mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

It appears to work well, I tested it out by loading it up with small scale DoS attacks. It blocked the offending addresses as expected and produced the relevant syslog entires & triggered my external reporting script. I was however a little disappointed with its script execution functionality, it basically did a "system" call allowing you to pass only one argument - the offending IP address.

I already have mod_security installed which also executes an external reporting script. However mod_security has a neat little feature which I took for granted, it passes all the 'environment' variables from the request to the script allowing you to see the request itself & any headers passed.

For example, a typical mod_security email alert for me would contain:

DOCUMENT_ROOT=/usr/local/apache/vhosts/www.domain.com
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=*/*
HTTP_ACCEPT_ENCODING=gzip, x-gzip
HTTP_CONNECTION=close
HTTP_HOST=www.domain.com
HTTP_MOD_SECURITY_ACTION=500
HTTP_MOD_SECURITY_EXECUTED=/usr/local/scripts/modsec_alert.pl
HTTP_MOD_SECURITY_MESSAGE=Access denied with code 500. Error normalizing REQUEST_URI: Invalid URL encoding detected: not enough characters
HTTP_USER_AGENT=Mozilla/4.0
PATH=/bin:/sbin...
PATH_INFO=/search.cgi
PATH_TRANSLATED=/usr/local/scripts/modsec_alert.pl
QUERY_STRING=q='object+levels%
REDIRECT_STATUS=302
REMOTE_ADDR=XXX.XXX.XXX.XXX
REMOTE_PORT=45852
REQUEST_METHOD=GET
REQUEST_URI=/cgi-bin/search.cgi?q='object+levels%
SCRIPT_FILENAME=/usr/local/apache/vhosts/www.domain.com/cgi-bin
SCRIPT_NAME=/cgi-bin
SERVER_ADDR=XXX.XXX.XXX.XXX
SERVER_ADMIN=foo@bar
SERVER_NAME=www.domain.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache

This shows me detailed information about the request which was declined and why. I wanted to get similar functionality out of mod_evasive and I achieved this with the following additional code (butchered from mod_security).

The original mod_evasive code is expecting a sprintf format string as the parameter 'sys_command' allowing you to define a position with '%s' where the IP address should be inserted. My code above does not to this, it expects 'sys_command' to be the path to the executable which takes a single argument of the IP address.

This change can be applied automagically - to the Apache 1.3.x version of mod_evasive.c only - with the following patch: mod_evasive_execve.patch

Assuming mod_evasive_1.10.1.tar.gz & mod_evasive_execve.patch have already been downloaded to the same directory:

[foo@bar ~]$ tar zxf mod_evasive_1.10.1.tar.gz
[foo@bar ~]$ cd mod_evasive
[foo@bar mod_evasive]$ patch -p1 < ../mod_evasive_execve.patch
patching file mod_evasive.c
[foo@bar mod_evasive]$ $APACHE_ROOT/bin/apxs -iac mod_evasive.c
gcc -DLINUX=22 -DEAPI -I/usr/include/gdbm -DUSE_HSREGEX -fpic -DEAPI -DSHARED_MODULE -I/usr/local/apache/include -c mod_evasive.c
gcc -shared -o mod_evasive.so mod_evasive.o
[activating module `evasive' in /usr/local/apache/conf/httpd.conf]
cp mod_evasive.so /usr/local/apache/libexec/mod_evasive.so
chmod 755 /usr/local/apache/libexec/mod_evasive.so
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak
cp /usr/local/apache/conf/httpd.conf.new /usr/local/apache/conf/httpd.conf
rm /usr/local/apache/conf/httpd.conf.new
[foo@bar mod_evasive]$

Now create a simple shell/perl/something script to use this info. My example emails myself and the address listed as the SERVER_ADMIN, because each VirtualHost on my server has a 'ServerAdmin' entry with the owners email address, my customers get a copy of the email too.

Now configure mod_evasive to execute your script when it is triggered, add the following to your $APACHE_ROOT/conf/httpd.conf:

Now restart Apache:

[foo@bar mod_evasive]$ $APACHE_ROOT/bin/apachectl restart
/usr/local/apache/bin/apachectl restart: httpd restarted

Tada! You're done. Use the 'test.pl' script provided by mod_evasive to trigger a blocking of your IP and see the email generated.

