For those who may not have realized, I've been participating in Project Honey Pot and have contributed to the identification of several email harvesters and comment spammers. Most of the ones I had a hand in were attackers directed at this blog. If you have no idea what I'm talking about, go look up Project Honey Pot in Google. It's a pretty big deal.

I received an email today from the good folks at the project inviting me to participate in a closed beta of something new they've cooked up to escalate the war against spammers and botnets. I won't spill the details, but you can probably find the information out easily enough. I wouldn't even be mentioning it except for the fact that it required some back end changes to how the domain is resolved through the DNS system.

If you are having difficulty reaching the site to post, or are getting unexpectedly challenged in some way by software that doesn't look familiar, it may be part of this system. In addition to the service it provides in defending against such things, it also offers additional statistics on just what bots are visiting, friendly or otherwise. So it's sort of a complement to Google Analytics in that regard.

Since this operates at the root domain level, the subdomains elderscrolls.iguanadons.net and pdsadmin.iguanadons.net also fall under the system's protection.

There are also some lofty claims about how this will make the site faster, but that remains to be seen, and I'd never know the difference anyway so I'll have to let you guys judge that one.
Well. I guess that's that then.

Posted on Sep 10, 2010 12:08 am by Samson
Sounds like great news. I've had no troubles accessing your sites tonight, but I also can't say that I've noticed a speed change either. That latter facet could be tied into the inherent lag in my satellite feed though. Is it just going to be the iguanadons.net domain or will you also be adding this to your other domains?

Planning to add it to the others too but wanted to make sure it wasn't going to cause disruptions. The dashboard for the service has already listed numerous attempts that were put down and since activating it earlier no more Akismet alerts have gone off. So it's apparently working :)

That makes good sense.
Hearing that, within the first few hours of activation, it's already making a noticeable difference certainly bodes well for the long run. :)

So is this the reason I'm seeing strange "transferring data from..." messages at the bottom of my browser?
I've seen dementedrabbits.net and something.zapto.org (isn't that Conners?)

Well there is some kind of caching going on too, which I wasn't exactly bargaining for. I'm mainly interested in the spam bot filtration. So if you're seeing odd sources for transmission then it's probably from that.

Oh, the irony. Just noticed Akismet saying there were ~50 spam attempts. Every last one from this service I'm testing. May as well identify it since Google already knows all about it - it's called CloudFlare. The idea being they take the hits for all the bad bots and spammers and such for your web sites. How unfortunate for them though that their IP is now being flagged as a spam source because THEIR IP is listed with the pill spam instead of the real source. Oops.

Edited by Samson on Sep 11, 2010 1:08 am
Yup, tcdbbs.zapto.org is mine.

So, they're masking their IPs as that of the site that's making the greatest new effort to fight them? Sounds like the spammers are clever wiseguys indeed. :lol:

No, I think what's happening is CloudFlare is retransmitting the traffic it doesn't catch and it's ending up in the logs as having originated with them rather than with the true source. I don't exactly know the mechanism behind it.

For example, your own IP on this last post no longer matches the one from your usual location. It also happens to be the same one that Akismet just flagged up with 50 spammers. Which leads to an interesting problem I'm sure you can see coming. What happens if CloudFlare blows it and sends tons of spam traffic it should have stopped? The answer is, Akismet identifies them as a spammer and BAM. No more useful service.

Oh, yes, I can easily see where that's a potentially huge problem. Is that something that the Project Honey Pot people are going to be able to address easily?

They apparently already have. There's an Apache module (and a WordPress module too) that will allow it to report the proper IP back to the application. They're having cookie issues with the wiki that has the instructions for how to set those up though. They're also working with Akismet in some way, but I doubt that extends to the problem of their IP becoming associated with all the pill spam.

Sounds like they've got it covered then. Good for them! :)

On a totally unrelated note that I just thought you might find interesting, CNET's reporting that GoDaddy is for sale...

Ok. Got the wiki cookie issue sorted and have installed the Apache module. Time will tell if the IP information corrects itself properly. Installing Apache modules from source is a somewhat convoluted process. Big surprise, right? Nothing in Linux is ever straightforward :)

Also, interesting, GoDaddy for sale. Wonder if anyone will actually buy it :P

Edited by Samson on Sep 11, 2010 3:55 pm
If my post helps towards testing, I'll be very glad to have helped. :)
No, very little in Linux is ever truly straightforward, but it's often no more challenging than in Windows if you're using one of the various desktops. :shrug:

At the price they're asking, I can say definitively that it won't be me. :lol:

Well there we go, Apache module is working. No more false IPs showing up. Though I'll probably have to add a CloudFlare awareness check to Sandbox for people who aren't using it in a place they have access to the Apache server.
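
The kind of application-level "awareness check" mentioned above, as an added example (not code from Sandbox, CloudFlare or this thread): the visitor address forwarded by the proxy is accepted only when the connection itself arrives from a proxy address range, so a direct visitor cannot forge it. The header name `CF-Connecting-IP` and the function names are assumptions, and the address ranges are constructed documentation blocks, not CloudFlare's real list.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks), NOT the
# proxy's real address list; a deployment would load the published ranges.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]

# Assumption: the proxy passes the visitor address in this request header.
CLIENT_IP_HEADER = "CF-Connecting-IP"


def is_trusted_proxy(peer_ip):
    """True when the TCP peer address belongs to a known proxy range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def effective_client_ip(peer_ip, headers):
    """Return the address to log and to hand to spam filters."""
    if not is_trusted_proxy(peer_ip):
        # Direct connection: a forwarded header here is sender-controlled.
        return peer_ip
    lookup = {k.lower(): v for k, v in headers.items()}
    claimed = lookup.get(CLIENT_IP_HEADER.lower(), "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        # Missing or malformed header: fall back to the proxy address.
        return peer_ip


# Constructed sample requests: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("203.0.113.7", {"CF-Connecting-IP": "192.0.2.44"}),  # via proxy
    ("192.0.2.99", {"CF-Connecting-IP": "10.0.0.1"}),     # direct, forged header
    ("203.0.113.7", {"cf-connecting-ip": "not-an-ip"}),   # via proxy, malformed
    ("203.0.113.7", {}),                                  # via proxy, no header
]


def resolve_all(requests=SAMPLE_REQUESTS):
    return [effective_client_ip(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for (peer, _), ip in zip(SAMPLE_REQUESTS, resolve_all()):
        print(peer, "->", ip)
```

Without the peer-range test, anyone connecting directly to the origin could set the header and pin their comments on an arbitrary address.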

Sounds great and the CloudFlare awareness check sounds like a good idea too.

Ok, CloudFlare just annoyed me. I'm not sure what happened there, but for a brief few minutes it seemed that this site and AFK Mods were both "down" and I could only get this strange black page from CloudFlare informing me that the page I was trying to load wasn't cached and I could exit the offline mode to retry if I wanted. (Clicking on that link didn't do me any good either.) :mad:

Well that's because Apache died and had to be revived again. Seems whatever Apache is pissed about isn't going away despite the massive drop in rogue traffic. CloudFlare is supposed to serve up cached copies of stuff if that happens, but I guess it didn't quite work out? If it should happen again, a screenshot would be nice so I can bug them about it for beta feedback.

A screenshot will be provided with enthusiasm should I get that page again. :)

Well the bandwidth savings appear to be a complete pipe dream. I just checked with the webmin stats and found that despite what CloudFlare's internal stats say, this site has been putting out MORE data since the 9th than it was before then.

It's also interfering with file uploads to the AFK Mods forum, which is a non-starter. So if they don't have some way to allow that to get fixed I'm going to have to drop the service. Which is sad, because despite the bandwidth not being saved, it's blocked a hell of a lot of spam from ever getting here.

That is a shame to have to give up something that's finally really working, but if it's causing as many problems as it's solving, akismet was working too if not quite as well.

Akismet has been more or less perfect for ages. CloudFlare is a nice idea, but they've confirmed that it isn't going to work for domains that need to upload large files, so I'm going to end up having to drop it entirely. It just means I'll have to put up with deleting tons of spam a lot more often is all. It also means their service is going to be of limited value to a lot of places that need to handle files.

No kidding. That means it's not going to work for most of the sites that would run QSFP to begin with. I suppose it still could potentially work for Sandbox sites, as long as they're the only thing being hosted on that domain. Maybe that's something CloudFlare should be looking into how to resolve as a major priority, even if it means that they need to come up with a downloadable app for web server hosts to run locally instead.

