Comments on: Stop the Topsites Spam!

By: wattaman

wattaman — Sat, 07 Jun 2008 09:57:16 +0000

Doesn’t work for me. Neither blocking or redirecting to a custom page or URL.
I’m using the .htaccess from the top pf the page, not the one in the .zip.
Is it possible that it could be due to server’s configuration? I know they don’t allow php code (for example) in the .htaccess file.
Anyway, the biggest spammer of mine (sevgibar.com/soft.php) still displays my button and not the redirected page.

By: Die Green

Die Green — Sat, 19 Apr 2008 21:30:24 +0000

Well my hosting has hotlink protection.. it’s been set-up already w/ some of the big spammers.. this is how my hotlink protection list looks like.. (all set-up by host =] no spam!)

^http(s)?://(www\.)?aklimdasin.net
^http(s)?://(www\.)?almanyachat.com
^http(s)?://(www\.)?altdudak.com
^http(s)?://(www\.)?anonym.to
^http(s)?://(www\.)?ara-bul.org
^http(s)?://(www\.)?arkadasohbet.com
^http(s)?://(www\.)?asksokagi.net
^http(s)?://(www\.)?askyeri.net
^http(s)?://(www\.)?astroloji.ws
^http(s)?://(www\.)?bahisci.net
^http(s)?://(www\.)?baysohbet.com
^http(s)?://(www\.)?bedava.mirctr.org
^http(s)?://(www\.)?bedavasohbet.org
^http(s)?://(www\.)?bizimmekan.com
^http(s)?://(www\.)?bizimonline.com
^http(s)?://(www\.)?cafeyurt.com
^http(s)?://(www\.)?cetsohbet.com
^http(s)?://(www\.)?chatchat.gen.tr
^http(s)?://(www\.)?dominacja.najlepsze.net
^http(s)?://(www\.)?dost-chat.com
^http(s)?://(www\.)?e-iklan.net
^http(s)?://(www\.)?egecafe.com
^http(s)?://(www\.)?elmaliseker.net
^http(s)?://(www\.)?foxchat.org
^http(s)?://(www\.)?freehitwebcounters.com
^http(s)?://(www\.)?galatasaray.gen.tr
^http(s)?://(www\.)?geceninrengi.net
^http(s)?://(www\.)?gulum.net
^http(s)?://(www\.)?hadigel.net
^http(s)?://(www\.)?iddaamac.com
^http(s)?://(www\.)?ircstar.net
^http(s)?://(www\.)?itirafsitesi.com
^http(s)?://(www\.)?kacaksohbet.net
^http(s)?://(www\.)?kadersizim.com
^http(s)?://(www\.)?kardelen.gen.tr
^http(s)?://(www\.)?kayip.com
^http(s)?://(www\.)?kodes.com
^http(s)?://(www\.)?kralgazete.com
^http(s)?://(www\.)?kurtlarvadisiteror.org
^http(s)?://(www\.)?kvteror.com
^http(s)?://(www\.)?kvteror.net
^http(s)?://(www\.)?liseliguzeller.net
^http(s)?://(www\.)?meyilli.com
^http(s)?://(www\.)?mirc-irc.com
^http(s)?://(www\.)?mirc.gen.tr
^http(s)?://(www\.)?mircarsivi.com
^http(s)?://(www\.)?mirchit.net
^http(s)?://(www\.)?mircland.com
^http(s)?://(www\.)?mirctr.org
^http(s)?://(www\.)?mircturk.gen.tr
^http(s)?://(www\.)?mircyukle.org
^http(s)?://(www\.)?moviesmammoth.blogspot.com
^http(s)?://(www\.)?musiqueray.org
^http(s)?://(www\.)?myuitm.com
^http(s)?://(www\.)?nazlimcafe.com
^http(s)?://(www\.)?netlek.com
^http(s)?://(www\.)?oyunyolu.net
^http(s)?://(www\.)?pcforumlari.com
^http(s)?://(www\.)?pornolar.org
^http(s)?://(www\.)?radyo.mircturkey.com
^http(s)?://(www\.)?rockdays.net
^http(s)?://(www\.)?sevelim.com
^http(s)?://(www\.)?site.name.tr
^http(s)?://(www\.)?sohbet.gen.tr
^http(s)?://(www\.)?sohbet.kenthaber.com
^http(s)?://(www\.)?sohbet.org
^http(s)?://(www\.)?sohbet.sevgi.net
^http(s)?://(www\.)?sohbet24.net
^http(s)?://(www\.)?sohbet27.com
^http(s)?://(www\.)?sohbet27.net
^http(s)?://(www\.)?sohbet35.org
^http(s)?://(www\.)?sohbetani.com
^http(s)?://(www\.)?sohbetara.com
^http(s)?://(www\.)?sohbetbol.net
^http(s)?://(www\.)?sohbetcafe.com
^http(s)?://(www\.)?sohbetchat.tc
^http(s)?://(www\.)?sohbetedin.net
^http(s)?://(www\.)?sohbetyap.com
^http(s)?://(www\.)?soyle.net
^http(s)?://(www\.)?the-cloak.com
^http(s)?://(www\.)?topsohbet.com
^http(s)?://(www\.)?tr.cc
^http(s)?://(www\.)?trsohbet.com
^http(s)?://(www\.)?tsohbet.com
^http(s)?://(www\.)?turk-sohbet.org
^http(s)?://(www\.)?turkbul.org
^http(s)?://(www\.)?turkmirc.com
^http(s)?://(www\.)?turkmuhabbet.com
^http(s)?://(www\.)?webalem.net
^http(s)?://(www\.)?yapma.net
^http(s)?://(www\.)?yuzukchat.net

