#1 2017-12-03 2:56 pm

postcd

Member

Registered: 2012-10-10

Posts: 13

Suggestion: blocklist that excludes "low toxicity"/low risk IPs

Hello,

does stopforumspam provide (or can this be considered as a new feature) blocklist of IPs that lists only IPs with lets say more than 2-3 incidents in last 90 days? I do not want to ban everyone just because he appears in the database for single spam report. I could have ended myself there, just because i posted helpfull link.

I know i can reduce risks by using 1day or 7 day blocklist (lists IPs that sent spam very recently) provided by firehol (moderators do not like links so i can not help with link), but banning based on number of incidents in time period would be much more accurate for me, so there would be handy if SFS provide more blacklists that would be refined that way.

I had to disable whole SFS blocklist because there was customer of mine who was blocked, i could leave a link to the evidence of his IP activity, but mods here do not like links). The IP looks quite innocent in my opinion and it is probably shared IP and in higher risk location, but it blocked the customer and i do not want this to happen again.

I know there is a "toxic" blocklist (can not be helpfull to give link to it, as i was almost reported to SFS database by mods in my previous thread just to give helpfull link).

As a side note, there are services who offer several kinds of blacklists, not only list restricted by time period (IPs doing SPAMming in last n days), but also according to number of abuses which is what i suggest to the SFS as it may allow users to fine tune blocking.

Last edited by postcd (2017-12-03 3:00 pm)

kpatz

Member

Registered: 2008-10-09

Posts: 1,437

Re: Suggestion: blocklist that excludes "low toxicity"/low risk IPs

If you use the API you can get a confidence score (0-100%) and use that to determine the "toxicity" of an IP, username or email.

But if you use the downloaded IP lists, there's no confidence score included in those.  Perhaps Ped could add it if there isn't one already?

---

Spam happens when greed meets stupidity.

Papa Parrot

Member

From: Mexico

Registered: 2011-08-19

Posts: 1,826

Website

Re: Suggestion: blocklist that excludes "low toxicity"/low risk IPs

I am not positive this is relevant or not, but any way,
https://www.stopforumspam.com/faq# Read the not all IP addreses are equal.

The software one uses to block people should be configured to block or not block a IP , if
you do not want to block that IP, you should be able to white list it, and not block it.
We give people access to the data base, but the decision to block or not block is done
on their end, not our end.
In other words if one wants their software to block or ban based on number of incidents in time period
then they should configure it to do that. We do NOT do the blocking, all we do is supply the information
on reported activity.

For example, I use ZBBLOCK on some of my sites, that I want to keep more private, however I ran into
a problem, one of the signatures used in ZBBLOCK was blocking my ISP, and not because of X number of listings, but because of badly written header used by my ISP,obviously I did not want to block or ban my own ISP, but also I did want to keep using  ZBBLOCK, so I contacted the author of zbblock, "zap", he explained to me
how to white list the ISP, problem solved.
I do not know anything about "firehol", maybe some body here does ?  It is more likely that the developer/author of "firehol" could explain how to control the software, so that you do not block any IP or ISP that you don't want to block, if there is not some way to whitelist who YOU block, I would start looking for a better , more flexible fire wall system / software.
I did look at the "firehol" support and website, it does look like a IP could be white listed:

If the keyword except is found, then all the parameters following it are rules to match packets that should excluded from the blacklist (i.e. they are a whitelist for this blacklist). See firehol-params(5) for more details.

Another quote:

Always have a whitelist too, containing the IP addresses or subnets you trust. Try to build the rules in such a way that if an IP ...---snip--

This is also a good strategy, given that bad ip list maintenance may block you out of your systems. The last resort could be to use iprange to filter out the whitelisted IPs from the ip feeds you use. To do this, create a text file with the IPs you want to whitelist and run: iprange blacklist --exclude-next whitelist > ...

The OP should contact them to get details on configuring this software, or maybe if anyone here is familiar with it , they can help.

---

Everything is for the Birds

And now, Papa Parrot and his kids

postcd

Member

Registered: 2012-10-10

Posts: 13

Re: Suggestion: blocklist that excludes "low toxicity"/low risk IPs

yes, i need blocklist, not API. I DL blocklist and load it into my server firewall, but i need good blocklist that is tuned as i mentioned on my initial post. Current blocklist blocks also innocent people and that is evil and prevents me from using it (as mentioned).

Papa Parrot

Member

From: Mexico

Registered: 2011-08-19

Posts: 1,826

Website

Re: Suggestion: blocklist that excludes "low toxicity"/low risk IPs

Well, if you download the IP list, and use it in your fire wall, the solution is simple,  use a editor
and edit it, remove the IP's you don't want to be blocking from it.
Most editors have a "find" option, you can use that to find the IP or any other detail you wish to remove.

That is basically what I had to do with Zbblock, when it was blocking my ISP, once I understood the process
it was simple , I just removed that line in the signature.inc file. 
Did you read the FAQ ?

People move. Mobile data connections and dynamic IP addresses are common. Blocking an IP address based on a single listing that is 10 months old isn’t a great idea.

