modsecurity as final antispam solution? Not really

In my previous post about comments I described my antispam solution based on mod_security in some more detail, and some people wondered whether it is actually valid as a final solution. So let me explain a bit further.

I’m not saying that modsecurity is perfect and that it does its job perfectly well; actually, I always have to disable some of its rules because they are sometimes positively stupid or effectively braindamaged, like the “PHP source disclosure” rules in the latest release (2.5.10) that block any request whose response would return “fread” to the user; that is, almost any half-interesting piece of source code.

In general, while modsecurity is doing its job, I recognize that it’s not a perfect solution for everybody. I still find it a nicer solution than captchas, but maybe the two things could be merged: instead of implementing these antispam measures in mod_security, at the Apache level, they could be implemented at the application level, with an extension library. At that point it’d be possible to decide whether the client is one of: trusted, untrusted, positively a spammer. The first and last cases are obvious: the comment is either passed or killed right away; untrusted clients would be presented a bad bad captcha to solve.

This would tie in not only with user-agent based filtering, but also with DNSBLs, Honeypot’s httpBL, even email verification, and the blogspam web service.

One very interesting use of this would solve the currently difficult decision around anonymising clients such as TOR, which end up being abused by spammers: the choice between keeping on allowing them to comment and just killing them all is not quite as easy. I can see the reasons for using TOR, but the amount of spam is just too much (I wonder if I should do something along the lines of making the blog available directly on the TOR network and then blocking the IPs coming from lists like TornevallNET).

And a word about email verification: some people seem to find it funny to use common fake email addresses like anonymous@the.net when posting a comment. I seriously have a beef with that, and the reason is very simple: I don’t care whether you enter an email address or not! I don’t require one; if you do enter it, you get Gravatar integration and I can contact you, but that’s about it; you can simply leave the field empty if you don’t want me to know your email address. If I could check the email address for validity with modsec, I’d be rejecting such comments to begin with.
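To make the three-way trusted/untrusted/spammer idea concrete, here is an added sketch of such an application-level classifier in Python. It is example code written for this page, not the author's code and not a mod_security rule set. It combines the signals mentioned above (user-agent, a DNSBL-style lookup, and an optional-but-must-be-real email check) into a score that maps to accept, captcha or reject. The DNSBL zone name, the resolver answers and the suspect user-agent strings are all constructed placeholders so that the module runs offline; the only thing real about the lookup is the reversed-octet query name a DNSBL is asked for.

```python
"""Three-way comment classification (trusted / untrusted / spammer).

Added illustration of the application-level design sketched in the post;
not the author's code. Signal sources (DNSBL, MX lookup) are passed in as
callables so the module runs offline; the resolver below is a constructed
in-memory stand-in for real DNS.
"""
import re
from dataclasses import dataclass, field

# Constructed sample data for the offline demo.
SUSPECT_USER_AGENTS = ("libwww-perl", "python-urllib", "curl/")
PLACEHOLDER_EMAILS = {"anonymous@the.net"}          # the fake address cited in the post
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
DNSBL_ZONE = "dnsbl.example"                        # placeholder zone, not a real list

# Constructed DNS answers: a DNSBL listing for 192.0.2.10 and an MX for example.org.
FAKE_DNS = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",
    "example.org": "mail.example.org",
}


@dataclass
class Comment:
    ip: str
    user_agent: str
    email: str = ""


@dataclass
class Verdict:
    level: str                  # "trusted" | "untrusted" | "spammer"
    action: str                 # "accept" | "captcha" | "reject"
    reasons: list = field(default_factory=list)


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet name a DNSBL (or httpBL-style list) is queried for."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def fake_dnsbl_listed(ip):
    """Stand-in for a real DNSBL lookup: any answer record means 'listed'."""
    return dnsbl_query_name(ip) in FAKE_DNS


def fake_has_mx(domain):
    """Stand-in for an MX lookup on the e-mail domain."""
    return domain.lower() in FAKE_DNS


def email_status(email, has_mx):
    """'absent' (fine: the field is optional), 'fake', 'invalid' or 'ok'."""
    if not email:
        return "absent"
    if email.lower() in PLACEHOLDER_EMAILS:
        return "fake"
    m = EMAIL_RE.match(email)
    if not m or not has_mx(m.group(1)):
        return "invalid"
    return "ok"


def classify(comment, dnsbl_listed=fake_dnsbl_listed, has_mx=fake_has_mx):
    """Combine the signals; an empty e-mail never counts against the client."""
    reasons, score = [], 0
    ua = comment.user_agent.lower()
    if not ua or any(s in ua for s in SUSPECT_USER_AGENTS):
        reasons.append("user-agent")
        score += 2
    if dnsbl_listed(comment.ip):
        reasons.append("dnsbl")
        score += 2
    status = email_status(comment.email, has_mx)
    if status == "fake":            # a known placeholder address is rejected outright
        reasons.append("fake-email")
        score += 3
    elif status == "invalid":
        reasons.append("invalid-email")
        score += 1
    if score == 0:
        return Verdict("trusted", "accept", reasons)
    if score >= 3:
        return Verdict("spammer", "reject", reasons)
    return Verdict("untrusted", "captcha", reasons)   # e.g. a DNSBL hit alone


if __name__ == "__main__":
    for c in (Comment("198.51.100.7", "Mozilla/5.0", "reader@example.org"),
              Comment("192.0.2.10", "Mozilla/5.0"),
              Comment("198.51.100.8", "curl/7.19", "anonymous@the.net")):
        v = classify(c)
        print(c.ip, v.level, v.action, v.reasons)
```

A listed IP on its own lands in the middle tier and gets the captcha rather than a rejection, which is the compromise the post describes for anonymising networks; a fake placeholder address alone is enough to reject, matching the behaviour the author says he would want.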

I’m probably not going to work on this myself for now, but this is an idea if somebody wants to look at it.