P.S.
your spam protection for comment is really good.. it took me 5.4 seconds to figure out ^^

By: Will.Spencer

Will.Spencer — Sun, 24 Feb 2008 10:54:58 +0000

Here’s a better .htaccess file to block traffic from Turkey.

order allow,deny
deny from 62.29.0.0/17
deny from 62.68.192.0/19
deny from 62.85.128.0/19
deny from 62.108.64.0/19
deny from 62.113.0.0/19
deny from 62.201.192.0/18
deny from 62.244.192.0/18
deny from 62.248.0.0/17
deny from 77.67.128.0/17
deny from 77.72.184.0/21
deny from 77.73.216.0/21
deny from 77.75.32.0/21
deny from 77.75.216.0/21
deny from 77.79.64.0/18
deny from 77.92.0.0/19
deny from 77.92.96.0/19
deny from 77.92.128.0/19
deny from 77.223.128.0/19
deny from 77.245.144.0/20
deny from 78.135.0.0/17
deny from 78.160.0.0/11
deny from 80.71.128.0/20
deny from 80.87.48.0/20
deny from 80.93.208.0/20
deny from 80.245.80.0/20
deny from 80.251.0.0/20
deny from 80.251.32.0/20
deny from 81.6.64.0/18
deny from 81.8.0.0/17
deny from 81.21.160.0/20
deny from 81.22.96.0/20
deny from 81.91.16.0/20
deny from 81.91.112.0/20
deny from 81.212.0.0/14
deny from 82.145.224.0/19
deny from 82.151.128.0/19
deny from 82.222.0.0/16
deny from 83.66.0.0/16
deny from 84.17.64.0/19
deny from 84.44.0.0/17
deny from 84.51.0.0/18
deny from 85.29.0.0/18
deny from 85.96.0.0/12
deny from 85.119.32.0/21
deny from 85.119.64.0/21
deny from 85.153.0.0/16
deny from 85.158.96.0/21
deny from 85.159.64.0/21
deny from 85.159.72.0/21
deny from 85.235.64.0/19
deny from 86.108.128.0/17
deny from 87.236.96.0/21
deny from 87.251.0.0/19
deny from 88.151.232.0/21
deny from 88.224.0.0/11
deny from 89.19.0.0/19
deny from 89.106.0.0/19
deny from 89.252.128.0/18
deny from 90.158.0.0/15
deny from 91.93.0.0/16
deny from 91.102.160.0/21
deny from 91.151.80.0/20
deny from 91.188.192.0/18
deny from 91.191.160.0/20
deny from 193.0.61.0/24
deny from 193.23.156.0/24
deny from 193.25.124.0/23
deny from 193.34.132.0/23
deny from 193.36.0.0/24
deny from 193.36.184.0/24
deny from 193.37.135.0/24
deny from 193.37.154.0/24
deny from 193.41.2.0/23
deny from 193.42.216.0/24
deny from 193.58.236.0/24
deny from 193.108.213.0/24
deny from 193.110.170.0/23
deny from 193.110.208.0/21
deny from 193.138.30.0/24
deny from 193.140.0.0/16
deny from 193.143.226.0/24
deny from 193.150.165.0/24
deny from 193.164.9.0/24
deny from 193.188.198.0/23
deny from 193.189.142.0/24
deny from 193.192.96.0/19
deny from 193.200.134.0/24
deny from 193.200.170.0/24
deny from 193.200.180.0/24
deny from 193.200.188.0/24
deny from 193.201.128.0/22
deny from 193.201.149.192/26
deny from 193.201.157.0/25
deny from 193.202.18.0/24
deny from 193.202.120.0/24
deny from 193.218.113.0/24
deny from 193.218.200.0/24
deny from 193.223.76.0/24
deny from 193.243.192.0/19
deny from 193.254.228.0/23
deny from 193.254.252.0/23
deny from 193.255.0.0/16
deny from 194.0.130.0/24
deny from 194.0.142.0/24
deny from 194.0.178.0/24
deny from 194.0.202.0/24
deny from 194.9.174.0/24
deny from 194.24.168.0/23
deny from 194.24.224.0/23
