
Comment Spam Storms

Update: Be sure to read the comments. There are lots of good suggestions on solving this problem. Here’s what I did to stop spam storms.

About three times per day my server gets hit by a comment storm. Someone with a botnet is trying to spam my blog and they’re going about it stupidly. They don’t get any comments through because of a simple textual CAPTCHA that I installed in June.

The storm occurs because the spammers try to post over 100 comments in the space of about 1 minute from five or six different IP addresses. Naturally, the load average on my server shoots up to unacceptable levels. I’m stymied about how to combat this. The IP addresses are different every time. The browser tag is MSIE, so you can’t filter on that. If you have ideas, let me know.

Posted by windley on December 14, 2006 9:56 AM


10 Comments

Can't you set Apache to block requests from a specific IP address if they make too many requests within a certain amount of time? Or perhaps too many of a certain type of request within a certain amount of time? For instance, if somebody tries to post a comment from a particular IP address more than once a minute, you could present them with a short, text-only page that tells them that they are only allowed one comment per minute. Serving such a page, with a status code of, say, 406 uses up a lot fewer resources than serving up a graphic-intense page with your standard site layout and graphics and a captcha error. As long as your comment spammers aren't using 100 different IP addresses per minute, that should at least help a little.

Phil,

I used to have that problem too, but then I implemented mod_security. Now I just laugh at all the errors in my log and watch the CPU idle. :-)

http://jeremy.zawodny.com/blog/archives/007442.html

The magic trifecta for this situation is MT-Akismet, MTAutoBan and FastCGI.

MT-Akismet transparently hooks MT into Akismet. Akismet is set-it-and-forget-it in addition to being adaptive based on the feedback of other users. This alone stops spam from being published like your captcha solution, but does not address the load issue you are experiencing.

MTAutoBan periodically looks at the IP addresses of junked comments and trackbacks and then generates the necessary blocks and writes them out to a .htaccess file. This way MT doesn't have to start up to evaluate what is almost definitely spam. This is similar to mod_security, but it leverages the adaptive nature of the Akismet service. It's also easier to install and is an option with shared hosting accounts. (Most ISPs do not support mod_security and won't install it for you either.) The solution is tied to Apache and it doesn't stop a spammer who is using a large number of different IPs. That seems to be the exception rather than the norm though.

FastCGI gets rid of the overhead baggage CGI brings. Besides making MT snappier (one rough benchmark estimates 18x faster), it can more efficiently handle all the requests coming in during the initial phase of a comment spam flood.

I forgot to mention this in my previous comment:

Disclosure: I wrote (and maintain) MT-Akismet for Automattic.

Comment from Tieg at December 14, 2006 1:03 PM

I had the same problem earlier this week and it got so bad that my blog was *never* up (despite the fact that it's low-to-no-traffic otherwise) and was blaming it on the software (Typo) taking up too much memory on a shared host, but after looking in the logs found out it was the same problem you're having. I turned on Typo's Spam Filter and it worked really well and it hasn't gone down at all since then. What software are you using?

I'd be careful to specify mod_security for comment requests only; we unknowingly had it running on an application (on Textdrive) and when the client was getting mysterious application errors posting to their CMS we tracked it down: the word "hecho" in their Spanish text was being blocked by mod_security.

Akismet has been great at catching spam without the need for CAPTCHAs (which, by the way, I hate), though the holy grail of "leave me alone" came from the Bad Behavior plugin for WordPress. While it's a WordPress plugin, they do provide instructions for hooking it into other platforms. I can't imagine that MT would be too tough.

What it does is look for "spammy" behavior and generates a simple 403 error to the client. For humans, they can read the instructions if they get it unintentionally. For bots, they consume a small piece of resources and can't get through. It blocks about 100 bad requests a week to my personal blog, and I don't even get that much traffic. I highly recommend it.

Comment from Danno Ferrin at December 14, 2006 2:54 PM

Have you considered hacking the Movable Type blog code and moving the comment CGIs to a different URI?

They must not be mining the web page or they would mine your Captcha value, so you could add a quick forbidden on the old URIs.

Comment from Pat at December 14, 2006 5:48 PM

"The browser tag in the HTTP request is MSIE, so you can’t filter on that" - um - why not? Doesn't anyone who has a clue use Firefox? ;-)

I would recommend MT Akismet. I use WordPress for my blogging CMS, and Akismet worked flawlessly. I have since moved to Spam Karma 2, as it provides a bit more options, but I would recommend Akismet to any blogger. HTH.

Comment from Abram Catalano at December 15, 2006 11:12 PM

Hey Phil,

I've used the Apache module mod_evasive in the past to prevent DDoS attacks.

I'd also bet there are more in the extensive modules.apache.org

Thanks for the blog, I appreciate you sharing.
