avh-first-defense-against-spam's Introduction

avh-first-defense-against-spam's People

Contributors

petervanderdoes

avh-first-defense-against-spam's Issues

Take into account the frequency of usernames and emails when a visitor attempts to post a comment

AVH stops the majority of spam on my blogs. However, what I've been noticing as of late is that all the spam comments that make it through AVH have used new IPs that haven't been blacklisted yet but have used usernames and/or email addresses that appear multiple times on one or more blacklists.

In one case, a spammer that managed to get through AVH on my blogs used a username that appeared 32 times in one blacklist alone, but because the IP he used was "fresh", he managed to get his comment through to moderation.

Another spammer that got through used a username that appeared 3 times, in combination with an email address that appeared 6 times, both within the same blacklist. But since the IP used during the spam attempt was fresh and unblacklisted, the spammer still got through.

It would be great if you'd consider adding an option to AVH that enables it to take into account the frequency of usernames and emails on a blacklist when a visitor attempts to post a comment.
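A sketch of the check requested in the issue above, as an added example that is not AVH code and not part of the original post. The `Policy` and `evaluate` names and every threshold are assumptions; the counts would come from whatever blacklist lookup is already in use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Hypothetical thresholds (not AVH settings); tune against your own queue.
    ip_min: int = 1         # a listed IP blocks on its own, as today
    email_min: int = 10     # an address listed this often blocks on its own
    username_min: int = 20  # usernames collide ("admin", "John"): higher bar
    combined_min: int = 2   # username AND email each listed at least this often


def evaluate(counts, policy=Policy()):
    """Return (verdict, reasons) for one comment attempt.

    counts maps "ip", "username" and "email" to how many times that value
    appears on the blacklist; a missing key or 0 means "not listed".
    """
    ip = counts.get("ip", 0)
    user = counts.get("username", 0)
    email = counts.get("email", 0)

    reasons = []
    if ip >= policy.ip_min:
        reasons.append(f"ip listed {ip}x")
    if email >= policy.email_min:
        reasons.append(f"email listed {email}x")
    if user >= policy.username_min:
        reasons.append(f"username listed {user}x")
    # Neither field is damning alone, but both being listed is a strong signal.
    if not reasons and min(user, email) >= policy.combined_min:
        reasons.append(f"username {user}x and email {email}x")
    return ("block" if reasons else "pass"), reasons


# Constructed lookup results; the first two mirror the cases in the issue.
SAMPLES = {
    "fresh IP, username seen 32 times": {"ip": 0, "username": 32, "email": 0},
    "fresh IP, username 3 + email 6": {"ip": 0, "username": 3, "email": 6},
    "fresh IP, common username only": {"ip": 0, "username": 4, "email": 0},
    "listed IP, nothing else": {"ip": 1},
}

if __name__ == "__main__":
    for label, counts in SAMPLES.items():
        print(label, "->", evaluate(counts))
```

The third sample shows why the username bar is set higher than the email bar: a common name with a handful of listings and no other signal passes instead of producing a false positive.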

CBL blacklist database used against its provider recommendation

AVH is commonly used for blocking access from IPs to web pages, and it uses (among others) the Spamhaus XBL database. That database contains IPs from the CBL; however, the provider of that database (http://cbl.abuseat.org) clearly states that "The CBL is intended to be used only on inbound email from the Internet.
If you are being blocked from IRC, Chat, web sites, web email interfaces (eg: you're using Internet Explorer or Firefox to send email) or anything other than basic email with a mail reader like Exchange, Thunderbird etc, the provider of this service is using the CBL against our recommendations. Contact the provider and refer them to http://cbl.abuseat.org/tandc.html and refer them to item 2 and 7."
The above-mentioned item 7 reads:
"If, in spite of 3, 4, 5 or 6 above you still want to use the CBL in an unsupported fashion (eg: block blog, web, IRC access, block on full received line traverse, derive other blocking heuristics, or block MSA submissions), you must take full responsibility yourself for the decision.
This means that you must remove all mention of the CBL (or Spamhaus) from any error messages or communications the user may see, and direct all support questions to your own support infrastructure."
Item 3, referred to in the above text, reads:
"If you want to use the CBL to block protocols other than SMTP on port 25 (ie: IRC), realize this is officially UNSUPPORTED by the CBL team.
We appreciate that this is a useful thing to do, but you MUST NOT mention the CBL as being the source of a block and you should be prepared to provide "first contact" assistance for users encountering a block and potentially whitelisting on your service.
It should be absolutely clear that there will be a potentially large number of affected users who, through no fault of their own, will NOT be able to delist due to NAT, dynamic IPs, or other similar issues. Anyone using the CBL for blocking IRC, blog comments or whatever needs to know that they will get collateral damage and they will either have to manage that themselves with whitelisting or live with it."

I would like to inform you that an attempt to browse the page http://blog.earth-works.com/category/linux/centos-linux/ has given the following result:
"Access has been blocked.
Your IP [x.x.x.x] is found at Spamhaus .
If you feel this is incorrect please contact them.

Protected by: AVH First Defense Against Spam" (true IP has been replaced by x.x.x.x).

A subsequent check for the IP in question at Spamhaus returned the information that this IP isn't listed in any of their databases except the CBL.

Since the terms and conditions for using the CBL begin with the clause:
"You are given permission to use the CBL as long as it complies with these guidelines. Violation of this may result in revoking permission for you using the CBL.
WARNING: All of the restrictions documented in these terms and conditions apply equally to using the CBL portion of the XBL, SBL-XBL and Zen from Spamhaus. Note that the PBL has similar technical restrictions."
the logic programmed into your plugin is clearly against the requirements of the provider of the database.

I would suggest that you reconsider the use of the Spamhaus XBL database in your plugin, or include in its description a very clear warning that use of that plugin violates the terms and conditions of using the CBL.

W.Rakoczy
