Fighting Trackback Spam with Email Blacklists (February 1st, 2005)

(For MT-Banned-List plugin for publishing the internal MT IP ban list, please see GitHub)

Overnight I got slammed by two trackback spam attacks on my blog, each lasting about two hours and originating from over 20 IPs. I added all of them to my banned list to prevent further occurrences. However, I also sat down and analyzed the data to see whether it correlates with email spam. Logically speaking, it is highly unlikely that comment spammers own so many machines, so the most likely conclusion is that they are using either open proxies or infected residential machines. Incidentally, the same kinds of machines are also used for email spam, so it is reasonable to assume that the data will cross-match.

WARNING: The amount of data that I collected is probably not statistically sufficient to draw conclusions

To get my results, I collated a list of the IPs used in the first attack, did a reverse DNS check on each and looked them up in SenderBase. Out of 28 IPs, only 13 had rDNS entries (46%), of which about 8 looked like straight broadband or dialup (28%). The IPs were located all over the world and included universities, companies and regular users, which further led me to believe that these were hijacked machines.

The most interesting data came from SenderBase: 17 IPs (60%) were listed in at least one spam blacklist as follows:

DSBL open proxy – 8 (28%)
CBL open proxy – 10 (35%)
SORBS open proxy – 4 (14%)
Blitzed open proxy – 4 (14%)
SpamCop spam – 5 (17%)
SORBS spam – 1 (3%)

Out of the remaining 11 IPs, 4 (14%) had their mail volume spike in the past 30 days, with some spiking as high as 1500% in the past day. Altogether, only 7 (25%) were neither listed in any blacklist nor showed a volume spike.

What this means is that email spam blacklists can be used successfully to block comment and trackback spam, especially the ones that list open proxies rather than spam sources. For example, using the four blacklists that detect open proxies (CBL, DSBL, SORBS and Blitzed) would have taken care of 16 IPs (57%) of the trackback spam I got. Unfortunately, the current plugins (MT-DSBL and WP-DSBL) only check against one list, DSBL, which in my case catches only 28% of the spam. Of course, adding URL blacklists such as SURBL makes this work even better.

UPDATE #1: For MT 2.6 there is currently no way to check blacklists since Brad’s MT-DSBL plugin is only for MT v3. For MT v2.6, do the following:
1. In your blog directory, go to lib/MT/App/.
2. Open “Trackback.pm” in a text editor (backup first!).
3. Find a line starting “## Check if user has pinged recently”.
4. Insert the following right above that line:

## Check blacklists
my $rem_ip = $app->remote_ip;
## Reverse the octets: 61.11.26.134 becomes 134.26.11.61
## (the dot must be escaped; split(/./, ...) would split on every character)
my $rev = join('.', reverse split(/\./, $rem_ip));
## DSBL list: the name only resolves if the IP is listed
my $lookup = "$rev.list.dsbl.org";
if (gethostbyname($lookup)) {
    return $app->_response(Error =>
        $app->translate("Your IP is blacklisted by DSBL, $lookup see http://dsbl.org/listing?$rem_ip."));
}

You can easily change it for any other blacklist as well.
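As an added example (not code from the post or from the MT-DSBL plugin), here is the same check in Python, generalized to the four open-proxy lists recommended above, with a swappable resolver so it can be exercised offline. The zone names for CBL, SORBS and Blitzed are assumptions (only list.dsbl.org is from the post, and several of these lists have since shut down), and only answers inside 127.0.0.0/8 count as a listing, which stops a retired or wildcard-answering zone from rejecting every trackback.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Assumed zone names for the lists the post names; only list.dsbl.org comes
# from the post itself, and several of these lists have since shut down.
OPEN_PROXY_ZONES = {
    "DSBL": "list.dsbl.org",
    "CBL": "cbl.abuseat.org",
    "SORBS": "dnsbl.sorbs.net",
    "Blitzed": "opm.blitzed.org",
}
# DNSBLs answer with an address inside 127.0.0.0/8 when an IP is listed.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def reverse_octets(ip: str) -> str:
    """'61.11.26.134' -> '134.26.11.61'; rejects anything that is not IPv4."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError(f"DNSBL lookup needs an IPv4 address, got {ip!r}")
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_name(ip: str, zone: str) -> str:
    """The query name the post builds by hand: <reversed octets>.<zone>."""
    return f"{reverse_octets(ip)}.{zone}"


def resolve_with_socket(name: str) -> Optional[str]:
    """Default resolver: the A record for name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: Dict[str, str] = OPEN_PROXY_ZONES,
             resolve: Callable[[str], Optional[str]] = resolve_with_socket) -> Dict[str, str]:
    """Return {list name: answer} for every zone that lists ip. Answers outside
    127.0.0.0/8 (a wildcard-answering resolver, a retired zone that now resolves
    everything) are ignored so a broken list cannot reject every trackback."""
    listed = {}
    for name, zone in zones.items():
        answer = resolve(dnsbl_name(ip, zone))
        if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
            listed[name] = answer
    return listed
```

A trackback handler would reject the ping when check_ip() returns a non-empty dict; passing a different zones dict switches the check to any other list.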

UPDATE #2: As per Andy Newton’s comment, keep in mind that blacklists for email have not been all that good so caution is advised (also see this draft).


In any case, here is my raw data:

IP               rDNS (country where no rDNS existed)         Listings
61.11.26.134     static26-134.dsl-pun.eth.net                 DSBL, CBL, SORBS (open proxy)
68.107.121.185   ip68-107-121-185.sd.sd.cox.net               none
68.157.149.39    adsl-068-157-149-039.sip.asm.bellsouth.net   Blitzed (open proxy)
80.200.243.153   153.243-200-80.adsl-fix.skynet.be            Blitzed (open proxy)
80.248.1.3       Nigeria                                      Blitzed, SORBS (open proxy)
81.115.31.217    host217-31.pool81115.interbusiness.it        SenderBase (last day: 2528%, last 30 days: 765%)
82.194.62.16     Bahrain                                      DSBL, CBL (open proxy); SpamCop (spam)
82.194.62.17     Bahrain                                      DSBL, CBL (open proxy); SpamCop (spam)
161.53.86.10     Croatia                                      none
163.21.40.5      tpws126.jcjh.tp.edu.tw                       CBL (open proxy)
163.23.130.9     Taiwan                                       CBL, DSBL, Blitzed (open proxy)
193.188.105.16   Bahrain                                      DSBL, CBL (open proxy); SpamCop (spam)
193.188.105.17   Bahrain                                      DSBL, CBL (open proxy); SpamCop (spam)
194.217.46.57    no-dns-yet.demon.co.uk                       SenderBase (last 30 days: 584%)
194.63.235.139   cache1.lar.sch.gr                            none
194.63.235.156   cache2.thess.sch.gr                          none
200.93.135.227   extremo_pool_93135-227.etb.net.co            SenderBase (last day: 7080%, last 30 days: 744%)
202.101.32.9     China                                        CBL (open proxy)
203.177.51.237   Philippines                                  none
203.197.169.19   tataelxsi.co.in                              DSBL, Blitzed (open proxy)
205.206.61.233   s205-206-61-233.ab.hsia.telus.net            none
208.62.7.133     USA                                          SenderBase (last day: 1791%)
208.63.116.194   USA                                          Blitzed (open proxy)
212.69.231.226   nycc-pool.vitalisp.co.uk                     none
216.208.223.67   Canada                                       CBL (open proxy)
217.219.216.3    Iran                                         DSBL, SORBS (open proxy)
219.140.161.24   China                                        SORBS (spam)
219.235.236.225  China                                        DSBL, CBL, SORBS (open proxy); SpamCop (spam)

Comments?