Sure there are a lot of servers in datacenters posting onto forums and there really is no reason why any but a tiny fraction of these servers should be posting on your site. There are no mandated "do's" and "don’ts" for how you control access to your site but please consider us when implementing a system on your site that uses StopForumSpam data. We are small, we have limited resources and we operate completely on the good will of the community, we simply don’t have the resources of Twitter. If you operate a popular website accessed from around the world then blocking people based entirely on a single IP listing has a snowball effect on us, especially when you send them our way. We spend a huge amount of precious time addressing confused, angry and abusive people.

We do have one golden rule, one that we take very seriously; Do not use the API as a software firewall. If you query the API whenever you serve a page then you will very quickly find your IP address thrown into the firewall. There is a reason for this. If Google spiders your site, you start performing a denial of service attack querying if Google is a listed spammer. If Google spiders your site and 10,000 others all doing the same then you launch a distributed denial of service attack against us.

Especially:

Do not use the API as a software firewall.

Download the IP list, modify it to suit your needs. Simple.

It seems a lot of people misunderstand this, and using the term "block list" adds to the confusion, we provide data , the data includes IP's that have been used to spam , based on reports submitted.  We do not have a "block list" that blocks any one, or any IP, from other sites. The users of the data base decide which IP's they wish to block and which ones they do not want to block.  The users that use the data we provide as they see fit.
Download the IP list, use it as you wish, remove any IP's you do not wish to block.

postcd>> I had to disable whole SFS blocklist because there was customer of mine who was blocked, i could leave a link to the evidence of his IP activity, but mods here do not like links). The IP looks quite innocent in my opinion and it is probably shared IP and in higher risk location, but it blocked the customer and i do not want this to happen again.

We do not need a link to the evidence of the IP in question, how ever if your customer has a IP that is listed
in the data base, and wishes to request a removal, they can do that.
https://www.stopforumspam.com/removal
  Especially if it is a static IP, they might want to do that other wise they may find their selves blocked on other sites as well, if it is a dynamic IP , and shared, it wouldn't matter any way because they probably have a different IP almost every time they log in to your site. However if their e-mail address, and user name are also
listed, you should advise them to request a removal. They need to do this, not you or somebody else.
If they are using a ISP that also is being used by a high number of spammers and bots, they might want to
try to find a better ISP.
================================
  A last note, you keep bringing this up:

but mods here do not like links)

repeatedly,

provided by firehol (moderators do not like links so i can not help with link),

,
again no need for a link to "firehol", most of us know how to use the search engine, and find it
if we want to know more about that.
Yes you are correct we do not like it when people post links that are not necessary, and appear
to be promoting some web hosting sites, or something commercial, even more so when the 2 web hosting sites are known to be bad hosts, associated  with hosting lots of spammers. 
I  suppose it refers to this thread: https://www.stopforumspam.com/forum/vie … hp?id=8169
I do not understand why you keep bringing that up, it only serves to derail the topic at hand.
We do not have any problem when people post links , as long as they are within the forum guide lines, which are clearly explained when you register:

Forum rules
You must agree to the following in order to register
Do not sign up using a Hotmail, Outlook, AOL email address. They delete our forum signup emails.

Do NOT signup from an email that sends us a verification email back, we don't get them and will ignore ALL requests (SpamArrest etc)

Because this is the last place you would expect to find spam or commercial advertising as part of our members profile and posts, the following guidelines are in effect.

We will not permit signature links, website fields or usernames that contain:
• Linking to any form of pornography.
• Any "SEO" type forum or website.
• Any type of "hacking" website.
• Any website or forum that is commercial in nature (selling a product or service).

DO NOT REGISTER AN ACCOUNT USERNAME THAT REPRESENTS A DOMAIN

More details regarding the above here and your acceptance and subsequent registration indicates you have read, understood and will abide by these terms. Failure to comply with these policies will result in your account terminated and your data entered into the spam database.

If the flavour of your website is to sell or promote a product or service, is "SEO" in nature, includes hacking and related agenda, or is of "adult nature", DO NOT link to it unless otherwise previously requested to do so by a member of the SFS team for support reasons.

Posting links, backlinks, SEO or anything else dubious or illegal, in signatures or posts, will result in your account being banned and your details entered into the database. If in doubt, just don't do it. Harsh? Perhaps but this is the last forum in the world that will tolerate forum spam

With that said, if we feel we need a link to some site, or the evidence on some data, IP etc. We will ask you to post a link to it. There is no need to repeatedly say :

but mods here do not like links)

Every time you think a link should be posted.
   With members that have been members for a long time, we do not quickly and with out thinking , ban or submit them to the data base, however we do remove the link , if we feel it is not appropriate.

---

Everything is for the Birds

And now, Papa Parrot and his kids

pedigree

uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı

From: New Zealand

Registered: 2008-04-16

Posts: 7,056

Re: Suggestion: blocklist that excludes "low toxicity"/low risk IPs

There is an API option &expire=age that will ignore results older than "age" days.  The way that the API dataset is loaded into memory just records that lastseen date and the number of listings, so it's not able to get a "x records in y days" result, only a "all results with y days of age"

https://www.stopforumspam.com/usage