Slashdot Mirror


Stopping Spambots: A Spambot Trap

Neil Gunton writes "Having been hit by a load of spambots on my community site, I decided to write a Spambot Trap which uses Linux, Apache, mod_perl, MySQL, ipchains and Embperl to quickly block spambots that fall into the trap."

23 of 304 comments

  1. 1st Spam by Anonymous Coward · · Score: 0, Informative

    FS !!

  2. Elements of good design I'd missed by Dark+Paladin · · Score: 4, Informative

    Looking at my Day Job and personal web site, other than the very cool technical achievement of the trap (I'll have to see if I can rewrite this for my Checkpoint FW system), there was one thing I learned about good design from this article:

    Eliminate mailto - makes sense. You should have an http based "send me a message system" - force a live person to type stuff in instead of letting a program pick out addresses.

    Eliminating mailto alone would probably help in most of my spam problems (as I have my "contact me" address right on the first page).

    1. Re:Elements of good design I'd missed by Dark+Paladin · · Score: 2, Informative

      Good point - some sites (I think AOL did once) can get sued if you're a large enough business and don't make your site accessible to the blind. (Americans with Disabilities Act thing.)

    2. Re:Elements of good design I'd missed by Permission+Denied · · Score: 2, Informative

      I put my email address in a jpeg image. Haven't found a spambot yet that can decipher that.

      But neither could blind internet users...


      Add an alt tag that describes how to email you. Eg, "The first part of my email address is 'username' and the second part is 'host.com' - the two parts are separated by an '@' sign." I've been doing the jpeg thing for three years; works great.

    3. Re:Elements of good design I'd missed by Technician · · Score: 3, Informative

      I like the way geocaching.com handles the problem. To email a user, you have to click on a link containing the user profile. A link in the profile provides a contact user option which provides a form to fill out - if you are also a registered user of the site. If you are not a user of the site, then you are prompted to log in or become a user. If you are a user and contacting another user, there is a checkbox which, if checked, will also send your real address to the user you are contacting so then with his permission, contact may be made via regular mail. This is useful for sending graphics and attachments. The best part is your address is not given out unless you specifically permit it on a case by case basis. I love it.

      --
      The truth shall set you free!
  3. Take a look in the mirror by Spackler · · Score: 5, Informative
  4. A tip by anthony_dipierro · · Score: 5, Informative

    Here's a tip for those of you writing spambot traps... How about not blindly responding to the faked Return-Path address?

    Now that should be illegal. You people whine about your 10 spams a day, try 10,000 from 2000 different email addresses. Idiot postmasters should be caught and jailed.

  5. he suggests formmail, another spam tool by nwc10 · · Score: 5, Informative
    Interestingly within the article he suggests hiding your e-mail addresses by making a feedback page. One of the programs that he suggests is formmail, and he links to Matt's original version.

    formmail itself (even the most recent version) can still be abused by spammers to use your webserver as a bulk mail relay - see the advisory at
    http://www.monkeys.com/anti-spam/formmail-adviso ry . df

    It's a shame he didn't suggest the more robust formmail replacement at nms which is maintained, and attempts to close all the known bugs and insecurities.

  6. my spambot trap by romco · · Score: 4, Informative

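    The page is already slashdotted. Here is a little script that traps bots (and others) that use your robots.txt to find directories to look through. Requires an .htaccess file with mod_rewrite turned on.

    robots.txt
    #################

    User-agent: *
    Disallow: /dont_go_here
    Disallow: /images
    Disallow: /cgi-bin

    dont_go_here/index.php
    ############

    <?php
    // Anything that requests this page ignored the Disallow line in robots.txt.
    $now = date("h:ia m/d/Y");
    $IP = getenv('REMOTE_ADDR');
    // REMOTE_HOST is only set when Apache does reverse lookups; fall back to the IP.
    // Keep hostname characters only, so nothing else can be written into .htaccess.
    $host = preg_replace('/[^A-Za-z0-9.:-]/', '', getenv('REMOTE_HOST') ?: $IP);
    $your_email_address = 'you@whatever';

    // Escape the dots and anchor both ends so the rule matches this address only.
    $ban_code =
    "\n".
    '# '."$host banned $now\n".
    'RewriteCond %{REMOTE_ADDR} ^'.preg_quote($IP).'$'."\n".
    'RewriteRule ^.*$ denied.html [L]'."\n\n";

    // Append the new rule to the existing .htaccess.
    $fp = fopen("/path/to/.htaccess", "a");
    fwrite($fp, $ban_code);
    fclose($fp);

    mail($your_email_address, "Spambot Whacked!", "$host banned $now\n");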

    --
    AdFuel
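
An offline variant of the trap above, as an added Python example that is not part of the original post: it reads the access log instead of letting the web server append to its own .htaccess, accepts only client fields that parse as IP addresses, and emits rules with the dots escaped and both ends anchored. The log lines are constructed, and `trapped_clients`, `ban_rule` and `cond_matches` are hypothetical helper names.

```python
import ipaddress
import re

TRAP = "/dont_go_here"   # the Disallow'd directory from the robots.txt above
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" \d{3} ')

# Constructed access-log lines (documentation address ranges only).
SAMPLE_LOG = """\
192.0.2.7 - - [10/Jan/2002:10:00:01 +0000] "GET /robots.txt HTTP/1.0" 200 68 "-" "harvester"
192.0.2.7 - - [10/Jan/2002:10:00:02 +0000] "GET /dont_go_here/ HTTP/1.0" 200 512 "-" "harvester"
192.0.2.70 - - [10/Jan/2002:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 900 "-" "Mozilla/4.76"
198.51.100.9 - - [10/Jan/2002:10:00:04 +0000] "GET /dont_go_here_not/x HTTP/1.0" 404 0 "-" "x"
evil.example - - [10/Jan/2002:10:00:05 +0000] "GET /dont_go_here/a?b=1 HTTP/1.0" 200 512 "-" "x"
""".splitlines()

def trapped_clients(lines, trap=TRAP):
    """Return the set of client IPs that requested the trap directory."""
    hits = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.group(1), m.group(2).split("?", 1)[0]
        if path != trap and not path.startswith(trap + "/"):
            continue                      # e.g. /dont_go_here_not is not the trap
        try:
            hits.add(str(ipaddress.ip_address(client)))  # rejects hostnames and junk
        except ValueError:
            continue
    return hits

def ban_rule(ip):
    """One rule in the format used above: dots escaped, both ends anchored."""
    return ("RewriteCond %{REMOTE_ADDR} ^" + re.escape(ip) + "$\n"
            "RewriteRule ^.*$ denied.html [L]\n")

def cond_matches(pattern, ip):
    """Approximate how a RewriteCond regex is tested against REMOTE_ADDR."""
    return re.search(pattern, ip) is not None

if __name__ == "__main__":
    for ip in sorted(trapped_clients(SAMPLE_LOG)):
        print(ban_rule(ip))
```

A pattern written as `^192.0.2.7` also matches `192.0.2.70` and `192.0.217.5`, which is why the rule escapes the dots and ends with `$`.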
  7. Re:Block? Are you kidding? by Ralp · · Score: 3, Informative
    Wpoison does this.

    From the website: Wpoison is a free tool that can be used to help reduce the problem of bulk junk e-mail on the Internet in general, and at sites using Wpoison in particular.

    It solves the problems of trapped spambots sucking up massive bandwidth/CPU time, as well as sparing legitimate spiders (say, google) from severe confusion.

  8. Other options.. by primetyme · · Score: 4, Informative

    A pretty good article, but being able to install modules into Apache may not be the best situation for everyone who wants to stop Spambots..

    Shameless plug, but I've got an ongoing series in the Apache section of /. that deals with easy ways that administrators *and* regular users can keep Spambots off their sites:
    Stopping Spambots with Apache
    and
    Stopping Spambots II - The Admin Strikes Back

    Just some more options and choices to help people out!

  9. Re:Block? Are you kidding? by richie2000 · · Score: 3, Informative
    Wpoison basically does that; it serves a page with bogus addresses and adds a nasty delay between pages, keeping the spider occupied.

    However, the instructions for installing Wpoison more or less assume that one has a single website to protect. I have around 20 virtual hosts. So instead of creating a renamed cgi-bin in every DocumentRoot, I added a single

    ScriptAlias /runme/ "/var/www/cgi-bin/"

    to httpd.conf and then linked it like this:

    <A HREF="/runme/addresses.ext"><IMG SRC="pixel.gif" BORDER=0></A>

    I also added a single transparent pixel to the link to keep it invisible but still fool the spiders. Add the runme directory as excluded in the robots.txt and you should be on your way. Muhahahah, and so on.

    --
    Money for nothing, pix for free
  10. Re:Block? Are you kidding? by erc · · Score: 4, Informative

    Way too much work. Here's similar Escapade [escapade.org] code:

    <QUIET ON>
    <html><head><title>Members area</title></head><body>
    <p>Hello random visitor. There is a big chance you are a robot collecting mail
    addresses and have no place being here.
    Therefore you will get some random generated email addresses and some random links
    to follow endlessly.</p>
    <p>Please be aware that your IP has been logged and will be reported to proper
    authorities if required.</p>
    <DBOPEN "SpamFood", "localhost", "login", "password">
    <FOR I=1 TO 100 STEP 1>
    <SQL select * from names order by rand() limit 1>
    <LET FN="$Name">
    </SQL>
    <SQL select * from lasts order by rand() limit 1>
    <LET LN="$Last">
    </SQL>
    <SQL select * from addresses order by rand() limit 1>
    <LET AD="$Address">
    </SQL>
    <a href="mailto:$FN.$LN@$AD">$FN.$LN@$AD</a> <br>
    </FOR>
    </body>
    </html>

    --
    -- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
  11. Problem with wpoison... by wideangle · · Score: 3, Informative

    is that some of the fake emails it generates will be real.

  12. Re:Simple solution! by fanatic · · Score: 3, Informative

    Congratulations. You just ensured you can't be emailed by anyone not running Internet Explorer.

    This seems to work fine (the window comes up with the right email address in the to: line and the '[Question]' tag in the subject: line) in Netscape 4.76

    and Lynx Version 2.8.3rel.1

    and Mozilla 0.9.7, which implies Netscape 6.x, and Galeon will work as well, though I haven't tested these.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  13. the danger of mailing lists.. esp. SuSE user list by SethJohnson · · Score: 3, Informative


    Another way your e-mail address can be susceptible to spambots is if you participate in any mailing list. If the administrator decides to archive the list on a website, in many cases the email addresses of the participants will be there in plain text. I found this out after doing a google search for my own email address and having it turn up on the SuSE web site. I sent an e-mail asking that they do a regsub on the archive to substitute the '@' with [at] or something similar. That was more than six months ago and the SuSE website admin still hasn't done it.
  14. Re:A better solution: obfuscate the mailto: link by Anonymous Coward · · Score: 1, Informative

    Paul Gregg has posted a PHP deal he's written that'll allow you to generate obscured mailto:s - can be configured to generate obfuscation that is or isn't javascript dependent.

    Find it at: http://www.pgregg.com/projects/encode/htmlemail.php

    A usable page for those without access to their own php aware servers as well as source code.

  15. Here's a Javascript that writes mailto: links... by Artifice_Eternity · · Score: 3, Informative

    ...so that you can leave them out of your HTML source:

    http://artificeeternity.com/includes/linkwrite.js

    Instructions for use are included in comments. The script fragment that replaces mailto: links in the page will actually shorten your code -- it only requires entering the username and domain once. Also, the @ sign is added in by the script, so the address itself never appears in your HTML.

  16. http://www.mailwasher.net/ by jasonk3 · · Score: 3, Informative
  17. Build up the mailto with javascript by maddugan · · Score: 2, Informative

    Here is what I do on my website to protect email address

    Javascript:
    // Assemble the mailto: URL from fragments so the full address
    // never appears as one string in the page source.
    function sendmail()
    {
        var string = 'mail'
        string += 'to:'
        string += 'webmaster'
        string += '@'
        string += 'domain'
        string += '.com'
        open(string)
    }

    Usage:
    <a href="JavaScript:sendmail()">webmaster</a>

    This could be expanded to pass the values needed to build up the email address.

  18. Better Addresses To Feed Spiders by billstewart · · Score: 3, Informative
    I've posted a separate article about fun tricks with round-robin DNS to feed spammers FQDNs that resolve to open relays, which will forward to other open relays. And if you know machines running Teergrubes, they're excellent addresses to feed spiders.*

    If you're not messing with DNS, though, there are lots of addresses that can cause trouble:

    • sales@spammerdomain.com, where the domain may be your spammer (if you customize your spidertrap) or a random spammer. They'll probably reject abuse@ and other obvious administrators, but names like "sales" and "purchasing" and "marketing" and anything that might get a real user is good.
    • randomjunkuser@spammerdomain.com. If they're not verifying the list before using it, this is good.
    • randomjunkuser@randomjunksubdomain.spammerdomain.com
    • randomjunkuser@spamhausdomain.com, at some site that encourages spammer customers.
    • randomjunkuser@randomjunksubdomain.spammers-ISP.net - does the spammer's ISP check for bad DNS hits?
    • randomjunkuser@othercustomer-of-spammers-hosting-ISP.net. Your mission is to get the spammer's ISP to throw off the spammer. If you want to be much ruder, you can use real-presidents-name@othercustomer-of-spammers-hosting-ISP.net, but both of those attacks require more customization to hit spammers you're having ongoing problems with, as opposed to shotgunning them all.
    • unsubscribeme-address@unsubscribemedomain.com - anything not immediately recognizable as "remove@". Give some other spammer's list builder a bunch of addresses to work with.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  19. Teergrubes and other traps for spammers by billstewart · · Score: 3, Informative
    Teergrubes are tarpits to stick spammers in. They look like perfectly correct SMTP servers, e.x.c.e.p.t. t.h.e.y. a.n.s.w.e.r. v..e..r..y.. s..l..o..w..l..y.. and maybe generate lots of error messages requiring repetition, and basically they leave the spammer's machine tied up for a long time with very little effort. A legitimate mailing list server that encounters a teergrube will normally survive, because it's usually multithreaded, or at least has almost all its recipients as legitimate users, but an occasional few minutes of one thread stuck in a trap isn't a major problem. But a spammer who's encountering a large number of teergrubes (especially if he picked them all up at once from a spidertrap) will have lots of threads tied up for a long time and may not have enough spare capacity to bother real targets. There are a number of implementations around.

    And somewhere out there is a far nastier variant on a teergrube that can keep a typical smtp session up for hours with only a few kilobits/minute, using tricks like setting TCP windows very small, NAKing lots of packets so TCP retransmits them, etc. (It basically works by saying "No, SMTP/TCP/IP isn't a set of protocol drivers in my Linux kernel, it's a definition of a set of messages and there's no reason I should use a bunch of well-tuned efficient reliable kernel routines when I can send raw IP packets myself designed for maximal ugliness.")

    • Spamido is an automated tool for collecting spammers' addresses so they can be fed back to other spammers.
    • Wpoison and Sugarplum are spidertraps that generate lots of fake addresses for a long time.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
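
A minimal teergrube of the kind described in the comment above, as an added Python example that is not from the original post or from any of the implementations it mentions: the banner and every reply go out one byte at a time, and each command gets a temporary failure. The hostname, port, delay and both limits are assumed values.

```python
import asyncio

BANNER = b"220 mx.example.invalid ESMTP\r\n"   # constructed hostname
TEMPFAIL = b"451 4.3.0 Try again later\r\n"    # 4xx: the sender is expected to retry
MAX_SESSIONS = 200    # assumed cap so the trap cannot exhaust this host
MAX_SECONDS = 900     # assumed hard limit on one session

async def drip(writer, data, delay):
    """Write data one byte at a time, sleeping `delay` seconds after each byte."""
    for i in range(len(data)):
        writer.write(data[i:i + 1])
        await writer.drain()
        await asyncio.sleep(delay)

async def session(reader, writer, delay):
    """Slow banner, then a slow temporary failure per command until QUIT or EOF."""
    await drip(writer, BANNER, delay)
    while True:
        line = await reader.readline()
        if not line or line.strip().upper() == b"QUIT":
            return
        await drip(writer, TEMPFAIL, delay)

def make_handler(delay=1.0):
    active = 0
    async def handle(reader, writer):
        nonlocal active
        if active >= MAX_SESSIONS:        # over the cap: drop instead of queueing
            writer.close()
            return
        active += 1
        try:
            await asyncio.wait_for(session(reader, writer, delay), MAX_SECONDS)
        except (asyncio.TimeoutError, ConnectionError, ValueError):
            pass                          # timeout, reset, or over-long line
        finally:
            active -= 1
            writer.close()
    return handle

async def main(host="127.0.0.1", port=2525):
    server = await asyncio.start_server(make_handler(), host, port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

The session cap and the per-session timeout bound what the trap costs the host running it; each stuck client holds only one idle coroutine.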