Using mod_security to shield Movable Type from Blog Comment Spam

Jeremy Zawodny writes about how he fixed blog spam using mod_security:

I recently noticed an upswing in the traffic my blog gets from comment spam bots. They’re never successfully able to post comments, of course, but it still results in a lot of hits to the Movable Type script that handles comment submissions: mt-comments.cgi

Notice the “cgi” there? That’s right. This is an old-school stand-alone Perl CGI script. I’m not running it under mod_perl, so for each request Apache must fork() and exec() to start the Perl interpreter. Then Perl has to parse and compile the script, along with all of its supporting modules.

This all culminates in an error message back to the spam bot, a message that is surely discarded. In short, it’s a lot of effort to tell a spam bot to go fuck off. And it causes my 4-year-old web server to strain at times.

So I decided to add a new layer to my defenses recently. I added mod_security to my Apache setup and crafted a few rules to combat most of the poorly written bots as well as those that are slightly more well designed.

gadi evron,
ge@beyondsecurity.com.
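The rules Jeremy refers to are not reproduced in the post. As an added illustration (not his configuration, and not part of the original post), the following shows the kind of cheap header checks that let Apache reject spam-bot hits on mt-comments.cgi before the Perl interpreter is ever forked. It is written in ModSecurity 2.x SecRule syntax rather than the 1.x SecFilter directives of the period, and the blog host name is an assumed placeholder.

```apache
# Added example: reject obvious bot traffic to mt-comments.cgi in phase 1
# (request headers), i.e. before Apache forks the CGI script.
<LocationMatch "/mt-comments\.cgi$">
    SecRuleEngine On

    # Movable Type only ever submits comments with POST from a comment form.
    SecRule REQUEST_METHOD "!@streq POST" \
        "id:900001,phase:1,t:none,deny,status:403,log,\
        msg:'mt-comments.cgi: non-POST request'"

    # A real browser posting the comment form sends a Referer pointing at
    # the blog. blog.example.com is an assumed placeholder host name.
    SecRule &REQUEST_HEADERS:Referer "@eq 0" \
        "id:900002,phase:1,t:none,deny,status:403,log,\
        msg:'mt-comments.cgi: missing Referer'"
    SecRule REQUEST_HEADERS:Referer "!@beginsWith http://blog.example.com/" \
        "id:900003,phase:1,t:none,deny,status:403,log,\
        msg:'mt-comments.cgi: foreign Referer'"

    # Poorly written bots frequently send no User-Agent at all.
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
        "id:900004,phase:1,t:none,deny,status:403,log,\
        msg:'mt-comments.cgi: missing User-Agent'"
</LocationMatch>
```

These headers are trivially forged, so the rules reduce CPU load from the careless bots the post describes rather than replace Movable Type's own comment validation; review the ModSecurity audit log for false positives (feed readers or privacy proxies that strip Referer) before leaving them in deny mode.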

  • http://jeremy.zawodny.com/blog/ Jeremy Zawodny

    “recently discovered” makes me sound a bit clueless, don’t you think? If you look back at my archives, I think you’ll see that I’ve been fighting blog spam for a long, long time.

  • sunshine

    My apologies, I mis-interpreted what you said. I fixed it, hopefully to your satisfaction…

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    “In short, it’s a lot of effort to tell a spam bot to go fuck off.”

    That… is hilarious.

  • http://ant.sillydog.org/ Antony Shen

    My mt-comments.cgi has been hit 20555 times. Although none of the spam comments went through (I use MTScode), it caused heavy CPU usage on the server and resulted in the entire server becoming non-responsive.

    I just installed mod_security, and I hope it will reduce the server load.

  • sunshine

    Or increase it; it depends on your configuration….

  • http://deleted XML Exploit

    mod_security is bound to add load to the server, but the benefit is that the CGI must be worse at managing resources (as it is probably written in Perl), whereas mod_security is written in C/C++, which has significant CPU improvements :P