deny from 194.27.0.0/16
deny from 194.29.208.0/21
deny from 194.36.160.0/24
deny from 194.50.84.0/24
deny from 194.50.179.0/24
deny from 194.54.32.0/19
deny from 194.60.73.0/24
deny from 194.69.206.0/24
deny from 194.110.150.0/24
deny from 194.110.213.0/24
deny from 194.125.232.0/22
deny from 194.126.230.0/24
deny from 194.140.227.0/24
deny from 194.169.253.0/24
deny from 194.242.32.0/24
deny from 195.8.109.0/24
deny from 195.14.19.0/24
deny from 195.33.192.0/18
deny from 195.39.224.0/23
deny from 195.46.128.0/19
deny from 195.49.216.0/21
deny from 195.85.242.0/24
deny from 195.85.255.0/24
deny from 195.87.0.0/16
deny from 195.95.149.0/24
deny from 195.95.160.0/24
deny from 195.95.179.0/24
deny from 195.112.128.0/19
deny from 195.114.108.0/23
deny from 195.128.32.0/21
deny from 195.128.254.0/23
deny from 195.137.222.0/23
deny from 195.138.222.0/24
deny from 195.140.196.0/22
deny from 195.142.0.0/16
deny from 195.149.85.0/24
deny from 195.149.116.0/24
deny from 195.155.0.0/16
deny from 195.174.0.0/16
deny from 195.175.0.0/16
deny from 195.177.206.0/23
deny from 195.177.230.0/23
deny from 195.182.25.0/24
deny from 195.200.222.0/24
deny from 195.214.128.0/18
deny from 195.234.52.0/24
deny from 195.234.165.0/24
deny from 195.242.122.0/23
deny from 195.244.32.0/19
deny from 195.245.227.0/24
deny from 212.2.192.0/19
deny from 212.12.128.0/19
deny from 212.15.0.0/19
deny from 212.29.64.0/18
deny from 212.31.0.0/19
deny from 212.48.224.0/19
deny from 212.50.32.0/19
deny from 212.57.0.0/19
deny from 212.58.0.0/19
deny from 212.64.192.0/19
deny from 212.65.128.0/19
deny from 212.79.96.0/19
deny from 212.98.0.0/19
deny from 212.98.192.0/18
deny from 212.101.96.0/19
deny from 212.108.128.0/19
deny from 212.109.96.0/19
deny from 212.109.224.0/19
deny from 212.115.0.0/19
deny from 212.125.0.0/19
deny from 212.127.96.0/19
deny from 212.133.128.0/17
deny from 212.146.128.0/17
deny from 212.154.0.0/17
deny from 212.156.0.0/16
deny from 212.174.0.0/16
deny from 212.175.0.0/16
deny from 212.252.0.0/16
deny from 212.253.0.0/16
deny from 213.14.0.0/16
deny from 213.43.0.0/16
deny from 213.74.0.0/16
deny from 213.138.0.0/19
deny from 213.139.192.0/19
deny from 213.139.224.0/19
deny from 213.143.224.0/19
deny from 213.144.96.0/19
deny from 213.148.64.0/19
deny from 213.153.128.0/19
deny from 213.153.160.0/19
deny from 213.153.192.0/18
deny from 213.155.96.0/19
deny from 213.159.32.0/19
deny from 213.161.128.0/19
deny from 213.186.128.0/19
deny from 213.194.64.0/18
deny from 213.202.0.0/19
deny from 213.204.64.0/18
deny from 213.232.0.0/18
deny from 213.236.32.0/19
deny from 213.238.128.0/18
deny from 213.243.0.0/19
deny from 213.243.32.0/19
deny from 213.248.128.0/18
deny from 213.254.128.0/19
deny from 217.17.144.0/20
deny from 217.31.224.0/20
deny from 217.31.240.0/20
deny from 217.64.144.0/20
deny from 217.64.208.0/20
deny from 217.68.208.0/20
deny from 217.131.0.0/16
deny from 217.169.192.0/20
deny from 217.174.32.0/20
deny from 217.195.192.0/20
allow from all

