CompuSkills Blog

Accessible Web Design, IT and Information Security

  • Apr
    22

    Although it is very early to draw any conclusions, it is worth noting that in the 24 hours since we instituted a small change to the .htaccess rules on one of the blogs we manage (discussed in the previous post), the volume of spam comments being held by Akismet has dropped by almost 75%. Comparing the last 24 hours with the same 24-hour period over the last six weeks (all we have data for at this time), it seems the spam comments have dropped from around 240 a day to around 70.

    Now, we are not for a second saying that blocking out LayeredTech.com is the sole reason for this reduction, but it is the only change we have instituted. We will continue to monitor this and report any other findings as and when they occur.
    [tags]Wordpress, Spam, Bot, spam bot, LayeredTech, Akismet, Technology, Badbot, Spammers, Compuskills[/tags]

  • Apr
    21

    Recently we were reviewing the measures we could take to reduce the spam hitting the email accounts we manage and the blogs we are responsible for overseeing. It will probably come as no surprise to most of you, but it was very easy to identify some obvious trends. Fortunately, a response was equally easy. By and large, with WordPress blogs, plugins such as Akismet work wonders and prevent mountains of spam getting through. The concern raised with us was bots searching for email addresses or other such information. (Ideally, the blogs will not have this sort of data available; we always recommend using a properly designed contact form rather than leaving a contact email address.)

    In a nutshell, we reviewed the site access logs and blog plugins such as “Firestats” to identify anything which seemed to be unusual activity. While this is not easy to determine with 100% accuracy, the things we looked for were along the lines of the same IP address hitting a page every fraction of a second (faster than a human could read), IP addresses which spoofed a user agent (UA) string (the most common example of this seems to be a UA string which presents itself as a random string of letters), and IP addresses which are already identified as posting spam comments / trackbacks.

    During the early stages of looking at this, one of the things which immediately jumped out at us was the “owner” of the vast majority of the IPs which were being flagged. On one of the blogs, hits were being generated by a UA which was identifying itself with variations of “Sentxmcuk nlbhr crtyoqb” (and other strings of letters; another example used “Himq nwfjrztb dtsuw”). The way this UA was visiting was certainly different from the more normal user agents, and there was a massive similarity in the IP addresses. By and large they were coming from 72.232.234.xxx and 72.232.83.xxx (for example, the Sentxmcuk UA used IP address 72.232.234.138).

    These addresses belong to a company called LayeredTech, and a quick Google search brought up two posts on Village-idiot.org (post 1 and post 2), which went a long way to confirm our initial suspicions. It seems lots of people have been getting quantities of spam from IP addresses which resolve to LayeredTech.com.

    At the moment, we here at Compuskills are using a reactive policy of dealing with this: in the .htaccess file we have a section which reads:

    order allow,deny
    deny from 72.232.234.
    deny from 72.232.83.
    allow from all

    and we would strongly recommend you institute a similar approach on your site if you have not already done so. Obviously this is hampered by only blocking the addresses after they have been detected hitting the site, and has the risk of blocking genuine visitors, but until we can collect more data it seems overkill to block all of LayeredTech’s IP addresses.
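
The log review described above can be scripted. The following is an added example, not code from the original post: it applies the three signals (several hits inside one second, a letters-only UA string, an IP already known for spam comments) to constructed log lines and emits `deny from` lines in the same form as the .htaccess section. The function names, thresholds, the UA heuristic and the documentation-range IP addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.138 - - [21/Apr/2024:10:00:00 +0000] "GET /a/ HTTP/1.1" 200 512 "-" "Sentxmcuk nlbhr crtyoqb"
198.51.100.138 - - [21/Apr/2024:10:00:00 +0000] "GET /b/ HTTP/1.1" 200 498 "-" "Sentxmcuk nlbhr crtyoqb"
198.51.100.138 - - [21/Apr/2024:10:00:00 +0000] "GET /c/ HTTP/1.1" 200 530 "-" "Sentxmcuk nlbhr crtyoqb"
198.51.100.77 - - [21/Apr/2024:10:02:11 +0000] "GET /a/ HTTP/1.1" 200 512 "-" "Himq nwfjrztb dtsuw"
203.0.113.9 - - [21/Apr/2024:10:05:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [21/Apr/2024:10:07:03 +0000] "GET /a/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""
LINE_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed heuristic: a UA of letter-only words (no "Mozilla/5.0"-style token) is random text.
RANDOM_UA_RE = re.compile(r'^[A-Za-z]+( [A-Za-z]+)+$')

def flag_ips(log_text, known_spam_ips=(), burst_threshold=3):
    """Return {ip: set(reasons)} for the three signals described in the post."""
    per_second, reasons = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in combined log format
        ip = m["ip"]
        per_second[(ip, m["ts"])] += 1  # log timestamps have 1 s resolution
        if RANDOM_UA_RE.match(m["ua"]):
            reasons[ip].add("random-ua")
        if ip in known_spam_ips:
            reasons[ip].add("known-spammer")
    for (ip, _), hits in per_second.items():
        if hits >= burst_threshold:
            reasons[ip].add("burst")  # several hits inside one second
    return dict(reasons)

def deny_lines(flagged, min_ips_for_prefix=2):
    """Widen to a /24 'deny from a.b.c.' only if several flagged IPs share it."""
    by_prefix = defaultdict(set)
    for ip in flagged:
        by_prefix[ip.rsplit(".", 1)[0] + "."].add(ip)
    out = []
    for prefix, ips in sorted(by_prefix.items()):
        targets = [prefix] if len(ips) >= min_ips_for_prefix else sorted(ips)
        out.extend(f"deny from {t}" for t in targets)
    return out

if __name__ == "__main__":
    flagged = flag_ips(SAMPLE_LOG, known_spam_ips={"203.0.113.9"})
    print("\n".join(deny_lines(flagged)))
```

Blocking a whole /24 only when more than one flagged address falls inside it limits the risk of blocking genuine visitors that the post mentions.
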
    [tags]Wordpress, Spam, Bot, spam bot, LayeredTech, Akismet, Technology, Badbot, Spammers, Compuskills[/tags]