The early comment-spammers were using very basic HTTP clients, mostly without thinking about what's going on 'under the hood'. As such their spam-messages would come through with easily filtered HTTP "User-Agent" headers like "PEAR HTTP_Request class ( http://pear.php.net/ )" and "libwww-perl/5.803". Over a period of a few months these – what I call 1st generation – bots began to dwindle in numbers, replaced by slightly more sophisticated clients which loosely emulated real browsers.

These 2nd generation bots were still very primitive, apart from changing the "User-Agent" and adding a few other headers they were still pretty basic and would repeatedly attempt to post comments over the period of a few seconds on a number of posts. This activity is also easily filtered since not even a superhuman Blog-fiend could comment on your top ten posts in less than 10 seconds.

All the attempts so far have been very basic, beginners in Perl / PHP could probably pull it off easily, and they are just as easily filtered out.

Over the Christmas period I observed some very unusual activity, a 'spam attack' coming from dozens of source IP addresses, coordinated within a few minutes. I initially spotted it because the "User-Agent" header was completely empty – stands out a bit. After some investigation and further attacks I became pretty confident this wasn't a fluke or coincidence of independent spammers.

I knocked up a quick Wordpress plug-in to capture as much info about these suspicious requests as possible. Here is one of the first attacks.

03/02/2006 20:37:44 212.0.XXX.XXX GET /
03/02/2006 20:38:14 201.242.XXX.XXX GET /category/wordpress/plugins/
03/02/2006 20:39:54 210.183.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/
03/02/2006 20:40:25 200.122.XXX.XXX GET /category/java/jakarta-velocity/
03/02/2006 20:40:37 62.23.XXX.XXX GET /2006/02/02/sitecom-cn-502-usb-bluetooth-dongle-works-on-linux/
03/02/2006 20:40:55 68.96.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/
03/02/2006 20:41:18 70.88.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:41:20 70.88.XXX.XXX GET /category/thoughts/
03/02/2006 20:41:44 200.21.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:41:48 200.21.XXX.XXX GET /2006/01/25/ti-7x21-flashmedia-sd-host-controller-104c-8033/
03/02/2006 20:42:16 61.145.XXX.XXX GET /category/wordpress/plugins/search-term-highlighter/
03/02/2006 20:42:24 217.113.XXX.XXX GET /category/flash/
03/02/2006 20:42:48 212.251.XXX.XXX GET /category/internet/
03/02/2006 20:43:04 205.180.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:43:22 82.76.XXX.XXX GET /keywords/
03/02/2006 20:43:56 218.248.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/#postcomment
03/02/2006 20:44:13 206.191.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/%23postcomment
03/02/2006 20:44:14 206.191.XXX.XXX GET /category/tools/
03/02/2006 20:44:15 206.191.XXX.XXX GET /category/wordpress/plugins/search-term-highlighter/
03/02/2006 20:44:38 62.23.XXX.XXX GET /category/wordpress/plugins/search-term-highlighter/
03/02/2006 20:45:33 82.76.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:45:34 82.76.XXX.XXX GET /category/tools/
03/02/2006 20:45:35 82.76.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:45:48 203.162.XXX.XXX POST /wp-comments-post.php

In this particular instance, the attack was over a ten minute period. The first request was a HTTP GET on the root of my Blog "/" almost definitely used to feed the other bots with URL's. Next, other clients in the Botnet continue to spider my Blog in parallel, building a list of URL's to try later and lastly the first of the attempts to post a comment.

If you examine the sequence of requests, the bots are posting a comment, then coming back to check if it was successful. Analysis of later attacks even found other bots in the group checking if the comment posted by a peer bot was successful. The participating hosts are located all over the world but the majority are in North America and Asia.

This obviously demonstrates a very high level of sophistication. Initially I presumed that there was a single client application running requests in parallel over a group of HTTP proxies. After tracing down the locations & owners of each of the participants in the attacks I concluded it was infeasible that they all happened to have open proxies being abused in this way. A large proportion of the machines being used are actually web servers which have probably been exploited and are running IRC-controlled Trojan software.

