MT-DSBL - Open proxy comment filter

DSBL is dead. Long live SpamLookup.

I happened across a WordPress plugin for checking the IP of a commenter against the dsbl.org list and it was one of those "why didn't I think of that?" moments. So naturally, I ported it to MT.

Download: mtdsbl-1_1.zip

Requirements: Movable Type 3.1 or later (since it uses the MT 3 callback system and I think the ones I'm using here are new with 3.1). You should also have the CPAN Net::DNS package installed. It can also use the nslookup utility, but it's less efficient that way.

Installation is easy, just drop either dsbl_deny.pl or dsbl_moderate.pl (the one you install determines what becomes of the ill-fated comment) in your MT "plugins" directory. It will redirect anyone using an open proxy to a dsbl.org page explaining why they have been blacklisted.

It is compatible with (and nicely complements) MT-Blacklist 2.

There are no MT tags with this one. On occasion, you may see a MT log message saying that a comment was blocked because it came from a known open proxy. That's how you know it works. You can also configure your computer to use an open proxy and try to leave a comment. I will leave that as an exercise for the reader (this is how I tested it myself).

Update: 1.1 was just released to allow you the choice between denying the comment or simply forcing it to be moderated.

I must say, MT callbacks are awesome and you're going to see more and more of them pop up in the most interesting places...

TrackBack

Listed below are links to weblogs that reference MT-DSBL - Open proxy comment filter:

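» Trackback SPAM from LAN板とソレ以外の日々
I let my guard down for a moment and got baptized by an intense amount of trackback SPAM (;´Д`) I was sure I had dealt with this, though... Wondering how it was getting through, I looked at the MT source I had modified… and I hadn't dealt with it at all... [Read More]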

» Fighting Trackback Spam with Email Blacklists from NetWizard's Blog
Overnight I got slammed by two trackback spam attacks to my blog, both lasting about two hours and originating from over 20 IPs. I added all of them to my banned list to prevent further occurrences. HOWEVER, I also sat... [Read More]

» Trackback Spammers from Musings
Blocking automated trackback spammers. [Read More]

» Fighting Trackback Spam with Email Blacklists from NetWizard's Blog
(For MT-Banned-List plugin for publishing the internal MT IP ban list, please see this post) Overnight I got slammed by two trackback spam attacks to my blog, both lasting about two hours and originating from over 20 IPs. I added... [Read More]

» Well… there's just too much of it from gaspanik weblog
I was wondering whether or not to install BlackList, but since it's a hassle... [Read More]

» Dealing with spam from Imablog
From MT's ProNet comes some very good tips for dealing with spam at the webserver level. I'd just implemented mod_security a little while ago on my server, and while it hasn't stopped the flood of spammy referrers, it has kept... [Read More]

» Brad Choate: MT-DSBL - Open proxy comment filter from Tutorials
Brad Choate: MT-DSBL - Open proxy comment filter... [Read More]

» Comment Spam, update I from Then each went to his own home
I installed Brad Choate's MT-DSBL Movable Type plugin (very very easy to install). It seems to work since I tested to add a comment via anonymizer (a free anonymizer proxy) and the comment is set for moderation now..... [Read More]

» Trying to Block the Bad People from Don't Back Down
I've received only a small taste of the trackback spam that has been floating around. Yet it's still enough to be annoying. Especially since I didn't really have any good way of addressing it. With comments, I can moderate them. I can make sure they ha... [Read More]

» A Few Upgrades from Director's Log
Just upgraded our install of MT up to 3.15. While I was at it, I upgraded MT-Blacklist and installed Brad Choate's MT-DSBL. Unfortunately weblogs are prime targets for comment and trackback SPAM and since this site runs on MT, we're... [Read More]

» Upgrades Away! from mashby.com
I just upgraded the weblog software that I use for mashby.com, MovableType, to version 3.15. While I was at it, I also upgraded MT-Blacklist to the latest version and additionally installed MT-DSBL, which is a new plugin for this site. [Read More]

» Front-end and Back-end Changes from Procrastination
There have been a lot of changes here recently, most of them on the back-end. Most of this work was related to having a bilingual (English and Urdu) blog along with MathML equations. This required valid XHTML 1.1 and serving... [Read More]

» Update on Spam from Matt's Missives
I've mostly given up. After cleaning off 68 pieces of comment-spam this morning, I've decided enough is enough. The open proxy plugin I was using helped some (it caught about 40%), but I am still getting way too much comment-spam...... [Read More]

» Antispam from Radovan Janecek: Nothing Impersonal
So far, I use these plugins to prevent spam. Btw, many thanks to their developers! MT-Blacklist v2.0x Nofollow support MT-TrackBackAntispam MT Captcha MT-DSBL Would you suggest anything else?... [Read More]

» Spam from Sans Telos
I got out of my New Testament Literature exam today with a mission: update MovableType, spam-proof it per [this article](http://www.sixapart.com/pronet/comment_spam.html "Six Apart Guide to Comment Spam"), and write a post about it. Commence phase thre... [Read More]

» links for 2005-02-17 from ...pickhits...
Christo Gates from Space Satellite imagery of Central Park showing the Gates installation (categories: theGates christo nyc via:vielmetti) Brad... [Read More]

» RichardZ.com Revamp from RichardZ.com
Welcome to a familiar yet different looking RichardZ.com. I've made some changes where some you'll notice while others you won't (but I will). Here's the low-down (or 611 as they say on the street); Blog software upgrade: I've upgraded my... [Read More]

» Javascript Required from This Space Intentionally Left Blank
Having disabled the MT-DSBL plugin after it blocked valid comments, I've since decided to try another plugin to lower the amount of spam that even gets to the blacklist. As such, I have installed MT-Keystroke, a plugin that is supposed... [Read More]

» The setup at leyton.org from leyton.org
A colleague at my current employer had cause to ask about this site earlier today. I promised him I'd write up my notes about my hosting provider, software solution and so on. I then thought it'd actually make a useful... [Read More]

» Field Notes on Comment Registration from birdhouse.org
From the perspective of a web host with a dozen customers running MT weblogs, I can confirm what many hosts have reported before: At the server level, massive comment spam blitzkriegs are effectively denial-of-service attacks. Every comment submission i... [Read More]

» Field Notes on Comment Registration from birdhouse.org
In order to respond to Birdhouse customers who want an answer to the question: "Why are you enforcing comment registration on Movable Type weblogs? Have you really exhausted all other options?," I've put together this Brief History of Our Battle With C... [Read More]

» MT pi from Virtuelvis
About upgrading to MT 3.14 as preparatory action for moving to DreamHost. [Read More]

» Comments and Spam from skitz.org
Since deciding to allow comments on the site, I figured I should probably do my best to stem the flow... [Read More]

» MovableType plugin - SpamLookup from The Maelström
Brad Choate does it again and publishes a very useful new plugin for Movable Type. SpamLookup lets you filter the comments left on your MT blog and eliminate (or force approval of) dubious comments from the start. Les cr... [Read More]

» Yet Another Comment Flood from Obnoxious
I got comment-spammed again on New Year’s Eve with over a hundred garbage comments. Since moderation was on, none made it to the site, but if I had as many readers as comment spammers, I’d be a happy guy. Comments will be off for the rest o... [Read More]

» Took anti-SPAM measures for comments and trackbacks from Sketchbook
I took anti-SPAM measures for comments and trackbacks. MT-DSBL - Open... [Read More]

» Security Upgrades from Joey Coleman's Blog
1215CDT I have added MT-Keystrokes: This plugin will cut down on the amount of Comment Spam I receive. Due to slanderous comments directed against UMSU Councillors that are often posted anonymously from an IP address located in Tache Hall, I... [Read More]

» Comments Should Be Fixed from mashby.com
It was brought to my attention that some of you may have been having difficulty posting comments to the site. It seems the culprit was a plugin I installed to help throttle comment spammers called MT-DSBL. If you tried to... [Read More]

» Comment spam countermeasures 2 from 株主優待フラッシュ
As a comment spam countermeasure, I previously installed MT-DSBL. This is Open... [Read More]

» Comment spam countermeasures 2: MTHash edition from 株主優待フラッシュ
As a comment spam countermeasure, I previously installed MT-DSBL. This is Open... [Read More]

» Winds' Guide to Fighting Comment Spam from Winds of Change.NET
Six Apart has a good guide. Winds adds some general principles of blog defence, talks about our own measures, and concludes by talking about the source of this comment problem and what can be done. [Read More]

» New Look, More Protection from Kai's Weblog
Starting yesterday afternoon, I completed a set of upgrades and installations to this weblog. I upgraded the templates and decided to stick with a white background (much easier to read), and installed a bunch of plug-ins to protect the weblog... [Read More]

» mod_security for protecting your blog from ProNet
In light of the coverage that the Register's interview with a link spammer is getting, it's worth reviewing some of the host-level changes that can be made to protect against these attacks. Foremost among the options is mod_security. You can... [Read More]

29 Comments

Arvind said:

Neato, was thinking of hacking something up myself yesterday!

Matt Haughey said:

Can you have it block trackbacks as well as comments?

Nate Silva said:

I'm glad to see this! Just to be clear, DSBL isn't a list of open proxies; it's a list of servers which can be abused to send mail on behalf of spammers. Of course most are open proxies, but it also lists insecure SMTP servers and a few oddballs like bad formmail scripts. There should be a nice overlap between the insecure hosts listed by DSBL and those hosts that are posting comment spam.

Jake said:

How much does this lookup take? Will it slow down comment posting? What happens if the DSBL list is down?

andersja said:

Genius. I have seen TypePad having something similar in place for a while (I once in a while access the web through a proxy that's blacklisted) but it's good to see this thing for MT! Thanks for sharing!

Umh, why are you using DSBL (which, as already noted, is not an open proxy list), instead of, say, opm.blitzed.org, which is an open proxy list?

Brad said:

Jacques-- good point. I wasn't aware of blitzed.org. Since it is specific to open proxies, the next update will probably use it instead.

Matt-- Trackback pings will be supported in the next release as well. Unfortunately, there is no way to moderate those, so they will be denied if you enable filtering for trackbacks.

Jake-- it's a quick operation that shouldn't be noticeable. The longest part by far of a comment post is the page rebuilding process.

Brad,

Here's a list of DNSBL lists and what they cover. There are links to the websites of the DNSBL maintainers, where details of the listing (and de-listing!) criteria are given. opm.blitzed.org seems to be the right choice for blocking open HTTP proxies.

andersja said:

Why not use both dsbl AND the Blitzed-list? There are certainly some spammers that aren't registered in both: e.g.

http://www.dnsstuff.com/tools/ip4r.ch?ip=80.58.11.107

Susanna said:

Hi, I am not sure what to do with the Net-DNS-0.48 download that you talked about. I am quite new to this so do I just unzip it and put all the folders and files onto my server? Please advise. :)

Lauren Noelle said:

I cannot get the paged content to work. I can't post on that entry, and the ask-you-a-question form isn't working (some error like entry 1212 doesn't exist?)

It doesn't split the pages, on each page like ?page=2 it's still the whole entry.

The suggestion the other person gave had a lot of problems. I fixed one thing, I believe it needs echos instead of ending the php ?> throughout. (I'm a beginner, though) But I couldn't get it to work at all, because the MTEntryBody gave an error, it just wouldn't work with it.

Anyway, if you can help me with the code, could you e-mail me? Oh, and I also don't know where to place the code. And the code the other person gave, it didn't say, but I figured out it goes where the entry should go.

Lauren Noelle said:

It's mee again. I had already found an alternative, but I thought it could only be used for breaking up archives, which I also really wanted to do.

http://www.nonplus.net/software/mt/MTPaginate.htm

padawan said:

I ran the IPs of tens of spams through the same DB and the majority of them are not listed, so most of the spam would get through the controls of this plugin. As with anything that uses IP anyway, since spammers fake IPs (I have examples on my own blog of spam with faked IPs that match legitimate ones). Do you really think that anything based on IP banning is worth pursuing?

Brad said:

padawan: I'm not suggesting that this is the cure-all for comment spam. There is no such thing. But this is another tool to use against the fight.

padawan said:

I understand Brad. However, to clarify the subliminal message to the Six Apart's developer, I think you'd better find something else than any sort of IP ban to fight against spam. SpamKarma on the WP side seems more interesting to look at, I wish there were something like (or better than) that on MT's side.

Michael Paul said:

Doesn't slow down commenting at all. I did as you said and tried to comment thru a proxy server and got redirected to dsbl. Very cool. I'm getting hit hard right now by some spammers. Blacklist is doing a great job on denials but extra weaponry is always welcome.

Thank you for this port.

Ed said:

Hi Brad,
I installed this plug-in, but haven't actually had anyone that attempted to use a DSBL listed ip. I think that this is since HTTP is stateless, and so IPs can be spoofed incredibly easily. I wondered whether making the comment process a two stage process would help to eliminate this issue.
IDEA: Commenter comments. Comment is automatically moderated. A hash code / random id for the comment is produced and stored. The return page for the comment then asks that person to confirm the submission. The page contains the id. The id from this form and id on the database are checked. If equal, leaves redirects to mt-blacklist/ dsbl as usual.
If not, delete it?

This would ensure that ip spoofing would be reduced, since the posting procedure is a two step process, and hence not stateless.

We could then start removing some of the spammers via their isps.

Bastique said:

Hey there, I installed it and it seems to be blocking _all_ my comments, not just the open proxy server ones. I know this because when I clicked the link, I go to the DSBL site and it told me the server was not known (as an open proxy). A friend tried it and I tried it from my machine too.

Help!

Anonymous said:

Bastique:

I had the same problem; in my case, my colocation provider had made what I'd consider to be an error in configuring its DNS server. Long story short, the DNS server I was using would return 66.207.160.151 (www.cologuys.com) for any host within the cologuys.com domain. Since Net::DNS does not append a . to queries, all queries made by the plugin would resolve to 66.207.160.151. Thus, everything got blocked.

To fix this, find the line:

if (checkdnsrr("$d.$c.$b.$a.list.dsbl.org")) {

And edit it to read:

if (checkdnsrr("$d.$c.$b.$a.list.dsbl.org.")) {

For version 1.1, it's line 15 in both versions of the plugin.
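
The failure described in the comment above (a resolver that answers every name, so every commenter looks listed) comes from treating any successful lookup as a listing. The Perl below is an added example, not the plugin's code: it queries the fully qualified name and accepts only answers in 127.0.0.0/8, the range DNSBLs use for listed hosts, and it allows the comment when the lookup fails. The function names, the injectable resolver and the resolver data are assumptions constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Build the fully qualified DNSBL query name for an IPv4 address.
# Returns undef for anything that is not a dotted quad, so untrusted
# input never reaches the resolver.
sub dnsbl_query_name {
    my ($ip, $zone) = @_;
    return undef
        unless defined $ip
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @octets = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @octets;
    # Trailing dot: the name is absolute, so the resolver does not append
    # a search domain (the cause of the "everything is blocked" reports).
    return join('.', reverse(@octets), $zone) . '.';
}

# Default resolver: system lookup, returns the answers as dotted quads.
sub system_resolver {
    my ($name) = @_;
    my @h = gethostbyname($name) or return ();
    return map { inet_ntoa($_) } @h[4 .. $#h];
}

# Returns 1 if the address is listed, 0 otherwise. An answer outside
# 127.0.0.0/8 did not come from the blacklist (wildcard DNS, a rewriting
# resolver) and is ignored; a lookup error also yields 0 (fail open).
sub is_listed {
    my ($ip, $zone, $resolver) = @_;
    $resolver ||= \&system_resolver;
    my $name = dnsbl_query_name($ip, $zone) or return 0;
    my @answers = eval { $resolver->($name) };
    return (grep { /\A127\./ } @answers) ? 1 : 0;
}

# Constructed resolvers for an offline demo (not real DNS data).
my %zone_data = ('2.0.0.127.list.dsbl.org.' => ['127.0.0.2']);
my $good     = sub { @{ $zone_data{ $_[0] } || [] } };
my $wildcard = sub { ('66.207.160.151') };  # every name resolves, as in the comment
my $down     = sub { die "timeout\n" };

for my $case (
    ['listed test entry',      '127.0.0.2',    $good],
    ['unlisted address',       '192.0.2.10',   $good],
    ['wildcard DNS, unlisted', '192.0.2.10',   $wildcard],
    ['list unreachable',       '192.0.2.10',   $down],
    ['malformed input',        '1.2.3.4.evil', $good],
) {
    my ($label, $ip, $resolver) = @$case;
    printf "%-24s %-14s %s\n", $label, $ip,
        is_listed($ip, 'list.dsbl.org', $resolver) ? 'deny/moderate' : 'allow';
}
```

Only the first case is reported as listed; the wildcard resolver, the unreachable list and the malformed address all fall through to "allow".
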

Caroline said:

I'm having the same experience as Bastique, it's throwing all comments to moderation which is fine for me as I moderate, but not for the other bloggers who share our MT installation. We're hosted on a Windows server in case that makes any difference??

Ken Conley said:

I seem to be having same/similar behavior as Bastique. If I try to comment on my site, I get redirected to http://dsbl.org/listing?xxx.xxx.xxx.xxx (fill in the appropriate IP) which tells me "IP not listed by DSBL."

kwc said:

As a quick addendum, my activity log says "Blocked comment post from known open proxy: xxx.xxx.xxx.xxx" where xxx.. is the same IP address.

kwc said:

Apologies for this being the third comment on the matter, but I seem to have tracked the problem down.

On Windows, it would appear that Net::DNS is required (rather than just suggested). I used ppm to get Net-DNS and commenting appears to be functioning normally once more.

Thanks for the great plugin!

Scott Hanson said:

I just had a legitimate comment from the UK (BT customer) blocked by the DSBL, with a listing from Dec 2003

http://dsbl.org/listing?217.43.183.42

The commenter was kind enough to send me a mail. Looking back through my activity logs, I see that MT-DSBL has only blocked one comment since November, so I'm disabling it for now.

I posted instructions for MT v2.6:
For MT v2.6, do the following:
1. In your blog directory, go to lib/MT/App/.
2. Open "Trackback.pm" in a text editor (backup first!).
3. Find a line starting "## Check if user has pinged recently".
4. Insert the following right above that line:


## Check blacklists
my $rem_ip = $app->remote_ip;
## Reverse the octets: 1.2.3.4 is looked up as 4.3.2.1.<zone>
my $rev = join('.', reverse split(/\./, $rem_ip));
## DSBL list (trailing dot keeps the resolver from appending a search domain)
my $lookup = "$rev.list.dsbl.org.";
if (gethostbyname($lookup)) {
    return $app->_response(Error =>
        $app->translate("Your IP is blacklisted by DSBL, $lookup see http://dsbl.org/listing?$rem_ip."));
}

You can easily change it for any other blacklist as well.

To do the same for trackbacks on MT 2.6, see here.

arclight said:

You may want to add sbl-xbl.spamhaus.org to the list of blacklists you query. It contains the CBL and OPM proxies list and is a pretty good indicator of exploited, trojaned, and otherwise abusive hosts.

Also, the very ambitious among you may want to check out rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html) for running your own blacklist. I run both a DNSBL and a RHSBL (domain list) locally and have configured BIND to pass blacklist requests back to it.

I'm working on a larger system to identify and blacklist referer and comment spam sources and beneficiaries - the design docs are at http://wiki.austinimprov.com/aiwiki/DistributedWebserverDefense

I have proof-of-concept code (PHP/MySQL) that analyzes Apache logs; a MT analyzer should not be too difficult to add.

Rahmani said:

please send me a proxy address
in our region more of sites was filtered

Elke Edwards said:

Should dsbl show up, once installed, in the MT main menu under Plugins? It does not ...

About

This article was published on November 5, 2004 5:53 PM.
