{"id":3086,"date":"2005-01-19T18:19:11","date_gmt":"2005-01-20T02:19:11","guid":{"rendered":"http:\/\/michaelhans.com\/eclecticism\/2005\/01\/19\/battling-the-spammers\/"},"modified":"2019-12-12T13:32:00","modified_gmt":"2019-12-12T21:32:00","slug":"battling-the-spammers","status":"publish","type":"post","link":"https:\/\/michaelhans.com\/eclecticism\/2005\/01\/19\/battling-the-spammers\/","title":{"rendered":"Battling the spammers"},"content":{"rendered":"<p>Over the past few days, I&#8217;ve noticed off and on that my webserver has been <em>extremely<\/em> slow to respond &#8212; less obviously when just browsing pages, but attempting to connect to the <a href=\"http:\/\/www.movabletype.org\/\" title=\"Movable Type\">Movable Type<\/a> interface was increasingly difficult, often resulting in nothing but timeouts and connection failures.<\/p>\n<p>I had a hunch that I knew what was going on, but I wasn&#8217;t entirely sure at first. I logged in to the server locally &#8212; something I haven&#8217;t had to do in a while &#8212; and realized just how badly the machine was bogged down when the OS X user interface was almost as unresponsive as Movable Type. Not a good sign. Once I made it in and got a terminal window up, I ran <code>top -u 15<\/code> to see what was going on.<\/p>\n<p>Not surprisingly, every entry that <code>top<\/code> displayed was a <code>perl<\/code> process, with <code>mysqld<\/code> occasionally clawing its way to the top for a moment or two. 
Now I was almost entirely sure that one or more of the sites I host was under a major automated comment spam attack, as even with <a href=\"http:\/\/www.jayallen.org\/projects\/mt-blacklist\/\" title=\"MT-Blacklist\">MT-Blacklist<\/a> installed and refusing the majority of the submitted comments, it would require a certain amount of processing for each request, and while I&#8217;m not sure just how many a minute were being submitted, it was obviously enough to bring my server to its knees.<\/p>\n<p>So, seeing if I could kill two birds with one stone, I renamed all the comment and trackback scripts on the webserver, figuring that this would kill any in-progress attack and in doing so, confirm that it <em>was<\/em> a spam attack. Sure enough, as the multitudes of <code>perl<\/code> processes slowly worked their way through to completion, <code>top<\/code> started running faster (it had been updating once every 6-10 seconds, rather than once a second) and other processes started to show up on the display. After about two minutes, there wasn&#8217;t a single <code>perl<\/code> process on <code>top<\/code>&#8217;s list, <code>top<\/code> was updating at its standard once-per-second frequency, and the computer&#8217;s UI was responding as it should.<\/p>\n<p>The downside to this technique is that it breaks comment and trackback ability. Easy enough to fix, though, with a quick change to MT&#8217;s config file and a rebuild of the sites. So, the comment scripts have been renamed, and I&#8217;m in the process of rebuilding the sites to reflect the new script locations.<\/p>\n<p>And you know what?<\/p>\n<p>Even in mid-rebuild, I&#8217;m already starting to watch the number of <code>perl<\/code> processes climb. One or two I&#8217;d expect while rebuilding the site, but I&#8217;m currently seeing anywhere from two to ten at a time. 
I&#8217;ve got a really bad feeling that whatever spammer has me targeted has a script smart enough to scrape the pages to find the script locations, no matter what they are named.<\/p>\n<p>This &#8212; in a word &#8212; <em>sucks<\/em>. Outside of turning comments off entirely for the targeted sites, which really doesn&#8217;t thrill me, I&#8217;m not sure where to go next.<\/p>\n<p>Guess for now I&#8217;ll just have to keep an eye on things and see how they go.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After a comment spam attack brings my server to its knees, I rename the comment and trackback scripts only to have the attacks begin again as soon as the files are rebuilt and the spamming scripts target the new script location. This sucks a lot, and I&#8217;m really not sure where to go from here outside of disabling comments entirely on the affected sites.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2040],"tags":[25],"class_list":["post-3086","post","type-post","status-publish","format-standard","hentry","category-blog","tag-website"],"_links":{"self":[{"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/posts\/3086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/comments?post=3086"}],"version-history":[{"count":0,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/posts\/3086\/revisions"}],"wp:attachment":[{"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/media?parent=3086"}],"wp:term":[{"taxonomy":"categor
y","embeddable":true,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/categories?post=3086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michaelhans.com\/eclecticism\/wp-json\/wp\/v2\/tags?post=3086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}