Backing this up is the pace these attacks are evolving, the first few were very primitive without even a HTTP "User-Agent" header; however this was very quickly amended. The most recent attack I observed (1st March 2006) showed even more improvements, each client was almost indistinguishable from normal visitors. Providing full 'Internet Explorer' like headers of accepted mime types, charsets, languages and even including valid HTTP referrer headers and cookies.
Thankfully, all their time seems to be invested in improving the client software; the actual content of the comment was practically identical.

My SpamKit Plugin has so far easily handled each of these situations. It uses Gerry's "Time Based Tokens" which were auto-generated and written into a hidden form field. Any incoming comments without a token or with an invalid token could be held for moderation while at the same time having zero impact on real visitors writing comments. Unlike techniques used by other solutions it does not require the user to type in a random key from an image like the 'captcha' technique, nor does it rely on JavaScript support in the browser. Until these spam bots reach a level of sophistication where they are parsing out HTML forms including hidden values and posting them, the current version of SpamKit will still be an effective solution.

However there is one major drawback with SpamKit; pingback/trackback's are machine-generated, they will not have a "Time Based Token" and will be held for moderation as if they were spam. The problem with this is that spammers are also increasingly using the pingback/trackback mechanism to get their comments through the net. A lot of thought and discussion on this subject with Gerry lead to one potential solution; scoring & validation on the URL the pingback/trackback is supposedly from.

In early examples of trackback spam the URL given pointed straight to some advertising-based web page. Something like this lends itself to easy detection and filtering as the content when examined would score highly for spam key words like 'Viagra' etc. However these attacks have also evolved, the most recent of which point to real web pages or Blogs that contain obfuscated JavaScript redirection code – redirecting real visitor's browsers but avoiding any page content detection techniques. In some cases the code has been inserted into Bulletin Boards or Guestbook's which allow unfiltered HTML.

An example page with obfuscated JavaScript redirection (warning, this will redirect you to mp3search.ru)

http://zigfrid.blog.kataweb.it/il_mio_weblog/

So, what measures can be taken to stop spam?

Personally I don't think you will ever get rid of spam, you have a pretty good chance of eradicating all but the most sophisticated of spammers, but you'll never stop 100% of spam. The best methodology is to constantly evolve your defences at the same rate or faster than the opposition. For starters Gerry & I are constantly dreaming up new ways we can enhance SpamKit… Recent updates include encoding the original source IP address in the "Time Based Token" which would become invalid if submitted from a different address. Other works in progress include hardcore validation of the email address submitted; does the domain exist? does it have a mail exchanger MX record? etc. content validation, key word searching and probabilities of the content being spam – progress will be reported here and on Gerry's site.

In the long term spammers are going to have clients that pretty much replicate real users down to the delays & randomness between requests. Countermeasures are going to have to be just as sophisticated, evaluating content and even executing JavaScript as if they were also real clients.

My original problem was that Google was returning search results pointing to index-style pages on my Blog instead of the post's themselves. These index pages like Categories & Archives would quickly update and the majority of visitors coming from Google search results were having a poor experience - the post that drew them in wasn't obviously visible.

I knew I could use Robots.txt directives to control the INDEX-ing and FOLLOW-ing of my site, but I was hesitant about applying experimental rules to all Search Engine robots. Thankfully GoogleBot looks for a header specific to itself only, this let me apply custom rules to Google only very easily.

Using my Wordpress templates I added the following header on all index-style pages except the home page:

<meta name="GOOGLEBOT" content="NOINDEX,FOLLOW"/>

Basically this is instructing GoogleBot to follow links on this page, but not to index the page itself. The end result is that search results pointing to my blog are using the 'permalink' URL, not the index page it is listed on.

sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all.

It's quick and simple to setup, I enabled email alerts to see what it gets upto and can report it is all working fine on my servers (Red Hat 9 customised).

It will block when triggered by:

The length of time the block remains in place is all configurable.

