AngryPets Blog

ReverseDOS: Past, Present, Future


When I first created ReverseDOS I was really hoping that I'd be able to 'trap' spammers and other miscreants with a slow stream of bits that would bring their vile clients to their knees. 

That was a cool fantasy. Spammers, obviously, weren't dumb enough to wait around for a complete HTTP response, let alone a slow stream of bits designed to 'DOS' their spambots. But the detection algorithms were simple, and worked amazingly well.

Bloggers using Community Server and .Text have already seen great results:
Chris Frazier saw it remove his comment spam problems in a jiffy.
David Hayden also saw it destroy his problems with referrer spam.
(And I saw it destroy my referrer spam problem too.)

Some unexpected benefits:
Because ReverseDOS was built as a framework, it's quite flexible. I never anticipated turning it against CommentAPI spam, or against TrackBack spam, but it will work fine against both.

Some room for growth, and the coming arms race:
_If_ word gets out, and _if_ people begin to use ReverseDOS, it will put a major dent in comment, referrer, and trackback spam. But if that happens, spammers aren't likely to roll over and play dead. I expect to see spammers regroup, and launch newer, nastier attacks. In other words, I expect an arms race. In fact David Hayden has already seen hints of that on his site - he reported seeing referrer spammers change their referrals to trackbacks after he blocked them from referring on his site.

Now the good news is that ReverseDOS can handle trackback spam, but it may be a bit clunky (because trackbacks can be done as either POST or GET -- so you'll need two filter definitions for ReverseDOS to catch them: a querystring filter and a post filter). And that clunkiness got me thinking: if ReverseDOS is going to be able to compete in an 'arms race' with spammers, it needs to be very easy to configure. So I've decided to begin work on version 1.2 as soon as I can.

I'll announce the details of version 1.2 shortly, but for now the main point to get across is that functionality will still be very similar to what it is now, but a greater focus will be placed on making filters much more powerful (as well as letting them work in tandem towards an overall threshold/rating), and making them much easier to manage and configure.

 


posted on Friday, June 24, 2005 9:28 PM
 

Existing Comments:

# re: ReverseDOS: Past, Present, Future - Posted: 6/28/2005 1:14 AM - By: Jay
   Good job on this little utility :) This works 90% of the time, but now I see spam coming with nothing to filter on... but this is not the majority.

Btw, your filter has a little problem with the InputStream that is not reset to zero when checking the post data. Only the first post filter is tested :)

-- Jay


# re: ReverseDOS: Past, Present, Future - Posted: 6/28/2005 10:16 AM - By: Michael K. Campbell
   Thanks for the compliments. I'm curious about your spam that arrives with nothing to filter against. ReverseDOS should be able to handle it - everything 'posted' to your site ends up being either a POST or a GET and is scan-able, so there should be a way to block it.

Thanks for the heads-up/confirmation on the POST filter bug. The fix for that will be part of the upcoming release...

(then I'm taking my CAPTCHA offline...)


# re: ReverseDOS: Past, Present, Future - Posted: 6/28/2005 3:32 PM - By: Jay
   By nothing, I don't mean that there is nothing to filter, I just mean that the content is too general and does not contain enough "spam" material... Maybe I'll try to filter on the number of links inside of it.

Here is an example :

--- Sample Begin ---
Sender: doorway
Url: http://realestate.anotheruniversesucks.org/wjog3f7j/
IP Address: 65.114.243.167
=====================================
re:
curlingsteadyvideotapes
--- Sample End ---

That's it.

With this kind of spam... this is getting hard to filter. Maybe with realestate :)


# re: ReverseDOS: Past, Present, Future - Posted: 6/28/2005 3:44 PM - By: Michael K. Campbell
   Ahhhh, I've got you now. Yeah, that kind of spam sucks.
Scott Mitchell blocks that kind of spam by limiting the number of hrefs allowable per post: http://scottonwriting.net/sowblog/posts/3083.aspx (though he's not using ReverseDOS - yet >:P )

The next release of ReverseDOS will change the way that Regex filters work, and EACH match of a given regex pattern will help boost the 'suspect' nature of any action taken against the site - if the action (post/get) crosses a pre-defined threshold, the action is denied. Here's a sneak peek of how this would be addressed in the upcoming version:

<add type="commentspam" pattern="href=" isRegex="true" />

The other option, of course, is just to BLOCK the entire site, or any offending site. That's obviously a bit of work to keep up with, but from what I've seen, there are only a few sites (currently) doing the majority of the spam... nuke them, nuke most of the problem.
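
The per-match scoring and threshold described in this thread, together with the POST-body bug Jay reports and the GET-or-POST trackback case from the post, sketched as an added example that is not ReverseDOS code or anything written by the thread's participants. It is Python rather than .NET, with io.BytesIO standing in for the request's InputStream; the filter weights, the threshold of 5 and the sample request are assumptions constructed for illustration.

```python
import io
import re
from urllib.parse import unquote_plus

# Hypothetical weighted filters: (pattern, points added per match).
FILTERS = [
    (re.compile(r"href\s*=", re.I), 2),
    (re.compile(r"https?://", re.I), 1),
]
THRESHOLD = 5  # assumed cut-off: a score at or above this denies the request

# Constructed sample: a form-encoded trackback carrying two links.
SPAM = (b"title=re%3A&excerpt=%3Ca+href%3D%22http%3A%2F%2Fa.example%2F%22%3Ex"
        b"%3C%2Fa%3E+%3Ca+href%3D%22http%3A%2F%2Fb.example%2F%22%3Ey%3C%2Fa%3E")


def score_text(text):
    """Every match of every filter adds that filter's points."""
    return sum(points * len(rx.findall(text)) for rx, points in FILTERS)


def score_naive(stream):
    """Buggy variant: each filter re-reads the body without rewinding,
    so only the first filter ever sees any data."""
    total = 0
    for rx, points in FILTERS:
        text = unquote_plus(stream.read().decode("utf-8", "replace"))
        total += points * len(rx.findall(text))
    return total


def score_request(query_string, stream):
    """Read the body once from position 0, then scan query string and body
    together so GET and POST trackbacks share one filter set."""
    stream.seek(0)                      # an earlier reader may have consumed it
    body = stream.read().decode("utf-8", "replace")
    stream.seek(0)                      # leave it readable for the application
    return score_text(unquote_plus(query_string) + "\n" + unquote_plus(body))


def is_denied(query_string, stream):
    return score_request(query_string, stream) >= THRESHOLD


if __name__ == "__main__":
    print("naive:", score_naive(io.BytesIO(SPAM)))          # under threshold
    print("fixed:", score_request("", io.BytesIO(SPAM)))    # over threshold
    print("as GET:", is_denied(SPAM.decode(), io.BytesIO(b"")))
```

With the un-rewound stream the second filter scores nothing, so the same request stays under the threshold and passes; reading the body once from position 0 restores the full score.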


# ReverseDOS 2.0 - Feature Complete - Posted: 7/8/2005 12:56 AM - By: AngryPets.com :: Blog
   


