Blocking comment spam with mod_security

I've mentioned before that I use mod_security to (partially) prevent comment spam on this site. The trouble with spam is that it evolves, so it's a constant arms race.

I've noticed in the last few months that the spam on this site typically has a URL as the comment name. There's also a URL field in the comment form, with a note on it that you shouldn't fill it out. That field works as a honeypot: a human reads the note and leaves it empty, while an automated spam tool fills in every field it finds, so a URL in it is a reliable sign of a bot. Then, in httpd.conf, I have the following.

# Both directories must be writable by the Apache user. A dedicated directory
# owned by that user is safer than the world-writable /tmp.
SecDataDir /tmp
SecTmpDir /tmp
SecRequestBodyAccess On
# Every rule below inherits this: log, block with a 406, evaluate in phase 2
# (request body available), and lowercase each value before matching.
SecDefaultAction log,deny,status:406,capture,phase:2,t:lowercase

# Reject comments where the name contains a URL.
# ModSecurity 2.7 and later refuse to start unless every rule carries a unique
# id; the numbers used here are arbitrary, from the range reserved for local rules.
SecRule ARGS:comment_name "https?:\/\/" "id:1001"

# Also, reject comments where the url field contains a URL
SecRule ARGS:comment_url "https?:\/\/" "id:1002"

Note that this config is specific to the Habari blogging platform. You'd need to change the field names (comment_name and comment_url) to match the input names in your own platform's comment form. Note also that the pattern only catches values with an explicit http:// or https:// scheme; a bare domain such as www.example.com gets through.

I haven't had any spam since putting this in place, but I've had several legitimate comments that, ordinarily, would probably have gotten lost in the noise of moderating hundreds of spam messages.

I don't believe for a moment that this is a permanent solution, but it at least stems the flood for a moment so I can catch my breath.

I also have a bunch of legacy rules, like:

# ARGS matches every argument of every request, not just the comment form,
# so a word list like this also blocks legitimate posts that mention the words.
SecRule ARGS "(zoloft|acyclovir|zithromax)" "id:1003,msg:'Pharm spam'"

(which, ironically, prevented me from publishing this article until I disabled it!) but those require constant maintenance as the spam trends shift from week to week.
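To make the rule semantics concrete, here is an added example that is not code from this post and not ModSecurity itself: a small stand-alone simulation of how the URL rules and the pharm-spam rule above are evaluated. Each variable spec (ARGS:name or bare ARGS) selects request arguments, the t:lowercase transformation from SecDefaultAction is applied, and the regex is run; any hit produces the 406 from the default action. The rule list, the message strings, and the sample form submissions are constructed for this illustration (the field names follow the Habari form mentioned above). It shows why the word-list rule blocked the article itself, since ARGS spans every argument of every request, and that a spammer who writes a domain without a scheme slips past the URL regex.

```python
import re

# Constructed model of the SecRule lines on this page: (target, pattern, message).
# ARGS:name selects one request argument; bare ARGS selects every argument.
RULES = [
    ("ARGS:comment_name", r"https?:\/\/", "URL in comment name"),
    ("ARGS:comment_url", r"https?:\/\/", "URL in honeypot url field"),
    ("ARGS", r"(zoloft|acyclovir|zithromax)", "Pharm spam"),
]

DENY_STATUS = 406   # status:406 from the page's SecDefaultAction
ALLOW_STATUS = 200


def select_targets(target, args):
    """Resolve a ModSecurity variable spec against one request's arguments.

    Returns a list of (field, value) pairs. Only the two forms used on the
    page (ARGS and ARGS:name) are modelled; a missing named field selects nothing.
    """
    if target == "ARGS":
        return list(args.items())
    if target.startswith("ARGS:"):
        name = target[len("ARGS:"):]
        return [(name, args[name])] if name in args else []
    raise ValueError(f"unsupported variable spec: {target!r}")


def evaluate(args):
    """Run every rule against one request's arguments.

    Each selected value is lowercased first (t:lowercase in SecDefaultAction),
    then searched with the rule's regex. Returns (status, matches), where
    matches lists (message, field) for each rule that fired and status is 406
    if any did, else 200.
    """
    matches = []
    for target, pattern, message in RULES:
        regex = re.compile(pattern)
        for field, value in select_targets(target, args):
            if regex.search(value.lower()):
                matches.append((message, field))
    return (DENY_STATUS if matches else ALLOW_STATUS), matches


# Constructed sample submissions (not real traffic from the site).
SAMPLES = {
    # A human commenter: a name, an empty honeypot field, ordinary text.
    "legit": {"comment_name": "Alice", "comment_url": "",
              "comment_content": "Nice post, thanks."},
    # Spam with a URL as the name; mixed case is still caught because of t:lowercase.
    "name_is_url": {"comment_name": "HTTP://Cheap-Meds.Example/", "comment_url": "",
                    "comment_content": "great blog"},
    # A bot that fills in every field, including the honeypot url field.
    "honeypot": {"comment_name": "Bob", "comment_url": "http://spam.example/",
                 "comment_content": "check this out"},
    # A scheme-less domain: https?:// does not match it, so it gets through.
    "bare_domain": {"comment_name": "www.spam.example", "comment_url": "",
                    "comment_content": "visit www.spam.example today"},
    # The article itself being saved through the admin form: there is no
    # comment_name here, but bare ARGS still covers the post body.
    "this_article": {"title": "Blocking comment spam with mod_security",
                     "content": "I also have legacy rules like (zoloft|acyclovir|zithromax)."},
}


def blocked(samples=SAMPLES):
    """Names of the samples that the rules would reject with a 406."""
    return [name for name, args in samples.items()
            if evaluate(args)[0] == DENY_STATUS]


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        status, matches = evaluate(args)
        print(f"{name:13s} -> {status} {matches}")
```

One difference from the real engine: ModSecurity stops at the first rule whose disruptive action (here deny) fires, whereas this simulation reports every rule that would have matched, which is convenient when checking a new rule for collateral hits before deploying it.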

ApacheCon NA 2014 Keynotes

This year at ApacheCon, I had the unenviable task of selecting the keynotes. This is always difficult, because you want to pick people who are inspirational, exciting speakers, but people who haven't already been heard by everyone at the event. You also need to give some of your sponsors the stage for a bit, and hope that they don't take the opportunity to bore the audience with a sales pitch.

I got lucky.

(By the way, videos of all of these talks will be on the Apache YouTube channel very soon - https://www.youtube.com/user/TheApacheFoundation)

We had a great lineup, covering a wide range of topics.

Day One:

We started with Hilary Mason, talking about Big Data. Unlike a lot of droney Big Data talks, she defined Big Data in terms of using huge quantities of data to solve actual human problems, and gave a historical view of Big Data going back to the first US Census. Good stuff.

Next, Samisa Abeysinghe talked about Apache Stratos, and the services and products that WSO2 is building on top of it. Although he had the opportunity to do nothing more than promote his (admittedly awesome) company, Samisa talked more about the Stratos project and the great things that it's doing in the Platform As A Service space. We love WSO2.

And to round out the first day of keynotes, James Watters from Pivotal talked about the CloudFoundry foundation that he's set up, and why he chose to do that rather than going with an existing foundation, among other things. I had talked some with James prior to the conference about his talk, and he came through with a really great talk.

Day Two:

Day Two started with something a little different. Upayavira talked about the tool that geeks seldom mention - their minds - and how to take care of it. He talked about mindfulness - the art of being where you are when you are, and noticing what is going on around you. He then led us through several minutes of quiet contemplation and focusing of our minds. While some people thought this was a little weird, most people I talked with appreciated this calm, centering way to start the morning.

Mark Hinkle, from Citrix, talked about community and code, and made a specific call to the foundation to revise its sponsorship rules to permit companies like Citrix to give us more money in a per-project targeted fashion.

And Jim Zemlin rounded out the day two keynotes by talking about what he does at the Linux Foundation, and how different foundations fill different niches in the Open Source software ecosystem. This is a talk I personally asked him to do, so I was very pleased with how it turned out. Different foundations do things differently, and I wanted him to talk some about why, and why some projects may fit better in one or another.

At the end of day three, we had two closing keynotes. We've done closing keynotes before with mixed results - a lot of people leave early. But we figured that with more content on the days after that, people would stay around. So it was disappointing to see how empty the rooms were. But the talks were great.

Allison Randal, a self-proclaimed Unix Graybeard (no, really!) talked about the cloud, and how it's just the latest incarnation of a steady series of small innovations over the last 50 years or so, and what we can look for in the coming decade. She spoke glowingly about Apache and its leadership role in that space.

Then Jason Hibbets finished up by talking about his work in Open Source Cities, and how Open Source methodologies can work in real-world collaboration to make your home town so much better. I'd heard this presentation before, but it was still great to hear the things that he's been doing in his town, and how they can be done in other places using the same model.

So, check the Apache YouTube channel in a week or so - https://www.youtube.com/user/TheApacheFoundation - and make some time to watch these presentations. I was especially pleased with Hilary's and Upayavira's talks, and recommend you watch those if you are short on time and want to pick just a few.

ApacheCon North America 2014

Last week I had the honor of chairing ApacheCon North America 2014 in Denver, Colorado. I could hardly be any prouder of what we were able to do on such an incredibly short timeline. Most of the credit goes to Angela Brown and her amazing team at the Linux Foundation who handled the logistics of the event.

My report to the Apache Software Foundation board follows:

ApacheCon North America 2014 was held April 7-9 in Denver, Colorado, USA. Despite the very late start, we had higher attendance than last year, and almost everyone that I have spoken with has declared it an enormous success. Attendees, speakers and sponsors have all expressed approval of the job that Angela and the Linux Foundation did in the production of the event. Speaking personally, it was the most stress-free ApacheCon I have ever had.

Several projects had dedicated hackathon spaces, while the main hackathon room was unfortunately well off the beaten path, and went unnoticed by many attendees. We plan to have the main hackathon space much more prominently located in a main traffic area, where it cannot be missed, in Budapest, as I feel that the hackathon should remain a central part of the event, for its community-building opportunities.

Speaking of Budapest, on the first day of the event, we announced ApacheCon Europe, which will be held November 17-21, 2014 in Budapest. The website for that is up at http://apachecon.eu/ and the CFP is open, and will close June 25, 2014. We plan to announce the schedule on July 28, 2014, giving us nearly 4 months lead time before the conference. We have already received talk submissions, and a few conference registrations. I will try to provide statistics each month between now and the conference.

As with ApacheCon NA, there will be a CloudStack Collaboration Conference co-located with ApacheCon. We are also discussing the possibility of a co-located Apache OpenOffice user-focused event on the 20th and 21st, or possibly just one day.

We eagerly welcome proposals from other projects which wish to have similar co-located events, or other more developer- or PMC-focused events like the Traffic Server Summit, which was held in Denver.

Discussion has begun regarding a venue for ApacheCon North America 2015, with Austin and Las Vegas early favorites, but several other cities being considered.

I'll be posting several more things about it, because they deserve individual attention. Also, we'll be posting video and audio from the event on the ApacheCon website in the very near future.

ApacheCon welcomes SourceForge back for another year

The following guest post appears on the SourceForge blog today. I'm personally very pleased to welcome SourceForge back to ApacheCon for another year.

-------------

The Apache Software Foundation is pleased to announce ApacheCon US 2014, which we’re presenting in conjunction with the Linux Foundation. The conference will be held in Denver, Colorado, and features three days, ten tracks of content on more than 70 of the Apache Software Foundation’s Open Source projects, including Apache OpenOffice, Apache Hadoop, Apache Lucene, and many others.

We’re especially pleased to welcome SourceForge as a media partner for this event.

See http://na.apachecon.com/ for the full schedule, as well as the evening events, BOFs, Lightning Talks, and project summits.

Co-located with the event is the Cloudstack Collaboration Conference - http://events.linuxfoundation.org/events/cloudstack-collaboration-conference-north-america - the best place to learn about Apache CloudStack.

Apache OpenOffice - http://openoffice.apache.org/ - has an entire day of content, including both technical and community talks.

Hadoop, and its ecosystem of Big Data projects, has more than five full days of content (two tracks on two days, one track on the other).

Other projects, such as Cordova, Tomcat, and the Apache http server, have a full day, or two, of content.

If you want to learn more about Apache Allura (Incubating), an Open Source software forge (and also the code that runs SourceForge) we’ll have two presentations about Allura, by two of the engineers who work on that code: Dave Brondsema and Wayne Witzel. Learn how to use Allura to develop your own projects, and join the community to make the platform even better.

This is the place to come if you rely on any of the projects of the Apache Software Foundation, and if you want to hang out with the men and women who develop them. We’ve been doing this event since 1998, and this promises to be the best one yet, with more content than we’ve ever presented before.

Come see me at ApacheCon NA 2014

In April I will be speaking at ApacheCon North America in Denver, Colorado. I've had two talks accepted:

Configurable Configuration is a talk about some of the new shiny configuration syntax available in Apache httpd 2.4 - stuff like the If/ElseIf/Else syntax in configuration files, the new expression evaluation engine, and mod_macro for scriptable configuration blocks, for starters.

Demystifying mod_rewrite will drag you kicking and screaming from being a mod_rewrite newbie to being a mod_rewrite expert. You don't dare miss it.

We're also presenting two whole days of Apache http server content - code-named "httpd.conf" - get it?

And there's ten tracks of amazing content across more than 70 projects from the Apache Software Foundation.

Register at na.apachecon.com by March 14 to get the early rate.


About

Some people are heroes. And some people jot down notes. Sometimes, they're the same person. (The Truth. Terry Pratchett)