Failed logins from these:
invalid user abdul (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user abort (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user abs (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user adam (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user admin (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user admin (password) from 203.98.XXX.XXX: 14 Time(s)
invalid user advertise (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user alan (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user alcatel (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user alex (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user alex (password) from 203.98.XXX.XXX: 6 Time(s)
invalid user allan (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user aloha (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user alpha (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user alter (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user ameno (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user amman (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user andy (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user angel (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user antidot (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user apache (password) from 125.240.XXX.XXX: 30 Time(s)
invalid user apache (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user ariane (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user aron (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user art (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user artificial (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user asahi (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user aspect (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user aspidistra (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user atempt (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user atilla (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user atom (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user aurel (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user avsadmin (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user azazel (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user backup (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user base (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user bash (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user beast (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user berg (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user beta (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user binary (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user black (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user bobo (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user bogdan (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user book (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user bourn (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user brett (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user brian (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user buche (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user cable (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user cache (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user cain (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user cambera (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user camelia (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user cesna (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user chat (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user chris (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user church (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user clark (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user client (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user coffee (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user common (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user costel (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user costi (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user crack (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user cristina (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user cyclon (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user dalton (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user danny (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user darling (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user dasilva (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user data (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user dave (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user david (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user david (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user davod (password) from 125.240.XXX.XXX: 2 Time(s)
invalid user deserve (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user desire (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user dns (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user domain (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user donna (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user dool (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user down (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user dragon (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user dudu (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user earth (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user elixir (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user elvis (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user epsilon (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user eric (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user example (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user fadeh (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user fatih (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user fax (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user felix (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user fiat (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user filter (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user finale (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user fire (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user foon (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user ford (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user found (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user frank (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user freddy (password) from 125.240.XXX.XXX: 14 Time(s)
invalid user ftpuser (password) from 125.240.XXX.XXX: 30 Time(s)
invalid user gamma (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user ganja (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user gaspar (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user george (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user gerhard (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user ghost (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user gone (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user grand (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user granicus (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user gregory (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user grims (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user guest (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user guest (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user gushi (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user hang (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user hassan (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user health (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user helen (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user hell (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user helmut (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user heracle (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user honour (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user host (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user http (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user httpd (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user iarin (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user ident (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user include (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user info (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user info (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user iolanda (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user ion (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user ionut (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user irina (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user jack (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user jamal (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user james (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user jasmina (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user jason (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user java (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user jeffrey (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user jelem (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user jenny (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user jerry (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user jessica (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user jessie (password) from 125.240.XXX.XXX: 14 Time(s)
invalid user jhony (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user jiang (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user jihad (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user jim (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user joe (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user john (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user john (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user jupiter (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user just (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user justice (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user justin (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user kadir (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user kain (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user kaleb (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user kelly (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user kevin (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user kevin (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user kline (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user koln (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user kondor (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user lampard (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user larry (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user laura (password) from 125.240.XXX.XXX: 16 Time(s)
invalid user laura (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user law (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user lawyer (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user leroi (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user leslie (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user lex (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user library (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user library (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user light (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user lincoln (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user linda (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user linux (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user lisa (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user locco (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user lost (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user louis (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user louise (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user lucky (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user mailtest (password) from 125.240.XXX.XXX: 24 Time(s)
