Recently I had a spammer on my blog who wanted to place his links here. I don't know why he chose this blog in particular, and I also don't know what he expected from it, because all comments here are moderated. I have always approved all comments that were professionally appropriate, but I do not allow spam. Of course, it is still overhead for me.
Anyway, no matter why, he wanted it and refused to give up. He used different IP addresses to do it. I own a Citrix ADC / NetScaler, so I have a powerful tool at hand, and I decided to block this kind of attack.
First I created a responder policy that forbade access from these IP addresses, but he used many different ones that were on completely different networks. If I blocked 10, he had another 10 new ones.
I stored these IP addresses in a data set that kept getting longer and longer:
add policy dataset block_spamers ipv4
bind policy dataset block_spamers 141.98.84.79 -index 1
bind policy dataset block_spamers 185.102.113.214 -index 2
bind policy dataset block_spamers 185.81.144.156 -index 3
bind policy dataset block_spamers 213.108.3.133 -index 4
bind policy dataset block_spamers 45.10.167.128 -index 5
bind policy dataset block_spamers 45.10.167.68 -index 6
bind policy dataset block_spamers 5.183.252.21 -index 7
bind policy dataset block_spamers 62.210.127.188 -index 8
bind policy dataset block_spamers 62.210.178.249 -index 9
bind policy dataset block_spamers 77.220.192.115 -index 10
bind policy dataset block_spamers 91.222.236.248 -index 11
bind policy dataset block_spamers 185.68.246.95 -index 12
bind policy dataset block_spamers 193.202.80.91 -index 13
bind policy dataset block_spamers 46.161.60.191 -index 14
bind policy dataset block_spamers 88.218.47.212 -index 15
bind policy dataset block_spamers 37.44.196.113 -index 16
bind policy dataset block_spamers 185.96.37.21 -index 17
bind policy dataset block_spamers 5.183.252.61 -index 18
bind policy dataset block_spamers 185.102.113.209 -index 19
This is the responder policy I created for him:
add responder policy res_pol_dropSPAM "CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"block_spamers\")" DROP
This policy checks whether the client IP address is in the data set and drops the request if it is. Two practical notes: because the data set is typed ipv4, the type-matched form of the check is EQUALS_ANY on CLIENT.IP.SRC directly, without the cast to text; and, like any responder policy, it does nothing until it is bound, either to the load-balancing virtual server or globally.
It was not successful in any way: even though my policy got hits, he still posted his nonsense here, and I had to reject his spam, at the cost of my valuable time, of course. In the end, there were a total of 86 successful posts and 125 blocked ones.
So I realized my approach had been completely wrong. There are several billion IP addresses, and I can't (and don't want to) block all of them. What does this guy really want? Correct, he wants to post his hyperlink! It's not about IP addresses, it's about hyperlinks. So in the end, I stopped him by blocking his link (I changed the name of the domain):
add responder policy res_pol_blogSPAM "HTTP.REQ.METHOD.EQ(\"POST\") && HTTP.REQ.BODY(10240).CONTAINS(\"xxxx.net\")" DROP
I check whether it is an HTTP POST and whether the domain name appears (anywhere) in the first 10 KB of the POST body. If it does, I drop the request. Problem solved! No more spam from this source. Two things to keep in mind: only the first 10240 bytes of the body are inspected, so a link placed after that much padding is not seen, and CONTAINS is case-sensitive unless the text mode is set to ignore case. There could be a more flexible version of this policy: if this kind of attack goes on using different links, I could use a pattern set to store all the domains and change the policy expression to "HTTP.REQ.METHOD.EQ(\"POST\") && HTTP.REQ.BODY(10240).CONTAINS_ANY(\"list_of_blocked_URLs\")". I hope my victory is a permanent one and he will give up.
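To make the behaviour of the two policy expressions concrete, here is a small model of them run against a handful of constructed comment submissions. This is an added illustration, not NetScaler code and not part of the original post: BLOCKED_IPS stands in for the block_spamers data set, BLOCKED_DOMAINS for the hypothetical pattern set list_of_blocked_URLs, and every request below is made up. The "hardened" mode adds the IGNORECASE and URLENCODED text modes (SET_TEXT_MODE on the body expression) so the difference they make is visible.

```python
"""Model of the two NetScaler responder-policy expressions from the post,
evaluated against constructed HTTP requests. Added illustration, not ADC
code: BLOCKED_IPS / BLOCKED_DOMAINS and every request below are made up."""
from dataclasses import dataclass
from urllib.parse import unquote_plus

BODY_WINDOW = 10240  # the n in HTTP.REQ.BODY(n): only the first n body bytes are inspected

# Stand-ins for the ADC objects: data set "block_spamers" and a hypothetical
# pattern set "list_of_blocked_URLs" holding the spam domains (constructed).
BLOCKED_IPS = {"141.98.84.79", "185.102.113.214", "5.183.252.21"}
BLOCKED_DOMAINS = ["xxxx.net"]


@dataclass
class Request:
    method: str
    src_ip: str
    body: bytes = b""


def ip_policy(req: Request) -> bool:
    """res_pol_dropSPAM: drop when CLIENT.IP.SRC is in the block_spamers data set."""
    return req.src_ip in BLOCKED_IPS


def link_policy(req: Request, ignore_case: bool = False, url_decode: bool = False) -> bool:
    """res_pol_blogSPAM: HTTP.REQ.METHOD.EQ("POST") && HTTP.REQ.BODY(10240).CONTAINS_ANY(...).

    ignore_case models adding SET_TEXT_MODE(IGNORECASE) to the body expression,
    url_decode models SET_TEXT_MODE(URLENCODED); both default to off, matching
    the plain CONTAINS used in the post.
    """
    if req.method != "POST":
        return False
    window = req.body[:BODY_WINDOW].decode("latin-1")  # bytes beyond the window are never seen
    if url_decode:
        window = unquote_plus(window)
    if ignore_case:
        window = window.lower()
    return any((d.lower() if ignore_case else d) in window for d in BLOCKED_DOMAINS)


def build_samples() -> dict[str, Request]:
    """Constructed comment submissions, shaped like a form-urlencoded comment POST."""
    form = b"author=bob&comment=great+post+see+https%3A%2F%2F{}%2Fshop"
    return {
        "plain_link": Request("POST", "45.10.167.68", form.replace(b"{}", b"xxxx.net")),
        "known_ip_no_link": Request("POST", "141.98.84.79", b"author=bob&comment=hi"),
        "get_with_link": Request("GET", "45.10.167.68", b""),  # link only in the URL, not the body
        "link_past_window": Request("POST", "45.10.167.68",
                                    b"comment=" + b"A" * BODY_WINDOW + b"+xxxx.net"),
        "upper_case": Request("POST", "45.10.167.68", form.replace(b"{}", b"XXXX.NET")),
        "dot_encoded": Request("POST", "45.10.167.68", form.replace(b"{}", b"xxxx%2Enet")),
    }


def evaluate(hardened: bool = False) -> dict[str, bool]:
    """Return, per sample, whether either policy would DROP it.

    hardened=False is the body expression exactly as in the post; hardened=True
    adds the IGNORECASE and URLENCODED text modes to the body check.
    """
    return {
        name: ip_policy(req) or link_policy(req, ignore_case=hardened, url_decode=hardened)
        for name, req in build_samples().items()
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "as posted")
        for name, dropped in evaluate(mode).items():
            print(f"  {name:18} {'DROP' if dropped else 'pass'}")
```

Running it shows the plain link and the known IP being dropped in both modes, the GET never being dropped (the policy only looks at POST), the link placed after 10240 bytes of padding slipping through in both modes, and the upper-case and percent-encoded variants slipping through as posted but being caught once the text modes are added. On the ADC itself the pattern-set variant needs the set created and populated (add policy patset / bind policy patset) and both responder policies bound to the virtual server before any of this takes effect.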
I just posted this in case somebody else suffers from similar attacks. Citrix ADC/NetScaler still rocks!