I’ve got a version of Ray’s BlogCFC for another blog with an entry that some spammers latched onto awhile back. Despite that trackbacks were never actually displayed, they were spamming it a couple times per minute. Every day.
First, I switched mod_security (on Apache) to return a 403 Forbidden using the following code:
SecFilterSelective REQUEST_URI "/news/trackback.cfm" status:403
They didn’t stop. Almost 3 weeks ago, I made it return a 404 instead. Here’s the log from last night:
/news/trackback.cfm?668BFD92-A994-6C6A-82E806F56E7D0019: 6315 Time(s)
They are using a bot network so I can’t block IP addresses very easily. Is there a way with mod_security to make it just return nothing? No error code, no response, no nothing? Just close the connection? That’s probably not “right” according to the HTTP spec, but sometimes you have to fight fire with fire. In the mean time, I’m going to try this:
SecFilterSelective REQUEST_URI "/news/trackback.cfm" "redirect:http://www.whitehouse.gov"
Make it someone else’s problem. I should figure out how to integrate mod_security with the firewall so requesting trackback.cfm would shut you off at the firewall for an hour. There is the exec command but I’m not sure how to pass the environment variables to iptables:
SecFilterSelective REQUEST_URI "/news/trackback.cfm" "exec:/sbin/iptables ???"
It looks like the guy who wrote mod_security has some tools to help with this but I found very little in my Google searches. Anyone using these?
x said:
on August 31, 2007 at 10:22 pm
hi