invalid user malaga (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mano (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user maria (password) from 203.98.XXX.XXX: 6 Time(s)
invalid user mariana (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mark (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user mark (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user marte (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user marty (password) from 125.240.XXX.XXX: 14 Time(s)
invalid user mary (password) from 125.240.XXX.XXX: 14 Time(s)
invalid user master (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user matt (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user media (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mercur (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mercury (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user michael (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mike (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user mike (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user mind (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user minerva (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mister (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mistero (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mobifon (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user mohamed (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mona (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user monaco (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user monica (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mooka (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user moon (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mount (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mrdev (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mumu (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user munis (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user mysql (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user mysql (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user nancy (password) from 125.240.XXX.XXX: 14 Time(s)
invalid user neptun (password) from 203.98.XXX.XXX: 3 Time(s)
invalid user nino (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user noise (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user nokia (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user office (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user okubo (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user omega (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user oracle (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user oracle (password) from 203.98.XXX.XXX: 10 Time(s)
invalid user oracle1 (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user osama (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user osiris (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user osman (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user palm (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user panama (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user pascal (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user patricia (password) from 125.240.XXX.XXX: 12 Time(s)
invalid user patrick (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user paul (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user paul (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user peter (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user pgsql (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user port (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user portal (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user postfix (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user postgres (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user public (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user quarter (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user rajev (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user read (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user rehash (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user relay (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user remove (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user rename (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user repection (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user request (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user resin (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user restore (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user richard (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user richard (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user road (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user robert (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user robin (password) from 125.240.XXX.XXX: 14 Time(s)
invalid user roger (password) from 125.240.XXX.XXX: 18 Time(s)
invalid user sales (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user sales (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user sam (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user samba (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user same (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sandy (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user sarah (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user saturn (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user scott (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user script (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user search (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user send (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user serafim (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user server (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user service (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user shadow (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user shake (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sharon (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user sharon (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user shell (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user shoot (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user shop (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user shrike (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sigmund (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user siliciu (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user silla (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user silva (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user silvia (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sirg (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user smash (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user smell (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user smuf (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user snake (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sole (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sombrero (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sorina (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sound (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user space (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sparc (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user spool (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sport (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user squad (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user staff (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user stanley (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user start (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user stealth (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user steel (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user stepfen (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user stephen (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user steve (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user steven (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user stick (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user storm (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user stream (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user student (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user student (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user sun (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user support (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user support (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user susan (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user susan (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user system (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user target (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user tay (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user temp (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user temp (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user tener (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user test (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user test (password) from 203.98.XXX.XXX: 14 Time(s)
invalid user testuser (password) from 125.240.XXX.XXX: 26 Time(s)
invalid user tetra (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user thanatos (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user thoor (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user tony (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user tony (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user torpe (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user track (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user travel (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user tristan (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user truth (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user unix (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user user (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user user (password) from 203.98.XXX.XXX: 16 Time(s)
invalid user username (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user venus (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user verset (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user video (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user vincent (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user virtual (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user vision (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user visual (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user warez (password) from 203.98.XXX.XXX: 1 Time(s)
invalid user web (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user webadmin (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user webadmin (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user webmaster (password) from 125.240.XXX.XXX: 28 Time(s)
invalid user webmaster (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user while (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user white (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user william (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user willy (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user wish (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user write (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user www (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user www-data (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user wwwrun (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user yarrow (password) from 203.98.XXX.XXX: 2 Time(s)
invalid user zed (password) from 203.98.XXX.XXX: 4 Time(s)
invalid user zoom (password) from 203.98.XXX.XXX: 2 Time(s)
root/password from 125.240.XXX.XXX: 30 Time(s)
root/password from 203.98.XXX.XXX: 36 Time(s)

