
SetEnvIf Remote_Addr "^24\.86\.152\.158$"  isspamhost=yes
# Comcast Cable Communications: mass trackback sender
SetEnvIf Remote_Addr "^68\.57\.169\.11$"  isspamhost=yes
# CHINANET Jiangxi province network: mass trackback sender
SetEnvIf Remote_Addr "^202\.109\.187\.122$"  isspamhost=yes
# GWBN-CD-SHUANGLINSANQU: mass trackback sender
SetEnvIf Remote_Addr "^211\.162\.152\.206$"  isspamhost=yes
# Bluefiber Networks: mass trackback sender
SetEnvIf Remote_Addr "^64\.40\.103\.8$"  isspamhost=yes
# Meisei University, Japan: comment spam
SetEnvIf Remote_Addr "^202\.232\.192\.35$"  isspamhost=yes
# Regione Toscana: comment spam
SetEnvIf Remote_Addr "^159\.213\.248\.8$"  isspamhost=yes
# Universita di Palermo: comment spam
SetEnvIf Remote_Addr "^147\.163\.15\.5$"  isspamhost=yes
# Business Network, Panama
SetEnvIf Remote_Addr "^81\.95\.146\.227$"  isspamhost=yes
# Korea Network Information Center
SetEnvIf Remote_Addr "^61\.253\.10\.18$"  isspamhost=yes
# Hanaro Telecom Inc.
SetEnvIf Remote_Addr "^218\.39\.97\.233$"  isspamhost=yes
# Yeouido-dong, Seoul
SetEnvIf Remote_Addr "^203\.247\.156\.16$"  isspamhost=yes
# Oman Tel
SetEnvIf Remote_Addr "^62\.231\.243\.136$"  isspamhost=yes
# ColdFusion Hungary Ltd.
SetEnvIf Remote_Addr "^193\.202\.63\.138$"  isspamhost=yes
# COMUNE Di Faeto / Infostrada
SetEnvIf Remote_Addr "^151\.2\.171\.205$"  isspamhost=yes
# Inhoster hosting company, Ukraine
SetEnvIf Remote_Addr "^85\.255\.113\.51$"  isspamhost=yes
# CHINA RAILWAY TELECOMMUNICATIONS CENTER
SetEnvIf Remote_Addr "^61\.23[2-7]\.[0-9]+\.[0-9]+$"  isspamhost=yes
# Interbusiness infrastructural
SetEnvIf Remote_Addr "^217\.141\.109\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^217\.141\.251\.[0-9]+$"  isspamhost=yes
# VITO Teledetectie en Aardobservatie Processen, CVB
SetEnvIf Remote_Addr "^193\.191\.168\.158$"  isspamhost=yes
# CHINANET Hubei province network
SetEnvIf Remote_Addr "^221\.232\.159\.112$"  isspamhost=yes
# CNCGROUP Henan province network
SetEnvIf Remote_Addr "^125\.46\.36\.223$"  isspamhost=yes
# Abitcool(China) Inc.
SetEnvIf Remote_Addr "^59\.151\.29\.136$"  isspamhost=yes
# Digital United IF,220,gangchi road Taipei Taiwan 114
SetEnvIf Remote_Addr "^192\.72\.124\.[0-9]+$"  isspamhost=yes
# Shanghai Municipal People's Prosecution Service
SetEnvIf Remote_Addr "^222\.66\.48\.253$"  isspamhost=yes
# China Railcom Liaoning Branch (already covered by the 61.232-237 block above)
SetEnvIf Remote_Addr "^61\.235\.241\.114$"  isspamhost=yes
# VAAN Dangsandong 5-ga Yeongdeungpo-gu SEOU
SetEnvIf Remote_Addr "^211\.232\.92\.231$"  isspamhost=yes
# SonicWall Inc
SetEnvIf Remote_Addr "^217\.149\.45\.68$"  isspamhost=yes
# Chunghwa Telecom Digital Telecom Branch Company
SetEnvIf Remote_Addr "^203\.69\.39\.250$"  isspamhost=yes
# CHINANET Guangdong province network
SetEnvIf Remote_Addr "^202\.96\.189\.45$"  isspamhost=yes
# CNC Group CHINA169 Henan Province Network
SetEnvIf Remote_Addr "^218\.28\.207\.44$"  isspamhost=yes
# Xiamen University Zhangzhou Campus
SetEnvIf Remote_Addr "^59\.77\.16\.170$"  isspamhost=yes
# ZheJiang Province Telecom Co.,Ltd. LinAn City Branch
SetEnvIf Remote_Addr "^60\.190\.249\.66$"  isspamhost=yes
# Xiamen University
SetEnvIf Remote_Addr "^210\.34\.14\.186$"  isspamhost=yes
# Everyones Internet, Houston TX
SetEnvIf Remote_Addr "^207\.44\.238\.95$"  isspamhost=yes
# Emirates Telecommunications Corporation
SetEnvIf Remote_Addr "^195\.229\.241\.180$"  isspamhost=yes
# Karel Sokol - KASO, CZ
SetEnvIf Remote_Addr "^82\.113\.63\.92$"  isspamhost=yes
# Eurociber, ES
SetEnvIf Remote_Addr "^193\.127\.7\.58$"  isspamhost=yes
# CNCGROUP Beijing province network: 221.216.0.0/13
SetEnvIf Remote_Addr "^221\.21[6-9]\.[0-9]+\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^221\.22[0123]\.[0-9]+\.[0-9]+$"  isspamhost=yes
# CHINANET-ZJ Hangzhou node network
SetEnvIf Remote_Addr "^125\.12[01]\.[0-9]+\.[0-9]+$"  isspamhost=yes
# ChinaNetCenter Ltd.: 210.192.96.0/19
SetEnvIf Remote_Addr "^210\.192\.9[6-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^210\.192\.1[01][0-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^210\.192\.12[0-7]\.[0-9]+$"  isspamhost=yes
# Layered Technologies, Inc.
SetEnvIf Remote_Addr "^72\.36\.134\.242$"  isspamhost=yes
# CHINANET beijing province network
SetEnvIf Remote_Addr "^219\.141\.12[89]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^219\.14[23]\.[0-9]+\.[0-9]+$"  isspamhost=yes
# CNC Group CHINA169 Shandong Province Network
SetEnvIf Remote_Addr "^124\.129\.108\.185$"  isspamhost=yes
# ShenZhen Topway Video Communication Co. Ltd.
SetEnvIf Remote_Addr "^222\.248\.[0-9]+\.[0-9]+$"  isspamhost=yes
# block Keymachine.de entirely, they do not react to complaints: 62.141.56.0/21
SetEnvIf Remote_Addr "^62\.141\.5[6-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^62\.141\.6[0123]\.[0-9]+$"  isspamhost=yes
# keyweb/keymachine.de DE-KEYWEB-III
SetEnvIf Remote_Addr "^87\.118\.9[6-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^87\.118\.1[01][0-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^87\.118\.12[1-7]\.[0-9]+$"  isspamhost=yes
# keyweb/keymachine.de DE-KEYWEB-II: 84.19.176.0/20
SetEnvIf Remote_Addr "^84\.19\.17[6-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^84\.19\.18[0-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^84\.19\.19[01]\.[0-9]+$"  isspamhost=yes
# CHINANET Guangdong province network
SetEnvIf Remote_Addr "^59\.3[2-9]\.[0-9]+\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^59\.4[0-2]\.[0-9]+\.[0-9]+$"  isspamhost=yes
# Spam from ITBN - IT Broadband Network 8/F Taifu Building, 10 Yi Dewai Road Beijing, China: 202.46.224.0/20
SetEnvIf Remote_Addr "^202\.46\.22[4-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^202\.46\.23[0-9]\.[0-9]+$"  isspamhost=yes
# Spam from CNCGROUP-LN - CNCGROUP Liaoning province network: 60.16.0.0/13
SetEnvIf Remote_Addr "^60\.1[6-9]\.[0-9]+\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^60\.2[0-3]\.[0-9]+\.[0-9]+$"  isspamhost=yes
# Trackback spam from DO-CODE-LACNIC - Compañía Dominicana de Teléfonos, C. por A. - CODETEL
SetEnvIf Remote_Addr "^200\.88\.114\.166$"  isspamhost=yes
# Trackback spam from CMNET-henan - China Mobile Communications Corporation - henan
SetEnvIf Remote_Addr "^211\.142\.116\.205$"  isspamhost=yes
# Trackback spam from TC Communications, LLC HTCC: 66.153.128.0/17
SetEnvIf Remote_Addr "^66\.153\.12[89]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^66\.153\.1[3-9][0-9]\.[0-9]+$" isspamhost=yes
SetEnvIf Remote_Addr "^66\.153\.2[0-9][0-9]\.[0-9]+$"  isspamhost=yes
# Trackback spam from CMNET China Mobile Communications Corporation, 29, Jinrong Ave., Xicheng district, Beijing: 211.136.0.0/13
SetEnvIf Remote_Addr "^211\.13[6-9]\.[0-9]+\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^211\.14[0-3]\.[0-9]+\.[0-9]+$"  isspamhost=yes
# more from ISP "CARAVAN", Moscow, RU-CARAVAN-990216 (212.24.32.0/19 is listed above under caran.ru)
SetEnvIf Remote_Addr "^212\.23\.13[01]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^212\.23\.136\.20[0-7]$"  isspamhost=yes
SetEnvIf Remote_Addr "^212\.23\.151\.[0-9]+$"  isspamhost=yes
# Spam from Makati, 12/F Valero Telepark
SetEnvIf Remote_Addr "^222\.127\.228\.[0-9]+$"  isspamhost=yes
# Spam from Heilongjiang Telecom Corporation: 222.170.0.0/15 and 222.172.0.0/17
SetEnvIf Remote_Addr "^222\.17[01]\.[0-9]+\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^222\.172\.[0-9]{1,2}\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^222\.172\.1[01][0-9]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^222\.172\.12[0-7]\.[0-9]+$"  isspamhost=yes
# Spam from LG DACOM Corporation
SetEnvIf Remote_Addr "^211\.119\.242\.4[0-9]$"  isspamhost=yes
# Spam from TurkTelekom, Turk Telekom 06103 ANKARA
SetEnvIf Remote_Addr "^85\.105\.20[89]\.[0-9]+$"  isspamhost=yes
SetEnvIf Remote_Addr "^85\.105\.2[12][0-9]\.[0-9]+$"  isspamhost=yes
# Spam from Net AE-DU-20060815, Emirates Integrated Telecommunications Company PJSC (EITC-DU) 502666 Dubai
SetEnvIf Remote_Addr "^91\.7[3-5]\.[0-9]+\.[0-9]+$"  isspamhost=yes
# Spam from OVH SAS, Roubaix/Paris: rps2160.ovh.net
SetEnvIf Remote_Addr "^91\.121\.200\.220$"  isspamhost=yes
# Spam from OVH SAS, Roubaix/Paris: r12262.ovh.net
SetEnvIf Remote_Addr "^87\.98\.136\.154$"  isspamhost=yes
# Spam from Rajamangala Institute of Technology, RIT center, Pathum Thani, TH
SetEnvIf Remote_Addr "^203\.158\.221\.227$"  isspamhost=yes
# Spam from CCK EumedConnect LL connection for Institutes and universities in Manar, Manouba, Sousse, Monastir, Sfax, Gabes cities
SetEnvIf Remote_Addr "^196\.203\.190\.226$"  isspamhost=yes
# Spam from MORE, 3212 LeMone Ind. Blvd., Columbia, US
SetEnvIf Remote_Addr "^204\.185\.11\.48$"  isspamhost=yes
# Spam from COW Production, Denmark
SetEnvIf Remote_Addr "^208\.53\.137\.178$"  isspamhost=yes
# Spam from JCS "Rial Com", 142100 Moscow reg. Podolsk
SetEnvIf Remote_Addr "^80\.71\.249\.147$"  isspamhost=yes
# Spam from Afghan Wireless
SetEnvIf Remote_Addr "^121\.100\.50\.7$"  isspamhost=yes
# Spam from Sanghvi Institute of Management & Science- M., 16/17, A.B. Road, 2nd floor, Indore, Madhya Pradesh
SetEnvIf Remote_Addr "^125\.21\.17\.60$"  isspamhost=yes
# Spam from CHINANET-XJ, TIANSHANGUFENG
SetEnvIf Remote_Addr "^218\.84\.186\.230$"  isspamhost=yes
# Spam from National WiMAX/IMS environment, Pakistan
SetEnvIf Remote_Addr "^58\.27\.230\.62$"  isspamhost=yes
# Spam from CERVECERIA REGIONAL, Z.I. SANTA ROSALIA, FRENTE A PRODUVISA, 100, CAGUA, 2101 - CAGUA - AR, Venezuela
SetEnvIf Remote_Addr "^200\.35\.83\.86$"  isspamhost=yes



order deny,allow
deny from env=isevil
deny from env=isspamhost

These three lines are the Apache 2.0/2.2 access-control syntax (mod_access, later mod_authz_host). Apache 2.4 only accepts them when mod_access_compat is loaded; the native 2.4 form is a `<RequireAll>` block with `Require all granted` followed by `Require not env isevil` and `Require not env isspamhost`. Either way the directives only take effect if AllowOverride permits them: Limit for Order/Deny, AuthConfig for Require, and FileInfo for SetEnvIf and the mod_rewrite block above.
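
As an added example (not part of the original page), the following Python script audits Remote_Addr patterns of the kind used above: it shows the false positives of an unanchored pattern, produces the anchored and dot-escaped form, and converts a per-octet pattern into the CIDR blocks it really covers, which makes sloppy quantifiers such as `2[0-9]+` visible. It assumes Python's re module matches like Apache's PCRE for these patterns; the pattern selection and the test addresses are constructed.

```python
"""Audit SetEnvIf Remote_Addr patterns: anchoring, dot-escaping, CIDR coverage.

Added example, not code from the original page.  Python's re stands in for
Apache's PCRE (identical for these patterns).  SAMPLE_PATTERNS is a
constructed selection in the unanchored style of the rules above; the
addresses in SAMPLE_ADDRS are constructed as well.
"""
import ipaddress
import itertools
import re

SAMPLE_PATTERNS = [
    "61.11.120.62",                  # single host, dots unescaped, unanchored
    "88.208.205.[0-9]+",             # one /24
    "212.24.3[2-9].[0-9]+",          # 212.24.32-39
    r"59\.3[2-9]\.[0-9]+\.[0-9]+",   # 59.32-39, dots escaped
    "217.23.2[0-9]+.[0-9]+",         # "+" on a digit class: 20-29 *and* 200-255
    r"212\.23\.136\.20[0-7]",        # eight hosts
]

# The intended host plus neighbours that differ only by a leading or trailing digit.
SAMPLE_ADDRS = ["61.11.120.62", "161.11.120.62", "61.11.120.6", "61.11.120.162"]


def search_hits(pattern: str, addrs) -> list:
    """Addresses SetEnvIf would tag: like Apache, re.search is unanchored."""
    return [a for a in addrs if re.search(pattern, a)]


def harden(pattern: str) -> str:
    """Escape bare dots outside character classes and anchor the whole pattern."""
    out, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # keep existing escape pairs untouched
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            ch = r"\."
        out.append(ch)
        i += 1
    body = "".join(out)
    if not body.startswith("^"):
        body = "^" + body
    if not body.endswith("$"):
        body += "$"
    return body


def octet_sets(pattern: str) -> list:
    """For each of the four octet sub-patterns, the set of 0..255 values it matches."""
    parts = re.split(r"\\\.|(?<!\\)\.", pattern.strip("^$"))
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad pattern: {pattern!r}")
    return [{n for n in range(256) if re.fullmatch(p, str(n))} for p in parts]


def to_cidrs(pattern: str) -> list:
    """CIDR blocks the pattern covers when matched against a dotted-quad address."""
    sets = octet_sets(pattern)
    full = set(range(256))
    fixed = 4
    while fixed > 0 and sets[fixed - 1] == full:   # trailing wildcard octets become the mask
        fixed -= 1
    nets = []
    for combo in itertools.product(*sets[:fixed]):
        addr = ".".join(str(o) for o in list(combo) + [0] * (4 - fixed))
        nets.append(ipaddress.ip_network(f"{addr}/{8 * fixed}"))
    return sorted(ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    for p in SAMPLE_PATTERNS:
        print(f"{p:32} -> {harden(p):40} {[str(n) for n in to_cidrs(p)]}")
    print("unanchored hits:", search_hits("61.11.120.62", SAMPLE_ADDRS))
    print("anchored hits:  ", search_hits(harden("61.11.120.62"), SAMPLE_ADDRS))
```

Run as a script it prints, per pattern, the hardened form and the blocks covered; the unanchored `61.11.120.62` tags 161.11.120.62 as well, and `217.23.2[0-9]+` turns out to cover 217.23.20.0/22, 217.23.24.0/22 and 217.23.28.0/23 on top of 217.23.200-255, which is the kind of surprise worth checking before a range goes into a deny list.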

Tags: [[tag:Spam]]