To prevent spammers from making it through, I run Scallywhack and a number of custom ModSecurity rules. So far, spams only made it through as new tickets in the ticket tracker, so I installed the TicketDeletePlugin.

Yesterday, I saw the first spam as a comment to an existing and valid ticket. Like tickets themselves, ticket comments can not be removed by Trac by default. Luckily, upstream Trac seems to have fixed this. I’m running Debian’s version of Trac 0.11.1 however, so I decided to patch that. The patches in the Trac ticket #454 didn’t apply cleanly, so I had to patch it manually. To save others the work, it’s available here: http://www.inliniac.net/files/trac_0.11.1-debian-comment_edit.patch

To use it, make a copy of your /usr/share/pyshared/trac directory.
Next, go into the trac directory and run the command:
patch -p1 < /path/to/trac_0.11.1-debian-comment_edit.patch

After this, each comment in the comment system will have a “edit” button and you can remove the spam message content. It’s not possible to remove the entire comment, but this works for me.

Luckily, ModSecurity creator Ivan Ristic was quick to point out where the problem is. I’m using the Core Ruleset for ModSecurity, and one thing that ruleset does is use the ‘lowercase’ transformation. This converts all text from arguments to lowercase, so my ^POST$ match would never be able to match. So like Ivan suggested, using ^post$ solved this part.

Next Ivan pointed out a weakness in the rules. My rules looked for /blog/wp-comment-post.php, and would be easily evaded by just using /blog//wp-comment-post.php. He suggested using the ‘normalisePath’ transformation. I did this, but I also slightly changed the rules to not look for the /blog/ part at all (maybe this makes normalisePath useless, but I decided to rather be safe than sorry).

The rules I’m using now look like this:

SecRule REQUEST_METHOD “^post$” “log,deny,chain,msg:’LOCAL comment spammer at rbl list.dsbl.org’”
SecRule REQUEST_URI “wp-(comments-post|trackback)\.php$” “chain,t:normalisePath”
SecRule REMOTE_ADDR “@rbl list.dsbl.org”

SecRule REQUEST_METHOD “^post$” “log,deny,chain,msg:’LOCAL comment spammer at rbl bl.spamcop.net’”
SecRule REQUEST_URI “wp-(comments-post|trackback)\.php$” “chain,t:normalisePath”
SecRule REMOTE_ADDR “@rbl bl.spamcop.net”

SecRule REQUEST_METHOD “^post$” “log,deny,chain,msg:’LOCAL comment spammer at rbl sbl-xbl.spamhaus.org’”
SecRule REQUEST_URI “wp-(comments-post|trackback)\.php$” “chain,t:normalisePath”
SecRule REMOTE_ADDR “@rbl sbl-xbl.spamhaus.org”

Thanks a lot Ivan Ristic for your comments!

The basic syntax of the rbl rule is as follows:

SecRule REMOTE_ADDR “@rbl bl.spamcop.net”

However, I would not recommend just using this rule because it would do a lookup of the remote ipaddress for every request made to your site. This will totally destroy the performance of your site. So I decided to inspect only POST request, since posting comments requires… POST

SecRule REQUEST_METHOD “^POST$” “log,deny,chain,msg:’LOCAL comment spammer at rbl bl.spamcop.net’”
SecRule REMOTE_ADDR “@rbl bl.spamcop.net”

For some reason unclear to me, this doesn’t work. With this rule the rbl is never ever checked. I could see that just the rbl rule would work, so it must be something in the combination of the rules. Luckily, I found a workaround:

SecRule REQUEST_URI “^/blog/wp-(comments-post|trackback)\.php$” “log,deny,chain,msg:’LOCAL comment spammer at rbl bl.spamcop.net’”
SecRule REMOTE_ADDR “@rbl bl.spamcop.net”

So I tried some variations of rules and the above rule turns out to work just fine. It doesn’t look for the POST method, but instead just looks at the URI’s at which a comment poster posts.

After using this with a large number of blacklists, seven to be precise, I can conclude it is very effective. The last few days 144 attempts were blocked, while 22 still came through. I have manually inspected all blocked comments and so far not a single false positive has occured.

Even though I have configured seven different blacklists, only three are actually get hits, so I will paste those below:

SecRule REQUEST_URI “^/blog/wp-(comments-post|trackback)\.php$” “log,deny,chain,msg:’LOCAL comment spammer at rbl list.dsbl.org’”
SecRule REMOTE_ADDR “@rbl list.dsbl.org”

SecRule REQUEST_URI “^/blog/wp-(comments-post|trackback)\.php$” “log,deny,chain,msg:’LOCAL comment spammer at rbl bl.spamcop.net’”
SecRule REMOTE_ADDR “@rbl bl.spamcop.net”

SecRule REQUEST_URI “^/blog/wp-(comments-post|trackback)\.php$” “log,deny,chain,msg:’LOCAL comment spammer at rbl sbl-xbl.spamhaus.org’”
SecRule REMOTE_ADDR “@rbl sbl-xbl.spamhaus.org”

Good luck fighting off the spam!