[ also posted to comp.lang.perl.modules and comp.lang.perl.misc ]

I have uploaded HTTP::ProxyTest to CPAN. From README:

Robots that send comment spam are often hidden behind anonymous open proxy servers. You can use HTTP::ProxyTest to look for open proxies on-the-fly and prevent such spam robots from submitting their crap. The module is particularly useful if you don't want to bother your web site visitors with CAPTCHAs etc.
HTTP::ProxyTest tests certain ports of REMOTE_ADDR that are often used for anonymous open proxies, and denies access if an open proxy is found, i.e. it responds with status "403 Forbidden" and exits.

I have been using that approach to fighting comment spam for more than a year, and it has proved to work well.

Your comments on both the usefulness of HTTP::ProxyTest and the code would be very welcome. Since the module source is conveniently available at CPAN, I did not post it here.

Re: RFC: CPAN module for blocking open proxy requests
by ahmad (Hermit) on Jul 14, 2010 at 22:25 UTC

    Looks good, but nmap might bring some headache from some datacenters (Port scanning).

    The only change I would suggest is adding an option to modify the error printed by "caught" sub.

    From your experience, how fast is that lookup?

      If some serious computer admin would notice and check it out, let's hope that s/he sees that the following HTTP requests are made from HTTP::ProxyTest, and concludes that it's for a good purpose. Nobody has complained to me so far, btw. ;-)

      I like your suggestion. Will write a simple template for next release.

      Normally a lookup takes somewhere between 5 - 20 seconds, and I believe that the average is at the lower side of that interval. However, some hosts have filtered all the ports, and in those cases it may take more than 30 seconds. Also, a 'clean' host will not be tested more often than once a week.

      Thanks for taking the time to check out the module and post your comments.

        Despite your good intentions and noble goals, I hold that there is no valid reason for a web server to try to make unsolicited connections to my system. A port scan detector I sometimes run on my network would automatically start dropping packets from your host and notify me and your ISP's IP range abuse admin of the attack. It has to be manually overridden not to take those actions for a particular host or network range.

        You may want to announce somewhere near your comment entry box that you'll be using this type of countermeasure so people don't think you're the one stirring up trouble. In most instances, I don't think people look any more kindly on port scanning of their systems than they do on spam. If you make it clear what's going on and why, you're likely to get more support for it.

        I know I'm always happy to allow anti-cheating tests during games and such if I know what they are going to do and why. By agreeing to use a service which I know will be port scanning my systems, I would be agreeing to the scan. That's a much better scenario than you just scanning my network without telling me.

        How do you deal with multiple people in the same community who share a pool of short-lived DHCP leases if you only check once per week?
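
The check the README describes, combined with the weekly re-test mentioned in the replies, as an added Perl example that is not HTTP::ProxyTest's code and not part of any post above. It uses LWP::UserAgent to ask each candidate port to relay a request for a canary page you control and caches the verdict per IP; the port list, canary URL and token, TTL, user-agent string and all function names are assumptions.

```perl
use strict;
use warnings;
use LWP::UserAgent;

# Assumed values, not taken from HTTP::ProxyTest.
my @PORTS  = (80, 3128, 8080);                      # ports commonly used by proxies
my $CANARY = 'http://www.example.com/canary.txt';   # placeholder: a page you control
my $TOKEN  = 'proxytest-canary';                    # text that page returns
my $TTL    = 7 * 24 * 3600;                         # re-test an address after a week
my %cache;   # ip => [verdict, checked_at]; in-memory only, a CGI needs persistent storage

# True if $ip:$port relays our HTTP request, i.e. behaves as an open proxy.
sub relays_request {
    my ($ip, $port) = @_;
    my $ua = LWP::UserAgent->new(timeout => 5, agent => 'open-proxy-check/0.1');
    $ua->proxy('http', "http://$ip:$port/");
    my $res = $ua->get($CANARY);
    return $res->is_success && index($res->decoded_content // '', $TOKEN) >= 0;
}

# Cached verdict for $ip at time $now; $probe is injectable for offline testing.
sub is_open_proxy {
    my ($ip, $now, $probe) = @_;
    $probe ||= \&relays_request;
    my $hit = $cache{$ip};
    return $hit->[0] if $hit && $now - $hit->[1] < $TTL;
    my $open = 0;
    for my $port (@PORTS) {
        if ($probe->($ip, $port)) { $open = 1; last }
    }
    $cache{$ip} = [$open, $now];   # the verdict follows the address, not the person
    return $open;
}

# CGI gate: call before accepting a comment submission.
sub gate {
    my $ip = $ENV{REMOTE_ADDR};
    return unless defined $ip && $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;   # IPv4 only here
    return unless is_open_proxy($ip, time);
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n",
          "Requests through open proxies are not accepted.\n";
    exit;
}

# Offline demo: stub probe and a constructed address from documentation space.
unless (caller) {
    my $probes = 0;
    my $stub = sub { $probes++; $_[1] == 8080 };
    my @verdicts = map { is_open_proxy('192.0.2.10', $_, $stub) } 0, 3600, $TTL + 1;
    print "verdicts=@verdicts probe_calls=$probes\n";
}
```

Because the cache is keyed on the address alone, a verdict stays attached to an IP for the whole TTL even if the DHCP lease moves to another machine, so the TTL is the knob that trades probe volume against stale verdicts.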