Blocking Malicious Bots

Over the past few months, we’ve watched as customer sites at Birdhouse Hosting seemed to hit their monthly bandwidth allotments sooner and sooner. At a certain point, it became obvious that this could not be explained by upticks in popularity – upon closer study of awstats logs, it became apparent that a great deal of that traffic was coming from malicious bots.

And the traffic was not just attempts to post spam into weblog comment forms either – this was traffic on images, random pages, RSS feeds, PDFs, everything.

A few days ago, a new suite of ModSecurity rule management tools landed in cPanel (cPanel is the hosting platform I use to run Birdhouse). I went looking for mod_sec rules intended to curb bad bot traffic, and seem to have hit the jackpot with a rule that consults the spamhaus Malicious Bot RBL. And because it’s installed globally, it protects all of my customer sites simultaneously. Here’s the rule I used (all on one line of course):

SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
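To see what the `@rbl` operator in that rule is actually doing, here is a small offline model of the check, written for this post and not taken from ModSecurity or the CRS: it reverses the client's octets, appends the `sbl-xbl.spamhaus.org` zone, and interprets the A-record answer, then caches the verdict per IP for 86400 seconds the way the rule's `ip.spammer` / `ip.previous_rbl_check` variables with `expirevar` do. The listing and error return codes (`127.0.0.x` for a listing, `127.255.255.x` when Spamhaus rejects the query, for example from a public resolver) are taken from Spamhaus's published documentation as I recall it and should be treated as an assumption to re-check; the client addresses and the fake resolver answers are constructed so the example runs without touching the network.

```python
"""Offline model of the @rbl lookup in the ModSecurity rule above (added example)."""
import ipaddress
import socket
import time
from typing import Callable, Dict, Optional, Tuple

# Zone the rule consults (Spamhaus SBL + XBL combined list).
RBL_ZONE = "sbl-xbl.spamhaus.org"
# How long the rule remembers a verdict (expirevar:ip.spammer=86400).
CACHE_TTL = 86400

# Listing answers live in 127.0.0.0/8; error answers use 127.255.255.x.
# Assumption: codes as published by Spamhaus at the time of writing.
LISTED_PREFIX = "127.0.0."
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query came from a public/open resolver",
    "127.255.255.255": "excessive queries, blocked by Spamhaus",
}
# Never look up RFC 1918 or loopback addresses; they cannot be in a public RBL.
SKIP_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Build the DNSBL name: octets reversed, zone appended (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_resolver(name: str) -> Optional[str]:
    """Live A lookup; None (NXDOMAIN) means 'not listed'. Not used by the demo below."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_answer(answer: Optional[str]) -> Tuple[bool, str]:
    """Map a DNSBL answer to (listed?, reason). Error codes fail open, never block."""
    if answer is None:
        return False, "not listed (NXDOMAIN)"
    if answer in ERROR_CODES:
        return False, "lookup error, not treated as a match: " + ERROR_CODES[answer]
    if answer.startswith(LISTED_PREFIX):
        return True, "listed, return code " + answer
    return False, "unexpected answer " + answer + ", ignored"


class RblChecker:
    """Per-IP verdict cache mirroring ip.spammer / ip.previous_rbl_check with expirevar."""

    def __init__(self, resolver: Resolver = dns_resolver, ttl: int = CACHE_TTL):
        self.resolver = resolver
        self.ttl = ttl
        self.cache: Dict[str, Tuple[bool, float]] = {}  # ip -> (listed, expires_at)
        self.queries = 0  # counts real RBL lookups, to show the cache saving queries

    def check(self, ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in SKIP_NETWORKS):
            return False, "non-routable address, lookup skipped"
        cached = self.cache.get(ip)
        if cached and cached[1] > now:
            return cached[0], "cached verdict (previous_rbl_check still valid)"
        self.queries += 1
        listed, reason = classify_answer(self.resolver(rbl_query_name(ip)))
        # Like the rule, remember the result (even a lookup error) for the TTL.
        self.cache[ip] = (listed, now + self.ttl)
        return listed, reason


# Constructed answers standing in for the RBL so the example runs offline.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges; nothing real is implied.
FAKE_ANSWERS = {
    rbl_query_name("198.51.100.9"): "127.0.0.4",        # pretend XBL listing
    rbl_query_name("203.0.113.77"): "127.255.255.254",  # Spamhaus rejecting an open-resolver query
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    checker = RblChecker(resolver=fake_resolver)
    for client in ("198.51.100.9", "198.51.100.9", "203.0.113.77", "203.0.113.10", "10.0.0.5"):
        listed, why = checker.check(client, now=0)
        print(client, "BLOCK" if listed else "allow", "-", why)
```

The point worth taking from this: a DNSBL answer is not a plain yes/no. If your resolver is one Spamhaus refuses to serve, every query comes back with an error code rather than NXDOMAIN, and a naive "any A record means listed" check would start blocking every visitor. Treat the `127.255.255.x` answers as "lookup failed" and fail open, and keep the per-IP cache so the RBL is not queried on every request.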

Over the past 24 hours it’s blocked over 150,000 requests by bad bots to all of my customer sites. Absolutely incredible.

I’d like to thank the fine folks at spamhaus for doing what they do, and for helping to make the internet a better place – for free!

The Spamhaus Project is an international nonprofit organization whose mission is to track the Internet’s spam operations and sources, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spam and malware gangs worldwide, and to lobby governments for effective anti-spam legislation.
