
spam protection (Re: A note to Red Hat about spam.)



On Tue, 1 Jan 2002, E Nigma wrote:

> Do I need to remind Red Hat that the sending of unsolicited, unwelcome email 
> costs the recipient money, time dealing with it, and reduces bandwidth for 
> the purpose for which it's bought.

We're quite aware of that; as at least all traceable spammers who dared 
spamming me in the last year will be able to tell you.

> In making subscribers' email addresses available from its web pages, Red Hat 
> is a party to this theft.

I've asked IS to turn this off, but of course, spammers can still 
subscribe to mailing lists to get a load of email addresses by indexing 
all addresses.
On the other hand, I think the spammer stole Red Hat's resources. By any 
chance, did you trace this spammer?


Anyway, here's a couple of tricks I'm using on bero.org and its various 
virtual hosts to prevent spammers from getting email addresses off the 
sites even if they're mentioned - this stuff may be useful to other 
people running web servers:

httpd.conf:
# Kill all spammers...
LoadModule rewrite_module     modules/mod_rewrite.so
AddModule mod_rewrite.c
RewriteEngine On
RewriteLog /var/log/spammers.log
# The user agents listed below are known spambots. They
# Can't possibly do anything good.
RewriteCond %{HTTP_USER_AGENT} ^Extractor.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*NEWT.*ActiveX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Cc]ollector [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb.*[Mm]ole [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Ww]easel [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*[Ee]mail.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Telesoft [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/3.Mozilla/2.01
RewriteRule ^.*$ http://www.linux-easy.com:81/useragent.php [L]

In short, at least the most common spambots (My estimate is roughly 
90% of all spambot scans) don't get any of the actual pages on the server, 
instead they're redirected to useragent.php, which automatically notifies 
their uplink and supplies them with a nice list of addresses they 
almost certainly DON'T want to spam:

<html>
<head>
<title>You asked for it...</title>
</head>
<body>
<?php
# X-Forwarded-For is supplied by the client, so it is only used when it
# is a well-formed IP address; otherwise use the connecting address.
$REMOTE_ADDR = $_SERVER['REMOTE_ADDR'];
$HTTP_USER_AGENT = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "";
$IP = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : "";
if (filter_var($IP, FILTER_VALIDATE_IP) === false)
  $IP = $REMOTE_ADDR;
$hn = @gethostbyaddr($IP);
# Reverse DNS is controlled by the remote side: accept plain hostnames
# only, and fall back to the bare IP for anything else.
if ($hn === false || !preg_match('/^[A-Za-z0-9.-]+$/', $hn))
  $hn = $IP;
$domain = $hn;
if($hn != $IP) {
        # We want just the domain name, e.g. bigisp.com rather than
        # dialup-123.dsl.foo-subnet.de.eu.bigisp.com
        while(strchr($domain, ".") != strrchr($domain, "."))
                $domain = substr(strchr($domain, "."), 1);
} else {
        # No reverse DNS entry: use an address literal, e.g. [192.0.2.1]
        $hn = "[".$hn."]";
        $domain = $hn;
}
$abuse = "abuse@".$domain;
$user = "root@".$hn;
$abusetext="Hello,\nSomeone coming from your IP $IP at (".date("D d F Y H:i:s T").")
has just scanned our servers with an email address
harvesting application. This message was autogenerated
by a script checking for known spambots.
Your user tried to harvest our server
using $HTTP_USER_AGENT.
If you need further information, please contact abuse@bero.org \n";
# Notify both the abuse and the postmaster address of the uplink
mail($abuse, "Spammer at your IP ".$IP, $abusetext, "From: abuse@bero.org\r\nX-Mailer: Autoreply");
mail("postmaster@".$domain, "Spammer at your IP ".$IP, $abusetext, "From: abuse@bero.org\r\nX-Mailer: Autoreply");
?>
Hello, s pam bo t!
<br/>Welcome to our trap! Your uplink has been informed of your actions.
<br/>Furthermore, here's some nice email addresses, just what you've been 
looking for!
<br/><a href="mailto:uce@ftc.gov">uce@ftc.gov</a>
<br/><a href="mailto:abuse@localhost">abuse@localhost</a>
<br/><a href="mailto:postmaster@localhost">postmaster@localhost</a>
<br/><a href="mailto:abuse@[127.0.0.1]">abuse@[127.0.0.1]</a>
<br/><a href="mailto:postmaster@[127.0.0.1]">postmaster@[127.0.0.1]</a>
<br/><a href="mailto:abuse@<?php echo htmlspecialchars($domain) ?>">abuse@<?php echo htmlspecialchars($domain) ?></a>
<br/><a href="mailto:postmaster@<?php echo htmlspecialchars($domain) ?>">postmaster@<?php echo htmlspecialchars($domain) ?></a>
<br/><a href="mailto:abuse@[<?php echo htmlspecialchars($REMOTE_ADDR) ?>]">abuse@[<?php echo htmlspecialchars($REMOTE_ADDR) ?>]</a>
<br/><a href="mailto:postmaster@[<?php echo htmlspecialchars($REMOTE_ADDR) ?>]">postmaster@[<?php echo htmlspecialchars($REMOTE_ADDR) ?>]</a>
<br/>
<br/>If you think you're seeing this page in error, please contact "ab u 
se AT ber o DOT org.stophere DOT com", explaining what you have been 
trying to do.
</body>
</html>


Some other spambots can be caught with a robots.txt file - any real search 
engine will either respect or completely ignore Disallow: settings.
Spambots, on the other hand, will harvest anything they can find, 
including stuff they can't find anywhere instead of in the Disallow: line 
of a robots.txt file.

So, create a directory that isn't linked to from any page, and that 
doesn't resemble a valid directory so closely that anyone would guess the 
URL exists without reading the robots.txt files and being up to mischief.

I use

User-agent: *
Disallow: /dOnTlOoK/

on linux-easy.com, where /dOnTlOoK/index.php is a script that does pretty 
much the same thing as useragent.php above, just with a slightly different 
text.


-- 
This message is provided to you under the terms outlined at
http://www.bero.org/terms.html
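
Both traps described in the message leave traces in the web server's access log. As an added example, not part of the original message or of the author's setup, this Python script reads Apache combined-format log lines and reports clients that sent one of the listed user agents or requested the /dOnTlOoK/ trap path, noting whether they fetched robots.txt first. The log lines and IP addresses are constructed, and the function and reason names are assumptions.

```python
import re

TRAP_PREFIX = "/dOnTlOoK/"  # Disallow: path quoted in the message

# Patterns copied from the RewriteCond lines in the message.
UA_PATTERNS = [
    r"^Extractor.*", r"^Mozilla.*NEWT", r"^.*NEWT.*ActiveX", r"^Crescent",
    r"^CherryPicker", r"^[Ww]eb[Bb]andit", r"^[Ww]eb[Cc]ollector",
    r"^[Ww]eb.*[Mm]ole", r"^[Ww]eb[Ww]easel", r"^.*[Ee]mail.*",
    r"^NICErsPRO", r"^Telesoft", r"^Zeus.*Webster", r"^Microsoft.URL",
    r"^Mozilla/3.Mozilla/2.01",
]
BOT_UA = re.compile("|".join(UA_PATTERNS))

# Apache "combined" log format: ip, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_harvesters(lines):
    """Return {client_ip: sorted list of reasons} for suspicious clients."""
    read_robots, hits = set(), {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, ua = m.group("ip", "path", "ua")
        if path == "/robots.txt":
            read_robots.add(ip)
        if BOT_UA.search(ua):
            hits.setdefault(ip, set()).add("known-spambot-agent")
        if path.startswith(TRAP_PREFIX):
            # The trap is only named in robots.txt, so note who read it first.
            reason = "trap-after-robots" if ip in read_robots else "trap"
            hits.setdefault(ip, set()).add(reason)
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0100] "GET /robots.txt HTTP/1.0" 200 40 "-" "Mozilla/4.0 (compatible)"',
    '192.0.2.10 - - [01/Jan/2002:10:00:02 +0100] "GET /dOnTlOoK/ HTTP/1.0" 200 900 "-" "Mozilla/4.0 (compatible)"',
    '198.51.100.7 - - [01/Jan/2002:10:05:00 +0100] "GET /index.html HTTP/1.0" 302 0 "-" "CherryPicker 1.0"',
    '203.0.113.5 - - [01/Jan/2002:10:06:00 +0100] "GET /robots.txt HTTP/1.0" 200 40 "-" "Googlebot/2.1"',
    '203.0.113.5 - - [01/Jan/2002:10:06:01 +0100] "GET /index.html HTTP/1.0" 200 5120 "-" "Googlebot/2.1"',
]

if __name__ == "__main__":
    print(find_harvesters(SAMPLE))
```

A client that respects robots.txt, like the third one in the sample, never appears in the result.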







