Blog spamming (or is it a poor denial of service?)

Blog Spamming

As I was leaving work this evening, I noticed the load on one of our servers was quite high (~10)... I had a quick head scratch, put it down to a Zope process misbehaving, and thought no more about it (after all, it was 18:30 and time to go home).

Fast forward a couple of hours, after cycling/dog walking/eating tea, and I notice the load is still ~10... "Not good".

A quick bit of investigation showed Apache and PostgreSQL to be the main culprits... and one Apache log file was filled with requests similar to:

81.177.14.26 - - [04/Apr/2007:21:43:21 +0100] "POST /comment/reply/133 HTTP/1.1" 200 13580 "http://codepoets.co.uk/comment/reply/133" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

So, being slightly more curious, I thought I'd make sure it was spamming, as opposed to something more sinister (like some weird PHP/Drupal hack) happening:

tcpdump -i eth0 -s 0 -A src 84.16.227.76

gave:

POST /comment/reply/293 HTTP/1.1
Host: codepoets.co.uk
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Referer: http://codepoets.co.uk/comment/reply/293
Content-Type: application/x-www-form-urlencoded
Content-Length: 17159
Connection: close

edit%5Bform_id%5D=comment_form&edit%5Bname%5D=Avg+Anti+Spyware&edit%5Bmail%5D=lola.sukova%40mail.com&edit%5Bhomepage%5D=http%
3A%2F%2Fyain.com%2Fproducts%2Fcache%2Fn%2Fview.php%3Fblog%3Dspyware%26name%3DAvg-Anti-Spyware&edit%5Bsubject%5D=Avg+Anti+Spyw
are&edit%5Bspam_block%5D=Moskva&edit%5Bcomment%5D=Cool%21..+Nice+work%21%0D%0A+%5BURL%3D+http%3A%2F%2Fyain.com%2Fproducts%2Fc
ache%2Fn%2Fview.php%3Fblog%3Dspyware%26name%3DAvg-Anti-Spyware+%5DAvg+Anti+Spyware%5B%2FURL%5D++Microsoft+Spyware+%5BURL%3D+h
ttp%3A%2F%2Fyain.com%2Fproducts%2Fcache%2Fn%2Fview.php%3Fblog%3Dspyware%26name%3DMicrosoft-Spyware+%5DMicrosoft+Spyware%5B%2F
URL%5D++Anti+Spyware+Download+%5BURL%3D+http%3A%2F%2Fyain.com%2Fproducts%2Fcache%2Fn%2Fview.php%3Fblog%3Dspyware%26name%3DAnt
i-Spyware-Download+%5DAnti+Spyware+Download%5B%2FURL%5D++Spyware+Protection+%5BURL%3D+http%3A%2F%2Fyain.com%2Fproducts%2Fcach
e%2Fn%2Fview.php%3Fblog%3
....

Smells like spam to me... so all I could do next was:

iptables -I INPUT -i eth0 -s 84.16.227.76 -j DROP

I suspect I should be quite glad I have my minor Drupal hack to defeat comment spam, as none of the crap managed to get into the database itself. :-)

Problem solved...

(This server logs all Apache requests to a PostgreSQL database, so on top of every request causing Drupal to query PostgreSQL, Apache was writing to it as well... I know this sucks in terms of scalability, but it's not been an issue yet. Once the server load approaches ~4, other things (i.e. Zope) tend to stack up waiting for CPU time. This is one reason why the server will soon get upgraded to some dual core whizz bang thing.)
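As an added example (not part of the original post), here is the same triage done offline in Python: parse Apache combined-format lines, count POSTs to Drupal's /comment/reply/ path per source address, sum the bytes sent back to each (what the pglogd query further down does in SQL), and list the hosts over a threshold together with the matching iptables rule for a human to review before applying. The log lines, addresses and threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log lines (addresses and sizes are illustrative, not real data).
SAMPLE_LOG = """\
84.16.227.76 - - [04/Apr/2007:21:43:21 +0100] "POST /comment/reply/133 HTTP/1.1" 200 13580 "http://codepoets.co.uk/comment/reply/133" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.16.227.76 - - [04/Apr/2007:21:43:22 +0100] "POST /comment/reply/293 HTTP/1.1" 200 13602 "http://codepoets.co.uk/comment/reply/293" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
84.16.227.76 - - [04/Apr/2007:21:43:23 +0100] "POST /comment/reply/45 HTTP/1.1" 200 13571 "http://codepoets.co.uk/comment/reply/45" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [04/Apr/2007:21:43:24 +0100] "GET /node/12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Apr/2007:21:43:30 +0100] "POST /comment/reply/12 HTTP/1.1" 200 9001 "http://codepoets.co.uk/node/12" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def comment_post_stats(log_text, path_prefix="/comment/reply/"):
    """Per source host: number of POSTs to the comment form and bytes Apache sent back."""
    stats = defaultdict(lambda: {"posts": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(path_prefix):
            continue
        stats[rec["host"]]["posts"] += 1
        stats[rec["host"]]["bytes_sent"] += rec["bytes"]
    return dict(stats)

def flood_sources(stats, threshold):
    """Hosts whose comment POST count reaches the threshold, each with the DROP rule to review."""
    return [(host, f"iptables -I INPUT -i eth0 -s {host} -j DROP")
            for host, s in sorted(stats.items()) if s["posts"] >= threshold]

if __name__ == "__main__":
    for host, rule in flood_sources(comment_post_stats(SAMPLE_LOG), threshold=3):
        print(host, "->", rule)
```

The threshold is a plain count over whatever log window you feed in; on a real server you would look at a recent slice of the log rather than the whole file.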


pglogd ....

# select sum(bytes_sent) from log_entries where remote_host = '84.16.227.7
sum
------------
1707633935
(1 row)

Rah!
