Sometime around November 5, 2006, the Baltimore IMC was hit with an attempted comment spam attack. It appears to be an automated routine that submits the comment form at the bottom of random articles, but none of the attempts successfully completed the anti-spam CAPTCHA field, so none of the comments were posted.

Normally, such attempts would go unnoticed, since they failed the first obstacle to successful spamming. However, the rate of attacks was occurring at such a speed that it was causing database connectivity issues, and that triggered a notification email to the IMC technical contact.

The dadaIMC software we use was designed to repel such attacks, and there are mechanisms in place to deny the ability to post to the site by blocking IP addresses (IP addresses are normally not captured to preserve anonymity, but can be told to display for circumstances precisely like this one). Given that the only damage being caused by these attacks is CPU and database usage, however, blocking their ability to post didn't really solve the problem. The software was augmented to provide the ability to block certain visitors at the site level, so any attempt to access the site was met with a 403 - Access Forbidden response. The effectively prevents the spammers from hitting the site at all.

Unlike the occasional spam attack, however, these comments were not coming from a single IP address. After some logging was implemented, it was determined that the spam was originating from HUNDREDS of different IP addresses. While it is possible that IP addresses were being spoofed, closer examination revealed that virtually every IP address belonged to a cable- or DSL-provided dynamic IP address, which suggests that the spammer was in control of hundreds of "zombie" computers, using an array of compromised home computers to initiate the comment spam.

A system was inititated to automate counter-measures. After failing the anti-spam CAPTCHA field, an encrypted IP address is logged into the database. After repeated failures, the real IP address is logged and automatically blocked from posting. After further attempts, the IP address blocked from the site entirely. If they still persist, the IP address is firewalled (using the built-in Linux iptables) from accessing the server at all. At the time of this writing, there are 463 IP addresses being firewalled at the server level, and 1,291 IP addresses are currently blocked or are being tracked for abuse.

Almost two weeks later, the spamming attempts are still trickling in, but it's little more than an annoyance now.