Sponsorship for feature tracker item #290 - Spammer database
ocStaff (admin):
If I answered something that you think should be in the documentation, please take the initiative and add it to the community documentation. We really need people to help out here and build a well-organised large support resource.
ocStaff (admin):
Sorry about that.
Community saint (Bob):
On the bright side, I just saw the first block of a comment spammer from Columbia.
Community saint (Bob):
Damn, you're fast, Chris. Nothing to be sorry about. This implementation is really slick and the reason I wanted to test in a live environment is that I figured there could be a bug or three. I've uploaded the new file and we should see results here shortly.
ocStaff (admin):
Actually these do have threat scores, so I can save face somewhat. Probably the HTTP:BL frontend you're looking at is putting them into groups and rounding it off to the lowest, but the Google one I checked had a 2% one. The way we calculate it is we consider anything above zero something with 100% confidence block. That is because it is a threat level, not a confidence level; I'm actually going to fudge this a bit now that I see it's not reported as accurately as I expected – I'm going to multiply the 'threat' by 4 and call that the confidence, i.e. if it hits 25% threat it will consider that 100% confidence of threat. That is to try and normalise it against the confidence levels that other services are returning. Messy, but necessary.
Community saint (Bob):
I've just uploaded the latest revision and will check to make sure that the MSNbot drops and that my legitimate comment spammer is left on the list.
Community saint (Bob):
The IP 190.90.36.8 was blocked by HTTP:BL blacklist but aged off due to the short cache time. However, this IP is a current spammer in the Stop Forum Spam and there was no mention of that. Does the IP get blocked based on the first list checked and then other checks are not performed? If the IP had been blocked because it was on the Stop Forum Spam list, would it age off using the same cache time as HTTP:BL? Should all blocklists be considered equal in their reporting? Should being listed on Stop Forum Spam carry more weight since none of this reporting is automatic?
Community saint (Bob):
I am going to let this run until the next software upgrade and then I will rip it out and get back on the regular cycle. But, at least, I will know that this works properly.
Community saint (Bob):
I am manually reviewing all the IPs in cPanel's "Visitors log" against SFS to see if any are not being blocked. IP 46.21.144.223 is listed in SFS for as recently as 5/9 and dating back into April but this IP was not added to the blocklist. The IP hit /help.htm sometime this morning (forgot to note the time but it was after midnight so no more than 9 hours passed). I currently have my blocklist set to cache for 18 hours to give me plenty of time to check if IPs were added. This IP was not added.
Community saint (Bob):
I have been thinking how I might best handle these and I think I may just eliminate all banned IP addresses and let the new antispam feature handle all of these. This would, of course, be after the official release of the antispam feature. I think if I have any IPs that are particularly troublesome, I will block them in CloudFlare; however, it is troublesome that CloudFlare didn't catch this. I wonder if CloudFlare uses the tornevall blocklist? Off to ask the fine people at CloudFlare. Thanks for your help, Chris. It appears that this is working fine (and I now know to check my previously banned IPs).
Community saint (Bob):
I suspect this could just be a timing/syndication issue since the entry at SFS is very recent but just wanted to make sure.
ocStaff (admin):
You need to open up a terminal, reverse the IP segments in a command like this:

```shell
dig 231.189.207.190.opm.tornevall.org
```

If there is an 'ANSWER' section, it's listed. This one is:

```
;; ANSWER SECTION:
```

tornevall has no confidence/threat level, but '67' means something. It is larger than the number '64' which means it is seen as a threat (it's not a scale, it's 64+2+1, where 64 means threat, 2 means a working proxy server, and 1 means it was checked as a proxy server).
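Decoding the two kinds of blocklist answers discussed in this thread, the HTTP:BL threat score that the admin normalises to a confidence (threat multiplied by 4, capped at 100) and the Tornevall bitmask (64 = threat, 2 = working proxy, 1 = checked as a proxy server), as an added Python example that is not ocPortal's own code. It assumes, as Tornevall-style DNSBLs conventionally do, that the flags arrive in the last octet of a 127.0.0.x A record; the dig output quoted above is truncated, so that format is not shown on the page.

```python
import ipaddress

# Tornevall flag bits as described in the thread (added example, not ocPortal code).
TORNEVALL_THREAT = 64          # seen as a threat
TORNEVALL_WORKING_PROXY = 2    # a working proxy server
TORNEVALL_PROXY_CHECKED = 1    # was checked as a proxy server
_KNOWN_BITS = TORNEVALL_THREAT | TORNEVALL_WORKING_PROXY | TORNEVALL_PROXY_CHECKED


def dnsbl_query_name(ip, zone="opm.tornevall.org"):
    """Reverse the octets and append the zone, giving the name passed to dig."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone


def tornevall_value_from_answer(answer):
    """Extract the flag value from a DNSBL answer address.

    Assumption: the bitmask is encoded in the last octet of a 127.0.0.x
    A record; the thread's own dig output is cut off before the record.
    """
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError("unexpected DNSBL answer: %s" % answer)
    return int(addr) & 0xFF


def decode_tornevall(value):
    """Split a Tornevall value such as 67 into its bits; it is a bitmask, not a scale."""
    return {
        "threat": bool(value & TORNEVALL_THREAT),
        "working_proxy": bool(value & TORNEVALL_WORKING_PROXY),
        "proxy_checked": bool(value & TORNEVALL_PROXY_CHECKED),
        "unknown_bits": value & ~_KNOWN_BITS,  # bits the thread does not document
    }


def httpbl_confidence(threat_score):
    """Map an HTTP:BL threat score to the 0-100 confidence the admin describes.

    The score is multiplied by 4 and capped, so a threat of 25 already counts
    as 100% confidence; a score of zero means the IP is not treated as listed.
    """
    if threat_score <= 0:
        return 0
    return min(100, threat_score * 4)
```

A Tornevall hit with only bit 64 set is still a threat; the proxy bits only add detail, so a blocker should test the threat bit rather than compare the whole value against a threshold.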
Community saint (Bob):
Using your example above, it seems that this IP should have been blocked since it's seen as a threat and it is not previously banned. Then, again, it was not listed in HTTP:BL so maybe I am just misunderstanding how you assess the implied threat level and confidence level. I think that timing was the only reason an SFS check showed nothing; I think that it was just reported to SFS. I should be happy to know that I'm seeing less of a problem than I was over the past week to 10 days but I just want to make sure I thoroughly test this prior to yanking it before upgrading to the next release. @sholzy Are you using CloudFlare? Since the HTTP:BL checks would be redundant, that would explain things getting blocked before they ever hit my server. In the above case, checking HTTP:BL would have green-lighted the IP but it seems it should have been caught on the Tornevall BL. Then, again, we do not know how recent that report is – it could have been reported around the same time it was on SFS.