Looking at lib/spam_protection.rb: scan_uri, which is called when a trackback is added, only checks against the RBL database.
So I’ve added the following to scan_uri:
    # Pattern scanning
    BlacklistPattern.find_all.each do |pattern|
      logger.info("[SP] Scanning domain for #{pattern.class} #{pattern.pattern}")
      if pattern.kind_of?(RegexPattern)
        # Regex patterns are applied to the domain as-is
        throw :hit, "Regex #{pattern.pattern} matched on host" if domain.join('.').match(/#{pattern.pattern}/)
      else
        # String patterns are escaped and matched on word boundaries
        throw :hit, "String #{pattern.pattern} matched on host" if domain.join('.').match(/\b#{Regexp.quote(pattern.pattern)}\b/)
      end
    end
Ultimately, this code should be factored out and called from scan_text and scan_uri.
So here’s the full version:
    def scan_uri(host)
      # IP addresses go to the IP scanner instead
      return scan_ip(host) if host =~ Format::IP_ADDRESS

      host_parts = host.split('.').reverse
      domain = Array.new

      # Check for two level TLD
      (SECOND_LEVEL.include?(host_parts[1]) ? 3 : 2).times do
        domain.unshift(host_parts.shift)
      end

      # Pattern scanning
      BlacklistPattern.find_all.each do |pattern|
        logger.info("[SP] Scanning domain for #{pattern.class} #{pattern.pattern}")
        if pattern.kind_of?(RegexPattern)
          throw :hit, "Regex #{pattern.pattern} matched on host" if domain.join('.').match(/#{pattern.pattern}/)
        else
          throw :hit, "String #{pattern.pattern} matched on host" if domain.join('.').match(/\b#{Regexp.quote(pattern.pattern)}\b/)
        end
      end

      # Fall through to the RBL lookup
      logger.info("[SP] Scanning domain #{domain.join('.')}")
      query_rbls(HOST_RBLS, host, domain.join('.'))
    end
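The factoring-out mentioned above could look like the following. This is an added example, not code from this post or from Typo: the pattern classes are Struct stand-ins, SECOND_LEVEL and SAMPLE_PATTERNS are constructed, and registered_domain, blacklist_hit and scan_host are hypothetical names. It returns the hit message instead of calling throw :hit, and it skips a stored regex that does not compile instead of raising.

```ruby
# Added example, not Typo's code. Struct stand-ins for the BlacklistPattern models.
StringPattern = Struct.new(:pattern)
RegexPattern  = Struct.new(:pattern)

# Assumed subset; the post does not show Typo's SECOND_LEVEL list.
SECOND_LEVEL = %w[co com org net ac].freeze

# Constructed sample blacklist; "(" is a deliberately invalid stored regex.
SAMPLE_PATTERNS = [
  StringPattern.new('casino-example'),
  RegexPattern.new('('),
  RegexPattern.new('pills\d+')
].freeze

# Reduce a host to the domain scan_uri works on: the last 3 labels when the
# second-to-last label is a second-level one, otherwise the last 2.
# Hosts with fewer labels are returned whole.
def registered_domain(host)
  parts = host.split('.')
  keep = SECOND_LEVEL.include?(parts[-2]) ? 3 : 2
  parts.last(keep).join('.')
end

# Shared matcher for scan_text and scan_uri.
# Returns the message for the first matching pattern, or nil when none match.
def blacklist_hit(text, patterns)
  patterns.each do |p|
    if p.is_a?(RegexPattern)
      begin
        re = Regexp.new(p.pattern)
      rescue RegexpError
        next # a broken blacklist entry must not abort the scan
      end
      return "Regex #{p.pattern} matched" if text =~ re
    elsif text =~ /\b#{Regexp.quote(p.pattern)}\b/
      # String patterns are escaped and must sit on word boundaries
      return "String #{p.pattern} matched"
    end
  end
  nil
end

# Host variant: match against the registered domain only, as scan_uri does.
def scan_host(host, patterns)
  blacklist_hit(registered_domain(host), patterns)
end
```

In scan_uri the caller would turn a non-nil result into throw :hit before falling through to query_rbls.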
I’ll run this for a few days, and if it works, I will add a patch to the Typo Trac database.
So far, with the right pattern in the blacklist, it has been able to fend off one attack. So far, so good :)
    [SP] Scanning for StringPattern HIDDEN
    [SP] Scanning for StringPattern HIDDEN
    [SP] Scanning IP 193.219.28.245
    [SP] Scanning domain for StringPattern HIDDEN
    [SP] Hit: String HIDDENmatched on host
I’ve replaced the pattern with HIDDEN so as not to give this guy more publicity than he deserves.