where the wild (spammy) things are

Wordfence automatically blocks IP addresses that repeatedly attempt to brute-force logins on UCalgaryBlogs. After a few attempts, they aren’t able to try again for a few minutes (in case it’s a legitimate person trying to log in, it doesn’t banish them entirely right away). If they knock it off, the ban gets lifted. If they keep hammering, the ban gets escalated, eventually putting them in a permanent penalty box (identified by their IP address – not perfect, but it’s all we have).
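The escalation described above, sketched as an added example (not Wordfence's code and not part of the original post). The thresholds, lockout durations and the names `LoginThrottle` and `record_failure` are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

PERMANENT = float("inf")

@dataclass
class IPState:
    failures: list = field(default_factory=list)  # timestamps of recent failed logins
    strikes: int = 0             # lockouts earned so far
    blocked_until: float = 0.0   # epoch seconds; PERMANENT = never lifted
    last_seen: float = 0.0

class LoginThrottle:
    # All thresholds are assumed values for illustration, not Wordfence's settings.
    def __init__(self, max_failures=5, window=300, base_lockout=300,
                 max_strikes=4, cooldown=86400):
        self.max_failures, self.window = max_failures, window
        self.base_lockout, self.max_strikes = base_lockout, max_strikes
        self.cooldown = cooldown
        self.ips = {}

    def is_blocked(self, ip, now):
        st = self.ips.get(ip)
        return st is not None and now < st.blocked_until

    def record_failure(self, ip, now):
        """Count a failed (or blocked) login attempt; return seconds of block remaining."""
        st = self.ips.setdefault(ip, IPState())
        # An IP that stayed quiet for the cooldown period gets its strikes forgiven.
        if st.strikes and st.blocked_until != PERMANENT and now - st.last_seen > self.cooldown:
            st.strikes = 0
        st.last_seen = now
        st.failures = [t for t in st.failures if now - t < self.window] + [now]
        if len(st.failures) >= self.max_failures:
            # Threshold hit (again): each strike doubles the lockout, the last is permanent.
            st.strikes += 1
            st.failures.clear()
            if st.strikes >= self.max_strikes:
                st.blocked_until = PERMANENT
            else:
                st.blocked_until = now + self.base_lockout * 2 ** (st.strikes - 1)
        return max(0.0, st.blocked_until - now)

if __name__ == "__main__":
    throttle = LoginThrottle()
    bot = "203.0.113.7"  # constructed sample address (documentation range)
    for second in range(0, 200, 10):  # 20 attempts, one every 10 seconds
        remaining = throttle.record_failure(bot, second)
    print(bot, "permanent" if remaining == PERMANENT else remaining)
```

Attempts made while an address is already blocked still count toward the next strike, which is what turns continued hammering into a longer ban.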

[Image: Wordfence countries report. Blocked logins by country, August 8-22, 2016]

I was half tempted to just drop the ban-hammer on the entire country of Russia, but we have students there (and I wouldn’t want to anger Putin or his tiny-handed American mouthpiece). The US? Buffalo appears to be one of the biggest sources of spam bots – colocated servers (compromised? rented by spammers?) are a big chunk of the attacks we get.

3 thoughts on “where the wild (spammy) things are”

  1. Very cool! Can it handle any proxied (if headers are forwarded) IPs or look for things like empty referrers or browser types and match certain ones (or ignore empties)?

    Love the comment on the tiny-handed man! That was an 8:30am laugh 🙂

    Russia, what the heck guys?!

    1. I’m not sure how (if) they handle IP spoofing or forwarding, but I’d be surprised if that wasn’t accounted for. Their website lists only vague details of how the system works to identify “threats” – that makes me a little nervous, but it also seems to work quite well, so…
