Is it wise to block IPs of whole countries??

Discussion in 'Site & Server Administration' started by enikram, Feb 27, 2015.

  1. #1
    Well,
    I get a lot of spam from folks in India offering their SEO and other crap (99% of them don't know a thing about SEO). This particular website only deals with people in North America, so in theory I can block ALL other countries except 2-3 in N.A.

    Since there's no email address on the site, they are using the Contact 7 and as much as I tried to create a good spam list, those scammers find a way not to use the phrases and still get their email in.

    Wordfence plugin that I have has a feature to block IPs of countries and I am thinking about using it. Perhaps that would block those people from accessing the site.

    Is there any reason not to do it? It will have 0 impact on the business if I do implement it.
     
    enikram, Feb 27, 2015 IP
  2. PDD

    #2
    Why not implement a captcha or something similar instead? If you think that would reduce value for your NA traffic then yeah just block them in my opinion
     
    PDD, Feb 28, 2015 IP
  3. enikram

    #3
    Captcha is a big no-no for contact pages. Nobody likes to waste time and it's a sure way to lose clients. It is only ok to use it for comments.
     
    enikram, Mar 7, 2015 IP
  4. PDD

    #4
    There's that one "captcha" that allows people to just click a box. It's not intrusive at all.
     
    PDD, Mar 7, 2015 IP
  5. deathshadow

    #5
    I have NO problem with the concept of blocking non-English-speaking countries from server access to English language sites -- the risks of losing the handful of potential legitimate users rarely outweigh the dangers of letting folks from certain hives of scum and villainy in the door. Nigeria much?

    BUT -- I would advise that you do a reverse DNS check on IP addresses before wholesale banning ranges. If the IP address has a domain name assigned to it, go ahead and block it. If the address range is obviously assigned to a data center, go ahead and block the whole range as there should be no legitimate user traffic from such a place. (excepting perhaps proxies, and even then...)

    If the address is coming from a normal ISP assigned to a home or small business, THEN I'd be leery of banning it or its range. Investigation of where things are REALLY coming from can go a long ways.

    Likewise, you might want to look into whitelist/blacklisting support from things like StopForumSpam.org. A bit complex to implement if not adding it to one of their supported forums, but usually well worth it. Sure there are false positives but that's true of anything.

    As to captchas -- most times they aren't needed if you have something like SpamAssassin running in the background and have a decent method in place for making re-use of the same form invalid and/or just simple sessions for forms. All my contact forms just run back-end through sendmail anyways, so SA will usually axe the obvious spam and mark the questionable mails. Obvious spam is obvious.

    Another approach to consider is implementing session with hash validation -- you would be SHOCKED how many spambots will fall flat on their face if all you do is store a random hash and an expiration time in a session, send that hash client-side inside the form as a hidden field, then verify it and expire it on submit server-side. A LOT of spambots do not actually do a new request for each submit and will instead try to copy the form values 1:1... or they fail to preserve cookies invalidating the form because they aren't a "real browser". It's something simple they COULD implement but rarely do.

    Sometimes all you need is a good e-mail address checker as well... does the domain they are trying to send a mail from actually have a MX or A record? You would THINK spam would use a real return address, but usually it's fictional BS and they want you to click on a link in the document instead.

    function isValidEmail($address) {
    	if (filter_var($address,FILTER_VALIDATE_EMAIL)==FALSE) {
    		return false;
    	}
    	/* explode out local and domain */
    	list($local,$domain)=explode('@',$address);
    	
    	$localLength=strlen($local);
    	$domainLength=strlen($domain);
    	
    	return (
    		/* check for proper lengths */
    		($localLength>0 && $localLength<65) &&
    		($domainLength>3 && $domainLength<256) &&
    		(
    			checkdnsrr($domain,'MX') ||
    			checkdnsrr($domain,'A')
    		)
    	);
    }
    Far more complete than the typical (easily bypassed) client side checks, and those two reverse DNS lookup checks reject fake domains.

    One big thing, do NOT rely on client side checks for ANYTHING -- they should be a user convenience but have NOTHING to do with actually validating a blasted thing. ALWAYS recheck things server-side since a spambot isn't going to care what your scripttardery is trying to do.

    ... which provides yet another easy way to reject spam mails or at least filter them somewhat -- reject them if they try to send HTML in their text, and send / store the messages as TEXT, NOT markup. Again something simple that makes a LOT of spam go tits-up face-down.
     
    Last edited: Mar 13, 2015
    deathshadow, Mar 13, 2015 IP
  6. WSWD

    #6
    Absolutely do it! I'm all for it as well. However, a lot of times, these folks are not using IPs/servers in their countries, or the IPs' locations show something different.

    It's a good start though.
     
    WSWD, Mar 13, 2015 IP
  7. enikram

    #7
    I've been testing a website by blocking India and Pakistan... I haven't had a single spam email in 2 weeks asking if I want site redesign, SEO or marketing. Seems like it is working. In the past I was receiving up to 5 of such emails per single day!

    I am also blocking about 50 countries from the backend (e.g. wp-admin). That helped with those trying to hack the wp username. Major offenders for the back end are: India, China, Russia, Brazil, Turkey, Indonesia, Vietnam. All of these countries are among the "top 10 countries where spam comes from" according to many sources online.
     
    enikram, Mar 16, 2015 IP
  8. Jeffr2014

    #8
    @enikram, could you please share your list of 50 countries here? Many of us here are in the same situation... Thanks in advance.
     
    Jeffr2014, Mar 29, 2015 IP
  9. [ET]Alexander

    #9
    I personally find it to be bad business practice to block entire countries from accessing websites on your servers. From a hosting provider's standpoint, what if one of my customers is from another country and living in North America, and the website that they published is intended for friends, family and people from their home country? The only time I believe that a country should be restricted would be if said country is under sanction by the UN or if the country as a whole is a threat (such as North Korea). For all you know, by restricting any given country, you could be losing out on a legitimate source of income.
     
    [ET]Alexander, Mar 29, 2015 IP
    rsrikanth05 likes this.
  10. sachinsud

    #10
    Blocking a whole country means lots of IPs would be added to the block list.
    This process will make your site a little slow. In case of heavy users it creates wait time on the server, which can cause noticeable lag for the server.
     
    sachinsud, Mar 30, 2015 IP
  11. deathshadow

    #11
    Usually if you do it at the IPTables level it's not enough delay to cause problems -- at least not compared to the negative impact the traffic from these third world shit-holes of outright sleazeball scumbags have if you are running something like a forums.

    The extra delay on every initial handshake request is offset by the rest of the request being ignored, not even sending content to them, and rejecting their spam-tard asshattery. At WORST it's a wash, but you're keeping the dirtbags at bay. Best case it saves you resources by pretty much giving them all the finger.

    ... and often the results speak for themselves -- you go and start wholesale banning the "hives of scum and villainy" (once you double check that the IPs you are banning are data centers and not actual home ISPs -- I do REALLY recommend checking that using RDNS first) the spam levels drop from flooding an ocean to a slow drip.

    If that blocks a few legitimate users in these cesspits of humanity they have the cojónes to call countries, maybe the legitimate users in said countries should try to get their governments to do a better job of policing their own? Most of the places I ban are so filled with sleazy shits (India, Pakistan, Nigeria, Russia) I really can't feel too bad about flipping off said nations wholesale.
     
    deathshadow, Mar 30, 2015 IP
    Jeffr2014 likes this.
  12. Jeffr2014

    #12
    For my main site I cannot effectively block these using WordFence (WP blog is installed in a subfolder and most attacks just go for main website page which is static), but I can do it using .htaccess country blocking.
    @deathshadow, I have to add Ukraine and China to your list, I get a lot of attacks from there (according to WordFence reports). India still takes the 1st spot at over 50%, looks like hacking is a new national sport there... Speaking of India though, I am still undecided about blocking it, there are a lot of educated English speaking people there and I get meaningful traffic to many of my blogs from India - when I say "meaningful", it is WRT the number of pages per visit and average time on site metrics.

    Here are some useful links:
    How to block countries with .htaccess: http://www.webhostinghub.com/help/learn/website/general-server-setup/block-country-range
    IP blocks by country: http://www.nirsoft.net/countryip/index.html

    Though, I am wondering what would be a performance penalty of adding a couple of hundred lines of "deny from" to .htaccess...?
     
    Jeffr2014, Mar 30, 2015 IP
  13. deathshadow

    #13
    See to me, that's letting them WAY too far into the server as it's allowing them to talk to Apache, or nginx or whatever server software you are running. "Wordfence" is a JOKE as then you have PHP trying to handle it, and even .htaccess introduces lag and overhead for no reason.

    It's why I prefer to do this at the command line using IPTABLES.

    iptables -A INPUT -s 192.168.1.100 -j DROP

    Replacing the desired IP address as appropriate. You can also nab an entire range of addresses thus:

    iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

    The advantage of doing it there is it doesn't just block them at the HTTP level, it also blocks SMTP, FTP, SSH, Telnet and any other protocol they might be trying to bang down the door using. Dicking around with it AFTER the request is being handled by Apache? More overhead (what @sachinsud was worried about) and simply letting the places you are applying a DELTA policy to get far too deep into the server.

    If you're going to block them, make it so their requests to the server aren't even acknowledged at the TRUE firewall level. Otherwise, why bother? DELTA -- Don't Even Let Them Aboard. Don't even let them get as far as talking to server processes!

    Admittedly if you are on some crappy shared or managed hosting you might not be able to do that, but when a decent unmetered VPS can be had for $10 or less a month why would ANYONE be screwing around with shared hosting at this point? It's 2015, if your hosting doesn't give you shell access it's probably time to move to better hosting.
     
    deathshadow, Mar 30, 2015 IP
    Jeffr2014 likes this.
  14. Jeffr2014

    #14
    Thanks @deathshadow , this is very helpful. I will check more on how to use iptables and try to block a few spam countries (will put all these IP ranges in bash script) - I am on a VPS, so should be alright with this approach.
     
    Jeffr2014, Mar 30, 2015 IP
  15. deathshadow

    #15
    One nice thing about IPTABLES is anything you drop is persistent -- so you don't have to do it every boot.

    On Debian it does this automatically, on Red Hat Legacy *nix flavors like CentOS, you have to tell iptables to save.

    service iptables save
    Though having a script to make sure they are added is handy when/if you move between hosts. You can also pull a list of current addresses and their status in IPTABLES using:
    iptables -L -n -v
     
    deathshadow, Mar 30, 2015 IP
  16. Version 7

    #16
    I've been blocking ip by country on my Linux server with iptables for a couple years now and it's worked out great, but it should only be used for certain services; and http isn't one of them. smtp, imap, pop, ftp and ssh; these are all good candidates for country wide firewall rules.

    The trick to limiting the number of rules in your firewall is to block by /16 subnets. The parser only has to scan a class B network to match the rule instead of 10 times that number when using class C rules. Very rarely will a U.S. ip and foreign ip match within the same class B network. Choose a reliable ip whois server to verify the ip's location - I use cqcounter dot com. You'll then want to verify that the ip you want to block is not from the U.S. - I use countryipblocks dot net for that - look for the "access control lists" link at the top.

    I currently (5/16/2016) have only 282 /16 subnets blocked (see attached file) and that has eliminated about 99% of the spam, as well as the pop, imap and ftp probes.

    http has just too many connections going on for a firewall to handle efficiently, so other means to secure it must be used - server level (modsecurity), cloudflare helps and a few others - but this is a whole other subject on its own...
     


    Version 7, May 16, 2016 IP
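
The /16 approach from post #16, as an added example that is not Version 7's script or attached list: it collapses offending source IPs into /16 prefixes, skips allowlisted prefixes, and prints (does not run) DROP rules limited to the ftp, ssh, smtp, pop3 and imap ports. The sample IPs, the allowlist and the hit threshold are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example (dry run): prints iptables commands, never executes them.

# Constructed sample: offending source IPs as pulled from mail/ftp/ssh logs.
# Private 10.x addresses stand in for real ones.
SAMPLE_IPS='10.20.1.5
10.20.7.9
10.20.200.14
10.31.4.2
10.31.4.77
10.45.9.1
not-an-ip
10.99.3.3
10.99.8.8'

# Hypothetical allowlist: /16 prefixes verified as home-country ranges.
ALLOW_16='10.99'
# Ports of the services named in the post: ftp, ssh, smtp, pop3, imap.
PORTS='21,22,25,110,143'

# to_slash16 MIN: read IPs on stdin, print "hits prefix" for every /16 seen
# at least MIN times; malformed lines and allowlisted prefixes are skipped.
to_slash16() {
    awk -F. -v min="$1" -v allow="$ALLOW_16" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 4 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
            p = $1 "." $2
            if (!(p in ok)) hits[p]++
        }
        END { for (p in hits) if (hits[p] >= min) print hits[p], p }
    ' | sort -k2,2
}

# gen_rules MIN: one DROP rule per surviving /16, limited to $PORTS so
# HTTP traffic is left for other controls.
gen_rules() {
    to_slash16 "$1" | while read -r hits prefix; do
        echo "iptables -A INPUT -s ${prefix}.0.0/16 -p tcp -m multiport --dports ${PORTS} -j DROP  # ${hits} hits"
    done
}

# Run the generator over the constructed sample (default threshold: 2 hits).
gen_rules_sample() { printf '%s\n' "$SAMPLE_IPS" | gen_rules "${1:-2}"; }

gen_rules_sample 2
```

Review the printed rules against the allowlist before piping them to a root shell; a threshold above 1 keeps a single stray hit from blocking 65,536 addresses.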
  17. Puntocom81

    #17
    I use spamd (https://en.wikipedia.org/wiki/Spamd) featuring greylisting and I get 1 spam every month or two even publishing my mail address in plain text.
     
    Puntocom81, May 17, 2016 IP
  18. TRUE Media Partner

    #18
    You can hide the contact form from Indian visitors (like cloaking). It's not necessary to hide the whole site.
     
    TRUE Media Partner, May 17, 2016 IP