
Fighting Spam on RIPE Labs

Mirjam Kühne — Dec 2009
When I returned to work after Christmas, I found a lot of activity in the forums on the RIPE Labs site.

Finally some more participation, I thought! But unfortunately I had to discover that all of it was spam.

Someone had spammed RIPE Labs massively by creating numerous new forum topics filled with advertisements. This was done through a whole list of bogus user accounts that were created on RIPE Labs. I immediately blocked all those users (most likely created by a robot) and deleted the forum topics. However, I was worried that those users who subscribed to the RSS feeds of the forums would have received all that spam in their mailboxes.

Of course, all that happened while all the technical web site administrators were on holidays...

I decided to take a drastic measure and change the registration page such that it requires an administrator's approval. This is against the idea of openness on RIPE Labs, but I thought this was better than risking annoying all the legitimate users on RIPE Labs by spamming them.

After closing the registration page, the detective work started (thanks to my colleagues who jumped in to help):

We tracked down the spamming to a list of 438 source IP addresses. It looks like our spammer has a lot of spammer-friends, has a list of open proxies he's using, or rented a sliver of a botnet to mask his activities. Using our REX tool and its backend database INRDB we figured out there was no obvious connection between these addresses from 47 different countries. We found 250 of the source IP addresses are on the http://www.stopforumspam.com/ forum-spam blacklist, which is not (yet!) incorporated into REX.
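The cross-check described above, sketched as an added example (not RIPE Labs' own tooling or code from the original post): it pulls the source addresses of registration requests out of a web-server log and splits them into blocklisted and unlisted sets. The log format, the `/register` path, the blocklist file layout and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed access-log lines; the /register path and the RFC 5737 addresses are assumptions.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Dec/2009:03:12:01 +0100] "POST /register HTTP/1.1" 302 512
192.0.2.10 - - [28/Dec/2009:03:12:09 +0100] "POST /register HTTP/1.1" 302 512
198.51.100.7 - - [28/Dec/2009:03:13:44 +0100] "POST /register HTTP/1.1" 302 512
203.0.113.25 - - [28/Dec/2009:09:02:10 +0100] "GET /forums HTTP/1.1" 200 8841
203.0.113.99 - - [28/Dec/2009:09:05:31 +0100] "POST /register HTTP/1.1" 302 512
not a log line
"""
# Constructed blocklist: one address or CIDR prefix per line, '#' starts a comment.
SAMPLE_BLOCKLIST = "# constructed entries\n192.0.2.10\n198.51.100.0/24\n"

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def load_blocklist(text):
    """Parse blocklist text into ip_network objects, skipping malformed entries."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        try:
            if entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # not an address or prefix
    return nets

def registration_sources(log_text, path="/register"):
    """Count registration POSTs per source address; unparsable lines are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3) == path:
            try:
                hits[ipaddress.ip_address(m.group(1))] += 1
            except ValueError:
                pass  # first field was not an IP address
    return hits

def triage(log_text, blocklist_text):
    """Split registration sources into blocklisted and unlisted addresses."""
    nets = load_blocklist(blocklist_text)
    hits = registration_sources(log_text)
    listed = {ip for ip in hits if any(ip in n for n in nets)}
    return {"sources": len(hits), "listed": sorted(map(str, listed)),
            "unlisted": sorted(str(ip) for ip in hits if ip not in listed)}
```

The unlisted addresses are the ones that still need manual review, since a blocklist match only covers sources that have already been reported elsewhere.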

As a next step we will look at improving the security on the registration page and possibly installing an anti-spam module on RIPE Labs (we will still have to investigate whether that module would have caught the recent spammer).

Until we can be reasonably sure that we have blocked this particular spammer and can prevent similar cases from happening in the future, I am afraid we will have to moderate user registrations. Since this is done manually, it means that approval can take a day or two depending on the time of day.

Sorry for this inconvenience and thanks for your understanding.

 
