How to fight blog spammers.
It has come to my attention that some of my articles regarding spammers have been of interest to an international audience. As such, I’ve decided to break the general habit of writing in Danish.
This post is mainly a simple guide to adding filtering to your website. It’s based on Apache and .htaccess files, and should work on almost any PHP-supporting web hosting service (provided that you’ve got permission to limit access to your files through .htaccess files).
If you’re fighting with spammers like the previously mentioned adol77dai51, or any other spammer, here’s a simple how-to on making the appropriate filter. (This technique will work on any website, not just a WordPress blog.)
You will need:
- A webhost or your own webserver, supporting Apache-style .htaccess files.
- Permission to use the <Files> directive in .htaccess files.
- Access to the server logs for your website.
- A desire to end spammers’ abuse of your website.
When a user signs up on your blog, you’ll receive an e-mail with the account details, e.g. (the To and From addresses have been edited):
To: @chanoandersen.dk
Subject: [ChanoAndersen.DK] New User Registration
Date: Wed, 5 Dec 2007 12:46:39 +0100
From: WordPress < @chanoandersen.dk>

New user registration on your blog ChanoAndersen.DK:

Username: toponlineepornrponv
E-mail: 1@e0theresa.info
The important part of this e-mail is the date: this is when the sign-up was made, and we’ll need it to search the logs for the IP address used to sign up. (Ask the WordPress developers why the IP isn’t included in the mail.)
Once you have the date, it’s time to search the logs. How you search them depends on your options. I have a server I control myself, and therefore have access to the command line, but most webhosts will NOT provide this kind of access, and you’ll need to use a text editor to search the downloaded log files.
In my case above, the e-mail was received on the 5th of December at 12:46 (using the 24-hour clock).
The format of the Apache log file is quite simple and is described on the Apache website; the important parts in our case are the date, time and IP address.
The lines in the log file look somewhat like this:
72.36.115.68 - - [06/Dec/2007:00:01:02 +0100] "GET /2006/12/25/julen-er-slut/ HTTP/1.0" 200 3756 "-" "CazoodleBot/Nutch-0.9-dev (CazoodleBot Crawler; http://www.cazoodle.com; mqbot@cazoodle.com)"
The four dot-separated numbers at the beginning are the IP address of the request; the two dashes are not important. Next come the date, the request type (mostly POST or GET), the URI requested and the client software used (usually a browser, but here a bot).
To find the registration request made by the spammer, I would need to search for 05/Dec/2007:12:46 which is all the information available to me at this stage.
The search returns 6 results; the one I need is a POST request, meaning a form (the registration form) has been submitted.
Once I have the request, I have the IP address of the spammer.
207.44.147.202 - - [05/Dec/2007:12:46:39 +0100] "POST /wp-login.php?action=register HTTP/1.0" 302 - "http://chanoandersen.dk/wp-login.php?action=register" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8 Mnenhy/0.6.0.103"
This request is coming from the IP address 207.44.147.202. There are several ways to determine who the IP belongs to and whether it is safe to block the entire IP range or just the IP address; I won’t go into details on this here. I assume the spammer is in charge of the entire IP block (from 207.44.147.0 through 207.44.147.255). This is actually not the case with this IP address, but as it belongs to a hosting center there won’t be a problem, as no one would ever need to register on my blog from a hosted server.
With the IP address at hand, it’s simple to block all requests to the wp-login.php file (the file used to register a new account). Just create a new .htaccess file (Windows would most likely NOT let you create a file starting with a dot, but then just rename it once you’ve transferred the file to the server) and add the following lines:
# Apache only treats a line as a comment when it starts with "#",
# so each note sits on its own line above the directive it describes.
<Files "wp-login.php">
Order Allow,Deny
# Bulgarian spammer
Deny from 77.70.106.
# Russian spammer
Deny from 84.23.54.
# Spammer hosted at theplanet.com
Deny from 207.44.147.
# Allow access to everyone else.
Allow from All
</Files>
If you need to block another IP address, just add a new Deny line. If you would like to block just the actual IP address, then add all four parts, not just the first 3. If you would like to completely block access to your site, not just the wp-login.php file, just remove the <Files "wp-login.php"> and </Files> lines.
There might also be plugins for WordPress that allow blocking of IP addresses; however, I find the above method much easier than installing a plugin.
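The log search and filter steps above as one script, added here as an example and not code from the original post: it takes the Date header of the notification mail, finds POST requests to the registration form within a minute of it, and builds the matching Deny lines. The function names, the 60-second window and every sample log line except the first are assumptions made for the example, and it handles IPv4 addresses only.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

MAIL_DATE = "Wed, 5 Dec 2007 12:46:39 +0100"  # Date header of the mail in the post

# First entry is the request quoted in the post (user agent shortened);
# the other three are constructed to show what gets filtered out.
SAMPLE_LOG = [
    '207.44.147.202 - - [05/Dec/2007:12:46:39 +0100] "POST /wp-login.php?action=register HTTP/1.0" 302 - "http://chanoandersen.dk/wp-login.php?action=register" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Dec/2007:12:46:10 +0100] "GET /wp-login.php?action=register HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Dec/2007:12:46:50 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Dec/2007:13:46:39 +0100] "POST /wp-login.php?action=register HTTP/1.0" 302 - "-" "Mozilla/5.0"',
]

# Leading fields of an Apache access log line: client, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*"'
)

def find_registrations(log_lines, mail_date, window_seconds=60):
    """Return client IPs that POSTed the registration form near mail_date."""
    sent = parsedate_to_datetime(mail_date)  # timezone-aware, like the log stamps
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["uri"].startswith("/wp-login.php?action=register"):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - sent) > timedelta(seconds=window_seconds):
            continue
        try:
            hits.append(str(ipaddress.IPv4Address(m["ip"])))
        except ValueError:
            continue  # hostname or IPv6 in the first field: check it by hand
    return hits

def deny_block(ips, whole_range=False):
    """Build the <Files> block from the post for the given addresses."""
    lines = ['<Files "wp-login.php">', "Order Allow,Deny"]
    for ip in sorted(set(ips)):
        # Three parts plus the dot cover a.b.c.0-255; four parts block one host.
        lines.append("Deny from " + (ip.rsplit(".", 1)[0] + "." if whole_range else ip))
    return "\n".join(lines + ["Allow from All", "</Files>"])

if __name__ == "__main__":
    print(deny_block(find_registrations(SAMPLE_LOG, MAIL_DATE), whole_range=True))
```

Because both timestamps are compared as timezone-aware values, the match still works when the mail header and the server log are written in different UTC offsets.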
So far I know of the following blog spammers:
- toponlineepornrponv (1@e0theresa.info) 207.44.147.202
- adol77dai51 (adolfodaine77@gmail.com) 77.70.106.4
- A Russian spammer whose account details I’ve deleted. 84.23.54.242
Let me know if you have other spammers.
06 Dec 2007 at 17:23
You know that buzzing sound you probably get in your ears when your woman tells you about knitting patterns and other women’s stuff…? That’s pretty much how I feel right now *ggg* I think I’ll just write it into .htaccess, as you suggest
07 Dec 2007 at 20:01
I’ve run into adol77dai51 a couple of times, but both requests came from different IP ranges.
As these spam/user-reg bots start getting more common, I don’t think address range blocking is going to scale well, just because it’ll start to be a pain to have to edit .htaccess all the time. Hopefully Akismet or a similar spam-fighting plugin will be reg-bot aware in the near future.
08 Dec 2007 at 00:25
Well, I’ve only denied 3 ranges, and so far it keeps most of the user registrations away. (I’m only denying access to the wp-login.php file)
But naturally as more and more bots arrive, it’ll be a pain to update the filtering all the time.
Any good CAPTCHA plugins to add to the registration procedure? Would probably solve some of the problem. (If the images are well constructed)
And as a side note.. Your blog was not new to me, I’ve seen it on a search for that spammer in the past.
11 Dec 2007 at 18:29
Hi, I tried adding these two to the text you had already written here, but apparently it doesn’t work because they (221.208.174.223) came back…?
Deny from 221.208.174.223.
Deny from 66.153.207.10.
Can you help me, PLEASE
11 Dec 2007 at 18:32
Well, they write comments in my blog, but as you wrote you only deny them to login, so that’s probably my problem, right?
12 Dec 2007 at 06:30
My solution above only denies logins; however, if you omit the <Files "wp-login.php"> and </Files> lines, you’ll deny access altogether.
A mistake in the lines you’ve posted here is the trailing . Try removing it, and see if it doesn’t work a little better.
Also make sure you’ve got Akismet installed and set up, and mark all the comments as spam.
04 Jun 2009 at 22:45
Hi, good post. I have been wondering about this issue, so thanks for posting.