Saturday, November 17, 2007

Don't Just Block Spam, Block Spammers Too!

Most modern blog anti-spam efforts are based on just protecting the comment forms, which is a very narrow focus. When some spambot or someone posts something bad, it's automatically trapped and discarded by tools like Akismet. However, I don't think this solution goes far enough to solve the problem, as it only puts a band-aid on the comments page.

What I'm going to suggest, which I recently did to a few of my sites, is to go a step beyond just the comments page and punish bad behavior with banishment.

Why not ban the spammer?

You've trapped the spam and you know he/she/it is up to no good so why let them continue to access your site at all?

What if tools like Akismet not only blocked the spam but locked the spammer out of every site running Akismet worldwide?

If Akismet and a bunch of the other anti-spam tools could pool their spammer data, then you could effectively block them from ever accessing any website ever again.

Now THAT's how you punish a spammer, ban him from the worldwide community!

This is not a new concept, as RBLs have been used for things like this in the past: spammers' IPs were not only used to block incoming mail but were added to the server firewall as well. However, the more recent web-based technologies have tended to be very narrowly focused and have missed the bigger opportunity to thwart problem spammers in a better way, such as ACCESS DENIED to the web in general.

Consider that many modern, well-protected websites that are cranking up security block access from data centers and proxy servers, leaving spammers few options besides direct residential connections and botnets. Assuming spammers rent out botnets, those would have to be hijacked residential PCs, since servers in blocked data centers won't do them much good, being often blocked already. Therefore, assuming spammers were forced to use botnets to do their bidding, they would unwittingly get innocent people blocked, and those people would shortly discover their machines are infected and get them fixed.

What a concept!

Ostracizing spammers could even get people with compromised PCs off the botnet too!

Spammers would think twice about ever spamming again if each attempt permanently cost them more and more access to the web. So maybe, just maybe, we can end spam in our lifetime just by changing the anti-spam technology being deployed: a complete front-end security system for the website, triggered after the comment form raises the alarm and alerts the entire anti-spam community.

OK, there could be a few innocent casualties but the greater good to permanently eradicate spam and even botnets completely outweighs the impact of a little friendly fire.

I'm banning spammers to clean up the online environment, how about you?
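To make the proposal concrete, here is an added example (my own illustration, not code from this blog or from Akismet) of the site-side half: every spam-trap hit adds a strike for the source IP, each strike escalates the block duration, blocks expire on their own, and ranges the operator has flagged as dynamic or shared get a short cap so a reassigned address is not punished for its previous user. The sample hits, the `DYNAMIC_RANGES` list and the durations are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample: (source ip, unix time) for posts the comment form flagged as spam,
# the kind of data a site would pull from its access log for /comment/reply/ hits.
TRAP_HITS = [
    ("203.0.113.7", 1000), ("203.0.113.7", 2000), ("203.0.113.7", 3000),
    ("198.51.100.20", 1500),
]

# Assumption: the operator maintains a list of dynamic/shared ranges (ISP pools, NAT
# gateways); blocks there are capped short because the address changes hands quickly.
DYNAMIC_RANGES = [ip_network("198.51.100.0/24")]
DYNAMIC_CAP = 3600            # at most one hour for a dynamic range
BASE = 3600                   # first offence: one hour
MAX = 30 * 86400              # never more than 30 days per strike

@dataclass
class BlockList:
    strikes: dict = field(default_factory=dict)   # ip -> number of spam hits seen
    expires: dict = field(default_factory=dict)   # ip -> unix time the block ends

    def _is_dynamic(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in DYNAMIC_RANGES)

    def record_spam(self, ip, now):
        """Add a strike; each strike quadruples the block length up to MAX."""
        n = self.strikes.get(ip, 0) + 1
        self.strikes[ip] = n
        duration = min(BASE * 4 ** (n - 1), MAX)
        if self._is_dynamic(ip):
            duration = min(duration, DYNAMIC_CAP)
        # Never shorten an existing block by recording a new hit.
        self.expires[ip] = max(self.expires.get(ip, 0), now + duration)
        return duration

    def is_blocked(self, ip, now):
        """Front-end check: expired entries drop out, strike history is kept."""
        exp = self.expires.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self.expires[ip]
            return False
        return True

    def export_rbl(self, now):
        """Addresses still blocked at `now`, i.e. what would be shared with other sites."""
        return sorted(ip for ip, exp in self.expires.items() if exp > now)

def replay(hits):
    bl = BlockList()
    for ip, ts in hits:
        bl.record_spam(ip, ts)
    return bl
```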

15 comments:

Anonymous said...

While my first response is 'yeah! right on!', upon reflection I have to disagree - the only way I can think of to 'tag' a spammer for blocking is by IP and the RBLs have shown that is a problem in the real world.
The world is full of dynamic IPs - I'd hate to be blocked for my neighbours' actions, and the world is full of corporations all appearing to come from 1 IP.
It would work, but it could well kill the internet, as an ever increasing number of IPs was locked out of the net, while the skilled spammers just move onto a new IP.
Sorry to disagree :(

IncrediBILL said...

I address these same issues in my bot blocking, so some IPs on dynamic services such as AOL are only shut down for a brief period, whereas others are shut down for a much longer period of time, or indefinitely.

It can be done with quite a bit of accuracy and some innocents will be temporarily caught in the cross fire.

However, did you ever think that the innocents caught like yourselves would be screaming at their ISPs and the ISP would get sick of all the fuss and whack the people causing the problem?

Like I said, collateral damage is expected but it's a win-win in the end.

Anonymous said...

This is unacceptable. Things like Akismet have way too high a rate of false positives for this to not cause insane amounts of trouble. *Everybody* posting comments to blogs would get nailed eventually. I've plenty of times had innocent posts disappear at various blogs merely because they contained a URL or two, or simply were lengthy, or I'd posted two in fairly rapid succession. Most often though I could not discern any plausible triggering factor.

IncrediBILL said...

I used Akismet as an example but it's a simple thing to have a human review it and verify it's SPAM before adding the SPAMMER to the block list.

FWIW, my anti-spam code doesn't seem to generate false positives so my list of spammers should be pretty clean.

I can donate over 3K IPs to kick off the project :)

Anonymous said...

"It's a simple thing to have a human review it and verify it's SPAM before adding the SPAMMER to the block list."

That's fortunate, because that's the bare minimum due diligence required before potentially banning someone from being able to read just one blog, let alone a whole interconnected bunch of 'em.

P.S. the captcha on THIS blog is once again giving false positives ... or false negatives ... or whatever you want to call it when you enter the letters correctly and it behaves as if you did not.

Blocks would have to expire in a relatively short time as well, the shorter the broader their scope, since IP addresses are in general fairly often reused or reassigned, and victims of botnet infection should not have permanent consequences lingering long after they've cleaned their systems.

On the whole, though, I don't think this is a very good idea at all. Blocking comment posting on an affiliated network of blogs, instead of just the one blog, perhaps; blocking even reading the blogs seems somewhat excessive.

IncrediBILL said...

You have some wacky ideas because I can ban anyone I want from any of my sites without any due diligence whatsoever.

However, for an interconnected system, it's not banning people, it's banning behavior associated with an IP address. If you drop a viagra link *POOF!* you're gone from the internet, I like it.

Who said anything about just blocking access to posting on blogs?

They should be banned from everything from Google to Uncle Jim's Fishing site.

If someone is infested with a botnet that machine should be cleaned and verified before letting it have access to the internet in the first place because they do everything from spam, to phishing, to DDoS, so we really don't need them until they can show proof of service, perhaps from someone like Geek Squad.

Maybe, JUST MAYBE, people would learn to stop opening spam email, not running AV and stop going to the underbelly of the internet if they kept getting blackballed every time they got infected again and being blocked from most of the 'net is a good behavior modification incentive.

P.S. Who cares if you can't use the captcha thing on this blog? I'm thinking about solving your problem once and for all by just disabling anonymous comments.

Anonymous said...

I've never posted here before and you respond with insults, viciousness, and threats to my perfectly reasonable post?

As for your suggestions that people should have to patronize particular businesses (Geek Squad), be "certified" in various ways, and never visit the "seamy side" of the net, all I can do is ask "who died and made you God?" Oh, and I can be thankful that you aren't King of the Net or anything like it either, so all you can do is rant impotently on your blog and not actually carry out many of those threats.

In any event, the day the internet becomes so heavily regulated (whether by government or some private industry) that you can't drive on it without a license and can't do very much (other than be a "good little consumer") without being pulled over, ticketed, and maybe have that license suspended will be the day that I yank all my web sites, dissolve my two dot-coms, unplug and sell all my networking gear, and get a nice quiet job somewhere as a file clerk or something. :P

Anonymous said...

Yup ....... here we go again. Bill it looks like another one has managed to find you :).

"That's fortunate, because that's the bare minimum due diligence required before potentially banning ....". There has never been any requirement for banning anyone at any time. The decision is left to the site owner.

Access Denied, your computer is infected, we suggest appropriate action be taken to remedy your situation

Or, Access Denied, this IP has been associated with attempts to deface websites by posting spam. You need to contact your ISP

The net is becoming no different than the real world. What you do, where you go and how you act, will either open or close doors in both worlds.

Comment spamming is a minor problem for me. Bill, if you want the output from:
grep /comment/reply/ my-access.log

I will make it available.

IncrediBILL said...

BWAHAHAHA...

"...so all you can do is rant impotently on your blog and not actually carry out many of those threats."

I just had to comment on this because some collected data is already out there being used to stop some malicious activities, although what's being done isn't public knowledge, so keep on dreaming.

These rants aren't all bark and there is some bite here and there to back them up.

IncrediBILL said...

Ban Proxies, thanks for the offer but I'm not quite ready to start merging data sources yet, but I am planning on making all 3K spamming assholes' IPs a public RBL very soon.

Most are from Asia, Russia and Romania so I don't expect much trouble except the usual hacking and DDoS attempts I already get from Asia, Russia and Romania.

Anonymous said...

" ... except the usual hacking and DDoS attempts I already get from Asia, Russia and Romania."

SANS is recommending this tool Internet Security Monitoring.

Download Completed. Gotta go to play with a new toy :)

IncrediBILL said...

I'm aware of dotDefender and my own homebrew tools do more.

When I talk about hack attempts, I'm talking port scans, SSH and FTP attacks, way more than just HTTP attacks which are trivial to block.

Anonymous said...

"There has never been any requirement for banning anyone one at anytime. The decision is left to the site owner."

This is fine when you're talking about blocking access to just your own site. It's when you start talking blocking access to the whole damn net that things become problematic. I don't want my access to the net at large to be decided arbitrarily by you, for instance.

Making the net useless for a large number of people is what a large net-wide blocking list populated with huge numbers of false positives would do. Oops -- so much for the Internet. Bill singlehandedly destroyed it! Well, fortunately he can only dream of doing so.

P.S. I don't take kindly to namecalling.

IncrediBILL said...

Sorry, but I'm not doing anything new. Many people use the RBL from SpamHaus and other places in their firewall, not just in the email server.

I'm just pointing out that the blog based anti-spam techniques are missing that finer point of punishment which should be doled out to the idiots that spam.

P.S. I don't give a shit what you take kindly to so stay away if you don't like it.

John Chapman said...

(I know this is a reply to a really old post) :)

@anonymous - the pissed off one.

Long story short, if you behave you will not have a problem. If your computer is NOT a detriment to others, you will not have a problem.

On a highway, (analogy since we are on the Information Superhighway), if you are reckless and a danger to others, you are pulled over (hopefully) and you will suffer various degrees of corrective action.
Your vehicle has to be safe (think computer) as well. Brakes not working, turn signal switch constantly broken... etc., etc. You are not allowed to put that car on the road.
This is GOVERNMENT doing it.

Proposal by IncrediBILL is one that I have thought of to some extent myself. And guess what. It is a group of people who have their OWN servers, who have the right to regulate WHO visits their servers, since they OWN them and all. Same with the RBL spam.

I ran a small service that blocked Spam/Viruses once upon a time.
Most people thanked me for the service, as we hate this crap.
Anyone that is angry that I am blocking email they are sending has yet to provide a copy of a non-spam email.

I had one customer trying to get email from overseas. I specifically white-listed the IP address for that mailserver in question.

Website owners of the world.. UNITE!! :)