Stopping Spambots: A Spambot Trap

Neil Gunton writes "Having been hit by a load of spambots on my community site, I decided to write a Spambot Trap which uses Linux, Apache, mod_perl, MySQL, ipchains and Embperl to quickly block spambots that fall into the trap. "

Elements of good design I'd missed

[Dark+Paladin]

Looking at my Day Job and personal web site, other than the very cool technical achievement of the trap (I'll have to see if I can rewrite this for my Checkpoint FW system), there were one things I learned about good design from this article:

Eliminate mailto - makes sense. You should have an http based "send me a message system" - force a live person to type stuff in instead of letting a program pick out addresses.

Eliminating mailto alone would probably help in mot of my spam problems (as I have my "contact me" address right on the first page).

Take a look in the mirror

[Spackler]

Superior Labs spambot_trap mirror

-Spack

A tip

[anthony_dipierro]

Here's a tip for those of you writing spambot traps... How about not blindly responding to the faked Return-Path address?

Now that should be illegal. You people whine about your 10 spams a day, try 10,000 from 2000 different email addresses. Idiot postmasters should be caught and jailed.

he suggests formmail, another spam tool

[nwc10]

Interestingly within the article he suggests hiding your e-mail addresses by making a feedback page. One of the programs that he suggests is formmail, and he links to Matt's original version.

formmail itself (even the most recent version) can still be abused by spammers to use your webserver as a bulk mail relay - see the advisory at
http://www.monkeys.com/anti-spam/formmail-adviso ry . df

It's a shame he didn't suggest the more robust formmail replacement at nms which is maintained, and attempts to close all the known bugs and insecurities.

my spambot trap

[romco]

The page is already slashdoted. Here is a little
script that traps bots (and others) that use your robots.txt
to find directories to look through. Requires an .htaccess file with mod_rewrite turned on

robots.txt
#################

User-agent: *

Disallow: /dont_go_here
Disallow: /images
Disallow: /cgi-bin

dont_go_here/index.php
############

$now = date ("h:ia m/d/Y");
$IP=getenv(REMOTE_ADDR);
$host=getenv(R EMOTE_HOST);
$your_email_address=you@whatever;

$ban_code =
"\n".
'# '."$host banned $now\n".
'RewriteCond %{REMOTE_ADDR} ^'."$IP\n".
'RewriteRule ^.*$ denied.html [L]'."\n\n";

$fp = fopen ("/path/to/.htaccess", "a");
fwrite($fp, $ban_code);
fclose ($fp);

mail("$your_email_address", "Spambot Whacked!", "$host banned $now\n");

Other options..

[primetyme]

A pretty good article, but being able to install modules into Apache may not be the best situation for everyone who wants to stop Spambots..

Shameless plug, but I've got an ongoing series in the Apache section of /. that deals with easy ways that administrators *and* regular users can keep Spambots off their sites:
Stopping Spambots with Apache
and
Stopping Spambots II - The Admin Strikes Back

Just some more options and choices to help people out!

Re:Block? Are you kidding?

[erc]

Way too much work. Here's similar Escapade [escapade.org] code:

<QUIET ON>
<html><head><title>Members area</title></head><body>
<p>Hello random visitor. There is a big chance you are a robot collecting mail
addresses and have no place being here.
Therefore you will get some random generated email addresses and some random links
to follow endlessly.</p>
<p>Please be aware that your IP has been logged and will be reported to proper
authorities if required.</p>
<DBOPEN "SpamFood", "localhost", "login", "password">
<FOR I=1 TO 100 STEP 1>
<SQL select * from names order by rand() limit 1>
<LET FN="$Name">
</SQL>
<SQL select * from lasts order by rand() limit 1>
<LET LN="$Last">
</SQL>
<SQL select * from addresses order by rand() limit 1>
<LET AD="$Address">
</SQL>
<a href="mailto:$FN.$LN@$AD">$FN.$LN@$AD</a> <br>
</FOR>
</body>
</html>