Spam BLIP is a plugin for WordPress that checks the IP addresses of (potential) comment submissions against DNS-based lists of addresses associated with weblog spam.

What’s it do?

 


Spam BLIP is based on DNSBL lookups. DNSBL is ‘DNS Blackhole List.’ Wikipedia has a detailed article on DNSBL. Briefly, a DNS name lookup is used to query a database about an IP address by encoding the address as a host+subdomain with the domain of the database. There are hundreds of DNSBL services. Most of these are meant specifically for email spam. Email spam was the original application of DNSBL, but since weblog spamming has become a big problem too there are some DNSBL domains specifically intended for weblogs.
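The lookup encoding described above, as an added Python example (not Spam BLIP's own code, which is a WordPress plugin). The zone `dnsbl.example`, the sample records and the function names are constructed for illustration; the reversed-label encoding and the 127.0.0.0/8 answer convention follow RFC 5782.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Encode an address as labels under the list's domain (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                  # octets, reversed
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")

def system_resolve(name):
    """A-record lookup via the OS resolver; any failure yields no answers."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN and timeouts both land here (fails open)
        return []

def check(ip, zone, resolve=system_resolve):
    name = dnsbl_query_name(ip, zone)
    # Only 127.0.0.0/8 answers mean "listed"; other addresses usually come
    # from a wildcard or rewriting resolver and must not count as a hit.
    codes = [a for a in resolve(name) if ipaddress.ip_address(a) in LOOPBACK]
    return {"query": name, "listed": bool(codes), "codes": codes}

# Constructed sample zone data standing in for a real list (not real listings).
SAMPLE_ZONE = {
    "99.2.0.192.dnsbl.example": ["127.0.0.2"],       # listed
    "7.100.51.198.dnsbl.example": ["203.0.113.10"],  # bogus non-loopback answer
}

def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7", "192.0.2.1"):
        print(check(ip, "dnsbl.example", sample_resolve))
```

Because `system_resolve` cannot tell a timeout from "not listed", an unreachable list lets every comment through; that is the usual choice for a comment filter, but it is worth logging.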

That’s it?

No, there’s more. A small table is added to the WordPress database. Only a limited number of records are kept so that accessing the table will remain fast. IP addresses that have been found in a DNSBL are added to the table, and it’s checked before doing a DNS lookup, so that the DNS lookups aren’t done repeatedly for persistent spammers. There is a settings page where the number of IP address records kept, and how long they are kept, can be configured. The settings page also provides blacklist and whitelist entry fields for addresses that should never, or always, be allowed. Of course, the settings page also provides the means to set the DNSBL domains that will be used — and something of a ‘micro language’ for interpreting lookup results, but you will probably be fine with the default interpretation, so you don’t need to figure out how to use this feature. The settings page has inline documentation.
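The order of checks described above (whitelist and blacklist, then the table of known hits, then DNS), with the table trimmed by TTL and maximum record count, as an added Python example that is not the plugin's code. The schema, the names `HitCache` and `decide`, the use of SQLite in place of the WordPress database, and whitelist taking precedence over blacklist are all assumptions made for illustration.

```python
import ipaddress
import sqlite3

class HitCache:
    """Small table of addresses already found in a DNSBL (hypothetical schema)."""
    def __init__(self, ttl, max_records):
        self.ttl, self.max_records = ttl, max_records
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE hits (ip TEXT PRIMARY KEY, seen REAL)")

    def trim(self, now):
        # Drop expired rows, then keep only the newest max_records rows.
        self.db.execute("DELETE FROM hits WHERE seen < ?", (now - self.ttl,))
        self.db.execute(
            "DELETE FROM hits WHERE ip NOT IN "
            "(SELECT ip FROM hits ORDER BY seen DESC LIMIT ?)",
            (self.max_records,))

    def has(self, ip, now):
        row = self.db.execute(
            "SELECT seen FROM hits WHERE ip = ?", (ip,)).fetchone()
        return row is not None and now - row[0] <= self.ttl

    def add(self, ip, now):
        self.db.execute("INSERT OR REPLACE INTO hits VALUES (?, ?)", (ip, now))
        self.trim(now)

def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def decide(ip, now, cache, lookup, whitelist=(), blacklist=()):
    """Return (verdict, reason); lookup(ip) -> bool stands for the DNSBL query."""
    if in_any(ip, whitelist):
        return ("allow", "whitelist")
    if in_any(ip, blacklist):
        return ("deny", "blacklist")
    if cache.has(ip, now):
        return ("deny", "cache")  # known spammer: no DNS round trip
    if lookup(ip):
        cache.add(ip, now)
        return ("deny", "dnsbl")
    return ("allow", "not listed")

if __name__ == "__main__":
    cache = HitCache(ttl=3600, max_records=100)
    listed = lambda ip: ip == "203.0.113.5"  # constructed stand-in for DNS
    for t in (0, 60, 7200):
        print(t, decide("203.0.113.5", t, cache, listed))
```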

Operation

The database table is regularly trimmed down according to TTL (Time To Live) and maximum records options. The reason the database table can remain small is that it is not intended to be precious data with permanent or long-term storage; it is an expedient to reduce the number of DNS lookups needed (and it does that well). The same IP address typically tries to spam again and again, three, ten, twenty times over a span of a few days, or a week or two. You may imagine how storage of such a spamming address in a very quick database table reduces the time waiting for DNS lookups (the time of which varies widely).

Spam BLIP may be used in combination with Akismet, the content analysis solution that is included with WordPress. In this arrangement, Spam BLIP is like a pre-filter: Akismet will only operate on those comments that Spam BLIP has passed. This combined use compensates for downsides of each approach to spam filtering. DNSBL will usually let more spam pass because it is only as effective as the lists it uses are complete. Content analysis at a remote site requires increased network use, and possibly more CPU use. So, Spam BLIP as a first stage will reduce the resources used by Akismet, and Akismet will catch some Spam BLIP misses (because it is very good).

There is an important caveat to DNSBL use (Spam BLIP or otherwise). Because it works on IP addresses without knowing the content, there can be false positives. The problem is that a welcome, legitimate blog visitor might be assigned an IP address from their ISP that had been added to a list because the honest ISP had been abused by a spammer that had received the same address. That problem was greater in dialup days when ISP customers would probably get a different address with every dial-in. More recently, non-spamming people who keep a broadband modem on all the time are less likely to have an address that lingers in a DNSBL, but it can still be a problem. (Spam BLIP allows whitelisting of addresses and address ranges, but that’s not a real solution.) Please consider this before using Spam BLIP.

2 thoughts on “Spam BLIP”

    1. Interesting.

      You must have been attempting to comment from an IP address that had been added to one of the DNSBL lists in use by Spam BLIP. There are several possibilities. You might have been ‘roaming’ with any available IP address. An IP subnet of your regular ISP might have been placed in DNSBL for some period. Your comment here got through, and I see the IP belongs to a large provider — spammers often abuse such networks with the result that subnet ranges will sometimes be listed for a while. Also, Spam BLIP settings allow you to edit DNSBL lookup domains. Did you add any? There are some that work the same way as a DNSBL domain, but which should not be used — for example, some list all ISP-owned public IP addresses. Those are obviously not suitable. Some are meant as DNSBL domains, but are too strict for practical use.

      If you know the IP address, or subnetwork, you wish to place comments from, then you can add these to the Spam BLIP whitelist. When you log in to WordPress, choose the Settings item from the vertical menu on the left, and choose the Spam BLIP Plugin child-item. That loads a settings page. There is information under the Help tab at the top right, and the sections of the page each have introductory text. IAC, scroll down and find the Advanced Options section, and under that the Active User Whitelist text entry field. In that add any addresses or networks that you would like to permit even if found in a block-list.