By: Will Spencer

Will Spencer — Wed, 30 Jan 2008 01:49:27 +0000

I took down Aardvark Topsites. I don’t want to waste the precious moments of my life dealing with these morons.

I’ve replaced button.php with this photo from the Armenian Genocide: http://www.armeniangenocide.com/photos/data/504/medium/armenian_genocide.jpg

By: Erika

Erika — Sat, 26 Jan 2008 15:56:44 +0000

I forgot to say that I added these to my htaccess file:
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?gazeteler.tv/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?canlitv.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?trsohbet.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?oyunlar1.gen.tr/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?plazacentre.net/.*$ [NC,OR]

By: Erika

Erika — Sat, 26 Jan 2008 15:54:56 +0000

I just added this code to my topsites folder … how long does it take to work? I am still not able to access my website… my server said I was getting over 100 people at my site at one time and it was overloading them…. thanks to the spammers =o( Does this take time to work? Also, is this something I should to do my main folder of my site?
I am new to this spamming business and I have such a headache from it. Thanks for putting this up!

By: Rob

Rob — Tue, 22 Jan 2008 21:11:55 +0000

I’m getting a ton from trsohbet.com - might want to add that to your list. thanks for the .htaccess thing

By: youtube

youtube — Fri, 14 Dec 2007 06:47:21 +0000

Matthieu de Groot, first try to upgrade the topsite to the latest version (v.5.2.0). It has a lot of improvements and has better spam protection.

By: Storage

Storage — Thu, 13 Dec 2007 10:36:32 +0000

Nice ,any one tell me how can I find this type blog.

By: spam_hater

spam_hater — Thu, 22 Nov 2007 15:12:59 +0000

I would also suggest for who don’t use any special capabilities of Apache or even if you have to use Apache, to try Lighttpd.

http://www.lighttpd.net/

It is much much leaner than Apache, uses much less memory and faster.
Where our site will become completely unresponsive under the spam attack while using Apache, with Lighttpd it just slows down a little, with around 220meg of RAM used total, and that’s under heavy load.

