Action log
Here are things I've done, specifically:

June 2, 2008: Blocked 77.92.88.11 and 77.92.88.2 at the firewall. They were just both posting reams and reams of spam to nowarblog.org and there's no good way other than the firewall to get them to shut up. So I did.

/sbin/iptables -I INPUT -s 77.92.88.11 -j DROP

As an afterthought, banned 77.92.88.3 as well. Probably should zap the whole block, to be on the safe side, but I'm interested to see the response.

(Note to self: if I start getting a long list, HiPAC is a high-performance drop-in replacement for iptables. Might turn out handy.)

inetnum:        77.92.88.0 - 77.92.89.255
netname:        LIMT-Group-Ltd
descr:          LIMT Group Ltd
country:        RU
admin-c:        SMS44-RIPE
tech-c:         SMS44-RIPE
status:         ASSIGNED PA
mnt-by:         AS13213-MNT
source:         RIPE # Filtered

person:         Sergey M Safin
address:        LIMT Group Ltd.
address:        Karpinskogo 97a
address:        Moscow
address:        111423
address:        Russian Federation
phone:          +7 342 2763167
nic-hdl:        SMS44-RIPE

Ha. Fifteen minutes later, I've got spam from 77.92.88.9 -- that's what I figured.

June 3, 2008: Hmm. This problem is more widespread than I thought. My theory so far has been that most forum spam comes in through botnet proxies, but there are an awful lot of repeat offenders:

mysql> select origin, ip, count(*) as c from webspam
       where date_sub(curdate(),interval 7 day) < ondate
       group by origin, ip order by c desc
       limit 30;
+-----------+-----------------+------+
| origin    | ip              | c    |
+-----------+-----------------+------+
| nowarblog | 84.16.227.86    | 2351 |
| nowarblog | 78.129.202.8    | 2299 |
| nowarblog | 67.215.231.186  | 1571 |
| nowarblog | 77.92.88.2      | 1450 |
| nowarblog | 195.225.178.21  | 1392 |
| nowarblog | 77.92.88.3      | 1352 |
| nowarblog | 89.149.244.45   | 1280 |
| nowarblog | 78.129.202.11   | 1182 |
| nowarblog | 78.129.202.10   |  727 |
| nowarblog | 77.92.88.11     |  593 |
| toonbots  | 216.255.187.158 |  569 |
| nowarblog | 78.129.208.130  |  552 |
| nowarblog | 77.92.88.9      |  369 |
| nowarblog | 78.129.208.115  |  350 |
| nowarblog | 213.186.117.8   |  216 |
| nowarblog | 206.53.51.84    |  160 |
| nowarblog | 78.129.202.17   |  132 |
| nowarblog | 203.162.2.136   |   62 |
| nowarblog | 203.162.2.133   |   62 |
| nowarblog | 203.158.221.227 |   60 |
| toonbots  | 91.121.200.220  |   58 |
| nowarblog | 203.162.2.134   |   52 |
| nowarblog | 203.162.2.135   |   51 |
| nowarblog | 195.225.178.23  |   51 |
| nowarblog | 195.225.178.31  |   47 |
| nowarblog | 164.116.224.11  |   46 |
| nowarblog | 127.0.0.1       |   38 |
| nowarblog | 203.162.2.137   |   36 |
| nowarblog | 64.92.172.106   |   34 |
| nowarblog | 85.91.81.188    |   31 |
+-----------+-----------------+------+
30 rows in set (0.91 sec)

Seems to me anybody at the top of this list should be blocked at the firewall... So that's what I'm doing, blocking 84.16.227.86, 78.129.202.8, 67.215.231.186, 195.225.178.21, 89.149.244.45, 78.129.202.11, and 78.129.202.10.
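The June 2 and June 3 entries, worked through as an added example (not the author's own script): per-IP counts like the query result above are turned into the same kind of iptables DROP rule, collapsing to a single /24 rule when several offenders share one. The function names, the thresholds of 500 posts and 3 addresses, and the choice of /24 as the grouping unit are assumptions of this example; the RIPE record quoted earlier actually covers 77.92.88.0 - 77.92.89.255.

```shell
#!/bin/sh
# Added example, not the author's script. Reads "<ip> <count>" lines on stdin
# and prints iptables commands for review; it never runs them itself.
# $1 = posts needed to block a single address (assumed default 500)
# $2 = distinct offenders needed to block their /24 (assumed default 3)
spam_block_rules() {
    awk -v min="${1:-500}" -v hosts="${2:-3}" '
    # Skip anything that is not a dotted-quad address with a numeric count.
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }
    {
        split($1, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] > 255) next
        # Never drop loopback or RFC 1918 space: the query result on the page
        # contains 127.0.0.1, and blocking that breaks local services.
        if (o[1] == 127 || o[1] == 10 || (o[1] == 192 && o[2] == 168) ||
            (o[1] == 172 && o[2] >= 16 && o[2] <= 31)) next
        net = o[1] "." o[2] "." o[3] ".0/24"
        if (!($1 in count)) { seen[net]++; netof[$1] = net }
        count[$1] += $2
    }
    END {
        rule = "/sbin/iptables -I INPUT -s %s -j DROP\n"
        # One rule per /24 that holds several offenders ...
        for (n in seen) if (seen[n] >= hosts) printf rule, n
        # ... and per-address rules for heavy posters outside those blocks.
        for (ip in count)
            if (seen[netof[ip]] < hosts && count[ip] >= min) printf rule, ip
    }' | sort
}

# Rows copied from the query result above (origin column dropped).
sample_counts() {
    cat <<'EOF'
84.16.227.86 2351
78.129.202.8 2299
77.92.88.2 1450
77.92.88.3 1352
77.92.88.11 593
216.255.187.158 569
77.92.88.9 369
127.0.0.1 38
85.91.81.188 31
EOF
}

sample_counts | spam_block_rules 500 3
```

A /24 rule also drops every legitimate visitor in that range, so the printed commands are meant to be read before any of them is run.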

August 3, 2008: Argh, did I say MediaWiki spam wasn't a real problem yet? Well, it is now, and I don't have time to mess with it, so I locked the Mondoglobo Wiki for the time being. (By adding the following to LocalSettings.php:)

$wgReadOnly = 'too much spam and not enough time to shoot you individually; watch this space for further details';

Server load's already dropping (thank God).






This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.