
Fighting Trackback Spam with Email Blacklists

(For the MT-Banned-List plugin, which publishes the internal MT IP ban list, please see GitHub.)

Overnight I got slammed by two trackback spam attacks on my blog, each lasting about two hours and originating from over 20 IPs. I added all of them to my banned list to prevent further occurrences. However, I also sat down and analyzed the data to see whether it correlates with email spam. Logically speaking, it is highly unlikely that comment spammers own that many machines, so the most likely explanation is that they are using either open proxies or infected residential machines. Those are the same kinds of machines used for email spam, so it is reasonable to expect the two data sets to cross-match.

WARNING: The amount of data I collected is probably not statistically sufficient to draw firm conclusions.

To get my results, I collated the list of IPs used in the first attack, did a reverse DNS lookup on each, and looked them up in SenderBase. Of the 28 IPs, only 13 had rDNS entries (46%), of which about 8 looked like plain broadband or dialup (28%). The IPs were spread all over the world and belonged to universities, companies, and regular users alike, leading me further to believe that these were hijacked machines.

The most interesting data came from SenderBase: 17 IPs (60%) were listed in at least one spam blacklist, broken down as follows (an IP on several lists is counted under each):

DSBL open proxy - 9 (32%)
CBL open proxy - 10 (35%)
SORBS open proxy - 4 (14%)
Blitzed open proxy - 6 (21%)
SpamCop spam - 5 (17%)
SORBS spam - 1 (3%)

Of the remaining 11 IPs, 4 (14%) showed a spike in mail volume over the past 30 days, some by over 1500% in the past day alone. Altogether, only 7 (25%) were neither listed in any blacklist nor showed a volume spike.

What this means is that email spam blacklists can be used successfully to block comment and trackback spam, especially the lists that track open proxies rather than spam sources. For example, the four open-proxy lists (CBL, DSBL, SORBS and Blitzed) together would have caught 16 IPs (57%) of the trackback spam I got. Unfortunately, the current plugins (MT-DSBL and WP-DSBL) check against only one list, DSBL, which in my case catches only 32% of the spam. Of course, adding URL blacklists such as SURBL makes this work even better.

UPDATE #1: For MT 2.6 there is currently no way to check blacklists, since Brad's MT-DSBL plugin is only for MT v3. For MT v2.6, do the following:
1. In your MT directory, go to lib/MT/App/.
2. Open "Trackback.pm" in a text editor (back it up first!).
3. Find the line starting "## Check if user has pinged recently".
4. Insert the following right above that line:

## Check blacklists
my $rem_ip = $app->remote_ip;
## Split on a literal dot (an unescaped "." in a regex matches any character,
## which would yield empty fields) and reverse the octets: 1.2.3.4 -> 4.3.2.1
my $rev = join('.', reverse split(/\./, $rem_ip));
## DSBL list: a listed address resolves to an A record under the zone,
## an unlisted one gets NXDOMAIN and gethostbyname returns false
my $lookup = "$rev.list.dsbl.org";
if (gethostbyname($lookup)) {
    return $app->_response(Error =>
        $app->translate("Your IP is blacklisted by DSBL, $lookup see http://dsbl.org/listing?$rem_ip."));
}

You can easily adapt it to any other blacklist by changing the zone name in $lookup.
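The patch above hard-codes a single list. As an added example (not the post's or Movable Type's code), here is the same check written stand-alone in Python against several zones at once, the way the four open-proxy lists are combined in the analysis. The zone names are taken from the post and are assumptions for illustration (several of these lists have since shut down); the DNS answers in SAMPLE_DNS are constructed, not real lookup results, and the resolver is injectable so the example runs offline. It also handles two failure modes the one-list patch does not: a remote address that is not a valid IPv4 address, and a zone that has been abandoned and now answers every query with a public address, which would otherwise block every visitor. Only answers inside 127.0.0.0/8, the range DNSBLs use for listings, count as a hit.

```python
"""Multi-zone DNSBL check for a trackback/comment source address.

Added example, not Movable Type code. Zone names are taken from the post and are
assumptions; SAMPLE_DNS is constructed so the example runs without network access.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Zones named in the post (assumed; treat as configuration, not a recommendation).
OPEN_PROXY_ZONES = ["list.dsbl.org", "cbl.abuseat.org", "dnsbl.sorbs.net", "opm.blitzed.org"]
SPAM_ZONES = ["bl.spamcop.net"]

# A listed address answers with an A record inside 127.0.0.0/8.
DNSBL_ANSWER_RANGE = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]


def reverse_octets(ip: str) -> str:
    """Build the reversed-octet label for a DNSBL query (1.2.3.4 -> 4.3.2.1).

    Raises ValueError for anything that is not an IPv4 address instead of
    silently producing a garbage query name.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"only IPv4 zones are configured: {ip}")
    return ".".join(reversed(str(addr).split(".")))


def system_resolver(name: str) -> Optional[str]:
    """Live DNS lookup: the A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str], resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists ip.

    Only answers in 127.0.0.0/8 count. An abandoned zone whose domain now
    wildcards every query to a public address is ignored rather than treated
    as a listing.
    """
    label = reverse_octets(ip)
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(f"{label}.{zone}")
        if answer is None:
            continue
        try:
            if ipaddress.ip_address(answer) in DNSBL_ANSWER_RANGE:
                hits[zone] = answer
        except ValueError:
            pass  # not an address at all; treat as no listing
    return hits


def rejection_message(ip: str, hits: Dict[str, str]) -> Optional[str]:
    """Error text for the pinger, or None when the address is clean."""
    if not hits:
        return None
    return f"Your IP {ip} is blacklisted by {', '.join(sorted(hits))}."


# Constructed answers standing in for live DNS (not real lookup results).
SAMPLE_DNS = {
    "134.26.11.61.list.dsbl.org": "127.0.0.2",
    "134.26.11.61.cbl.abuseat.org": "127.0.0.2",
    "134.26.11.61.dnsbl.sorbs.net": "127.0.0.3",
    # A dead zone whose domain was parked answers everything with a public IP.
    "134.26.11.61.opm.blitzed.org": "203.0.113.10",
    "185.121.107.68.opm.blitzed.org": "203.0.113.10",
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("61.11.26.134", "68.107.121.185"):
        hits = check_ip(ip, OPEN_PROXY_ZONES + SPAM_ZONES, sample_resolver)
        print(ip, rejection_message(ip, hits) or "not listed")
```

To use it against real lists, call check_ip with the default system_resolver; the injected sample_resolver exists only so the logic can be exercised without a live zone. Querying every zone serially adds one DNS round trip per list to each trackback, so in production you would cache results per IP for a while, or use an aggregate zone if one is available.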

UPDATE #2: As per Andy Newton's comment, keep in mind that blacklists for email have not been all that good, so caution is advised (also see this draft).


In any case, here is my raw data:

IP address      | rDNS (country where no rDNS)               | Listings
61.11.26.134    | static26-134.dsl-pun.eth.net               | DSBL, CBL, SORBS (open proxy)
68.107.121.185  | ip68-107-121-185.sd.sd.cox.net             | none
68.157.149.39   | adsl-068-157-149-039.sip.asm.bellsouth.net | Blitzed (open proxy)
80.200.243.153  | 153.243-200-80.adsl-fix.skynet.be          | Blitzed (open proxy)
80.248.1.3      | Nigeria                                    | Blitzed, SORBS (open proxy)
81.115.31.217   | host217-31.pool81115.interbusiness.it      | SenderBase (last day: 2528%, last 30 days: 765%)
82.194.62.16    | Bahrain                                    | DSBL, CBL (open proxy); SpamCop (spam)
82.194.62.17    | Bahrain                                    | DSBL, CBL (open proxy); SpamCop (spam)
161.53.86.10    | Croatia                                    | none
163.21.40.5     | tpws126.jcjh.tp.edu.tw                     | CBL (open proxy)
163.23.130.9    | Taiwan                                     | CBL, DSBL, Blitzed (open proxy)
193.188.105.16  | Bahrain                                    | DSBL, CBL (open proxy); SpamCop (spam)
193.188.105.17  | Bahrain                                    | DSBL, CBL (open proxy); SpamCop (spam)
194.217.46.57   | no-dns-yet.demon.co.uk                     | SenderBase (last 30 days: 584%)
194.63.235.139  | cache1.lar.sch.gr                          | none
194.63.235.156  | cache2.thess.sch.gr                        | none
200.93.135.227  | extremo_pool_93135-227.etb.net.co          | SenderBase (last day: 7080%, last 30 days: 744%)
202.101.32.9    | China                                      | CBL (open proxy)
203.177.51.237  | Philippines                                | none
203.197.169.19  | tataelxsi.co.in                            | DSBL, Blitzed (open proxy)
205.206.61.233  | s205-206-61-233.ab.hsia.telus.net          | none
208.62.7.133    | USA                                        | SenderBase (last day: 1791%)
208.63.116.194  | USA                                        | Blitzed (open proxy)
212.69.231.226  | nycc-pool.vitalisp.co.uk                   | none
216.208.223.67  | Canada                                     | CBL (open proxy)
217.219.216.3   | Iran                                       | DSBL, SORBS (open proxy)
219.140.161.24  | China                                      | SORBS (spam)
219.235.236.225 | China                                      | DSBL, CBL, SORBS (open proxy); SpamCop (spam)
This post is licensed under CC BY 4.0 by the author.