May 4, 2005

The end of blog spam?

With my limited Mod_Security experience I’m psyched. Most mornings I wake up and check both the MT Blacklist and SpamLookup’s logs. In the 24 hours between checks, the plugins have blocked well over 500 ping or comment spam attempts. Not today. Not a single spam has made it through Mod Security since its install.

With the two spam plugins working so well, why is ModSecurity important? Every comment or trackback spam attempt spawns Perl processes on the server. When this little box gets attacked with 60 spam hits a minute, everything slows down. ModSecurity effectively stops the spam attempt before the Movable Type spam filters need to fire up a Perl process.

Another observation that will help those of you on shared hosting accounts without access to Mod_Security: as far as I can tell, 99% of all blog spam attacks are coming from an IP spoofer called the pinappleproxy (more info). Adding the following mod_rewrite rule to your .htaccess or httpd.conf should effectively stop this uber-spammer and reduce your spam load in a very noticeable way:

RewriteEngine on
RewriteCond %{HTTP:VIA} ^.+pinappleproxy
RewriteRule .* - [L,F]

And that’s not all Bob! With every Mod_Security install you also get: an end to referrer spam and ShortStat stats spam!
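To measure what share of comment and trackback POSTs the rewrite rule above would reject before deploying it, the following Python script replays the same pattern over a log. It is an added example, not part of the original post; the custom LogFormat, the mt-comments.cgi and mt-tb.cgi paths and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Pattern copied from the RewriteCond above. mod_rewrite conditions are
# case-sensitive unless [NC] is set, so the Python regex is too.
VIA_RULE = re.compile(r"^.+pinappleproxy")

# Assumed custom format: LogFormat "%h \"%r\" %>s \"%{Via}i\"" via_audit
LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "(.*)"$')

# Assumed Movable Type comment and trackback endpoints.
SPAM_TARGETS = ("mt-comments.cgi", "mt-tb.cgi")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 "POST /mt/mt-comments.cgi HTTP/1.1" 200 "1.1 pinappleproxy"
203.0.113.9 "POST /mt/mt-tb.cgi/42 HTTP/1.0" 200 "1.0 cache1, 1.1 pinappleproxy"
198.51.100.4 "POST /mt/mt-comments.cgi HTTP/1.1" 200 "-"
198.51.100.8 "POST /mt/mt-comments.cgi HTTP/1.1" 200 "1.1 PinappleProxy"
198.51.100.8 "POST /mt/mt-tb.cgi/7 HTTP/1.1" 200 "pinappleproxy"
192.0.2.15 "GET /archives/2005/05/post.html HTTP/1.1" 200 "1.1 pinappleproxy"
not a log line
"""

def would_block(via):
    """True if the rewrite rule would answer 403 for this Via header value."""
    return VIA_RULE.search(via) is not None

def summarize(log_text):
    """Count comment/trackback POSTs the rule would block or let through."""
    counts = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            counts["unparsed"] += 1
            continue
        _ip, method, path, _status, via = m.groups()
        # Only POSTs to the comment/trackback scripts count as spam attempts.
        if method != "POST" or not any(t in path for t in SPAM_TARGETS):
            counts["ignored"] += 1
            continue
        counts["blocked" if would_block(via) else "passed"] += 1
    return counts

def blocked_share(counts):
    """Fraction of counted POSTs that the rule would have rejected."""
    total = counts["blocked"] + counts["passed"]
    return counts["blocked"] / total if total else 0.0

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    print(dict(c), f"{blocked_share(c):.0%} of comment/trackback POSTs blocked")
```

The last two POSTs in the sample show the pattern's limits: it is case-sensitive, and it needs at least one character before the proxy name in the Via header.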


No question, Pinappleproxy is a bad one - but crunch your numbers again, and I think you'll be surprised. I'm only seeing 1/4 of my spam hits as coming from it. The big chunk, almost 60%, comes from the HTML tags in parameter filter: SecFilter "<(.|\n)+>"


Try putting pinappleproxy at the top of your rules, so it gets checked (and hit) first. I think you'll find the same results as me.
