
Spam Problems

Recently we were reviewing the measures we could take to reduce the spam hitting the email accounts we manage and the blogs we are responsible for overseeing. It will probably come as no surprise to most of you, but it was very easy to identify some obvious trends. Fortunately, a response was equally easy. By and large, with WordPress blogs, plugins such as Akismet work wonders and prevent mountains of spam getting through. The concern raised with us was bots searching for email addresses or other such information. (Ideally, the blogs will not have this sort of data available; we always recommend using a properly designed contact form rather than leaving a contact email address.)

In a nutshell, we reviewed the site access logs and blog plugins such as “Firestats” to identify anything which seemed to be unusual activity. While this is not easy to determine with 100% accuracy, the things we looked for were along the lines of: the same IP address hitting a page every fraction of a second (faster than a human could read), IP addresses which spoofed a user agent (UA) string (the most common example of this seems to be a UA string which presents itself as a random string of letters), and IP addresses which are already identified as posting spam comments / trackbacks.

During the early stages of looking at this, one of the things which immediately jumped out at us was the “owner” of the vast majority of the IPs which were being flagged. On one of the blogs, hits were being generated by a UA which was identifying itself with variations of “Sentxmcuk nlbhr crtyoqb” (and other strings of letters; another example used “Himq nwfjrztb dtsuw”). The way this UA was visiting was certainly different from the more normal user agents, and there was a massive similarity in the IP addresses. By and large they were coming from 72.232.234.xxx and 72.232.83.xxx (for example, the Sentxmcuk UA used IP address 72.232.234.138).
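The log checks described above can be sketched as a small script. This is an added example, not code from the original post: the log lines are constructed, and the function names and thresholds (three hits within one second, a vowel ratio below 0.25) are assumptions; only the 72.232.234.138 address and the two UA strings come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" format. Only the first IP and its UA
# come from the post; the other addresses are documentation ranges.
SAMPLE_LOG = '''\
72.232.234.138 - - [20/Apr/2007:10:15:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Sentxmcuk nlbhr crtyoqb"
72.232.234.138 - - [20/Apr/2007:10:15:01 +0000] "GET /blog/?p=12 HTTP/1.1" 200 4096 "-" "Sentxmcuk nlbhr crtyoqb"
72.232.234.138 - - [20/Apr/2007:10:15:02 +0000] "GET /blog/?p=13 HTTP/1.1" 200 4096 "-" "Sentxmcuk nlbhr crtyoqb"
192.0.2.10 - - [20/Apr/2007:10:15:05 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.3"
192.0.2.10 - - [20/Apr/2007:10:16:40 +0000] "GET /blog/?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.3"
198.51.100.7 - - [20/Apr/2007:10:17:00 +0000] "POST /blog/wp-trackback.php?p=12 HTTP/1.1" 200 120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
'''
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def gibberish_ua(ua, max_vowel_ratio=0.25):
    """True for letters-only words with no product/version token and few vowels."""
    if not re.fullmatch(r'[A-Za-z]+(?: [A-Za-z]+)+', ua):
        return False
    letters = ua.replace(' ', '').lower()
    return sum(c in 'aeiou' for c in letters) / len(letters) < max_vowel_ratio

def flag_ips(log_text, known_spam=(), burst=3, window=1):
    """Return {ip: set of reasons} for IPs matching any of the three checks."""
    hits, reasons = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, ua = m.groups()
        hits[ip].append(datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z'))
        if gibberish_ua(ua):
            reasons[ip].add('gibberish-ua')
        if ip in known_spam:
            reasons[ip].add('known-spammer')
    for ip, times in hits.items():
        times.sort()
        # Flag any run of `burst` consecutive requests within `window` seconds.
        for first, last in zip(times, times[burst - 1:]):
            if (last - first).total_seconds() <= window:
                reasons[ip].add('burst')
                break
    return dict(reasons)

if __name__ == '__main__':
    for ip, why in sorted(flag_ips(SAMPLE_LOG, known_spam={'198.51.100.7'}).items()):
        print(ip, sorted(why))
```

Apache's default log timestamp has one-second resolution, so hits arriving every fraction of a second appear as several lines sharing the same timestamp, which is why the burst check counts requests per second rather than measuring sub-second gaps.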

These addresses belong to a company called LayeredTech, and a quick Google search brought up two posts on Village-idiot.org (post 1 and post 2), which went a long way to confirm our initial suspicions. It seems lots of people have been getting quantities of spam from IP addresses which resolve to LayeredTech.com.

At the moment, we here at Compuskills are using a reactive policy of dealing with this: in the .htaccess file we have a section which reads:

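# With "order allow,deny" the allow rules are evaluated first and any matching deny wins.
order allow,deny
# A partial address ending in a dot matches the whole range (here, each /24).
deny from 72.232.234.
deny from 72.232.83.
allow from all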

and we would strongly recommend you institute a similar approach on your site if you have not already done so. Obviously this is hampered by only blocking the addresses after they have been detected hitting the site, and has the risk of blocking genuine visitors, but until we can collect more data it seems overkill to block all of LayeredTech’s IP addresses.


  1. 1 Trackback(s)

  2. Apr 22, 2007: CompuSkills Web Design Service » Blog Archive » Spam Blocking Follow Up WordPress 2.1.2
