Page country blocking rule. Possible to improve my current expressions?

Previously I had some assistance in setting up a blocking rule for selected pages on my website. I was very grateful for the help and advice here.

The pages blocked contained my contact information in an attempt to stop certain regions sending massive amounts of “I want a guest post on your website how much?” emails that are filling up my inbox every day.

With the help of members here, it does seem that some of this is being blocked.

However, compared to the above-mentioned stats, I am still getting flooded with annoying emails from these regions with new fresh email addresses.

Could it be possible this rule is not performing to its fullest? Maybe I need to tweak it using a different expression?

I understand the possibilities of people using VPNs to get around this rule. However, I wouldn't expect 100% of the entities flooding me with these emails are using them. Hence why I question the performance of the rule.

The rule is set up to not allow these regions to access my contact details pages and currently looks like this:

(http.request.uri.path contains "contact-us" or http.request.uri.path contains "submission-options") and ip.geoip.country in {"IN" "PK" "RU"}

Understanding that this is the correct suggested method, is it possible that this rule might not be performing so well and a different expression could help the reduction of access to these geo-blocked pages?

I do have an email spam filter set up on my web host also. However, I can't make this too strong due to blocking possible legit non-spammy emails.

It's also possible my email address is on some kind of "list" these "Guest Post Resellers" pass around among themselves. This is something I understand and I am aware of. However, I jumped on several VPN IPs in these regions, some get blocked and some don't.

Any advice, improvements on my current rule? Could these entities be on the borders of these regions, hence this is why they are not being captured by the rule?

On your website or?
Is it some kind of a contact, comment, or any other form?
Have you implemented a captcha on it, if so?

Is your website database hacked and infected with some malicious code or malware, possibly with some spammy content?


Basically. I have put in some WAF rules so people from three regions can’t access my contact details page where my email address is displayed. However, they seem to still be landing on my contact information pages and getting my email address. As I have described.

The WAF rule I had some help with creating seems to be still allowing some of the people within the three blocked regions access to my contact details page.

India and PK have been blocked from being able to visit my contact details pages. But I am still getting loads of emails from these places. They should not be able to get my email address because I have blocked them from seeing the page they are listed on.

Could be a couple of things… if your email address is ‘out there’, then it’s out there and you’re going to get spam regardless of them finding your page. I tend to have my contact forms going to a somewhat obfuscated backend [email protected] such that I can rotate them if need be. You could try something similar by decommissioning the old inbox address and starting up with a new one. If you still get spam then you know the page is being crawled; if this stops the majority of it then your address was just on some lists that are being hit.

Now if your page is being hit despite the above rules it could be that spammers are hitting your site from outside of the countries you’ve blocked even though they ‘live’ there - many ‘attackers’ use a VPN so they could be coming from the US, say, depending on their endpoint. One bit of low-hanging fruit here would be to block Tor access, then VPN, and/or proxies too if you like.

Last things to check, basic one, is just make sure all public access is only available via Cloudflare and hits to your content page aren’t coming in on the base ip.com/contact-us etc. GL.
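
The last check in the reply above (public access only via Cloudflare), sketched as an added example that is not part of the original post: it reads origin access-log lines and reports hits on the two protected paths whose connecting address is outside Cloudflare's ranges, since such requests never pass the WAF rule. It assumes Combined Log Format and that the origin logs the connecting peer address rather than a restored visitor IP; the range list is a subset and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges; refresh the full list from
# https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]
PROTECTED = ("contact-us", "submission-options")  # paths from the WAF rule
# Combined Log Format: peer address ... "METHOD PATH PROTO" STATUS
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def via_cloudflare(addr):
    """True if the connecting peer is inside a listed Cloudflare range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_NETS)

def audit(lines):
    """Count protected-page hits by route; list those that skipped Cloudflare."""
    counts, direct = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not any(p in m.group(3) for p in PROTECTED):
            continue
        addr, path = m.group(1), m.group(3)
        if via_cloudflare(addr):
            counts["cloudflare"] += 1
        else:
            counts["direct"] += 1
            direct.append((addr, path))
    return counts, direct

# Constructed sample log lines (documentation-range addresses for direct hits).
SAMPLE = [
    '172.68.10.5 - - [01/Jan/2024:10:00:00 +0000] "GET /contact-us/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /contact-us/ HTTP/1.1" 200 5120',
    '162.158.90.12 - - [01/Jan/2024:10:01:00 +0000] "GET /blog/post HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /submission-options HTTP/1.1" 200 4000',
    '104.23.1.1 - - [01/Jan/2024:10:03:00 +0000] "GET /submission-options HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    counts, direct = audit(SAMPLE)
    print(dict(counts))
    for addr, path in direct:
        print("bypassed Cloudflare:", addr, path)
```

Any address reported as direct reached the origin without going through Cloudflare, so the usual fix is to firewall the origin to accept web traffic only from Cloudflare's ranges.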

Hi there.

Thank you for the input you have provided so far. It's been helpful and I appreciate it.

I was recently introduced to SpamAssassin, which was part of my cPanel hosting. Configured this with a few keyword triggers and that seems to have done the trick for me.

I think you are right on the money when you say my email address is "out there". It would make sense the address is on a list for the "Guest post" resellers and "Bloggers for brands" hit me ups.

Thank you for your time.
