Fighting Trackback Spam with Email Blacklists
Posted February 1, 2005 – 1:04 pm by Yakov Shafranovich in Spam and Email
(For the MT-Banned-List plugin for publishing the internal MT IP ban list, please see this post.)
Overnight I got hit by two trackback spam attacks on my blog, each lasting about two hours and originating from more than 20 IPs. I added all of them to my banned list to prevent further occurrences. However, I also sat down and analyzed the data to see whether it correlates with email spam. It is highly unlikely that comment spammers own that many machines, so the most plausible conclusion is that they are using either open proxies or infected residential machines. The same kinds of machines are used for email spam, so it is reasonable to expect the two data sets to overlap.
WARNING: The amount of data I collected is probably not statistically sufficient to draw firm conclusions.
To get my results, I collated the list of IPs used in the first attack, did a reverse DNS lookup on each, and looked them up in SenderBase. Out of 28 IPs, only 13 had rDNS entries (46%), of which about 8 looked like plain broadband or dialup lines (28%). The IPs were spread all over the world and included universities, companies and home users, which further suggests that these were hijacked machines.
The most interesting data came from SenderBase: 17 IPs (60%) were listed in at least one spam blacklist, broken down as follows (counted from the raw data at the end of this post; an IP can appear on several lists):
DSBL open proxy - 9 (32%)
CBL open proxy - 10 (35%)
SORBS open proxy - 4 (14%)
Blitzed open proxy - 6 (21%)
SpamCop spam - 5 (17%)
SORBS spam - 1 (3%)
Of the remaining 11 IPs, 4 (14%) had their mail volume spike in the past 30 days, some by over 1500% in the past day alone. Altogether, only 7 (25%) were neither listed in any blacklist nor showed a volume spike.
What this means is that email spam blacklists can be used successfully to block comment and trackback spam, especially the lists that detect open proxies rather than spam sources. For example, using the four blacklists that detect open proxies (CBL, DSBL, SORBS and Blitzed) would have caught 16 (57%) of the IPs in the trackback spam I got. Unfortunately, the current plugins (MT-DSBL and WP-DSBL) check against only one list, DSBL, which in my case catches 32% of the spam. Adding URL blacklists such as SURBL, which list the domains advertised in the post body rather than the posting IP, makes this work even better.
UPDATE #1: For MT 2.6 there is currently no way to check blacklists, since Brad's MT-DSBL plugin is only for MT v3. For MT v2.6, do the following:
1. In your blog directory, go to lib/MT/App/.
2. Open "Trackback.pm" in a text editor (back it up first!).
3. Find the line starting "## Check if user has pinged recently".
4. Insert the following right above that line:
## Check blacklists
my $rem_ip = $app->remote_ip;
## only an IPv4 dotted quad can be looked up this way
## (captures are used instead of split into $a/$b, which Perl reserves for sort)
if ($rem_ip =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
    ## reverse the octets: 1.2.3.4 becomes 4.3.2.1
    my $rev = "$4.$3.$2.$1";
    ## DSBL list
    my $lookup = "$rev.list.dsbl.org";
    my $packed = gethostbyname($lookup);
    ## a genuine listing answers inside 127.0.0.0/8; anything else means
    ## the zone is dead or wildcarded, so do not block on it
    if ($packed && (unpack('C4', $packed))[0] == 127) {
        return $app->_response(Error =>
            $app->translate("Your IP is blacklisted by DSBL, $lookup see http://dsbl.org/listing?$rem_ip."));
    }
}
You can easily change it for any other blacklist. Two caveats: test the address that comes back (a real listing is always inside 127.0.0.0/8) rather than just whether gethostbyname returned anything, because an expired or parked blacklist domain with a wildcard A record would otherwise block every visitor (DSBL itself shut down in 2009, so list.dsbl.org must not be queried anymore); and remember that this adds a DNS lookup, with its latency and failure modes, to every trackback ping.
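The same check generalised to several lists at once, as an added example (not code from the original post, Movable Type or MT-DSBL). It reverses the octets as the Perl snippet does, queries each zone, decodes the returned code where a list distinguishes proxy from spam listings, and refuses to trust a zone that has gone dead or wildcarded. The zone names are assumptions: list.dsbl.org is from the post, the other three are the zones those lists published around 2005, and DSBL and Blitzed have since shut down, so treat all four as placeholders. The SORBS return-code table is likewise assumed and should be verified against the list's current documentation. The DNS answers used in the demo are constructed so the code runs offline.

```python
"""Multi-DNSBL check for a trackback/comment source address (added example)."""
import ipaddress
import socket
from typing import Callable, List, NamedTuple, Optional

# Assumed zone names (see lead-in); DSBL and Blitzed no longer exist.
OPEN_PROXY_ZONES = ("list.dsbl.org", "cbl.abuseat.org",
                    "dnsbl.sorbs.net", "opm.blitzed.org")

# Meaning of the A record a zone returns. Assumed from the SORBS return
# codes as documented at the time; verify against the list's current docs.
RETURN_CODES = {
    "dnsbl.sorbs.net": {"127.0.0.2": "http proxy", "127.0.0.3": "socks proxy",
                        "127.0.0.4": "misc proxy", "127.0.0.5": "smtp relay",
                        "127.0.0.6": "spam source"},
}

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")
Resolver = Callable[[str], Optional[str]]


class Hit(NamedTuple):
    zone: str
    code: str    # A record the zone answered with
    reason: str  # decoded meaning, or "listed" for single-code zones


def reverse_address(ip: str) -> str:
    """DNSBL query label: octets reversed for IPv4 (1.2.3.4 -> 4.3.2.1),
    nibbles reversed for IPv6 (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split(".")))
    return ".".join(reversed(addr.exploded.replace(":", "")))


def default_resolve(name: str) -> Optional[str]:
    """Live lookup: the A record for name, or None on NXDOMAIN/error."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listing(answer: Optional[str]) -> bool:
    """A genuine DNSBL answer is always inside 127.0.0.0/8. Anything else
    (e.g. the web server of a parked domain) must not count as listed."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in LISTING_RANGE
    except ValueError:
        return False


def zone_is_sane(zone: str, resolve: Resolver = default_resolve) -> bool:
    """RFC 5782 section 5 self-test: a working list answers for 127.0.0.2
    and gives NXDOMAIN for 127.0.0.1. A wildcarded zone fails this and
    would otherwise block every visitor. Run once at startup, not per ping."""
    return (is_listing(resolve(f"2.0.0.127.{zone}"))
            and resolve(f"1.0.0.127.{zone}") is None)


def check_dnsbls(ip: str, zones=OPEN_PROXY_ZONES,
                 resolve: Resolver = default_resolve) -> List[Hit]:
    """One Hit per zone that lists ip. Private, loopback and other non-global
    addresses are never queried: the answer would be meaningless and the
    query would leak internal addresses to the list operator."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        return []
    label = reverse_address(ip)
    hits: List[Hit] = []
    for zone in zones:
        answer = resolve(f"{label}.{zone}")
        if is_listing(answer):
            hits.append(Hit(zone, answer, RETURN_CODES.get(zone, {}).get(answer, "listed")))
    return hits


# Constructed answers for an offline run, modelled on the first two rows of
# the raw data table (61.11.26.134 listed by DSBL, CBL and SORBS; 68.107.121.185
# unlisted). opm.blitzed.org is simulated as a parked domain whose wildcard
# answers every query with a web server address.
FAKE_ANSWERS = {
    "2.0.0.127.list.dsbl.org": "127.0.0.2",
    "2.0.0.127.cbl.abuseat.org": "127.0.0.2",
    "2.0.0.127.dnsbl.sorbs.net": "127.0.0.2",
    "134.26.11.61.list.dsbl.org": "127.0.0.2",
    "134.26.11.61.cbl.abuseat.org": "127.0.0.2",
    "134.26.11.61.dnsbl.sorbs.net": "127.0.0.3",
}


def fake_resolve(name: str) -> Optional[str]:
    if name.endswith(".opm.blitzed.org"):
        return "192.0.2.80"  # parked zone: not a listing
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    live = [z for z in OPEN_PROXY_ZONES if zone_is_sane(z, fake_resolve)]
    for ip in ("61.11.26.134", "68.107.121.185", "10.0.0.1"):
        hits = check_dnsbls(ip, live, fake_resolve)
        print(ip, "BLOCK" if hits else "allow", [f"{h.zone}={h.reason}" for h in hits])
```

In production, replace fake_resolve with default_resolve (or a resolver with a short timeout), run zone_is_sane once per zone at startup and drop zones that fail it, and decide separately whether a spam-source code should block at all, since the post's data shows the open-proxy listings doing most of the work.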
UPDATE #2: As per Andy Newton’s comment, keep in mind that blacklists for email have not been all that good so caution is advised (also see this draft).
In any case, here is my raw data:
| IP | rDNS (country when no rDNS) | Listings |
|---|---|---|
| 61.11.26.134 | static26-134.dsl-pun.eth.net | DSBL, CBL, SORBS (open proxy) |
| 68.107.121.185 | ip68-107-121-185.sd.sd.cox.net | |
| 68.157.149.39 | adsl-068-157-149-039.sip.asm.bellsouth.net | Blitzed (open proxy) |
| 80.200.243.153 | 153.243-200-80.adsl-fix.skynet.be | Blitzed (open proxy) |
| 80.248.1.3 | Nigeria | Blitzed, SORBS (open proxy) |
| 81.115.31.217 | host217-31.pool81115.interbusiness.it | SenderBase (last day: 2528%, last 30 days: 765%) |
| 82.194.62.16 | Bahrain | DSBL, CBL (open proxy); SpamCop (spam) |
| 82.194.62.17 | Bahrain | DSBL, CBL (open proxy); SpamCop (spam) |
| 161.53.86.10 | Croatia | |
| 163.21.40.5 | tpws126.jcjh.tp.edu.tw | CBL (open proxy) |
| 163.23.130.9 | Taiwan | CBL, DSBL, Blitzed (open proxy) |
| 193.188.105.16 | Bahrain | DSBL, CBL (open proxy); SpamCop (spam) |
| 193.188.105.17 | Bahrain | DSBL, CBL (open proxy); SpamCop (spam) |
| 194.217.46.57 | no-dns-yet.demon.co.uk | SenderBase (last 30 days: 584%) |
| 194.63.235.139 | cache1.lar.sch.gr | |
| 194.63.235.156 | cache2.thess.sch.gr | |
| 200.93.135.227 | extremo_pool_93135-227.etb.net.co | SenderBase (last day: 7080%, last 30 days: 744%) |
| 202.101.32.9 | China | CBL (open proxy) |
| 203.177.51.237 | Philippines | |
| 203.197.169.19 | tataelxsi.co.in | DSBL, Blitzed (open proxy) |
| 205.206.61.233 | s205-206-61-233.ab.hsia.telus.net | |
| 208.62.7.133 | USA | SenderBase (last day: 1791%) |
| 208.63.116.194 | USA | Blitzed (open proxy) |
| 212.69.231.226 | nycc-pool.vitalisp.co.uk | |
| 216.208.223.67 | Canada | CBL (open proxy) |
| 217.219.216.3 | Iran | DSBL, SORBS (open proxy) |
| 219.140.161.24 | China | SORBS (spam) |
| 219.235.236.225 | China | DSBL, CBL, SORBS (open proxy); SpamCop (spam) |
Tags: movable type, spam, trackback spam
6 Responses to “Fighting Trackback Spam with Email Blacklists”
Another interesting trick you can use is to see what IP address the URLs in comments point to - most comment spammers and referrer spammers have their sites at only one or two IP addresses. Simply block the posting if a URL resolves to one of the forbidden IP addresses…
By John on Feb 1, 2005
as of this morning you can also block them by checking http_via for pinappleproxy.
By cindy on Feb 1, 2005
Unfortunately it's only a stop-gap solution, EXACTLY like email spam. For an example, see this presentation of how in the early days spamware used to announce itself in email. That is no longer true, and the same will apply here.
By netwizard on Feb 1, 2005
In the email world blacklists are the devil’s spawn. Why would we want to inflict that upon this new medium?
By Grumpy on Feb 1, 2005
I hear you loud and clear, but unfortunately I am not the first to suggest it. See MT-DSBL and WP-DSBL.
My main point here was to observe how email spammers and comment spammers tend to use the same machines, and attacking both with the same tools is helpful. What is more interesting now is the fact that the tools used to fight comment spam are mirroring exactly the evolution of tools used for email spam. For example, another commenter suggested the filtering of proxy names, which is something that SpamAssassin did originally for X-Mailer tags. There is also the TypeKey service from SixApart, which is basically authentication. There are also blacklists, Turing tests, Hashcash, etc.
The key is what can we learn from email so we don’t make the same mistakes. I don’t really know if we will.
By netwizard on Feb 1, 2005