It seems that for the last day or two, sites listed on the Drupal page have been getting a lot of comment spam. The comment is an off-topic quote from some database followed by a link towards a casino site. What follows is partly a technical analysis of the spam attack on the Drupal sites, a start for a "how to prevent comment spam", and some ideas on how we can fight this together. There is room for discussion, so put your comments in this thread (as long as you don't mention the war^H^H^Hcasino :-)
TECHNICAL
The spammer is using lots of IP addresses. These IP addresses are most likely not associated with the spammer, but are badly configured proxy servers that are being misused, or boxes that have been cracked and where the cracker installed a proxy server for him/herself. So you might want to complain at the abuse desk of the ISP of the IP address, but that won't solve the problem.
The spam itself is a short off-topic quote with a link to a casino site. The quote is most likely from a database. The plugged sites have the form www. [a casino term] [3 digits] .com, for example www. poker-rooms-777.com. Some of the plugged sites are already out of the whois database. It seems that the sites are hosted in China, or at least that is what APNIC returns for 222.47.62.198 (reverse for www. poker-rooms-777.com):
inetnum: 222.32.0.0 - 222.63.255.255
netname: CRTC
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER
descr: 22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
country: CN
The registrants of the sites seem to be Russian, or at least that is what they filled in in the whois database.
Domain name: poker-rooms-777.com
Registrant:
Inna Fridman (2PH7Q) gazelhofman@yahoo.com
SilverStar
balshaya nikitskaya 23
Moscow, RU 52333
Russian Federation
Phone: +7 (095)2917973
The user agent of the poster is:
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
It seems that the lame spammer starts with a low nid and works its way up. So you will likely find the spam at your first posting (nid=1) and then it will increment. Sometimes there are two comment spams on a nid (from different IP addresses), but mostly you will find one spam message.
The action of the script is:
POST /myblog/comment/reply/32? HTTP/1.0
So far I have seen the spam from 1648 IP addresses. I thought about adding the list here so people can drop this list in their firewall, but others might misuse the list, so I am not posting it here.
WHAT TO DO
You might want to drop the offending IP addresses in your firewall table to stop them from using your service. This will not work: as long as there are misconfigured proxy servers or boxes that can be cracked, you will lose this way. For the time being you might want to turn off the option for anonymous users to post comments. This will stop the bot but will make your site less attractive for visitors, since they have to make an account to interact with the content on your site.
You should install the excellent spam filter of Jeremy and try to feed it with spam words. This is a good solution, though there are some issues with the tracker. Spam won't be published, but the tracker will still show the posting that the spam was attached to as new. The spam that is already in the database can be deleted from the command prompt in MySQL or from within phpMyAdmin. There is no easy way to get rid of bulk comments within Drupal yet, but work is underway. To delete mass spam messages, search for an exclusive word and enter in MySQL:
mysql -u user -ppassword databasename
mysql> DELETE FROM `comments` WHERE `comment` LIKE '%free-casino-games%';
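The request fingerprint described under TECHNICAL (an HTTP/1.0 POST to comment/reply/[nid], the MSIE 5.5 user agent, many source IPs, nids climbing from 1) can be looked for in a web server access log. The following is an added example, not part of the original post; it assumes Apache "combined" log format, and the sample log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# User agent and request shape are taken from the post. The log format
# (Apache "combined") and SAMPLE_LOG are constructed assumptions.
SPAM_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
REPLY_RE = re.compile(r'/comment/reply/(?P<nid>\d+)\??$')

SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2005:10:00:01 +0000] "POST /myblog/comment/reply/1? HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
198.51.100.7 - - [01/Jan/2005:10:00:09 +0000] "POST /myblog/comment/reply/2? HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
203.0.113.5 - - [01/Jan/2005:10:00:15 +0000] "POST /myblog/comment/reply/2? HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
192.0.2.99 - - [01/Jan/2005:10:00:20 +0000] "GET /myblog/node/3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
198.51.100.23 - - [01/Jan/2005:10:00:31 +0000] "POST /myblog/comment/reply/3 HTTP/1.1" 200 700 "http://example.org/myblog/node/3" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
203.0.113.77 - - [01/Jan/2005:10:00:40 +0000] "POST /myblog/comment/reply/3? HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
"""

def find_spam_posts(log_text):
    """Return (ip, nid) for each request matching the fingerprint in the post."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["proto"] != "HTTP/1.0":
            continue  # unparsable line, or not an HTTP/1.0 POST
        reply = REPLY_RE.search(m["path"])
        if reply and m["ua"] == SPAM_UA:
            hits.append((m["ip"], int(reply["nid"])))
    return hits

def summarize(hits):
    """Distinct source IPs, IP count per nid, and whether nids climb in log order."""
    per_nid = defaultdict(set)
    for ip, nid in hits:
        per_nid[nid].add(ip)
    nids = [nid for _, nid in hits]
    return {
        "ips": sorted({ip for ip, _ in hits}),
        "ips_per_nid": {n: len(s) for n, s in sorted(per_nid.items())},
        "ascending": nids == sorted(nids),
    }

if __name__ == "__main__":
    print(summarize(find_spam_posts(SAMPLE_LOG)))
```

The user agent is chosen by the sender and can change at any time, so a match is a triage signal to read alongside the HTTP/1.0 POST and the climbing nid pattern rather than a blocking rule on its own.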