1. Home
  2. Blogs
  3. George Boobyer's blog
  4. Blocking Spam Comments

Blocking Spam Comments

Wednesday, November 28, 2012 - 10:30
Tags: PerformanceSecurityWeb ServerDrupalApache

One of the housekeeping tasks that I undertake is to review the activity of comment spammers on our websites.
All of our Drupal sites use Mollom to keep us almost Spam free (big thumbs up to Mollom!)
But if you review the logs you can see that Mollom is protecting you from an alarming rate of attack and it would be good to not bother ourselves or Mollom with such traffic is possible. So the solution is to drop the traffic upstream of our web sites.
There are many ways of doing this from Firewalls to Drupal modules.
But the issue I'm covering here is determining which IP addresses to block.

I run the following SQL script to view the big hitters in the mollom watchdog:

/**
 * Get a list of Mollom entries from the Drupal Watchdog 
 * summarised by IP address 
 */
SELECT hostname, count(wid)
FROM `watchdog`
where type = 'mollom' and message like 'Spam%'
group by hostname
order by count(wid) desc

Lets say this gives us:

IP Address # of Mollom Watchdog entries
Results of query to find Spammer IP Addresses
91.232.96.19 62
5.167.182.32 49
125.79.65.108 42
178.137.83.159 26
184.154.149.194 18
192.210.62.162 18
199.15.234.20 16
199.15.234.15 15
199.15.234.145 12

Select the IP address of the big hitters and add them to your firewall rules
If you find that a range of IP addresses is being used like 199.15.234.20, 199.15.234.15, 199.15.234.145
Then use CIDR notation to block the subnet - e.g. 199.15.234.0/24
This will block 254 addresses at 199.15.234.1 to 199.15.234.254

This will then reject the big spammers before they bootstrap your site and no need to bother Mollom each time once you have identified them.

However things to bear in mind are that Spammers may use dynamic addresses (and therefore you may block some innocent user who picks up that address later on) and spammers may also use botnets (so you may block innocent people who have been infected) - But in general that is a price worth paying to avoid wasting CPU and bandwidth on such traffic.

Most of the firewalls, Deny Hosts, IP Deny Managers etc will allow ranges to be used.
Be careful with CIDR ranges as you can end up blocking more than you think.
Try out these online calculators to test your masks:
http://bonomo.info/coyote/cidr-calculator.php
http://www.subnet-calculator.com/cidr.php

If you want to check on how you are doing - get a summary of the Spam Watchdog entries by day:

 

/**
 * Get a summary of Mollom spam events by day from the Drupal Watchdog 
 */
select DATE_FORMAT(FROM_UNIXTIME(timestamp) , '%Y-%m-%d') as day, count(*)
 from `watchdog` 
 where message like 'Spam%'
 group by DATE_FORMAT(FROM_UNIXTIME(timestamp) , '%Y-%m-%d')
 order by DATE_FORMAT(FROM_UNIXTIME(timestamp) , '%Y-%m-%d')

This will give you a table of count of spam entries by day (hopefully diminishing over time):

Day Count
Mollom 'Spam' entries in the Watchdog
2012-11-20 88
2012-11-21 262
2012-11-22 248
2012-11-23 87
2012-11-24 26

 

Contact Details

Blue-Bag Ltd

  •  info [at] blue-bag.com
  •  Telephone: 0843 2894522
  •  Blue-Bag HQ:
          The Garage, Manor Farm
          Chilcompton, Radstock
          Somerset, BA3 4HP, United Kingdom
  •  Telephone: (+44) 01761 411542
  •  Blue-Bag Brighton:
          Unit 35 Level 6 North, New England House
          New England Street, Brighton
          BN1 4GH United Kingdom
  •  Telephone: (+44) 07944 938204
  • VAT GB 748125034
  • UK Company Reg: 3932829

Contact