Stupid Blog Trackback Spammers Don't Understand Server 403 Responses
The title of this article tells it all: "Stupid Blog Spammers Don't Understand Server 403 Responses!" Many months ago I discovered that although comments and trackbacks were not being posted to my blog, due to automatic moderation and classification of them as spam, nonetheless they kept on a-comin'. The comment spammers gave up a couple of months ago when they searched my blog only to learn that their bullshit comments had not been posted and never would be (I told them so on the search results page). However, the idiots who are trying to post trackback spam messages don't bother to search the blogs they are posting to, nor do they apparently read the responses sent by the script they are aimed at. If they did, all they would see from my blog is a steady stream of server 403 responses: "Access Denied!" I don't even have the comments or trackbacks Perl modules installed anymore, so even I can't post comments or trackbacks to my own blog! I removed them when it became obvious that only spammers were commenting or tracking back.
If you run a MovableType blog and don't care to allow comments or trackbacks, yet you are seeing numerous attempts to spam your blog (in the list of junk comments and trackbacks), you can do what I did and disable them altogether, then delete or rename the files used to post these comments. To disable them in MovableType, log into your MT installation, click on the left sidebar item "Settings," then click on the "New Entry Defaults" tab. Under "Default settings for new entries," uncheck both "Accept Comments" and "Accept Trackbacks," then scroll down to the bottom of the page and click on the "Save Changes" button. This will remove the Comments and Trackbacks links under all of your posts. You may still have to manually remove existing comments and trackbacks from old topics, or delete the old topics entirely if they have a lot of useless commenting in them.
Even though you have disabled accepting comments, the spammers may still try to go straight to the Perl scripts that handle comments and trackbacks, bypassing the choices you made to exclude them. To prevent this, you can either remove or rename these two files that are in the standard MT installation, under the CGI folder/MT (typically cgi-bin/MT/):
mt-comments.cgi
mt-tb.cgi
Without those files, nobody is going to Post a spam comment to your blog, and you can never accidentally re-enable comments or trackbacks unless you upgrade or replace those files.
As I said in the beginning, these spammers are not reading the results of their attempted trackback messages (success or failure), thus they are probably using automated scripts to send them out blindly from a spam list supplied to them by somebody even dumber than they are, without any concern about success or failure of their efforts. If you run your blog on an Apache-hosted web server and want to deny access to these assholes, read the technical details in my extended comments.
Here is evidence from today's raw access log showing that a trackback spammer, using rotating hijacked proxy IP addresses, repeatedly tries and fails to Post to my blog, gets a 403 response and keeps coming back having never read the failure report in his software (dumb software from Russia).
69.89.25.184 - - [04/Aug/2007:01:21:35 -0600] "POST /cgi-bin/mt/mt-tb.cgi/46 HTTP/1.0" 403 457 "-" "TrackBack/1.02"
66.79.163.173 - - [04/Aug/2007:01:27:40 -0600] "POST /cgi-bin/mt/mt-tb.cgi/49 HTTP/1.0" 403 264 "-" "TrackBack/1.02"
195.12.48.41 - - [04/Aug/2007:04:27:20 -0600] "POST /cgi-bin/mt/mt-tb.cgi/51 HTTP/1.0" 403 273 "-" "TrackBack/1.02"
85.234.144.215 - - [04/Aug/2007:04:29:19 -0600] "POST /cgi-bin/mt/mt-tb.cgi/2 HTTP/1.0" 403 363 "-" "TrackBack/1.02"
64.151.124.5 - - [04/Aug/2007:04:31:59 -0600] "POST /cgi-bin/mt/mt-tb.cgi/30 HTTP/1.0" 403 449 "-" "TrackBack/1.02"
69.50.210.8 - - [04/Aug/2007:04:41:28 -0600] "POST /cgi-bin/mt/mt-tb.cgi/47 HTTP/1.0" 403 404 "-" "TrackBack/1.02"
217.160.230.182 - - [04/Aug/2007:05:33:54 -0600] "POST /cgi-bin/mt/mt-tb.cgi/33 HTTP/1.0" 403 391 "-" "TrackBack/1.02"
64.202.165.132 - - [04/Aug/2007:05:34:21 -0600] "POST /cgi-bin/mt/mt-tb.cgi/35 HTTP/1.0" 403 326 "-" "TrackBack/1.02"
67.159.45.54 - - [04/Aug/2007:06:35:06 -0600] "POST /cgi-bin/mt/mt-tb.cgi/9 HTTP/1.0" 403 492 "-" "TrackBack/1.02"
70.87.244.242 - - [04/Aug/2007:07:18:00 -0600] "POST /cgi-bin/mt/mt-tb.cgi/38 HTTP/1.0" 403 286 "-" "TrackBack/1.02"
67.159.45.54 - - [04/Aug/2007:07:44:08 -0600] "POST /cgi-bin/mt/mt-tb.cgi/21 HTTP/1.0" 403 377 "-" "TrackBack/1.02"
64.202.165.201 - - [04/Aug/2007:10:02:30 -0600] "POST /cgi-bin/mt/mt-tb.cgi/19 HTTP/1.0" 403 271 "-" "TrackBack/1.02"
207.58.179.71 - - [04/Aug/2007:13:11:56 -0600] "POST /cgi-bin/mt/mt-tb.cgi/48 HTTP/1.0" 403 317 "-" "TrackBack/1.02"
70.87.34.146 - - [04/Aug/2007:13:49:46 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1016 HTTP/1.0" 403 189 "-" "Snoopy v1.2.3"
70.87.34.146 - - [04/Aug/2007:14:03:06 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1060 HTTP/1.0" 403 189 "-" "Snoopy v1.2.3"
70.87.34.146 - - [04/Aug/2007:14:46:10 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1461 HTTP/1.0" 403 207 "-" "Snoopy v1.2.3"
Despite the fact that these hits all come from IP addresses in different countries, I have previously tracked most of them down to spammers in Russia and The Ukraine. I won't tell you how I did that; just trust me on this.
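The pattern in the log above can be pulled out automatically. This added example (not the author's code) parses Apache combined-format lines, groups POSTs to mt-tb.cgi and mt-comments.cgi by User-Agent, and lists the IP addresses that came back after already being answered with a 403. The six sample lines are copied from the excerpt above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Six lines copied from the access-log excerpt above (Apache combined format).
SAMPLE_LOG = """\
69.89.25.184 - - [04/Aug/2007:01:21:35 -0600] "POST /cgi-bin/mt/mt-tb.cgi/46 HTTP/1.0" 403 457 "-" "TrackBack/1.02"
66.79.163.173 - - [04/Aug/2007:01:27:40 -0600] "POST /cgi-bin/mt/mt-tb.cgi/49 HTTP/1.0" 403 264 "-" "TrackBack/1.02"
67.159.45.54 - - [04/Aug/2007:06:35:06 -0600] "POST /cgi-bin/mt/mt-tb.cgi/9 HTTP/1.0" 403 492 "-" "TrackBack/1.02"
67.159.45.54 - - [04/Aug/2007:07:44:08 -0600] "POST /cgi-bin/mt/mt-tb.cgi/21 HTTP/1.0" 403 377 "-" "TrackBack/1.02"
70.87.34.146 - - [04/Aug/2007:13:49:46 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1016 HTTP/1.0" 403 189 "-" "Snoopy v1.2.3"
70.87.34.146 - - [04/Aug/2007:14:03:06 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_1060 HTTP/1.0" 403 189 "-" "Snoopy v1.2.3"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
# The two MovableType scripts named in the article.
ENDPOINT = re.compile(r"/mt-(?:tb|comments)\.cgi(?:/|$)")

def parse(log_text):
    """Yield (ip, status, agent) for each POST aimed at the MT scripts."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["method"] == "POST" and ENDPOINT.search(m["path"]):
            yield m["ip"], int(m["status"]), m["agent"]

def by_agent(log_text):
    """Per User-Agent: total hits, denied hits and the distinct source IPs."""
    out = defaultdict(lambda: {"hits": 0, "denied": 0, "ips": set()})
    for ip, status, agent in parse(log_text):
        row = out[agent]
        row["hits"] += 1
        row["denied"] += status == 403
        row["ips"].add(ip)
    return dict(out)

def returned_after_403(log_text):
    """IPs that POSTed again after already being answered with a 403."""
    denied, repeat = set(), set()
    for ip, status, _ in parse(log_text):
        if ip in denied:
            repeat.add(ip)
        if status == 403:
            denied.add(ip)
    return repeat

if __name__ == "__main__":
    print(by_agent(SAMPLE_LOG))
    print(sorted(returned_after_403(SAMPLE_LOG)))
```

On the sample, the same "TrackBack/1.02" agent arrives from three different addresses, so the User-Agent and the target script are steadier signals than the source IP.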
If you are wondering how I managed to send every one of these attempts a server 403 Forbidden response, the answer lies in the Apache web server module Mod_Rewrite. In my previous article I wrote about my .htaccess blocklists, where I showed how to block unwanted traffic based on IP addresses. Those blocklists use the Apache Mod_Access module inside a file called ".htaccess." This method is very effective as long as the spammers are using computers or servers from within the countries, or IP ranges that are on those blocklists, especially the Russia and Exploited Server Blocklist. So how do I block the ones that use proxy servers in non-blocked locations like the ISPs in the USA?
In order to block people or scripts that use rotating hijacked computers or open proxy servers to spam your blog, you need to add another weapon to your arsenal. That weapon is the Apache module "Mod_Rewrite." I will write about using Mod_Rewrite in my next article in this series about blocking spammers, scammers and exploitation attempts using .htaccess. In the meantime, if you haven't read the previous article about using .htaccess blocklists, read it now. It will bring you up to speed so you can grok what is coming in the next installment.
Gotta go for now. Look for more details in the next day or two.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.