By: spam_hater

spam_hater — Tue, 09 Oct 2007 03:38:22 +0000

Hello all,

Yes, I found out since that my iptables blacklisting was too broad. I have started using the Geoip database of IP addresses mapped to countries and can selectively block the offending networks and/or countries.

http://www.maxmind.com/app/geoip_country

There is a module for Apache that can help with that, but without iptables it isn’t pariculary helpfull. The module is called mod_geoip.

http://www.maxmind.com/app/mod_geoip

What I have done is blacklisted the bad or unimportant to our site countries (we primarily serve Russian/Ukrainian content) using mod_geoip for Apache. Although mod_geoip denies access to your site, a lot of processing power is still used up reading and then denying the bad requests. mod_geoip reports each denied request in the error_log file. I am using that information to block the IPs. I scan the error_log file for “denied” error messages and extract the IP address from each and blacklist it using iptables. In my situation the resourses (memory) are very limited so I cannot always blacklist per IP address, since iptables runs out of memory at around 1000 entries. So I blacklist networks but make sure it’s not too broad. In my previous post I had selected a huge IP ranges to blacklist (88.0.0.0/8) which effectively blocks all requests starting with 88. Right now I do 88.101.0.0/16 blacklisting which is a much finer selection (it will block IPs starting with 88.101). Also, I clear the blacklist every 6 hours or so and start over. If there are a lot of spam request coming in, it slows them down considerably in about 5-10 minutes after restarting/flashing iptables.

You can also scan whatever the main log file for your domain is for keywords, like sohbet etc. and extract the IP address from each of those lines and blacklist it. So, if you are receiving a lot of spam traffic, monitor your log file for a while, find out who the offending referrer is and start blacklisting each IP or network ( — for example: 88.101.22.53/16 will blacklist all 88.101.x.x IPs, if you want even finer selection, do ip/24 blacklisting, with will blacklist all 88.101.22.x ips but from my experience its not very effective) coming in from that referrer.

EXAMPLE LOG LINE:

82.236.215.32 - - [08/Oct/2007:12:55:59 -0500] “GET /top/button.php?id=1149 HTTP/1.1″ 200 38 “http://www.5sohbet.net/s1/89.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; winfx; .NET CLR 1.1.4322)”

So, in Linux/Unix do:

cat mylogfile.log | grep sohbet | awk ‘{print $1}’

which will print out the IPs.

Of course, it all depends on the format of your log file and if you know Unix/Linux at all you will figure it out.

I do not use the above commands to extract the IPs, it’s just an example. I wrote my own script that scans the logs continually and updates the iptables.

And to Turkish people — we do not hate Turks, we just needs to find some means of protecting our servers. Although we might blacklist the entire country, it’s just our site that does it. You still have access to the rest of Internet. If we thought that Turks can read Russian and needed to access our site, we would never blacklist Turkey. We also get some spam from Russia, not as much but with our too broad block we have also blocked most of Russia (we were happy for a while that there was no load on our server and then figured out that we get almost no traffic from Russia because of our blacklist, so we had to fix that quickly).
The problem is that we cannot complain to the law authorities in Turkey or do anything legally to someone in any other country, so we have to find other means of fighting it. DDOS (Distributed Denial Of Service) attacks are very very difficult to fight so we have to do whatever we can.

Good Bless,

spam_hater

By: evden eve nakliyat

evden eve nakliyat — Sun, 07 Oct 2007 20:50:14 +0000

this is very bad…

By: kensplace

kensplace — Sun, 07 Oct 2007 11:46:40 +0000

Joost is correct, the range 80 to 91 contains more than just Turkish IP’s
Im in the UK, and my IP starts with 86.whatever

So the blocking a wide range like that will block out a lot of people from Europe….

By: Joost

Joost — Sun, 07 Oct 2007 07:25:50 +0000

spam_hater you’re blocking whole Europe. I’m from the Netherlands and I have a 8******** ip.

By: Nick Jean

Nick Jean — Sat, 29 Sep 2007 07:17:45 +0000

spam_hater i’m not sure how I can apply your solution using iptables. Can you please guide me?