CleanTalk's blog

Author: Alexander

Data Encryption in the CleanTalk API method “spam_check”

We are happy to inform you that we have supplemented our API method and now the “spam_check” method takes information in an encrypted form.

How It Works

Every piece of data for each IP or email is encrypted with the SHA256 algorithm and now if the method sends a SHA256 hash to the CleanTalk Cloud, then the search in the CleanTalk database will be processed in hash form.

This will allow you to refuse forwarding of personal data (IP and email) and you will be able to send only hashes of these data.

Please, look at this guide here:
How to Use Encryption in “spam_check” API

Please feel free to contact us anytime, we will gladly answer your questions.

Leave a comment below or Create a private ticket.

November 15, 2018
Temporary email addresses – one of the attributes of spam

Use of temporary email addresses for registration/comments and messages is one of the attributes of spam.

What’s wrong with using temporary email addresses? You will never be able to contact this customer and your marketing will not work. If this user forgets login/pass he will never be able to restore them.

CleanTalk Anti-Spam has added a new parameter that considers of using a temp email in posts and these email will have an additional spam score. We don’t use a strong filtration for these emails, there must be more than one of the spam parameters.

September 4, 2018
CleanTalk Web Application FireWall for WordPress Security Plugin

Hello,

We are happy to announce CleanTalk Web Application FireWall for WordPress Security Plugin. The main purpose of WAF is to protect the Web application from unauthorized access, even if there are critical vulnerabilities.

It allows you to protect Web applications from known and unknown attacks. Its use is transparent to all visitors to the website and does not require knowing how is HTTP working and allows very accurate filtering, supports both GET and POST methods, requests to dynamic resources.

So, hackers use additional HTTP parameters to use vulnerabilities that allow them to get access to a website or prevent changes on your website.

WAF catches all requests to your website and checks HTTP parameters that include: SQL Injection, Cross Site Scripting (XSS), uploading files from non-authorised users, PHP constructions/code, the presence of malicious code in the downloaded files.

So, if HTTP request contains these parameters then this request will be blocked. The special page and reason for blocking will show for blocked requests.

In addition to effective information security and information security applications are required to know what is quality of protection and CleanTalk is logged all blocked requests that allow you to know and analyze accurate information. You can see your Cleantalk Logs in your Control panel. https://cleantalk.org/my/logs_firewall

CleanTalk Web Application FireWall for WordPress is the proactive defense against known and unknown vulnerabilities to prevent hacks in real-time.

Learn more, how to set up and test
https://cleantalk.org/help/security-waf

August 1, 2018
“Feedback System” for analyzing suspicious files for WordPress Security

Hello,

We are happy to introduce our “Feedback System” for analyzing suspicious files. This is the client-server feature in CleanTalk Security Plugin that allows sending suspicious files from WordPress backend to CleanTalk cloud.

So, CleanTalk WordPress Security Plugin includes a Malware Scanner and there may be situations after scanning when you don’t know, is there a bad code or not, especially if you don’t have a programming experience. Well, you will be able to send some files to CleanTalk and we will check them. After checking we will send you an email notification with results.

Please, look at our guide How file analyzes works.

July 24, 2018
Getting event notification on your website
Sometimes, you want to know what is happening on your website, maybe you want to be informed when any messages are sent and were it blocked or allowed by CleanTalk Anti-Spam.

We added a new feature to help you control for messages from your customers.

It allows you to add a notification with some parameters:
- Website — what website you want to receive event notifications from
- Type of Event — what events you want to see in the notifications (Allowed, Denied, All Events)
- Method — select where notifications should go to (E-mail or URL)
- Periodicity (for e-mail method) — how often do you want to receive notifications (Immediately, Every hour, Every 2 hours, Every 4 hours)
- URL (for URL method) — input your link if you chose URL option in the previous step (JSON format)
Learn how you can set up events or change your settings.
June 27, 2018
BlackList by Language
Spam spreads not only in English. Many spam messages are written in Chinese, Arabic, Japanese or Korean languages.

If your website isn’t aimed at an international audience, and you don’t expect comments/users from other languages. For example, your website is about fishing in Ireland and you don’t want to have comments from the Chinese language.

We added a new filter to block comment/messages by languages. That allows you to automatically block comments, messages from languages for which you have set a ban.

At the moment, the blacklist of languages allows adding for blocking next languages:
- Chinese
- Korean
- Japanese
- Hindi
- Arabic
This option is useful in cases of protection from manual spam and enhances protection.