Locked account login attempts:
apache : 32 Time(s)
mysql : 30 Time(s)
postfix : 26 Time(s)

However, my favourite ones are still the bots that try talking HTTP to my SMTP server:

unknown[61.128.XXX.XXX] sent non-SMTP command: POST / HTTP/1.1 : 1 Time(s)

Discussions on the subject with Gerry determined that this is most likely down to Google's PageRank technology; where index-style pages have a higher value than the post pages themselves. To get around this he suggested manipulating 'robots.txt' directives within the index-style pages.

On Google's "Information for Webmasters" help page I found they look for special 'robots.txt' directives and meta tags in documents when spidering specific to Googlebot only. This meant I could single out Googlebot for these directives and not affect other search engines (which don’t exhibit the problem so much).

I basically want Google to 'FOLLOW' links on all pages, but not to 'INDEX' the index-style pages like categories & archives by date. The desired effect being that Google can find all posts as before but simply ignore the index-style pages themselves. Implementing this is quite simple; I modified my theme's "header.php" file inserting the following code in the "head" section:

This reads almost literally, if this is not a single post view, not a page view or the home page, add the following "meta..." tag. Although the home page is an index-style page I am reluctant to add 'NOINDEX' because I don't want it disappearing from search results.

Now the long wait for the changes to reflect in Google's results.

Updated 24th January 2006 - Gerry pointed out this can be optimised using De Morgan's Law

Over the Christmas period I have observed more people visiting an ancient post of mine than in the past six months. The post is about my experiences with an external hard drive enclosure; more accurately, the chip / controller a great deal of hard drive enclosures use. Based on this I would guess that a considerable number of people got hard drive enclosures for their Christmas and ran into the same problems I had. Anyway, I am wandering a little.

It was reading my access_log's that made me realise that Blogs are actually a really bad format for the Grandma user...

Picture this, imagine your Grandma is Google'ing and happens to get a result that points to your Blog. She see's a teaser in the search results that shows you've written something about what she is looking for. Grandma clicks your link and is presented with your last 10 posts about God knows what and no sign of the post she saw the snippet of. Grandma goes back to Google thoroughly disappointed and never to return...

I encounter this phenomenon frequently, but because I am familiar with the Blog format I think nothing of drilling down to the relevant category to find the post I wanted; or if I am lazy click Google’s cached copy of the page. However for the average internet surfer it presents a fundamental flaw in the usability of the Blog format.

The problem is quite simple; search engines can never be up to date with your content all the time. The more frequent you post the more the problem will occur and the harder the post will be to find. The way I see it there are two possible solutions.

Smarter search engines

Enhancing search engines so they can distinguish between an index-page of posts and individual posts. This could be done by identifying sections of text within a page as an extract from another URL using something like RDF [http://www.w3.org/RDF/] which can already be embedded within XHTML [http://internetalchemy.org/2005/10/introducing-embedded-rdf]. Enclosing the section of text between the ‘<rdf:RDF>’ tags would do the trick.

This wouldn’t be a trivial change for search engines to make, it would be time-consuming and therefore costly but I believe it would be worthwhile for the future of internet content.

Smarter websites

A more short-term solution I am looking at is improving my website [i.e. Wordpress] to detect that the visitor has come from a search engine, try and determine the query they used from the ‘Referer’ HTTP header, then find and present the best matches to that query before any other posts are displayed.

I contemplated getting the site to pull a copy of the URL given in the ‘Referer’ header, scan for the result that led the visitor to your site then locate the correct post given the snippet text… Then I decided that was a reeeeeeaaally bad idea.

In the long-run I believe the content and therefore the search engines that index it have to improve to cater for the format of internet content today and I think embedded RDF might be the key; unfortunately this cannot happen overnight.

In the meantime making smarter websites will help the situation until the content and the search engines catch up.

I manage the entire installation of my Wordpress blog in CVS; although I have several customisations to the core Wordpress code, I merged them seamlessly into the 2.0 code without problems. During the upgrade process I did get some warnings that the 'wp_usermeta' table didn't exist – because I hadn't run /wp-admin/upgrade.php yet which was no big deal. Apart from that the whole process was very straight-forward!

All the plugins I use appear to work perfectly: Weighted Words, iG:Syntax Hiliter, Spelling Checker & my own

My first opinions...

Although the new fancy rich-text editor looks great, I am still going to use the original code-version as I am so used to it and prefer writing my own xhtml. I am not so sure if I like the new admin colour scheme yet either, I have grown quite attached to the previous grey one.

I am extremely impressed that Wordpress has changed hugely 'under-the-hood' seemingly without breaking any of the existing interfaces and therefore plugins.

Version 2.0 boasts a lot of new features and the Trac Timeline is a hive of activity. I will probably keep running on the latest nightly build until the final release.

As far as the SpamKit plugin is concerned it would see trackbacks & pingbacks as new comments, without any time-based token. Thankfully Wordpress passes a 'comment_type' flag of 'trackback' or 'pingback' in these cases, and there is also a separate action of 'trackback_post' which the plugin can hook into. But what is stopping a particular clever spammer from doing trackback / pingback spam? Nothing...

So, slightly disheartened by this particular problem I went back to the mental-drawing -board. SpamKit plugin is great for a very specific problem, but its certainly not the grand unified solution I am looking for. All it would take is for a smarter-spammer to pull the comment form with my time-based-token and then send it along with the spam message for instant approval. It's worryingly easy to do, I did it in about 10 lines of PHP code – no joke.

