{"id":446,"date":"2008-01-13T23:57:46","date_gmt":"2008-01-14T04:57:46","guid":{"rendered":"http:\/\/blogs.n1zyy.com\/n1zyy\/2008\/01\/13\/emulating-spamd-for-http\/"},"modified":"2008-01-13T23:57:46","modified_gmt":"2008-01-14T04:57:46","slug":"emulating-spamd-for-http","status":"publish","type":"post","link":"https:\/\/blogs.n1zyy.com\/n1zyy\/2008\/01\/13\/emulating-spamd-for-http\/","title":{"rendered":"Emulating spamd for HTTP"},"content":{"rendered":"<p>I won&#8217;t lie&#8211;I love OpenBSD&#8217;s <a href=\"http:\/\/www.openbsd.org\/cgi-bin\/man.cgi?query=spamd&#038;sektion=8\">spamd<\/a>. In a nutshell, it&#8217;s a &#8216;fake&#8217; mailserver. You set your firewall up to connect obvious spammers to talk to this instead of your real mailserver. It talks to them <em>extremely<\/em> slowly (1B\/sec), which keeps them tied up for quite some time. (As an added bonus, it throws them an error at the end.)<\/p>\n<p>One thing that really gets under my skin is bots (and malicious users) probing for URLs on the server that don&#8217;t exist. I get a lot of hits for \/forum, \/phpbb, \/forums, \/awstats&#8230; What they&#8217;re doing is probing for possible (<em>very<\/em>) outdated scripts that have holes allowing remote code execution.<\/p>\n<p>It finally hit me: it&#8217;s really not that hard to build the same thing for HTTP. <a href=\"http:\/\/www.acme.com\/software\/thttpd\/\">thttpd<\/a> already supports throttling. (Note that its throttling had a more sane use in mind: limiting overall bandwidth to a specific URL, not messing with spammers and people pulling exploits, so it&#8217;s not <em>exactly <\/em>what we want, but it&#8217;ll do.)<\/p>\n<p>Then you need a large file. I downloaded a lengthy novel from Project Gutenberg. It&#8217;s about 700 kB as uncompressed text. I could get much bigger files, yes. But 700 kB is plenty. More on this later.<\/p>\n<p>It&#8217;s also helpful to use Apache and mod_rewrite on your &#8216;real&#8217; server. You can work around it if you have to.<\/p>\n<p>Set up your \/etc\/thttpd\/throttle.conf:<\/p>\n<blockquote>\n<pre>\n**    16<\/pre>\n<\/blockquote>\n<p>Note that, for normal uses, this is <em>terrible<\/em>. This rule effectively says, &#8220;Limit the total server (**) to 16 (bytes per second).&#8221; By comparison, a 56K dialup line is about 7,000 bytes per second (or 56,000 bits per second).<\/p>\n<p>Rudimentary tests show that having one client downloading a 700 kB file at 16B\/sec places pretty much <i>no<\/i> load on the server (load average remained 0.00, and thttpd doesn&#8217;t even show up in the section of top that I can see), so I&#8217;m not concerned about overhead.<\/p>\n<p>You can also set up your thttpd.conf as needed. No specific requirements there. Start it up with something like <tt>thttpd -C \/etc\/thttpd\/thttpd.conf -d \/var\/www\/maintenance\/htdocs\/slow -t \/etc\/thttpd\/throttle.conf<\/tt> (obviously, substituting your own directories and file names! Note that the \/slow is just the directory I have it serving out of, not any specific naming convention.)<\/p>\n<p>Now what we need to do is start getting some of our mischievous URL-probers into this. I use some mod_rewrite rules on my &#8216;real&#8217; Apache server:<\/p>\n<blockquote><pre># Weed out some more evil-doers\nRewriteRule ^forum(.*)$ http:\/\/ttwagner.com:8080\/20417.txt [NC,L]\nRewriteRule ^phpbb(.*)$ http:\/\/ttwagner.com:8080\/20417.txt [NC,L]\nRewriteRule ^badbots(.*)$ http:\/\/ttwagner.com:8080\/20417.txt [NC,L]\nRewriteRule ^awstats(.*)$ http:\/\/ttwagner.com:8080\/20417.txt [NC,L]\n<\/pre><\/blockquote>\n<p>In a nutshell, I redirect any requests starting with &#8220;forum,&#8221; &#8220;phpbb,&#8221; &#8220;badbots,&#8221; or &#8220;awstats&#8221; to an enormous text file. I&#8217;m not sure if escaping the colon is strictly necessary, but it has the added benefit of &#8216;breaking&#8217; the link when pasted, say, here: I don&#8217;t want anyone getting caught up in this unless they&#8217;re triggering it. I tend each with (.*), essentially matching everything. You may or may not see this as desirable. I like it, since \/forum and \/forums are both requested, and so forth. You could take that out if necessary. The [NC,L] is also useful in terms of, well, making anything work.<\/p>\n<p>I want to watch and see whether anyone gets caught up in this. Since it&#8217;s technically passing the request to a different webserver (thttpd), it has to tell the client to connect to that, as opposed to seamlessly serving it up. I don&#8217;t know if the bots are smart (dumb?) enough to follow these redirects or not.<\/p>\n<p>Note that \/badbots doesn&#8217;t really exist. I inserted it into my robots.txt file, having heard that some &#8216;bad &#8216;bots (looking for spam, etc.) crawl any directory you tell them not to. I wondered if this was accurate.<\/p>\n<p>The ending is quite anticlimactic: we wait not-so-patiently to see what ends up in the logfile.<\/p>","protected":false},"excerpt":{"rendered":"<p>I won&#8217;t lie&#8211;I love OpenBSD&#8217;s spamd. In a nutshell, it&#8217;s a &#8216;fake&#8217; mailserver. You set your firewall up to connect obvious spammers to talk to this instead of your real mailserver. It talks to them extremely slowly (1B\/sec), which keeps &hellip; <a href=\"https:\/\/blogs.n1zyy.com\/n1zyy\/2008\/01\/13\/emulating-spamd-for-http\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,6,11,13,18,22,24,27],"tags":[],"class_list":["post-446","post","type-post","status-publish","format-standard","hentry","category-computers","category-cool-links","category-funny","category-insanity","category-linux-tips","category-ocd","category-programming","category-rants-raves","category-security"],"_links":{"self":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts\/446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/comments?post=446"}],"version-history":[{"count":0,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts\/446\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/media?parent=446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/categories?post=446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/tags?post=446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}