Jan 13 2005

Deny Comment Spam from open proxies in MovableType

Update 2005/01/15: Please consider using mt-proxyplug instead of the plugin below.

Along the same lines as yesterday’s SpamAssassin and MovableType entry, here’s another weapon against the “texas hold’em” and “football–betting” idiots.

Those morons have a tendency to conceal their identity. They hide behind public proxy servers and bombard your servers with their crap from there. So all we have to do is check for a public proxy when somebody tries to submit a comment. If I detect a submission through a public proxy server, it will not end up on the site but will be ignored silently.

The proxy check is done in two stages:

  • If we find the HTTP_X_FORWARDED_FOR environment variable, we assume that a proxy has handled the request and we don’t look any further.
  • If no HTTP_X_FORWARDED_FOR is found, we grab Apache’s REMOTE_ADDR environment variable (the IP address of the system that sent the current request) and use the HTTP::CheckProxy module to test whether the submitting system is a public proxy server.

If a comment submission is coming from a public proxy we drop a line in the server’s error_log. Here are just some of the entries I captured since I installed it:

[Thu Jan 13 08:35:21 2005] comment denied - using proxy: 216.49.49.118 80.25.156.151 - poker/bushmills1614@rocketmail.com/80.58.4.111
[Thu Jan 13 08:35:46 2005] comment denied - using proxy: 24.215.40.47 - football betting/bob@y6322o.com/63.110.140.28
[Thu Jan 13 08:39:00 2005] comment denied - using proxy: 58.40.89.127 - phentermine/gocha9985@see.it/203.199.92.158
[Thu Jan 13 08:48:59 2005] comment denied - using proxy: 115.120.174.78, 127.0.0.1 - online poker/absolut5129@freemail.com/80.255.49.222

And before somebody points me at Brad’s DSBL plugin: I’ve tested all the proxies listed above and they do not appear in the DSBL.

In order to use the plugin you will need to have the Perl module HTTP::CheckProxy on your system. Drop the Perl code below into your MT plugins folder and you should be ready to go. Again, this has only been tested under Apache!

You can download the compressed version here: mt-commentproxyblock.pl.gz (1 Kb,gzip)

#!/usr/bin/perl -w
package MT::Plugin::CommentProxyBlock;

use strict;
use lib '../lib';
use vars qw ($VERSION);
$VERSION='0.2';

use constant ACCEPT_RESPONSE => 1;
use constant DENY_RESPONSE => 0;

use MT;
use MT::App::Comments;
use HTTP::CheckProxy;

eval{ require MT::Plugin };
unless ($@) {
    my $plugin = {
        name => qq{Comment Proxy Block for Movable Type v$VERSION},
        description => qq{Will block attempts to post a comment via a proxy server},
    };
    MT->add_plugin(new MT::Plugin($plugin));
    # tell MT that we want to be called to filter comments
    MT->add_callback('CommentFilter', 1, $plugin, \&proxyCheck_filter);
}

# proxyCheck_filter
#
# checks environment for an entry which indicates we are handling a request that
# came from a proxy server (HTTP_X_FORWARDED_FOR). If environment does not give
# any indication, check REMOTE_ADDR and see if it proxies requests for us. If
# either is true we deny the comment posting attempt. Tested in Apache only!

sub proxyCheck_filter {
    my($eh,$app,$comment)=@_;
    my($isProxy,$proxy)=(0,'');

    # uncomment to get a complete dump of the environment
    # dumpEnv();
    # check environment
    $proxy=$ENV{HTTP_X_FORWARDED_FOR};
    if(defined($proxy) && length($proxy)) {
        print STDERR "[".scalar(localtime())."] proxy request forwarded for: $proxy\n";
        # if we have a X-Forwarded-For header, it was most likely
        # added by the system that sent the request
        $proxy=$ENV{REMOTE_ADDR};
        $isProxy++;
    }
    # check remote address
    unless($isProxy) {
        $proxy=$ENV{REMOTE_ADDR};
        print STDERR "[".scalar(localtime())."] probing for open proxy: $proxy\n";
        my $p=HTTP::CheckProxy->new($proxy,qq{http://www.google.com/});
        $isProxy++ if($p->guilty());
    }
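    if($isProxy) {
        # strip control characters so a crafted author/email cannot forge log lines
        (my $who=join("/",$comment->author,$comment->email,$comment->ip))=~s/[\x00-\x1f\x7f]//g;
        print STDERR "[".scalar(localtime())."] comment denied - " .
          "using proxy: $proxy - " .
          $who .
          "\n";
        return DENY_RESPONSE;
    }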
    return ACCEPT_RESPONSE;
}

sub dumpEnv {
    print STDERR "[".scalar(localtime())."] environment for $0:\n";
    foreach my $key (sort keys %ENV) {
        print STDERR "[".scalar(localtime())."] $key = ",$ENV{$key},"\n";
    }
}

1;
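
The two-stage decision described above, as a stand-alone added example (not part of the original plugin) that runs without Movable Type or network access. It goes beyond the post in one case: when the blog sits behind your own reverse proxy, every request carries X-Forwarded-For, so stage 1 alone would deny all comments. The names check_request, clean, is_ipv4 and %FRONTEND and the address 10.0.0.5 are assumptions, and $probe stands in for the HTTP::CheckProxy lookup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: addresses of your own reverse proxy, if the blog sits behind one.
my %FRONTEND = map { $_ => 1 } qw(10.0.0.5);

# Remove control characters so request data cannot forge error_log lines.
sub clean { my $v = defined $_[0] ? $_[0] : ''; $v =~ s/[\x00-\x1f\x7f]//g; $v }

sub is_ipv4 {
    my @o = $_[0] =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/ or return 0;
    return scalar(grep { $_ > 255 } @o) ? 0 : 1;
}

# Returns ($verdict, $reason). $probe stands in for
# HTTP::CheckProxy->new($ip, $url)->guilty so the example runs offline.
sub check_request {
    my ($env, $probe) = @_;
    my $remote = clean($env->{REMOTE_ADDR});
    my $xff    = clean($env->{HTTP_X_FORWARDED_FOR});
    my @hops   = grep { is_ipv4($_) } split /[\s,]+/, $xff;

    if ($FRONTEND{$remote}) {
        # Our own front end appended the last hop; that is the real client.
        my $client = $hops[-1];
        return ('deny', "no usable client address in '$xff'") unless defined $client;
        return ('deny', "forwarded through another proxy: $xff") if @hops > 1;
        return $probe->($client) ? ('deny', "open proxy: $client") : ('accept', $client);
    }
    # Stage 1 from the post: any X-Forwarded-For means a proxy relayed it.
    return ('deny', "using proxy: $xff") if length $xff;
    # Stage 2 from the post: probe the connecting address itself.
    return $probe->($remote) ? ('deny', "open proxy: $remote") : ('accept', $remote);
}

# Constructed sample requests (addresses from documentation ranges).
my $probe = sub { $_[0] eq '203.0.113.9' };   # pretend this one relays requests
for my $env (
    { REMOTE_ADDR => '198.51.100.7' },
    { REMOTE_ADDR => '203.0.113.9' },
    { REMOTE_ADDR => '198.51.100.7', HTTP_X_FORWARDED_FOR => "192.0.2.1\r\n[forged]" },
    { REMOTE_ADDR => '10.0.0.5',     HTTP_X_FORWARDED_FOR => '198.51.100.7' },
    { REMOTE_ADDR => '10.0.0.5',     HTTP_X_FORWARDED_FOR => '192.0.2.1, 203.0.113.9' },
) {
    my ($verdict, $reason) = check_request($env, $probe);
    print "$verdict - $reason\n";
}
```

Because X-Forwarded-For is supplied by whoever sent the request, the example only treats it as a client address when REMOTE_ADDR is the configured front end; everywhere else it is used solely as a reason to deny.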

2 Responses to “Deny Comment Spam from open proxies in MovableType”

  • IO ERROR Says:

    Be careful with the DSBL. I have gotten so many false positives from it, and complaints from legitimate users, that I ultimately had to remove it from my blacklists. The basic problem with the DSBL is it lists open proxies on dynamic addresses, which then get reassigned to someone else, and it is virtually impossible to get an address removed.

    They use automated testing against computers to list addresses, but they don’t use automated testing to remove addresses; instead, they require the ISP to manually intervene, and they rarely do.

  • Caroline Says:

    Me too. I installed DSBL last night and it forces EVERY comment to moderation. I’ll be taking it out tonight as soon as I get to where I can FTP into my host.
    Does this proxyplug work on Windows hosts? I’m stuck with one of those.
    Thanks! I am so appreciative of all the great work folks are doing to combat this spam problem.