The spam problem will always present itself as long as we try to 'filter' out automatic-spam-clients from humans; it is simply the wrong approach. Eventually spam-clients will evolve to become so sophisticated we cant tell the difference anyway, then all the filters and tricks in the book won't help you. I have already started to see a distinct difference between the spam clients hitting my blog daily, a trend showing that more sophisticated clients are being developed all the time.

The only way you will truly eradicate spam is to validate the content of the message or the content of the web page being linked, everything else is just a bonus.

The way I see it, there are two solutions that will blow Spam out of the water forever:

Smarter Application

An application that verifies everything based on in-built rules, configuration and past experiences.

All this is great but it goes far beyond what a humble PHP application should be doing. I dread to think what server load this would produce on even a small-scale blog – not to mention a multi-blog-site or a shared web server.

Dumb Application made smarter through On-line Collaboration

This basically describes Akismet – where a central system has all the complex logic and the client-application receives a simple yes/no decision.

Personally, I would do this asynchronously because the client-application [Wordpress for example] doesn't really need an immediate decision. Comments can easily wait in a queue for approval which a later XMLRPC callback provides. This would greatly reduce the load on the system and allow far more complex algorithms and lookups to take place improving the overall accuracy of the decisions dispensed.

Other widely used anti-spam solutions also look promising, for example the 'roadmap' for Spam Karma SK2.2 has some really good ideas, my favourite's being the honeypot and the anti-PageRank idea.

If you have read my previous posts you'll have seen how wide the spam problem already is. Although I am very proud of my little SpamKit plugin because it does exactly what I wanted, I am quite frustrated with its limitations.

The whole spam problem is very interesting to me, its not going to go away any time soon. It's existed since 1978 and been evolving ever since...

The Horde Project is about creating high quality Open Source applications, based on PHP and the Horde Framework.

The guiding principles of the Horde Project are to create solid standards-based applications using intelligent object oriented design that, wherever possible, are designed to run on a wide range of platforms and backends.
There is great emphasis on making Horde as friendly to non-English speakers as possible. The Horde Framework currently supports many localization features such as Unicode and right-to-left text and generous users have contributed many translations for the framework and applications.

Today I downloaded and attempted to install Horde 3.0.8 - released on Sunday 11th December 2005 - something appears to be wrong as I didn't get very far. I followed all the given instructions, my server is configured correctly, all the dependencies are installed and working. I got so far as to use the web-based setup / configuration screen but it didn't allow me to save any settings or complete the setup process.

Following the instructions to the letter; I went to the 'Authentication' tab, selected 'IMAP Authentication', the page reloaded but didn't reflect my choice from the 'authentication backend' drop-down list. Instead it wouldn't display anything other than 'Let a Horde application handle authentication' but without the additional drop-down to select the application to use.

I initially suspected some Javascript incompatibility as I normally use Firefox and sooo many applications are written against Internet Explorer. But after several attempts from different browsers & platforms I gave up on the authentication tab, opting to try at least the 'Database' tab and configure MySQL. I could easily fill out all the details but when I tried to 'Generate Horde Configuration' it threw me back to the 'General' tab, highlighting that I had not completed required fields to do with error reporting & URL generation – both were set to valid values.

I re-read the documentation and re-did the whole installation... just in case I missed something or was too eager to lock down permissions. Again, exactly the same problem. Next, I relaxed ALL the permissions possible, I basically chmod'd the whole thing to 777 - in case the setup wasn't able to write to the config directory but this didn't help either.

The FAQ didn't provide much help so i went to the IRC channel #horde @ irc.freenode.net and found others with exactly the same problem *holds back the tears of frustration* ... But unfortunately no-one seemed to have any immediate answers.

On a hunch I grabbed Horde 3.0.7 from the FTP site and went through the whole setup process again. However this time it worked as expected and was running within ten minutes!!

Argh... Next step is to diff the code and see where it went wrong... (stay tuned)

Update - This issue was fixed in version 3.0.9 which is now available from www.horde.org