View Full Version : guestbook spam



telyt
08-25-2003, 10:43 AM
My guestbook.html on my website has been spammed several times. Aside from cleaning it up manually after each occurrence, is there anything I can do to prevent this?

wildjokerdesign
08-25-2003, 01:25 PM
I have the same problem with a script on my site. I have added a subroutine to it that blocks certain IPs from posting. Unfortunately I do not believe that the Guestbook.cgi has this feature. I will try to take a look at it and see if there is a way to modify it. I do believe it used to have an option for recording a user's IP.

If you are running on WestHost 2.0 there is a way that you can block out IPs from using your site. If you are a new client to WestHost you should have WestHost 2.0; if you are an older client you should be updated soon and WestHost will contact you when they do. You can read about IP Filtering in the manual here: http://manual.westhost.com/part4.html#ipfiltering ... be careful not to block yourself from access.

If you can get the IP of the person who is spamming your site you can block their IP.

I want to work on a list of IP's or Blocks of IP's that spam. Two that I know of and have blocked now are 203.152.143.138 and 202.54.133.25 .

Here is another post about this subject. http://forums.westhost.com/phpBB2/viewtopic.php?t=232

torrin
08-26-2003, 08:30 PM
Just for fun I did a whois on those 2 ip addresses. Here are the results.


torrin@nicole:~$ whois 203.152.143.138
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.152.128.0 - 203.152.159.255
netname: EMMSONS
descr: Emmsons Infotech Ltd.
descr: An ISP in India
country: IN
admin-c: BG17-AP
tech-c: AS121-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-EMMSONS
changed: hostmaster@apnic.net 20000804
status: ALLOCATED PORTABLE
source: APNIC

person: B B Gandhi
address: Emmsons Infotech Ltd.address: 101,South Delhi House, 12,Zamrudpur Community Centre, Kailash Colony,
address: New Delhi
address: Zip-110048
country: IN
phone: +91-11-6216314
fax-no: +91-11-6218647
e-mail: sharma_aks@usa.net
nic-hdl: BG17-AP
mnt-by: MAINT-NEW
changed: sharma_aks@usa.net 20000721
source: APNIC

person: Akshay Kumar Sharma
address: Emmsons Infotech Ltd.address
address: 12,Zamrudpur Community Centre
address: Kailash Colony,
address: New Delhi
address: Zip-110048
country: IN
phone: +91-11-6216314
fax-no: +91-11-6218647
e-mail: sharma_aks@indiatimes.com
nic-hdl: AS121-AP
mnt-by: MAINT-IN-AKSHAY
changed: sharma_aks@usa.net 20010705
source: APNIC


torrin@nicole:~$ whois 202.54.133.25
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 202.54.128.0 - 202.54.255.255
netname: VSNL-IN
descr: Videsh Sanchar Nigam Ltd - India.
descr: Videsh Sanchar Bhawan, M.G. Road
descr: Fort, Bombay 400001
country: IN
admin-c: IA15-AP
tech-c: VT43-AP
remarks: Internet Service Provider
mnt-by: APNIC-HM
mnt-lower: MAINT-VSNL-AP
changed: hostmaster@apnic.net 20020204
status: ALLOCATED PORTABLE
source: APNIC

person: IP Administrator
address: 10th Floor, 2 MG Road
address: Fort Mumbai - 400001
address: India
country: IN
phone: +91-22-2623620
fax-no: +91-22-2653887
e-mail: ip-admin@giasbm01.vsnl.net.in
nic-hdl: IA15-AP
mnt-by: MAINT-VSNL-AP
changed: gpsingh@giasbm01.vsnl.net.in 20010605
source: APNIC

person: VSNL Tech
address: 10th Floor, 2 MG Road
address: Fort Mumbai - 400001
address: India
country: IN
phone: +91-22-2623620
fax-no: +91-22-2653887
e-mail: ip-tech@giasbm01.vsnl.net.in
nic-hdl: VT43-AP
mnt-by: MAINT-VSNL-AP
changed: gpsingh@giasbm01.vsnl.net.in 20010605
source: APNIC

It looks like they are both from ISPs over in India. I'm not sure how they do it, but if it's some kind of dial up service, they probably assign the ip address when the user dials up. In which case, you'll probably want to block the whole ISP range.

Just an observation. :)

wildjokerdesign
08-26-2003, 09:10 PM
Yes Torrin, I had thought of that. I just had not had the time to figure out how to block the whole range. I did just a simple compare of the IPs without anything fancy.... I am not real sure on the progression of the numbers in a range of numbers... like in the 203.152.128.0 - 203.152.159.255 range... it wouldn't just be like counting up a number, would it, the next in line being 203.152.128.001?

I guess I need to do a bit of research.

torrin
08-27-2003, 01:13 PM
Yes, you are correct.

The numbers go from 0 to 255.

Here are a few example sequences . . .


203.152.128.255
203.152.129.0
203.152.129.1


200.150.255.255
200.151.0.0
200.151.0.1


I'm not sure how westhost's new (westhost 2.0) ip address blocking works, but if we have access to iptables, it's pretty easy to set a range of ip addresses to block. When my domain gets converted, I'll be able to say more.

wildjokerdesign
08-28-2003, 07:06 PM
Thanks torrin I can always rely on you for an answer :) .

gbanse
09-04-2003, 02:49 PM
>> I just had not had the time to figure out how to block the whole range.

Just use htaccess.

RewriteCond %{REMOTE_ADDR} ^64\.156\.198\.(6[89]|7[4-8]|80)$
RewriteRule !^forbidden\.html$ - [F]

where the REMOTE_ADDR is the regex for the IP range.

wildjokerdesign
09-04-2003, 06:03 PM
Wow cool, sounds like that is easier... oops, one problem, you lost me..


where the REMOTE_ADDR is the regex for the IP range

regex I can figure that it stands for regular expression but not really sure what that means.

I am going to feel real stupid when I get the answer to that question I bet :oops: .

gbanse
09-04-2003, 07:04 PM
regex I can figure that it stands for regular expression but not really sure what that means.

You're correct. Visit http://gnosis.cx/publish/programming/regular_expressions.html to learn more about Regex. You simply add the two lines of code I posted to your .htaccess file. The line:

^64\.156\.198\.(6[89]|7[4-8]|80)$

I'm no expert with regex myself but I believe that line actually says all include IPs from 64.156. (68 or 69) or ( 74 thru 78 ) or ( 80 ).xxx

Regular expressions are simply a way of identifying complex variable patterns within a string of text. This in conjunction with the Apache directives in the htaccess file makes for a very powerful tool. But be careful. Each call to the webserver initiates execution of the htaccess file first. So if it's long - or isn't written correctly - you can break your website. Not irreparable, but you'll need to delete the file in order to see your site again.

Learn more about htaccess here http://httpd.apache.org/docs/howto/htaccess.html
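
Added example, not part of any post in this thread: a way to audit an IP-matching regex before putting it in .htaccess, by listing exactly which last octets it matches. It assumes the pattern is written with the `|` alternation that the explanation above describes (68 or 69, 74 thru 78, 80) and that Python's `re` treats this simple pattern the same way Apache does; the two broken variants are constructed for illustration.

```python
import re

# The RewriteCond pattern, with the alternation bars in place.
PATTERN = r"^64\.156\.198\.(6[89]|7[4-8]|80)$"
# Constructed variants showing two easy mistakes.
NO_BARS = r"^64\.156\.198\.(6[89]7[4-8]80)$"        # alternation bars lost
NO_CARET = r"64\.156\.198\.(6[89]|7[4-8]|80)$"      # leading ^ anchor lost

def matched_last_octets(pattern, prefix="64.156.198."):
    """Last-octet values 0-255 for which prefix+octet matches.

    re.search is used because RewriteCond matches anywhere in the
    string unless the pattern itself is anchored with ^ and $.
    """
    rx = re.compile(pattern)
    return [n for n in range(256) if rx.search(f"{prefix}{n}")]

def collapse(values):
    """Collapse a sorted list of ints into inclusive (start, end) runs."""
    runs = []
    for v in values:
        if runs and v == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], v)
        else:
            runs.append((v, v))
    return runs

def audit(pattern, intended, prefix="64.156.198."):
    """Compare what the pattern blocks with what was meant to be blocked."""
    got = set(matched_last_octets(pattern, prefix))
    return {"missed": sorted(intended - got), "extra": sorted(got - intended)}

if __name__ == "__main__":
    intended = {68, 69, 74, 75, 76, 77, 78, 80}
    print("blocked runs:", collapse(matched_last_octets(PATTERN)))
    print("audit, correct pattern:", audit(PATTERN, intended))
    # With the bars lost the group needs six literal digits, so nothing matches.
    print("audit, bars lost:", audit(NO_BARS, intended))
    # Without ^ the rule also fires for a different network ending the same way.
    print("164.156.198.x hits without ^:",
          collapse(matched_last_octets(NO_CARET, prefix="164.156.198.")))
```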

wildjokerdesign
09-04-2003, 07:33 PM
Thank you gbanse for the information. I'll give both your links a look see. :)

jsdoyle
09-05-2003, 10:12 AM
just put a text file named .htaccess in your cgi-bin folder and include the following only:

deny from 203.151.
deny from 200.150.


That's it. Now all IP in those ranges will be blocked. You can add the third set of numbers to reduce the number of blocked IPs.

I had the same problem and this would keep them out.

I also just removed the url field in my guestbooks. That's all they are interested in anyway. Without that field they could care less. (so far).

Scott
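
Added example, not part of any post in this thread: the whois ranges quoted earlier do not end on an octet boundary, so a `deny from a.b.` prefix blocks far more than the ISP's allocation. This sketch converts the `inetnum` lines to exact CIDR blocks, prints them as `deny from` lines in Apache's network/CIDR form, and shows the range check a guestbook script could run itself; the function names are made up for this example.

```python
import ipaddress

# The two inetnum lines from the whois output quoted earlier in this thread.
WHOIS_INETNUM = [
    "inetnum: 203.152.128.0 - 203.152.159.255",
    "inetnum: 202.54.128.0 - 202.54.255.255",
]

def inetnum_to_cidrs(line):
    """Convert 'inetnum: first - last' into the CIDR blocks that cover it exactly."""
    _, _, value = line.partition(":")
    first, sep, last = value.partition("-")
    if not sep:
        raise ValueError(f"not an inetnum range: {line!r}")
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first.strip()),
        ipaddress.IPv4Address(last.strip())))

def is_blocked(remote_addr, networks):
    """Range check a guestbook script could run on REMOTE_ADDR before accepting a post."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return True  # unparseable address: refuse the post rather than guess
    return any(ip in net for net in networks)

def deny_lines(networks):
    """Apache 'deny from' lines in network/CIDR form, one per block."""
    return [f"deny from {net}" for net in networks]

def blocked_networks():
    """All CIDR blocks derived from the whois lines above."""
    return [net for line in WHOIS_INETNUM for net in inetnum_to_cidrs(line)]

if __name__ == "__main__":
    nets = blocked_networks()
    print("\n".join(deny_lines(nets)))
    # Size of each exact block next to the 65536 addresses a two-octet prefix covers.
    for net in nets:
        print(net, net.num_addresses, "addresses vs 65536 for a two-octet prefix")
    # The two reported addresses, one of the rollover examples, and the first
    # address past the end of the first range.
    for addr in ("203.152.143.138", "202.54.133.25", "203.152.129.0", "203.152.160.0"):
        print(addr, is_blocked(addr, nets))
```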

radioman
09-05-2003, 10:40 AM
JSDoyle:

When your spammers are denied, what does their browser show?

Thank you.

Bill

gbanse
09-05-2003, 10:47 AM
With the code I posted they'll get a Forbidden message. I think they'll get the same with what jsdoyle posted.

radioman
09-05-2003, 10:54 AM
Yes, that makes sense.

Hey, thanks!

jsdoyle
09-05-2003, 11:26 AM
They are using guestbook bots to spam everyone's guestbooks now so I'm sure the bot just keeps on going. I even doubt getting the forbidden message matters. I'd say once they have the guestbook in their list it will stay there.

I was getting a lot from Mexico and England. I tried sending letters to their domain abuse addresses but it was a waste of time. They kept using different IP's so I was constantly adding more IP blocks to my .htaccess folder.

Since removing the url field in my addbook page I've not received anymore spam.

Scott

gbanse
09-05-2003, 11:48 AM
Alternately you could tell the bots that the page no longer exists as far as they're concerned. In either case they get the server response headers. They may ignore them but they DO get the message.

SJP
09-08-2003, 11:10 PM
>Since removing the url field in my addbook page I've not received anymore spam.

Spammers use programs that scan web-sites for addresses. If you want to give users contact information make a graphic. Don't make it easy.

SJP