So version 2.8 of ReverseDOS has been completed for almost a week. I've been testing it quite a bit on my local dev/test box. The good news: I was able to duplicate the gratuitous 403 bug against 2.1 in test, but haven't been able to produce that same kind of activity from version 2.8 -- which is good, because 2.8 was architected from the ground up to fix those problems ;)
But, given how much it sucked to release version 2.1 out to the world, only to see it buggy, I want to check version 2.8 extensively - and in the real world, not just in a test environment. Only, there's a problem: my use or various incarnations of ReverseDOS on AngryPets.com has made it so that I only get about 8-10 spam attempts per day. Not that I'm REALLY complaining, but that does make it hard to test version 2.8 in a live environment against spammers when they hardly visit my site.
Happily, two brave souls have offered to test version 2.8 out on their sites to see if it's working correctly.
Jamie Thingelstad is testing it out on roadsignmath.com and on his blog. So far things are looking good. 403s are only happening where they belong and he's already seen a few spammers dumb enough to wait around for 20 seconds to get the Response Code (403). His roadsignmath site gets a hefty amount of traffic, and oodles of spam attacks - so testing things out there has been very helpful.
Jack Hecker also encountered problems with 2.1, and has already deployed 2.8 to his own blog. He too has had it with spammers, and if it works for him as well as it is working for Jamie, I think it will be safe to say that it's ready for the 'masses.'
If testing continues to go well, expect ReverseDOS 2.8 by tomorrow evening.
I can't wait. One question though, does it include the MT black list integration?
Posted by: Ayende Rahien | July 28, 2005 at 04:48 PM
It doesn't. The big goal here was to re-architect to avoid the 2.1 bugs. That said, the re-architecture was also done with the express intention of being able to quickly integrate the MT Blacklist (and any other external resource) into future versions. If all goes well, I should have that functionality soon (i.e. next week). And because 2.8 moves everything out of the web.config, upgrading fro 2.8 to 3.x will be super easy: just paste in the new .dlls, and then add in a directive telling ReverseDOS how often to pull in the MT blacklist.
Posted by: Michael K. Campbell | July 28, 2005 at 05:14 PM
Hey, you spelled my name wrong. ;-) It's Thingelstad. MT blacklist integration will be AWESOME! Also, how about that Trusted URL feature?
Posted by: Jamie Thingelstad | July 30, 2005 at 12:15 AM
Jamie, Man. I'm totally sorry about misspelling your name. Problem is I triple checked the spelling (but was focusing on the stad part). I've corrected the spelling. All 4 of the people that subscribe to my blog via aggregators will just have to pay the price of sucking it back in ;) As for the url thingy. I've actually given that some thought. The problem is that it's simply too easy for spammers to spoof the referal. Obviously, that's not an issue for referrer spammers, but for comment spammers, if they just make the referrer contain yoursite[/yourblog]/admin/, then they're in. At least, that was my thinking... And I then went on thinking of elaborate ways to bind to multiple events in the pipeline and delay 'response' etc. Then it dawned on me: If we say: JUST LET ANYTHING in the /admin/ directory skip processing, then we're fine. Who cares about the referrer. If the request is in /admin/ (or some other specified directory), the assumption is that any activity in there will be sanctioned by virtue of some authorization protocol/process. (And actually, I think this is more or less along the lines of how you talked about it anyhow -- i was just too busy thinking about it from my own perspective to hear). So yeah, I'll be adding it.
Posted by: Michael K. Campbell | July 30, 2005 at 06:23 PM