So I was enjoying my relaxing Thanksgiving (well, not really, but that's another story), and I get emails about spam comments. That's the first in a year or more, so I glance at the logs to see how it evaded the setup. It appears it followed a link from googleblog, and was acting as a fully compliant browser (executing JavaScript, etc.). So either it was a manual attempt, or a really advanced script. To make the rest of my day easier, I implemented an XBL check (after making sure it would have helped in this case), which is something I'd seen as an interesting idea to prevent spam. As I didn't want to bother with Net::DNS for such a simple check that doesn't run often, this should be pretty portable in case anyone else uses Perl and wants to try it.
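# Only digits captured from REMOTE_ADDR are interpolated into the command line.
if ($ENV{'REMOTE_ADDR'} =~ m/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
    # DNSBL lookup: reverse the octets and query under xbl.spamhaus.org.
    my $xblresult = qx!/usr/bin/host $4.$3.$2.$1.xbl.spamhaus.org!;
    # A 127.0.0.x answer means the address is listed; reject the request.
    if ($xblresult =~ m/\b127\.0\.0\.\d+\b/) {
        print "Content-type: text/plain\n\n";
        print "Rejected due to xbl\n";
        exit;
    }
}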
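A variant of the check above that skips the external host command and still avoids Net::DNS, added here as an example and not part of the original post. The sub names are hypothetical, and it assumes Spamhaus's published return codes: 127.0.0.4 through 127.0.0.7 for an XBL listing and 127.255.255.x for a query error, which should not be treated as a listing.

```perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Reversed-octet query name for an IPv4 address; returns nothing if the
# input is not a dotted quad with every octet in 0..255.
sub xbl_query_name {
    my ($ip) = @_;
    return unless defined $ip
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @octets = ($1, $2, $3, $4);
    return if grep { $_ > 255 } @octets;
    return join '.', reverse(@octets), 'xbl.spamhaus.org';
}

# Classify the A records returned for the query name (assumed code ranges,
# see the note above). No records at all means the address is not listed.
sub classify_xbl_answers {
    my @answers = @_;
    return 'clean'  unless @answers;
    return 'error'  if grep { /\A127\.255\.255\.\d+\z/ } @answers;
    return 'listed' if grep { /\A127\.0\.0\.[4-7]\z/ } @answers;
    return 'unknown';
}

# Live lookup with the core resolver call. A failed or timed-out lookup
# also yields no records, so the check fails open rather than blocking.
sub xbl_status {
    my ($ip) = @_;
    my $name = xbl_query_name($ip) or return 'invalid';
    my (undef, undef, undef, undef, @raw) = gethostbyname($name);
    return classify_xbl_answers(map { inet_ntoa($_) } @raw);
}

if (defined $ENV{REMOTE_ADDR}) {
    # CGI use, as in the post: reject only on a real listing.
    if (xbl_status($ENV{REMOTE_ADDR}) eq 'listed') {
        print "Content-type: text/plain\n\nRejected due to xbl\n";
        exit;
    }
} else {
    # Run from a shell: constructed sample answers, no network needed.
    for my $case (['no A record', []], ['XBL listing', ['127.0.0.4']],
                  ['resolver refused', ['127.255.255.254']]) {
        printf "%-17s %s\n", $case->[0], classify_xbl_answers(@{ $case->[1] });
    }
    printf "%-17s %s\n", 'query name', xbl_query_name('192.0.2.10') // 'invalid';
}
```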
Hey, I use Perl and I might need that!
Thanks, Mooney. That'll go in my next round of updates.
Pete, you need to get an RSS feed too. I never remember to check your site.
Apparently you must have removed it from your reader or something - it started working a couple days ago.
Of course then there's the time where someone controls a botnet and hits from a half dozen IPs at a time, only one of which is in XBL... Luckily odd behavior is still something that can be recognized.
I checked my Reader this morning and it said 12 new articles, then I saw they were spam... that made me sad.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
What is XBL?