Blocking web SPAM with Apache and Wordpress
Ignorance is bliss, right? After many years of publishing traditional web pages I moved to using Wordpress for some of my web content. This led to the need to deal with some new annoyances, namely automated (mostly) Blog SPAM postings.
I have been building some Web SPAM statistics for the past few months. After making a few changes (shown at the bottom of this post) I am hoping to drastically reduce the need for any admin intervention when dealing with Web SPAM – keeping up with application patches and updating rules to avert web root-kit or other malicious activities will probably always be needed.
The first step was to install an Apache module that allows for content filtering (mod_security). If you decide to try this module, I suggest that you start by having it log suspected connections instead of blocking them. After some time had passed I reviewed the logs to see what sorts of activity might warrant content or IP blocking (in effect, you are installing a web application firewall (WAF) when you use mod_security).
As my data built I was able to isolate 9 IP address ranges that were responsible for repeated web SPAM/malicious attempts – I now block all 9 sub-nets. As web SPAMMERs and their bot-nets move I expect that more sub-nets will be added. I am also noting that I see far more SPAM postings from Europe and Asia than from other areas. NOTE: before you block an IP address or IP sub-net range you need to be comfortable with limiting access to your web server.
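The log review described above (run mod_security in log-only mode, then isolate the sub-nets that keep reappearing) can be scripted. The following is an added example, not the author's own automation, and the sample log lines are constructed and abbreviated. It assumes Apache 2.2-style error_log lines and ModSecurity 2.7+ rule syntax (`@ipMatch`); the function names, the /24 grouping, the three-address threshold and the rule ids are illustrative choices.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: Apache 2.2-style error_log lines from mod_security in
# log-only mode. All addresses come from documentation ranges.
SAMPLE_LOG = """
[Sun Dec 14 03:12:45 2008] [error] [client 192.0.2.15] ModSecurity: Warning. Pattern match "cheap pills" at ARGS:comment. [uri "/wp-comments-post.php"]
[Sun Dec 14 03:12:51 2008] [error] [client 192.0.2.77] ModSecurity: Warning. Pattern match "cheap pills" at ARGS:comment. [uri "/wp-comments-post.php"]
[Sun Dec 14 04:40:02 2008] [error] [client 192.0.2.201] ModSecurity: Warning. Pattern match "cheap pills" at ARGS:comment. [uri "/wp-comments-post.php"]
[Sun Dec 14 05:01:13 2008] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "cheap pills" at ARGS:comment. [uri "/wp-comments-post.php"]
[Sun Dec 14 05:01:20 2008] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "cheap pills" at ARGS:comment. [uri "/wp-comments-post.php"]
[Sun Dec 14 05:02:00 2008] [error] [client 198.51.100.10] File does not exist: /var/www/favicon.ico
[Sun Dec 14 06:15:30 2008] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "cheap pills" at ARGS:comment. [uri "/wp-comments-post.php"]
[Sun Dec 14 06:15:31 2008] [error] [client 203.0.113.6] ModSecurity: Warning. Pattern match "cheap pills" at ARGS:comment. [uri "/wp-comments-post.php"]
[Sun Dec 14 06:15:33 2008] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "cheap pills" at ARGS:comment. [uri "/wp-comments-post.php"]
"""

CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})\] ModSecurity: ")

def offenders_by_subnet(log_text, prefix=24):
    """Map each /prefix network to the set of distinct addresses mod_security logged."""
    nets = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not a mod_security entry (e.g. a plain 404)
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log
        nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return nets

def block_candidates(log_text, min_ips=3, allowlist=(), prefix=24):
    """Return (block, review). A sub-net qualifies when at least min_ips distinct
    addresses tripped a rule; it goes to review if it holds an allowlisted address."""
    keep = [ipaddress.ip_address(a) for a in allowlist]
    block, review = [], []
    for net, ips in sorted(offenders_by_subnet(log_text, prefix).items()):
        if len(ips) < min_ips:
            continue  # one noisy host does not condemn its whole range
        (review if any(a in net for a in keep) else block).append(net)
    return block, review

def as_rules(networks, first_id=100100):
    """Render ModSecurity 2.7+ deny rules; the id range is an arbitrary local choice."""
    return [f'SecRule REMOTE_ADDR "@ipMatch {n}" "id:{first_id + i},phase:1,deny,status:403,log"'
            for i, n in enumerate(networks)]
```

Sub-nets that contain an allowlisted address (your own, a monitoring service) are returned separately for manual review instead of being turned into rules, which is the check the NOTE above asks for.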
Web Ban Stats: 1530 blocked IP addresses | Blocking IP sub-net Ranges: 9
Update 4/2/09: Web Ban Stats: 1983 blocked IP addresses | sub-net Ranges: 11 (2 more ranges from Europe). After implementing CAPTCHA, blog SPAM has been significantly reduced. The use of bot-kits/root-kits, however, seems to be never ending (with European IP space leading the bad-bot traffic)…
Geographical Locations of Blocked Sub-nets

| Region | Blocked sub-nets |
| --- | --- |
| US | 2 |
| Europe | 7 |
| Latin America | 1 |
| Asia Pacific | 1 |

Summary of Web SPAM by type

| Type | Count |
| --- | --- |
| Blog SPAM | ~1000 |
| PHP rootkit type attempts | ~800 |
| Other | ~130 |

Breakdown by Months

| Month | Count |
| --- | --- |
| Sep | ~190 |
| Oct | ~40 |
| Nov | ~190 |
| Dec | ~500 |
| Jan | ~610 |
| Feb | ~224 |
| Mar | ~177 |
| Apr | ~47 |

I automated the process of blocking web SPAM in December – that is part of the reason for the increases in December and January. Since I prefer a layered approach to security (I treat web SPAM as a security item) I have taken the following steps:
- using Apache with mod_security and default rules
- adding new rules based on SPAM posts (filter for content)
- adding new rules based on the IP addresses of Web SPAMMERs and malicious attackers
- adding two comment modules/plugins to Wordpress that provide **CAPTCHA and some level of automated/auto-magic SPAM filtering
The changes to my Wordpress install included adding a CAPTCHA module as well as a secondary SPAM module. While some folks feel that CAPTCHA is an annoyance, I don’t see it as a problem – it is an indication that the web site owner is concerned about providing quality content to visitors.
**CAPTCHA - the use of tools that automatically generate some sort of ‘test’ (in this case, a visual test) that must be successfully ‘passed’ prior to web form submission (i.e. when using the comment form on this web site, there should be an image from which you must identify the letters and/or numbers before your comment is accepted).
I have two previous posts about mod_security that may be of interest:
Note – you can manage to block some things using customized .htaccess files – mod_security works with both .htaccess AND at the Apache configuration level (httpd.conf or similar.) I prefer managing this once so I work with httpd.conf for my changes.
As always, your mileage may vary with these techniques, and testing is always advised.