SearchBliss — Sun, 07 Aug 2005 22:18:21 +0000

Good advice. I'm commenting mainly because I receive several website submissions to SearchBliss from Russian sites that also "sell flowers", but MOST of the flower selling sites are from India. What is with the flowers? Is this a cover for something else?
Anyway, I can't stand spam! - like most of us. I finally implimented a filter to delete the spams automatically. Your site is a forum and probably runs on PHP. I use ASP (NT Server), and cannot run PHP so I never bothered to learn. I'm sorry I can't help, but the above advise sounds good. Let us know how it works out.

AyntRyte — Wed, 03 Aug 2005 03:50:46 +0000

The next thing I would do is ask your host their preferred method of blocking IPs through htaccess. I say this because in my first try, I googled for some code to add to the file and hosed my site (which is why having a backup to restore is so important. htaccess mods are unforgiving in their syntax.)

Next, ftp to your server logs (ususally a level or two up from your root directory) and transfer the daily log(s) from the date that the spammer visited to your computer. Open it up (WordPad is best for this IMO) and get familiar with the columns of info. This is where the patience comes in. Log layouts differ from one host/server to next. If you're lucky, there'll be a column header at the top. One of the first columns will be the visitors' IPs. Also close by will be the column for visit time and date. It can get tricky here if your host is in a different time zone, but the important thing is being able to find the row (hit) from your spammer. Also, you said it only hits one article, so if you have that address, you should be able find it in the column that lists the page that was visited (normally near the end of the row.)

Once you determine the offending IP, copy and save it somewhere. In subsequent visits from the spammer, you can compare the IPs.

Next, transfer (ftp, always ftp) your current htaccess file in the root directory to your computer. {very important} Save a backup as another name (ie: 1.htaccess) If you hose something, delete the file on the server, upload the backup and rename it ".htaccess". (you wont really hose anything, you'll just get a 500 error)

Now, if you don't have a recommendation from your host, open the ".htaccess" (not the backup) with a text editor and add something like the following to the top of the file:

order allow,deny
deny from '203.156.187.225
allow from all

(replace the IP above with the one you isolated) Save it and ftp it to the root directory. Visit your site; if it loads, then the syntax was right. If you get an error, replace with the backup as noted above to make the site viewable again. Google "htaccess block ip", look for some samples and experiment with them.

The location you place the code may be important. I had to place mine below:

To deny a range of IPs, take the above as an example, Change it to:
203.156.187 (this denies 0 through 255)
Depending on your server settings, this may need to be listed as:
203.156.187.*

Remember: YMMV
and I suggest waiting a day or two so the other members can pick this apart (I'm sure there are others who know more on the subject than I)

fifeclub — Wed, 03 Aug 2005 01:31:59 +0000

Yes and Yes. I do have some htaccess files but the extent of my knowledge about them is that if I type "-la" into WS_FTP then I can see them on my server. That's about all I know about them.

AyntRyte — Wed, 03 Aug 2005 01:01:44 +0000

Do you have ftp access? (probably a stupid question, but you never know )
Do you have some patience and the willingness to do some htaccess mods?

I, personally, can't go any further unless you can answer yes to both. With the scripts you are running, there is a good possibility that you already have a htaccess file on your server now. After making a backup copy of that file, a little experimenting will never hurt.

(disclaimer: I'm not an expert on the subject, but after a quick support ticket to my host to get the correct switches for the mod, I was able to get it in place in just few minutes.)

fifeclub — Fri, 29 Jul 2005 18:45:16 +0000

I have cPanel access to my logs but I wouldn't know what to do with them. My past problem with forum spam, I could tell where they were from based on both their signup email addresses and the content of their posts (links to Russian websites). My new problem is with signing comments to my news script, where they post links to russian websites selling stuff completley unrelated to my website subject. My guess is that this is all automated because they keep spamming the same news article (which has a unique url) and not the newer news articles.

Greg K — Fri, 29 Jul 2005 18:30:12 +0000

How are you determining that they are from russia? Is it just based on the email they submit? Do you have log files? ANytime someone signs up for something on our sites, the two key extras we store are a time/date of signup and the IP#.

-Greg

fifeclub — Wed, 27 Jul 2005 21:47:59 +0000

Sorry to resurect an old post but my problem won't go away. Now I'm getting different type of on-site spam but there's still a russian / ukranian connection. I still can't find specific IP addresses and email addresses vary, but is there any way for me to just ban an entire country or area of the world? My particular site doesn't sell anything and 99.9% of my users are US and Canada, so I don't mind disallowing access to other continents if it's possible. Any ideas?

fifeclub — Fri, 06 May 2005 18:07:41 +0000

Actually it's Russia (.ru) and Ukraine (.su). I can't tell what IP they are using but if certain IP ranges are associated with those nations, how do I find out the correct ranges and how do I then block them?

If it matters I have cpanel. Also, my website in question has a handful of international users but is 99.9% targeted to a specific US location, so if done correctly, blocking all Russian and Ukrainian traffic shouldn't affect my targeted visitors.

Thanks.

Assassin — Fri, 06 May 2005 02:20:24 +0000

Sounds to me like you've got yourself a bouncer. I'm sure they aren't actually from the IP that they sound like they're from. You're going to have trouble with this one bud. I'd try blocking Romania for now and work on a better future solution as the spammer will come through again if they are bouncing or using a proxy as was said before.

Busy — Thu, 05 May 2005 22:56:22 +0000

block them by IP - there is a range for Romania

Bad side is there are some honest Romanians out there, believe we have some members from there on here, and also some of the brighter spam/scammers (1%) will use proxies