MT spam still causes server strain
Blogherald reports that webhost Birdhouse is forcing all their customers using MT to only allow registered commenting.
I guess they never heard of pinappleproxy?
| Spamhuntress |
| writes on spam and admin issues |
I saw your comment at Birdhouse. As a webhost I understand his problems, although at the moment my biggest problem is trackback spam. Trackback moderation isn’t even an option on MT and is bringing my server to its knees regularly. This is what I said to him about .htaccess solutions:
“.htaccess solutions bring their own problems - many of my customers aren’t comfortable implementing solutions like that, which means I have to do it for them. I’m not a massive host by any means but I’m hosting around 200 accounts so updating everyone’s .htaccess file is a big job. I’m not an Apache expert either and it’s never clear whether these fixes can be applied server-wide via the Apache config file, which would be the most useful solution for a web host.”
I guess I’m asking you the question: can the snippet you posted be put in the main Apache config file so it applies server-wide?
That’s an excellent question!
According to this site, it works both places:
http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html
Since pinappleproxy is so unusual, I’d test it out in the main config file.
And there is a plugin for moderation of trackbacks in MT:
http://jayseae.cxliv.org/moderate/
I’ve installed it on my MT blog (not this one), but haven’t gotten any trackbacks, so don’t know how it works. I’ll do a test trackback soon, just to test it out.
Thanks - I’ll try this out and let you know how it goes.
OK, this is what I added to httpd.conf:
RewriteEngine on
RewriteCond %{HTTP:VIA} ^.+pinappleproxy
I’ve also implemented a script that uses MT Blacklist to create rules for ModSecurity and have been watching the server in case of performance issues. While I watched we got hit by a massive spam attack which within 2 minutes rendered the server completely unusable.
I’ve been looking through the ModSec audit log and I’m seeing this:
Via: 1.1 pinappleproxy, 1.0 KCBNET
I’ve obviously done something wrong in the httpd.conf but can’t figure out what, can you see what it is?
Sorry - the whole snippet I added is:
RewriteEngine on
RewriteCond %{HTTP:VIA} ^.+pinappleproxy
I missed a bit!
Reread this:
http://www.candygenius.com/spampop
You probably need this immediately below:
RewriteRule .* - [L,F]
Thanks - I added that and restarted Apache. Fingers crossed
You can also do this using a mod_security rule:
SecFilterSelective "HTTP_Via|HTTP_via" "pinappleproxy"
Also, in your mod_rewrite rule regex, there’s not much point to doing:
^.+pinappleproxy
^.+ is telling it to look for the beginning of a string, followed by one or more characters, followed by pinappleproxy. You would be just as well to write:
pinappleproxy
Hurray! I added the to my mod_sec config instead and in 5 minutes it’s blocked 250+ hits!
Congrats!
And now we have a discussion here that hopefully will help other admins later on… (food for Google).
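The mod_rewrite fix from the comments above, placed server-wide in httpd.conf, as an added example that is not part of the original post or comments. The virtual host name and document root are placeholders, and the [NC] flag is an addition the thread does not use.

```apache
# Added example: server-wide block on the Via header seen in the audit log
# ("Via: 1.1 pinappleproxy, 1.0 KCBNET").

# Incomplete form from the thread. A RewriteCond on its own does nothing:
# a condition only qualifies the RewriteRule that follows it.
#   RewriteEngine on
#   RewriteCond %{HTTP:VIA} ^.+pinappleproxy

# Completed form, main server context. The pattern is unanchored, so it
# matches the token anywhere in the header value. [NC] (added here) makes
# the match case-insensitive; [F] answers with 403 Forbidden.
RewriteEngine on
RewriteCond %{HTTP:VIA} pinappleproxy [NC]
RewriteRule .* - [F]

# mod_rewrite configuration in the main server context is not inherited by
# virtual hosts by default. On a shared host, each customer vhost has to
# switch the engine on and opt in to the main server's rules.
<VirtualHost *:80>
    # Placeholder values for one customer account
    ServerName customer1.example.com
    DocumentRoot /var/www/customer1

    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>

# Check after restarting Apache (expect "403 Forbidden" in the response):
#   curl -I -H "Via: 1.1 pinappleproxy" http://customer1.example.com/
```

If a vhost lacks the two rewrite lines, requests to it bypass the block even though the rule is present in the main config.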