CleanTalk informs you about the occurrence of an opportunity to manage personal black/white lists. You can view, add, and delete their items in the Control Panel. You can add languages to the blacklist in dashboard CleanTalk -> Black&White lists or use the link https://cleantalk.org/my/show_private.
June 4, 2018
New Parameter to Filter Spam

How spammers circulate website spam? They use infected with viruses computers, hacked websites or they buy servers to spread spam.

In ordinary situations, websites do not send any comments (POST requests) to other websites and if that happens it is a certain sign of a hacked website.

Each hosting provider has its own IP range it uses for websites and servers, therefore receiving traffic (comments, registrations, messages) from these IPs looks very suspicious.

That’s why we added a new parameter to distinguish spam. It determines if an IP belongs to the hosting provider networks. If yes then all traffic coming from it will be checked with stricter tests.

As a result, the CleanTalk Service catches spam more precisely.

About CleanTalk service

CleanTalk is a cloud-based service for protecting websites from spambots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to opt out of methods of protection that require the user to prove that he is human (captcha, question-answer, etc.).

May 24, 2018
Protection against DDoS attacks at the web applications level
As you know DDoS attacks on the site are of different intensity, it is important to the number of hosts involved in the attack, the number of network packets and the amount of data transmitted. In the most severe cases, it is possible to repel the attack only using specialized equipment and services.

If the volume of the attack is less than the bandwidth of the network equipment and the computing power of the server (server pool) serving the site, you can try to “block” the attack without resorting to third-party services, namely to include a program filter of traffic coming to the site. This filter will filter out the traffic of bots participating in the attack, while skipping legitimate traffic of “live” site visitors.

Scheme of software filter from DDoS attacks on the site

The filter is based on the fact that bots participating in DDoS attacks are not able to execute JavaScript code, so bots will not go beyond the stop page of the filter, which will significantly unload the frontend/backend and the site database. Because to process each GET/POST DDoS attack request, you will need to execute no more than 20 lines of code in the backend of the site and give the page-stub of less than 2KB of data.
1. The filter is called by the first line of the web application, before calling the rest of the application code. So it is possible maximally to unload the “hardware” of the server and reduce the amount of traffic sent to the bots.
2. If the visitor falls under the filter conditions, then we give the visitor a special page-stub. On the page,
- We are reporting the reasons for issuing a special page instead of the requested one
- We set the special cookie in the user’s browser through JavaScript
- Run JavaScript redirect code to the source page
1. If the visitor has a special cookie, the filter transparently passes the visitor to the requested page of the site.
2. If the visitor’s IP address belongs to an autonomous system from the list of exceptions, then the traffic is also transparently skipped. This condition is necessary to exclude the filtering of search engine bots.
Project filter on github.com.

Synthetic tests of the filter

We tested ab utility from Apache Foundation on the main page of the combat site, previously removing the load from one of the nodes.

Results with a disabled filter,
```
ab -c 100 -n 1000 https://cleantalk.org/

Total transferred: 27615000 bytes
HTML transferred: 27148000 bytes
Requests per second: 40.75 [#/sec] (mean)
Time per request: 2454.211 [ms] (mean)
Time per request: 24.542 [ms] (mean, across all concurrent requests)
Transfer rate: 1098.84 [Kbytes/sec] received
```
Now the same thing with the filter on,
```
Total transferred: 2921000 bytes
HTML transferred: 2783000 bytes
Requests per second: 294.70 [#/sec] (mean)
Time per request: 339.332 [ms] (mean)
Time per request: 3.393 [ms] (mean, across all concurrent requests)
Transfer rate: 840.63 [Kbytes/sec] received
```
As you can see from the test results, enabling the filter allows the web server to process almost an order of magnitude more requests than without the filter. Naturally, we are talking only about requests from visitors without JavaScript support.

Application of the filter in practice, the history of saving the site from one small DDoS attack

Periodically, we are faced with DDoS attacks on our own corporate site https://cleantalk.org. Actually during the last of the attacks, we applied a filter from DDoS at the level of the website applications.

The start of the attack

The attack started at 18:10 UTC + 5 on January 18, 2018, attacked the GET with requests to the URL https://cleantalk.org/blacklists. On the network interfaces of the Front-end servers, there appeared an additional 1000-1200 kbit/second of incoming traffic, i.e. received a load of 150/second GET requests to each server, which is higher than the nominal load 5 times. As a consequence, the Load average of Front-end servers and database servers has grown dramatically. As a result, the site began to issue error 502 due to the lack of free processes php-fpm.
- Attack analysis
- After spending some time studying the logs, it became clear that this is the DDoS attack, because,
- 5/6 requests were for the same URL.
- There was no clearly defined group of IP addresses creating a load on the URL from item 1.
CPU front-end servers were loaded an order of magnitude higher than the surge load on network interfaces.

