February 18, 2005

Comment Stability Update

I made a detailed comment about the server's problems over in my wife's blog this morning, and I figured I would elaborate on that a little bit here. After further discussions with the very helpful support person at Verve Hosting (I've rarely been disappointed with their support and turnaround time, by the way, only one long wait out of maybe 10-15 questions/requests), I now know more.

First, it may not matter which type of blog publishing software we move to. It seems the spam attackers pretty much attack everyone equally, and failed spam still can screw up the server if enough of it comes in. So even switching to WordPress or ExpressionEngine gives us no better odds of avoiding future comment shutdowns. The rumor is that the next version of MT helps prevent blog spam, too, but does it completely discourage blog attacks or just make them fail more often? If the latter, that doesn't help my situation. MT-Blacklist doesn't yet work with the next version (v3.15) of MT anyway, so that's a moot point for now.

As I implied above, the frustrating part of this all is that we actually do a great job of blocking spam, better than most MT websites (part of that is due to restrictions on strings like "-holdem", "sex-" or "-pics" and the like rather than just restricting certain URLs). The problem is that MT-Blacklist apparently generates as much of a load on the server for failed comments as for successful comments. And the same would be true with the spam blocking features of any other blog hosting software.

So even if we never see the spam, our hosts have to deal with the bandwidth/processing power. In this case, it wasn't even OUR blog that was the problem. Some other blog on the same server was getting bombed, so they shut down comments on all blogs on that given server (and we just happened to get caught in the crossfire).

Another thing I may try is to rename our comment script from mt-comments.cgi to something random that rotates on a weekly basis. I think if the spammers can't find the comment script and it fails for that reason, that doesn't use up as much processing power as when a comment script is executed that then has to filter things. But do spammers go out and snoop for the names of comment scripts and store them in some database, or do they just snoop the script names on the fly, in which case changing the name won't be worthwhile?

The last (nuclear) option that I would like to avoid would be outright IP denial, which I believe is much less server-intensive than spam-filtering software. I could just block off the whole range of IPs that originate from that Australian place or that place in the Netherlands, which seems to be the range of IPs for about 80% of all spam. The rest of the spam comes from IPs of home (or office) computers that have likely been unwittingly hijacked by spyware/bot/virus programs.

Even then, though, if other bloggers on the same server aren't as diligent as I am, then I am at the mercy of spammers attacking them, which would trigger a shutdown of my comments again. Blech. I suppose I could blame all of my woes on Verve, but I'd have a hard time believing that any other potential host isn't facing the same issues (and would implement similar solutions). I guess for now we'll wait and see just how often they have to shut our comments down, if it gets better or worse, if they offer any other solutions for us, etc.

Posted by Observer at February 18, 2005 03:49 PM
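
The weekly renaming of mt-comments.cgi floated in the post could be scripted as below. This is an added example, not code from the original post or from Movable Type; the secret, the `c-<hex>.cgi` naming scheme and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import date

# Hypothetical secret; keep the real one outside the web root.
SECRET = b"constructed-example-secret"
DEFAULT_NAME = "mt-comments.cgi"            # stock script name from the post
NAME_RE = re.compile(r"^c-[0-9a-f]{12}\.cgi$")


def script_name_for(day: date, secret: bytes = SECRET) -> str:
    """Derive the comment-script file name for the ISO week containing `day`.

    HMAC over the year/week label makes the name stable within a week,
    different every week, and unpredictable without the secret.
    """
    iso = day.isocalendar()
    label = f"{iso[0]}-W{iso[1]:02d}".encode()
    tag = hmac.new(secret, label, hashlib.sha256).hexdigest()[:12]
    return f"c-{tag}.cgi"


def rotate(cgi_dir: str, day: date, secret: bytes = SECRET) -> str:
    """Rename the existing comment script to this week's name.

    Safe to run daily from cron: it does nothing if the rename already
    happened. Requests to any older name then fail at the web server
    without the script (and its filters) ever being executed.
    """
    target = script_name_for(day, secret)
    if os.path.exists(os.path.join(cgi_dir, target)):
        return target
    for entry in sorted(os.listdir(cgi_dir)):
        if entry == DEFAULT_NAME or NAME_RE.match(entry):
            os.rename(os.path.join(cgi_dir, entry),
                      os.path.join(cgi_dir, target))
            return target
    raise FileNotFoundError(f"no comment script found in {cgi_dir}")


if __name__ == "__main__":
    # The blog's pages must be republished afterwards so that the
    # comment forms point at the new name.
    print(script_name_for(date.today()))
```
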
Comments

Comments on entries can only be made in pop-up windows while those entries are still on the main index page. Sorry for the inconvenience this causes, but this blocks about 99.99% of the spam the blog receives.

Do you have available to you the sort of visual-interpretation keying security that I have seen at a few sites, e.g. (you can tell I have kids who have done some online gaming) neopets? Anything that requires a human being to read, type, and click will stop the bot-spam bombs.

On the other hand, your point about bandwidth/CPU consumption by the blog host in fending off the bots ... that'll be there no matter what.

I admit I am fascinated by the evolution of the internet/web, of "real" sites versus spammers/bots/viruses etc. I think it's a tremendous analog for prebiotic evolution, which I've had to discuss in classes a number of times in the origins-of-life portions of the speculative extraterrestrial life courses.

There was a significant step along that evolutionary chain that surfaced a month or two ago. One spyware company filed suit against another, alleging that the other's spyware performed uninstalls of the plaintiff's spyware. If you view viruses/spambots/spyware as first-order parasites or predators (in that they live off of "ordinary" OS's), then in the cyberspace ecosystem some automated thing that attacks those parasites is a second-rank parasite/predator. That the companies have started suing each other over it is pretty good evidence that it's out there and working.

In short, the ecosystem in the cyberworld is getting deeper and richer in terms of diversity and occupancy of niches as we watch. Sort of the Cambrian Explosion again.

It also makes me speculate about the "nonfunctional" DNA in every biological organism. Perhaps that's all well-evolved protection measures against viruses that went extinct some time in the past, and because it doesn't do anything now for good or ill of the organism, it just drifts along. From a software point of view, this is retaining backwards compatibility.

Posted by: Feff on February 18, 2005 04:29 PM

It's getting a bit long in the tooth now, but an entertaining if long-winded description of zombie DDOS attacks is at http://www.grc.com/dos/grcdos.htm

Posted by: Feff on February 18, 2005 04:34 PM

Once again my hat's off to Mr Nosuch. I can only imagine how fighting spam would take the fun away from blogging.

Posted by: Humbaba on February 18, 2005 05:44 PM

That's a neat metaphor, Feff. I'm also fascinated by the war against spam. As frustrating as it is to me, I also kind of welcome the challenge. Maybe that's just me looking at the bright side of things, because if I weren't able to do that, I'd have torn my hair out over spam attacks long ago.

All I know for sure is that this whole spam war is being enabled by a small group of genius programmers who have a set of ethics that make Republicans ... no, worse than that ... cable company executives look like angels. I'm sure most of the products advertised on spam are sold by people who haven't the foggiest idea of the massive number of man-hours and resources they are costing civilization.

Posted by: Observer on February 18, 2005 06:24 PM

I bet it finds the script on the fly. But, since they mostly seem to attack old entries ... it's questionable.

I simply ban individual IPs under the assumption that after getting a base number of machines they focus more on sending out spam than finding new machines with new IPs. I used to get incoming spam of large degrees from very similar email addresses that lumped them all together in one attack (i.e. bob####@yahoo.com) and they'd come, at first, maybe 15 times in an hour. Banning IPs, the same round of attack a week later was a third of the size, and stopped showing up for weeks at a time when two strays came in.

Of course, that sense of progress is countered by new spammers, but I consider it fun, in a way.

Posted by: Polerand on February 21, 2005 01:07 PM