A way to fight spam together? Re: [development] My site is under attack (trackbacks, spam and cpu usage).

Augustin (Beginner) drupal.beginner at wechange.org
Mon Sep 18 07:26:42 UTC 2006

@everybody: see the second part of this email about a better long term 

On Monday 18 September 2006 11:40 am, Jeremy Andrews wrote:
>   I had a similar problem some time ago, and ended up writing
> the very simple 'trackback_blackhole' module which solved the
> resources issues for me. The module is distributed with the
> v2 spam module, available here:
>   http://kerneltrap.org/jeremy/drupal/spam/#downloads
>   You can download the whole tarball, and then just install
> the trackback_blackhole module without installing the spam
> module.

Thanks Jeremy,

I had a look. Actually, I wanted to write a simple module myself to do exactly 
the same thing. I find your use of hook_init() very clever in this case.

However, I think the use of a .htaccess directive would be more efficient, 
because there is not even the need of a partial Drupal bootstrap. 
I've added the following code to my .htaccess at www.wechange.org :

<FilesMatch "^(trackback)">
  Order deny,allow
  Deny from all

It denies access to any request starting with trackback like:
but allows requests like:

I'll report back in a week on the difference it makes on cpu usage.

Jeremy: you might want to add this code snippet (or any improved version of 
it) in your INSTALL or README files.
One day, I will want to reopen comment submissions by anonymous users and then 
I will need the spam.module, so I appreciate your efforts on your 
spam.module. Thanks a lot!

@everybody: the .htaccess solution works for my immediate need, but it is a 
bit selfish because it doesn't help anyone else. 
What follows is not specific to trackback spam, but is relevant to any kind of 
spam being propagated via compromised servers or computers.

<strong class="must-understand" >
The only thing needed for evil to win, is that good people do nothing.

At first, all the trackback spam came from the same IP, but then they upgraded 
their software, so that each spam submission came from a different IP. 
Certainly, each of those IP correspond to a compromised Windows(TM) box, or a 
compromised web site (using a CMS minus security updates), don't they? (or do 
I misunderstand the way open relays can be used?) 

For now, I have successfully denied trackback spammers access to my site, but 
they are still free to spam the rest of the world.
What bothered me the most about cpu usage, was that it was such a waste: it 
was not even helping the spammers who never got a single of their links 
Now, if my cpu power can be put to better uses, I don't mind the extra 
resources needed: 
is there a way to collect those IPs used by spammers, and share them among us, 
and with organizations fighting spam.
The aim would be to get wormed or trojaned windows(TM) boxes (or compromised 
web sites) to upgrade to a safe version or shut down. 

If all Drupal web sites were collaborating on gathering useful data, and 
passing on this data to relevant organizations, we might collectively achieve 
One spam report against one IP might achieve nothing, but a concerted effort 
to systematically denounce bad IPs might force people to take positive 

I really don't know how such a thing could be organized. One has to study 
first how organizations fighting spam and organizations setting up blacklists 

Maybe the developers on this list have better, more concrete ideas...



P.S. 50 minutes since the .htaccess update, and since the last log entry about 
"trackback/123 not found".
Yeah! :)

Because we and the world need to change.
Intimate Relationships, peace and harmony in the couple.

More information about the development mailing list