New block for Bulgarians
It appears the Bulgarians (Zahariev brothers) stopped using pinappleproxy. This block still works:
SetEnvIfNoCase X-AAAAAAAAAAAA 1 spammer=yes
deny from env=spammer
If they took the trouble to remove pinappleproxy, then we don’t know how long it’ll take before they remove this one too. But hopefully we’ve come up with something else by then, or they’ve gotten tired of the game - or they get shut down some other way.
May 14th, 2005 at 2:00 pm
I, too, noticed the incredible vanishing Via: pinappleproxy trick. I’m using mod_security and have been trying to determine how to get it to watch for x-aaaaaaaaaa. I’m _really_ new to all of this and am in a bit over my head. The best I can come up with is
SecFilterSelective HTTP_x-aaaaaaaaaa|HTTP_XAAAAAAAAAA $
but that prevents the web server from working at all. Obviously that’s a great spam-prevention tactic, but hardly useful to me. Any ideas?
May 14th, 2005 at 2:17 pm
Hopefully someone will figure it out and post it. In the meantime, this is what that header looks like:
HTTP_X_AAAAAAAAAAAA=1
May 14th, 2005 at 4:45 pm
This is the entry in mod_security’s log when it catches something from these guys based on a keyword in the referrer:
========================================
Request: 148.244.150.52 - - [14/May/2005:18:15:50 -0400] "GET /weblog/docs/graytuesday.writeback HTTP/1.1" 500 611
Handler: cgi-script
----------------------------------------
GET /weblog/docs/graytuesday.writeback HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Connection: Keep-Alive
Host: williaty.dyndns.org
Referer: h*tp://www.shivapage.com/party-poker.html
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
x-aaaaaaaaaa: 1500000
x-aaaaaaaaaaaa: 1
x-forwarded-for: 242.36.124.78
mod_security-message: Access denied with code 500. Pattern match "blackjack|casino|gambling|holdem|hold-em|poker|roulette|slot" at HEADER.
mod_security-action: 500
HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Does any of that match up with what you’re getting?
May 14th, 2005 at 4:46 pm
Damn, I’m dumb, please edit that to take the spammer’s link out of that!
May 14th, 2005 at 5:13 pm
Aha, I noticed they’d been getting past my .htaccess blocks. I’ve been trying without success to block them using various permutations of RewriteCond rules, but apache doesn’t seem to be drawing the connection. I’ll try the SetEnvIfNoCase rule - thanks!
May 14th, 2005 at 5:17 pm
The most amusing thing about these spammers is that they usually have a forwarded-for. And it’s invariably fake! I mean, they’ll have an IP number in there that comes from some high-security place, like a three-letter agency or something like that. The one you’ve got there is IANA!
May 15th, 2005 at 12:10 am
OK, for those of you running mod_security, I’ve got the block figured. It takes two rules:
SecFilterSelective HTTP_x-aaaaaaaaaa|HTTP_X_AAAAAAAAAA .+$
SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA .+$
The .+$ matches one or more characters before end of line in the header field. Basically it’s a cheap way of saying “If this line exists, kill the request.” I hope this helps some of you.
May 15th, 2005 at 12:13 am
You know, that looks terrible after your scripts stripped the br tags out. Let me try that marked up a different way:
SecFilterSelective HTTP_x-aaaaaaaaaa|HTTP_X_AAAAAAAAAA .+$
SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA .+$
Delete whichever of these looks uglier
October 20th, 2006 at 3:12 am
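The rules traded in this thread all reduce to three checks on the request headers: the spammer's private x-aaaaaaaaaa / x-aaaaaaaaaaaa headers (what the SetEnvIfNoCase line and the two SecFilterSelective rules key on), the gambling-keyword pattern quoted in the mod_security log entry, and an X-Forwarded-For address that cannot belong to a real client. The script below is an added example, not code from any commenter, that applies those checks to raw requests so the logic can be exercised offline before it goes into Apache. The sample requests are constructed (the referer host spammer.example stands in for the link removed above), and the reserved-range list used for the X-Forwarded-For check, like the helper names, is this example's own assumption.

```python
"""Added example: the thread's three comment-spam signals applied to raw requests.

  1. the private headers x-aaaaaaaaaa / x-aaaaaaaaaaaa, compared by lower-cased
     name, as SetEnvIfNoCase and SecFilterSelective effectively do;
  2. the gambling-keyword pattern from the mod_security log entry, run over Referer;
  3. an X-Forwarded-For address inside a reserved range, which no real client can
     have, so the header was forged.

Sample requests are constructed for this example.
"""
import ipaddress
import re

# Pattern copied from the mod_security-message line quoted in the thread.
KEYWORDS = re.compile(
    r"blackjack|casino|gambling|holdem|hold-em|poker|roulette|slot", re.I)

# The two header names seen in the log: ten and twelve a's respectively.
H10 = "x-" + "a" * 10   # x-aaaaaaaaaa, carried the value 1500000
H12 = "x-" + "a" * 12   # x-aaaaaaaaaaaa, carried the value 1
SPAM_HEADERS = {H10, H12}

# Reserved ranges that cannot be a real public source address. Assumption:
# this list is the example's own; trim or extend it for your network.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_headers(raw):
    """Turn a raw request (request line plus header lines) into a dict keyed by
    lower-cased header name. The request line is skipped; a blank line ends
    the header block."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_bogon(addr):
    """True if addr is unparsable or lies inside one of BOGON_NETS."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return True
    return any(ip in net for net in BOGON_NETS)


def classify(raw):
    """Return the reasons to deny the request; an empty list means allow."""
    h = parse_headers(raw)
    reasons = []
    hits = sorted(SPAM_HEADERS.intersection(h))
    if hits:
        reasons.append("spam header present: " + ", ".join(hits))
    m = KEYWORDS.search(h.get("referer", ""))
    if m:
        reasons.append("keyword %r in Referer" % m.group(0))
    xff = h.get("x-forwarded-for")
    if xff is not None:
        first = xff.split(",")[0].strip()   # leftmost hop is the claimed client
        if is_bogon(first):
            reasons.append("reserved address %s in X-Forwarded-For" % first)
    return reasons


# Modelled on the log entry in the thread; the referer host is a placeholder.
SPAM_REQUEST = f"""\
GET /weblog/docs/graytuesday.writeback HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Host: williaty.dyndns.org
Referer: http://spammer.example/party-poker.html
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
{H10}: 1500000
{H12}: 1
x-forwarded-for: 242.36.124.78
"""

# Only the twelve-a header, upper-cased, as the SetEnvIfNoCase rule sees it.
UPPER_REQUEST = f"""\
GET /weblog/ HTTP/1.1
Host: williaty.dyndns.org
{H12.upper()}: 1
"""

# Constructed ordinary request: nothing should fire.
CLEAN_REQUEST = """\
GET /weblog/ HTTP/1.1
Host: williaty.dyndns.org
Referer: http://www.example.org/
User-Agent: Mozilla/5.0
X-Forwarded-For: 203.0.113.7
"""

if __name__ == "__main__":
    for name, req in (("spam", SPAM_REQUEST), ("upper", UPPER_REQUEST),
                      ("clean", CLEAN_REQUEST)):
        print(name, "->", classify(req) or "allow")
```

Two caveats when carrying this back into Apache. The third argument of SetEnvIf is a regular expression, so the `1` in `SetEnvIfNoCase X-AAAAAAAAAAAA 1 spammer=yes` matches any value containing a 1 (including `1500000`); anchor it as `^1$` if you want an exact match, whereas the `.+$` in the mod_security rules deliberately matches any non-empty value. And 242.36.124.78 is flagged here because 240.0.0.0/4 is reserved, which is the same observation made above that the forwarded-for address is fake; an address in a documentation or test range such as 203.0.113.7 is not in this list and passes, so widen BOGON_NETS if you want those caught too.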
mod_security…
I’ve had mod_security running on my machine for a while now; time to see whether it actually does anything:
zgrep "mod_security-message:" /var/log/apache2/audit_log.3.gz | awk '{print $9}' | sort | uniq -c | sort -r
1521 ".+$…