June 2, 2008: Blocked 77.92.88.11 and 77.92.88.2 at the firewall. They were just both posting reams and reams of spam to nowarblog.org and there's no good way other than the firewall to get them to shut up. So I did.
/sbin/iptables -I INPUT -s 77.92.88.11 -j DROP
As an afterthought, banned 77.92.88.3 as well. Probably should zap the whole block, to be on the safe side, but I'm interested to see the response.
(Note to self: if I start getting a long list, HiPAC is a high-performance drop-in replacement for iptables. Might turn out handy.)
inetnum: 77.92.88.0 - 77.92.89.255
netname: LIMT-Group-Ltd
descr: LIMT Group Ltd
country: RU
admin-c: SMS44-RIPE
tech-c: SMS44-RIPE
status: ASSIGNED PA
mnt-by: AS13213-MNT
source: RIPE # Filtered

person: Sergey M Safin
address: LIMT Group Ltd.
address: Karpinskogo 97a
address: Moscow
address: 111423
address: Russian Federation
phone: +7 342 2763167
nic-hdl: SMS44-RIPE
Ha. Fifteen minutes later, I've got spam from 77.92.88.9 -- that's what I figured.
June 3, 2008: Hmm. This problem is more widespread than I thought. My theory so far has been that most forum spam comes in through botnet proxies, but there are an awful lot of repeat offenders:
mysql> select origin, ip, count(*) as c from webspam
    -> where date_sub(curdate(),interval 7 day) < ondate
    -> group by origin, ip order by c desc limit 30;
+-----------+-----------------+------+
| origin    | ip              | c    |
+-----------+-----------------+------+
| nowarblog | 84.16.227.86    | 2351 |
| nowarblog | 78.129.202.8    | 2299 |
| nowarblog | 67.215.231.186  | 1571 |
| nowarblog | 77.92.88.2      | 1450 |
| nowarblog | 195.225.178.21  | 1392 |
| nowarblog | 77.92.88.3      | 1352 |
| nowarblog | 89.149.244.45   | 1280 |
| nowarblog | 78.129.202.11   | 1182 |
| nowarblog | 78.129.202.10   |  727 |
| nowarblog | 77.92.88.11     |  593 |
| toonbots  | 216.255.187.158 |  569 |
| nowarblog | 78.129.208.130  |  552 |
| nowarblog | 77.92.88.9      |  369 |
| nowarblog | 78.129.208.115  |  350 |
| nowarblog | 213.186.117.8   |  216 |
| nowarblog | 206.53.51.84    |  160 |
| nowarblog | 78.129.202.17   |  132 |
| nowarblog | 203.162.2.136   |   62 |
| nowarblog | 203.162.2.133   |   62 |
| nowarblog | 203.158.221.227 |   60 |
| toonbots  | 91.121.200.220  |   58 |
| nowarblog | 203.162.2.134   |   52 |
| nowarblog | 203.162.2.135   |   51 |
| nowarblog | 195.225.178.23  |   51 |
| nowarblog | 195.225.178.31  |   47 |
| nowarblog | 164.116.224.11  |   46 |
| nowarblog | 127.0.0.1       |   38 |
| nowarblog | 203.162.2.137   |   36 |
| nowarblog | 64.92.172.106   |   34 |
| nowarblog | 85.91.81.188    |   31 |
+-----------+-----------------+------+
30 rows in set (0.91 sec)
Seems to me anybody at the top of this list should be blocked at the firewall... So that's what I'm doing, blocking 84.16.227.86, 78.129.202.8, 67.215.231.186, 195.225.178.21, 89.149.244.45, 78.129.202.11, and 78.129.202.10.
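One way to script that step, as an added example that is not part of the original log: it turns tab-separated origin, ip, count rows (the shape `mysql -N -B` prints for the query above) into iptables commands to review before running, and it skips loopback and private addresses such as the 127.0.0.1 row in the result. The `MIN_HITS` cut-off and the function names are assumptions; the sample rows are copied from the query result.

```sh
#!/bin/sh
# Added example: print (not run) iptables DROP rules for repeat spam sources.
# MIN_HITS is an assumed cut-off; the log only says "the top of this list".
MIN_HITS=${MIN_HITS:-500}

# gen_block_rules: stdin is origin<TAB>ip<TAB>count, stdout is one rule per IP,
# busiest source first.
gen_block_rules() {
    awk -F'\t' -v min="$MIN_HITS" '
        # Accept only dotted quads so nothing else reaches a root command line.
        function valid(ip,   n, o, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        # Loopback and RFC 1918 space are our own hosts or proxies: never block.
        function internal(ip,   o) {
            split(ip, o, ".")
            return (o[1] + 0 == 127 || o[1] + 0 == 10 ||
                    (o[1] + 0 == 192 && o[2] + 0 == 168) ||
                    (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31))
        }
        valid($2) && !internal($2) { hits[$2] += $3 }  # sum hits across sites
        END {
            for (ip in hits)
                if (hits[ip] >= min + 0)
                    printf "%d /sbin/iptables -I INPUT -s %s -j DROP\n", hits[ip], ip
        }
    ' | sort -rn | cut -d" " -f2-
}

# Sample rows copied from the query result in the log.
sample_rows() {
    printf 'nowarblog\t84.16.227.86\t2351\n'
    printf 'nowarblog\t77.92.88.2\t1450\n'
    printf 'toonbots\t216.255.187.158\t569\n'
    printf 'nowarblog\t77.92.88.9\t369\n'
    printf 'nowarblog\t127.0.0.1\t38\n'
}

sample_rows | gen_block_rules
```

Because the rules are only printed, the loopback row and any malformed address are filtered out before anything reaches the firewall.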
August 3, 2008 - argh, did I say MediaWiki spam wasn't a real problem yet? Well, it is now, and I don't have time to mess with it, so I locked the Mondoglobo Wiki for the time being. (By adding the following to LocalSettings.php:)
$wgReadOnly = 'too much spam and not enough time to shoot you individually; watch this space for further details';
Server load's already dropping (thank God).