Secondary MX

A week or so ago I observed that the sole purpose of my secondary MXes seemed to be to send me spam a second time after I had rejected it the first time. So I removed all secondary MXes from my DNS zone. This resulted immediately in a lower load on my mail server, and no obvious ill effects.

Of course, the purpose of a secondary MX is to take over if and when my mail server goes down. But since most mail servers will keep trying for several days anyway, it seems pretty unlikely that this is ever going to be a concern. So I'll leave them off for now, and put them back on when I get ready to move, in case there's an extended outage.

Meanwhile, my hard drive is spinning a lot less, and is thus much quieter.

The spam continues

Since Sunday morning, mod_security has blocked 816 attempts to post spam content in the comments on this web site. Two of those have happened while I was typing this note. Additionally, I've received about 20 or 30 apparent "test" messages, where people posted harmless, but off-topic, nonsense, apparently in attempts to see if comments were enabled, or working, or if their address was blocked.

Almost all of these attempts were on the same small handful of topics (a card game and a diet pill) although there were also plenty for other topics like financial advice of one variety or another.

Are other people getting assaulted to this same degree? It continues to amaze me the enormous amount of time and money we spend combatting this kind of unethical behavior, which is all done in the name of the Great God Capitalism.

Come on, folks. Cut it out. It's just annoying, and it is theft of services to advertise your product on my website, so it's probably illegal. If you want to advertise on my website, just send me a cheque, ok?

More blogspam filter rules

Because spammers are dumb, they keep trying the same thing over and over. But they tend to slightly vary from day to day. If you're using mod_security to block them, you might like to occasionally look at my blogspam_rules.txt file that I'm Includeing into my vhost configs, updating it each time there's a new attack mounted. It appears that the attack du jour is debt consolidation.

Comment spammers are dumb

Over the last 48 hours or so, I've gotten upwards of 400 identical comments on my blog. Fortunately, comment spammers are really really stupid, so they were all identical.

I've got mod_security installed. I put the following block into my vhost block:

<LocationMatch comment>
SecFilterEngine On
SecFilterScanPOST On
SecAuditLog /dev/null
SecFilterDefaultAction "deny,log,status:402"
SecFilter "your[[:space:]]fat[[:space:]]ass"
SecFilter "poker"
SecFilter "phentermine"
SecFilter "craps strategy"
SecFilter "seend a card"
</LocationMatch>

This has blocked all attempts in the last 10 hours or so. And, when they change their tactics, you can alter the rules appropriately.
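
An added example (not from the original post) for trying rules like these against sample comments offline before putting them in a vhost. It assumes each SecFilter pattern is applied as a case-insensitive regular expression to the decoded comment text; the function names and the sample comments are constructed for illustration.

```shell
#!/bin/sh
# Offline approximation of the SecFilter keyword rules shown above.
# Assumption: patterns are case-insensitive regexes matched per line of the
# decoded comment text; real mod_security also scans the request line.

# The rule lines, copied from the vhost block in the post.
RULES='SecFilter "your[[:space:]]fat[[:space:]]ass"
SecFilter "poker"
SecFilter "phentermine"
SecFilter "craps strategy"
SecFilter "seend a card"'

# Print one regex per line: the text between the quotes of each SecFilter.
rule_patterns() {
    printf '%s\n' "$RULES" | sed -n 's/^SecFilter "\(.*\)"$/\1/p'
}

# check_comment TEXT
# Returns 0 (would be denied) and sets MATCHED to the first matching pattern,
# or returns 1 (would pass) with MATCHED empty.
check_comment() {
    MATCHED=''
    while IFS= read -r pat; do
        if printf '%s\n' "$1" | grep -Eiq -- "$pat"; then
            MATCHED=$pat
            return 0
        fi
    done <<EOF
$(rule_patterns)
EOF
    return 1
}

# Constructed sample comments (not real traffic).
report() {
    for c in "Cheap PHENTERMINE online" \
             "Best craps strategy here" \
             "We played poker at the conference" \
             "Nice post, thanks"; do
        if check_comment "$c"; then
            printf 'deny  %-14s <- %s\n' "$MATCHED" "$c"
        else
            printf 'allow %-14s <- %s\n' '-' "$c"
        fi
    done
}
report
```

The third sample is denied as well: a bare keyword such as "poker" also rejects legitimate comments that mention the word, which is worth checking before adding a new rule.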

Hey, watch this!

I had a teflon tape moment (to borrow a metaphor from MJD) recently in discovering the watch command.

You know how you run the same command repeatedly, trying to see if it changed? Like ls -la file.name to see when it's done downloading, or ps ax | grep foo to see if a particular process has terminated, or whatever. Well, turns out that the watch command does exactly that:

watch -n 10 ls -la file.name

Now, either you were already aware of that, and have been using it for years, or it's a completely new thing to you, and you'll wonder why you never knew about it. Like teflon tape.

I now use this command several times a day, and can't imagine how I put up with all that extra typing before. Right now, I'm using it to watch my firewall ruleset change as the spam pours in. The spammers seem extra busy this week.

