On Forum Spam
Date: September 28th, 2006 - Categories: Spam, Tip, Viewpoint - Comments: 0
Apparently I picked a ripe moment to start hosting a forum. Forum spam has been a problem for quite a while, but it seems to have hit a new pitch this month. Perhaps the automated spamming tools with imaginative names like “Forum Poster” have hit the mainstream. These generate a maximum amount of damage (in the euphemistic name of “search engine optimisation”) with a minimum amount of user interaction.
Fortunately I’ve managed to fend off the spam for now. After one or two attempts with limited success, I’ve found an approach which neutralises the bot-generated spam without noticably impacting normal operation. I’m using phpBB, but this technique isn’t specific to that software.
The technique involves adding one line of Javascript to the main template for the forum, and a couple of lines of Apache “.htaccess” configuration (or equivalent). The one line of Javascript sets a session cookie. It doesn’t really matter what the cookie is called or what value it holds: make something up. The Javascript code looks like the following.
document.cookie = 'foo=bar;PATH=/';
In this particular case, a cookie named ‘foo’ obtains the value ‘bar’. Next, create or modify the “.htaccess” file for the forum (assuming that it’s served by Apache) to deny POST operations except where this cookie is present. The configuration might look like the following.
SetEnvIf Request_Method "^POST$" posting
SetEnvIf Cookie "foo=bar" javascript
Order Deny,Allow
Deny from env=posting
Allow from env=javascript
If a client attempts to POST anything to the server (as it would in leaving a message or creating a user account), it will receive a “403 Access Denied” response unless the appropriate cookie is set. This should filter out anything that lacks Javascript support, including the forum posting spamware (at this point in time). If the technique becomes widespread, the arms race will progress, and the spamware authors will adjust accordingly. Such is life. It’s an excellent measure to take right at the moment, however.
While I’m on the subject of forum spam, I’d like to blow a big raspberry in the direction of “TOT Corporation” in Thailand for the netblock 203.113.13.0/24, and “Telefonica de Espana” in Spain for the netblock 80.58.205.0/24. Several addresses in these ranges are, at this time, using (or proxying) forum spamming software which is blocked by my filter. Given that they hit my forum on the order of ten times a day, I hate to think how much crap they generate on a global scale. A quick Google search for “203.113.13.” shows it to be a notorious source of Wiki and guestbook spam as well.
Food for misanthropy.
Further updates on this subject can be found in a dedicated thread in the forum itself. There you can see what abuse has occurred since inventing this technique, and what additional measures have been necessary. Also, you can comment there. Guest posting is enabled.