spamquestion 0.2

I released version 0.2 of the spamquestion plugin last night. It now conforms to the requirements for a PyBlosxom plugin. The code is much cleaner too. Available from the usual place.

Tags: ,
posted: Tue, 20 Nov 2007 15:53 | permalink | comments

Blog spam update

Well, two comment spams have made it past the spamquestion plugin. This makes me wonder if either the submissions were done manually or whether the software the spammers use is at least human assisted. I guess it's also possible that the spam software is so good that it can automatically work out my simpler arithmetic questions.

The web server logs give some clues. There's literally hundreds of obviously automated POST attempts to various pages on my blog. The requested related to the two comments that made it through however seem far more human however. Here's one example: - [03/Nov/2007:01:41:57 +0000] "GET /blog/Holland_photos_online.1024px HTTP/1.1" 200 11367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" - [03/Nov/2007:01:42:06 +0000] "POST /blog/Holland_photos_online#comment_anchor HTTP/1.1" 200 14928 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"

These are the only two HTTP requests made for the first spam that made it through; no dumb, repeated automatic requests like some of the other attempts in the logs. Notice how the parent page was visited first and then 9 seconds later the POST was made. That's pretty quick for someone to fill out the form manually but it's possible, especially if the spam body was ready in the clipboard. If their system is partially automated then the short delay is even more plausible.

To test whether some spambots are actually capable of doing simple arithmetic by themselves, I've removed all the addition and subtraction questions from my spamquestion configuration and have added more questions that are harder to answer programmatically. If the spam continues, then I'm going to conclude that there's definitely some human assistance going on. If it stops, then it's more likely that the spambot software was actually able to solve some of my arithmetic questions itself.

I also need to look at is short-term blocking of spamming IPs. When examining my logs I found there had been almost 500 comment spam attempts for just today! I'd rather not be dealing with that bandwidth on my server. Dropping all packets from a spammer's IP for a few hours would slow them right down.

Fun fun fun...

Tags: ,
posted: Mon, 05 Nov 2007 22:49 | permalink | comments

Comments renabled, announcing spamquestion

Due to my recent comment spam issues I've created a new PyBlosxom plugin called spamquestion. It is similar to the existing Magic Word plugin but instead of using just the one question for any comment entry on the blog, it randomly selects a question from a larger set of configured questions. This makes it much harder for spammers to get past the comment form using automated software. Unlike CAPTCHA systems this scheme doesn't disadvantage visually impaired people or those on text based browsers.

The spamquestion plugin can be downloaded from my Code page.

Comments are now re-enabled on my site, with spamquestion enabled. It'll be interesting to see how the scheme holds up. I also plan to install the Akismet plugin as a second line of defense.

Tags: ,
posted: Wed, 31 Oct 2007 23:17 | permalink | comments

Spam: good news and bad news

The bad news...

My blog was hit by a comment spammer last week. Hundreds of entries were made, interestingly focussing only a few articles (perhaps with a higher Google ranking?). Running without a CAPTCHA system or similar was good while it lasted. Comments are now disabled until I get around to installing a CAPTCHA style plugin.

Lazy web: what anti comment-spam technologies do you find work well for you? Is CAPTCHA the best option we have?

The good news...

I started using SpamAssassin for my personal email over a month ago. Having seen the complete ineffectiveness of some anti-spam systems I was fairly pessimistic about how effective it would be. Boy was I wrong. Without any tweaks to the default filtering config (except for ensuring that the latest rules are being used) it stops virtually spam hitting my mailbox with zero false-positives so far. I get 20-40 spams a day and 1 or 2 a month get through to my inbox.

My mail volume is comparatively low so I just set Procmail to invoke SpamAssassin for each inbound message. For higher volume situations something like SA's spamd should probably be used. Using Procmail has the nice benefit of being able to direct spam to a separate folder for later persual and deletion.

A cron job is set to run sa-update ever night to ensure the latest default checks are being used. This is important; spammers develop new tricks to bypass anti-spam systems all the time.

Currently I have all suspected spam going to a spam folder. However SA has been so successful that I'm thinking of getting Procmail to automatically delete higher scoring spam and send only the lower scoring spams to the spam folder. Depending on attitudes towards false-positives some might just delete all emails that SA thinks is spam. Personally, I'd rather be a bit cautious. Losing real email scares me.

It's so nice when something works beyond expectation.

posted: Wed, 24 Oct 2007 15:49 | permalink | comments