Is there a better way to block spamers IP's than this?

Cliff Wells cliff at develix.com
Tue Jun 17 03:29:06 MSD 2008 

On Mon, 2008-06-16 at 17:31 +0200, Thomas wrote:
> Where do you get your spammer IPs from? Most of the time, the IP are
> spoofed, 

The IP can't be spoofed if they intend to send you spam, otherwise
they'd never be able to negotiate the TCP handshake to send you the data
(the server's side of the handshake would go to the spoofed address
rather than the spammer).  IP spoofing only happens in certain types of
DoS and man-in-the-middle attacks and is unrelated to spam (I'm
disregarding trusted networks as I don't think it applies here).

Spammers can spoof HTTP *headers*, but those are unreliable in most
cases anyway.  The question in this case should probably be "where does
Nginx get remote_addr from?", which I'm going to venture is from the TCP
socket information, not from client-provided HTTP headers (I'm not aware
of a HTTP 1.1 header that defines a client IP address, except perhaps
proxy headers such as "X-Forwarded-for" or similar, but those are *in
addition to* the actual connection address).

As someone else pointed out, they might be using a proxy, but if so, I
don't see the harm in blocking the proxy as they could rightfully be
seen as being a (un)willing collaborator (much like many dnsbl's block
open mail relays).

As far as things like Tor and anonymous proxies... well, I guess that's
part of the risk you take when you use such things.  People have a right
to privacy but the owners of websites also have a right to know who is
using their site.  If you use an anonymous proxy you should be aware
that it might impact your experience on the web, including the inability
to view some sites.

Personally, I block IP addresses at the firewall level and use "at" to
unblock them after a reasonable period (usually a week), to allow for
the possibility that a legitimate user might acquire that address and
also to keep my blacklists short.  I don't think maintaining a list of
banned IP's in your Nginx config is going to be maintainable.

Regards,
Cliff

More information about the nginx mailing list