[support] Many false applications for accounts

Dan Kegel dank at kegel.com
Sat Apr 5 16:38:37 UTC 2014


I'll try honeypot!

I've been making do with the attached script and adding things to .htaccess;
it was surprisingly effective (though lately I'm seeing spam from within my
own city).
-------------- next part --------------
#!/bin/sh
# Script to look at http access logs for last ten days
# for drupal registration requests, locate netblocks
# that have too many repeat registration requests, and suggest
# .htaccess changes.
# Dan Kegel 2014
max_retries_for_one_ip=7
max_bad_days_for_network=3

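# Work in a scratch directory; stop if it cannot be created or entered.
mkdir tmp.$$ && cd tmp.$$ || exit 1
for f in `ls -t ~/www_logs/www.*.gz | head -n 10`
do
    name=`basename "$f" .gz`
    # Per log file: list the client IPs with more than
    # $max_retries_for_one_ip requests that mention "register".
    zcat "$f" | grep register | awk '{print $1}' | sort | uniq -c | sort -n | awk '$1 > '$max_retries_for_one_ip' {print $2}' | sort > "addr.$name.txt"
done
# Reduce each flagged IP to its first two octets (a /16) and keep the
# networks that appear more than $max_bad_days_for_network times across
# the per-file lists.
cat addr.*.txt | sed 's/\.[0-9]*\.[0-9]*$//' | sort | uniq -c | sort -n | awk '$1 > '$max_bad_days_for_network' {print $2}' | sort > bad-networks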
echo "Networks with multiple repeated registration requests for last ten days are"
cat bad-networks
echo "IPs from those networks are"
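# Anchor each prefix at the start of the address and at the octet boundary,
# so that e.g. 1.2 does not also match 11.2.3.4 or 1.20.3.4.
sed 's/\./\\./g; s/.*/^&\\./' bad-networks > bad-patterns
cat addr.*.txt | grep -f bad-patterns | sort -u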
echo "Visit e.g. http://www.iplocation.net and look up a few of those."
echo "If they are in regions you don't care about, add them to your .htaccess"
echo "e.g."

cat bad-networks | sort -u | awk '{print "deny from " $0}'

