Update (May 5 2009 @ 4:32 AM): The phpCF page is now updated and with links to tar-balls, docs and stuff.

• Incorporation of the Lillesvin Networks blacklist (text/plain version) – possibly more blacklists will be supported in future releases.
• Better testing for HTML
• Configuration to allow specific HTML tags, thus excluding them when testing for HTML
• Better debugging methods
• Removal of disabled checks in the instance-log

Go get it at http://lillesvin.net/phpcf!

I’m not quite sure what to make of this, because there are a couple of things involved and the decrease started just as I made some big changes to my anti-spam system. The following are some possible factors in the decrease and there may very well be some I’m overlooking.

I started returning 404 Not Found on blacklist redirects instead of 200 OK

Are the spammers running some kind of automated learning, so once they receive a 404, they stop trying? That would be weird, because in order to even see the before mentioned 404, they have to make at least 3 attempts at spamming. So automated learning would be indicated by a vast amount of blocked attempts compared to the number of blacklist redirects, which is not the case here – both numbers have decreased heavilly, though the number of blacklist redirects varies from zero to 5-6 a day.

phpCF is working great

If the spammers are in some way measuring their success-rate, then it must mean that phpCF is working great, because no spam has gotten through in a long time. But this would also be strange, because how would they measure the success-rate? Googling? I think not.

The blacklist is complete

I’ve finally blacklisted each and every spam-bot on the planet! Yay, for me! :-p
Actually, this would explain the small number of blocked attempts compared to the larger amount of blacklist redirects. But still, somehow I don’t believe that this is the reason.

More options

Last, but not least, there may be outside factors causing the decrease (even though I’d like to think that I came up with the “cure for the cancer”). Maybe Google-bombing has gotten harder, or the spammers are getting more cautious – or maybe blog-spamming just isn’t profitable enough…

… and then there is all the stuff I can’t think up right now because it’s 8:46 AM and I haven’t slept yet. If you have any ideas, experiences, thoughts … anything! Please, post a comment or drop me a mail. I’d be more than happy to know what you think.

In case you’re wondering what phpCF is, then you’ve chosen the right paragraph to read. phpCF is a PHP class designed for scanning of e.g. blog-comments to determine whether they’re spam or not. phpCF only does the checking, assigns a score and compares it to the configured threshold. What to do if it’s spam is up to the one implementing it. Apart from doing a simple job in a simple way it’s also simple to implement. Simple, simple, simple… SIMPLE! Look at this example…

Also, I created a Freshmeat entry for phpCF and I hope that the server can stand the extra traffic, when phpCF hits the Freshmeat front page. If not, let me know.

First of all, I’ve been receiving a lot of comment spam lately – so I thought I’d revamp my spam checking system (I just counted the number of links before; if it was > 5, then the comment was blocked and the IP logged for potential blacklisting). The new system I’ve been hacking a little on is way more flexible and extensible – so it’ll be a lot easier to fight off spam later, if they find yet another way to spam me. If this turns out to be a success I might release it under the GPL, but I want to test it a little before deciding on it.

Secondly, I’ve been playing more with my tablet and now it works perfectly with Linux. Turned out that kernels 2.6.4 through 2.6.8 had some issues, so after upgrading to kernel 2.6.11 and recompiling mousedev.ko, evdev.ko and wacom.ko I finally got it working. (Thanks to the docs at the Linux Wacom Project and furrywolf from #debian.) So if you’re considering buying a tablet I can recommend the Wacom Volito (if you’re a beginner) – it’s cheap and it’s relatively easy to get working with Linux – just like the other Wacom tablets. Look them up on eBay – you can probably get a used one very cheap.

Oh yeah, bumped into this sign here in Århus – I can’t remember whether it was a hair dresser or some kind of shop. Also, take a look at this cake we made for a friends birthday.

But as the heading implies, I’ve also been working hard… On what you might ask – and rightly so because I haven’t told you yet. Foremost I’ve been working on an article about cleaning a Windows box for malware and keeping it clean. (Yeah, I’m not a Windows guy, but I was asked to write it for Windows, so I didn’t really have a choice — and besides, there is no real malware problem on *nix.)

Furthermore I’ve been working on a new design and codebase for lillesvin.net and I’ve even prepared a couple of surprises for the launch of the new site. I can’t (or rather: won’t) tell you what it is and I won’t tell you when I plan to launch the new site… Not yet. (Truth be told, I have no clue as to when it’ll be finished.)

In your face – you fucking, slimy, fat-ass, jerk-off spamming sons-o’-bitches!

phpSnatch or not, it’s nice to see, that it is actually possible to protect oneself against most of the spam. I just hope they won’t start posting X posts with 5 links in them, instead of just one huge post… But I guess I’ll just have to wait and see — and hope they don’t actually read my blog, ’cause then I’ll just have given up the secret.

Only one thing really nags me. These spam attempts seems pretty coordinated. Every attempt is made with intervals of approximately 35 minutes in waves lasting 20-22 hours. Not many of the IP addresses resolved to any valid hostnames – neither did they respond to ping probes. It’s not like I’m thinking that they are directly targetted against me, but it does appear like either a cronjob or some sort of worm.

If anybody knows something about this kind of spamming, please feel free to comment on it or email me, ’cause as you can plainly see, I’m not really that much into it, I’m just fighting to keep it off.

I’m currently implementing phpSnatch, but it will probably take some time before I get the spam score threshold adjusted right.

On my server it’s a little slow, since SpamAssassin isn’t the fastest thing on the earth, but it might differ very much from your experience. Please try it out and give me some feedback on it.

I’m probably going to dedicate a page on this site to it later, but as of now I’ll concentrate on developing it. So for now you’ll have to live with the README in the package, which has an example of use and installation instructions. You can also view the README through the Subversion repository.

A demonstration of this early pre-alpha-beta-unstable-rev9 non-release can be found at http://penguins.linux.dk/phpSnatch/test.php where you can try entering some values and have them estimated. The source code for the scanning process can be seen at http://penguins.linux.dk/phpSnatch/scan.phps.

As you can probably see it’s very simple to use, but things might be a bit unstable here in the beginning, so of course, there’s absolutely NO WARRANTY should you choose to use it. The author takes ABSOLUTELY NO RESPONSIBILITY FOR ANYTHING.
It’s free as in speech AND as in beer, so feel free to do whatever you want with it, just don’t blame me if something doesn’t work as expected or if it screws up anything.