Fighting Comments Spam, weird HTTP GET requests and blocking IP Addresses on Apache

About a week ago something annoying started to happen to my Web site.
All of a sudden many of my posts were being hammered with user comments.
Normally, that would be a good thing.

However, all of these comments were actually advertising casinos and porn sites…
Spam. This is simply spam.
I remembered reading about it, but I've just realized my own little site was hit by comments Spam.
Comment spam, much like "regular" spam, consists of automated posts advertising casinos, porn, Viagra, etc., placed where visitors to a Web site usually post their comments on articles and posts.

These evil bots can do that because many Web sites are no longer built from scratch, as was once done, but rather use a CMS - Content Management System.
A CMS is a package of dynamic Web pages, database structures etc. that is ready to use after some configuration.
This way, one could set up quite a sophisticated Web site relatively easily.

Some of the more popular CMS packages are Mambo (which I'm using), PHP-Nuke, WordPress (which I'm really considering switching to) and so on.

Now back to our story - What the hell should I be doing with these posts?!
There are a couple of ways to fight them:

1. Allow comment posting only to registered users.
This is something I wouldn't like to do as visitors usually don't even bother registering, and I actually WANT people to comment on posts.

2. Install some sort of a plug-in, or software solution, to the commenting system that looks for and bans comments with certain words (e.g. casino).
Unfortunately there is no such solution for the system I'm using… :-(

So what the hell should I do?!
I opened up my Apache Web server log file, and I've noticed that all the Spam comments in the last week were coming from the same three alternating IP addresses.

Moreover, and unrelated to the comments issue, I've found that in the last few days there have been really weird HTTP GET requests from the same IP addresses.
Once every few minutes there is a "GET / HTTP/1.0" request, with no user agent (browser indicator) or referring site information.
Also, a browser would normally continue to request more objects that the initial page calls for, such as images etc.

This obviously looks like some sort of a program, not a known browser, that kind of checks if my Web site is alive or not…
I can't think of any other information..!

So I had comment spammers, and weird-ass HTTP requests attacking me every few minutes for the last few days - All of them from a small bunch of IP addresses.
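A log check for the two patterns described above, as an added example that is not part of the original post: per client IP it counts bare "GET / HTTP/1.0" requests with no referrer or user agent from clients that fetch nothing else, and repeated comment POSTs. The log lines are constructed, and COMMENT_PATH and the thresholds are assumptions; flagged addresses are candidates for a deny list.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
COMMENT_PATH = "/comment/post"  # hypothetical comment-form URL; use your CMS's own
# Constructed sample lines (documentation-range addresses), not taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET / HTTP/1.0" 200 5120 "-" "-"
192.0.2.10 - - [01/Jan/2006:10:01:00 +0000] "POST /comment/post HTTP/1.0" 200 310 "-" "-"
192.0.2.10 - - [01/Jan/2006:10:04:00 +0000] "GET / HTTP/1.0" 200 5120 "-" "-"
192.0.2.10 - - [01/Jan/2006:10:05:00 +0000] "POST /comment/post HTTP/1.0" 200 310 "-" "-"
192.0.2.10 - - [01/Jan/2006:10:08:00 +0000] "GET / HTTP/1.0" 200 5120 "-" "-"
192.0.2.10 - - [01/Jan/2006:10:09:00 +0000] "POST /comment/post HTTP/1.0" 200 310 "-" "-"
198.51.100.7 - - [01/Jan/2006:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2006:10:02:01 +0000] "GET /images/logo.png HTTP/1.1" 200 900 "http://example.org/" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2006:10:03:00 +0000] "POST /comment/post HTTP/1.1" 200 310 "http://example.org/" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2006:10:06:00 +0000] "GET / HTTP/1.0" 200 5120 "-" "-"
""".splitlines()

def suspicious_ips(lines, min_probes=3, min_comments=3):
    """Return {ip: set of reasons} for clients matching the two patterns in the post."""
    stats = defaultdict(lambda: {"probes": 0, "other": 0, "comments": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        blank = m["referer"] in ("", "-") and m["agent"] in ("", "-")
        if (m["method"], m["path"], m["proto"]) == ("GET", "/", "HTTP/1.0") and blank:
            s["probes"] += 1
        elif m["method"] == "POST" and m["path"].startswith(COMMENT_PATH):
            s["comments"] += 1
        else:
            s["other"] += 1  # images, CSS, other pages: what a real browser fetches
    flagged = {}
    for ip, s in stats.items():
        reasons = set()
        if s["probes"] >= min_probes and s["other"] == 0:
            reasons.add("bare-probe")  # repeated bare GET / and never any page assets
        if s["comments"] >= min_comments:
            reasons.add("comment-flood")
        if reasons:
            flagged[ip] = reasons
    return flagged

print(suspicious_ips(SAMPLE_LOG))  # flagged clients and the reasons for each
```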

I've decided, at this stage, to simply block these IP addresses from accessing my Web server.
It's a great solution, at least for the Comments Spam - Simply stop these fuckers from accessing my Web server.

I've opened up the Apache configuration file httpd.conf, and entered the following directive:

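# Apache 2.2-style access control. These directives are only valid inside a
# <Directory>, <Location> or <Files> section, or in a .htaccess file.
# No space after the comma: Order takes a single argument.
order deny,allow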
deny from 80.178.167.71
deny from 81.218.13.28
deny from 81.218.113.96
deny from 81.218.249.102
deny from 81.218.51.209
deny from 81.218.54.246
deny from 81.218.142.4

This would allow all visitors EXCEPT the above IP addresses.
So yes, that would need updating when the IP addresses change -
But NOW it works, and I'm really happy with myself!  ;-)


One Response to “Fighting Comments Spam, weird HTTP GET requests and blocking IP Addresses on Apache”

  1. Raj Says:

    The best defense is to keep your CMS updated regularly. There might be mods that will check updates for you and notify you by email when a new one is up.

    Blocking IPs is only going to work temporarily I’m afraid as spammers can easily disguise their IP in various ways. Glad to hear you have it taken care of for now, but I would consider dumping (backing up) your content database to your local computer, keep the template if you modified it - and starting with a fresh install of your CMS. It’s a bit of time, I know, but it might help to keep you set up against future attacks (and there will be future attacks, as always).

    ~Raj