Accordingly, it was decided to include a filter of visitors to the site using the algorithm described above, additionally including in it the checking of incoming traffic through our database of blacklists, thereby reducing the probability of issuing a stop page to legitimate visitors to the site.

Enabling the filter

After spending some more time preparing the filter, it was switched on at 19:15-19:20.

After a few minutes, we got the first positive results, first Load average returned to normal, then the load on the network interfaces fell. A few hours later, the attack was repeated twice, but its consequences were almost invisible, the frontends worked without errors 502.

Conclusion

As a result, by using the simplest JavaScript code, we solved the problem of filtering traffic from bots, thereby extinguishing the DDoS attack and returning the availability of the site to its regular state.

Honestly, this bot filtering algorithm was not invented on the day of the attack described above. A few years ago, we implemented the additional function SpamFireWall to our Anti-Spam service, SpamFireWall uses more than 10 thousand websites and there is a separate article about it.

SpamFireWall was developed primarily to deal with spam bots, but since the lists of spambots intersect with the lists of other bots used for questionable purposes, the use of SFW is quite effective, including for stopping small DDoS attacks on the site.

About CleanTalk service

CleanTalk is a cloud-based service for protecting websites from spambots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to opt out of methods of protection that require the user to prove that he is human (captcha, question-answer, etc.).
May 23, 2018
Validation of Email Addresses for Protection Against Spam Bots on the Website
E-mail is still one of the most important and effective elements of online business and marketing and is the most effective channel for generating revenue. Therefore, for any online business and website owners, it is important to be sure that the email owner used it for registration/subscription so that the user used his real email address.

There are several important reasons for this.

First, it is important to recover the forgotten password, for example: the user has misspelled his email address, after a while used the password recovery function and cannot get a new password.

Second, this user will not receive your email notifications.

Third, the user whose email was used by spammer for registration/subscription will send your newsletter to spam. Further, spammers can use this email for sending spam, brute force, etc.

The use of such emails for marketing mailings and other mailings may carry certain risks for the owner of the site and increase the risks of adding to the lists DNSBL, various blacklist’s, increase the likelihood of getting into the spam folder and your other emails. Increase your budget costs for mailing to fake addresses or addresses whose owners have been compromised by spammers.

To avoid or minimize risks to a minimum, the list of email addresses must be checked before sending.

Recently, we started checking the existence of email addresses, which checks if such an email address exists or not. It uses the MX records of the domain of the email address and connects to the mail servers (via SMTP, and also simulates the sending of the message) to ensure that the mailbox does exist for that user/address and it can receive mail.

This test solves several tasks at once, reducing the likelihood of skipping spam and allowing users to check the emails of their users. To test users, you can use the API method https://cleantalk.org/help/api-spam-check.

An example of the result of the API response for https://cleantalk.org/blacklists?record=mattressfg%40gmail.com
```
{"data":
            {"ma********@***il.com":
                      {"appears":1,
                      "frequency_time_10m":0,
                      "spam_rate":"1",
                      "frequency":"8",
                      "frequency_time_24h":1,
                      "updated":"2018-03-26 00:26:48",
                                                  "exists": 0, 
                      "frequency_time_1h":1}
            }
}
```
At the moment, we use this tool only to improve spam detection and check all email addresses that have had spam activity in the last 10 minutes. For checked addresses, a flag is set in the database, which is taken into account in the further spam filtering and API response.

“exists”: “1” – exists

“exists”: “0” – does not exist

You can sum up the interim results; the percentage of non-existent email addresses in the spam mailing is 25.34%.

We collect information about spam IP/email addresses from more than 237,000 websites. The email database contains more than 10,095,239 email addresses. And in our immediate plans, check all emails in the database and run a scan of all the email addresses that are processed by the service.
May 11, 2018
IPv6 Support in CleanTalk Security for WordPress
Recently we wrote that we made IPv6 support in the anti-spam plugin. But not only spammers began to use IPv6, for other types of attacks on sites, attackers also use them.

We implemented support for IPv6 in the security plugin for WordPress Updated methods of IP addresses determination, storage and transfer of information to the cloud.

We had to teach the plugin to distinguish, standardize, search for subnets and store IPv6 addresses. Despite a lot of different ready-made solutions had to do its implementation and the main problem is that PHP can be compiled with different parameters, and in general may be an outdated version, so had to do everything from scratch.

As soon as we get the IP address we check whether it is valid and its type.

Then we define its belonging to the IP frequency range or the CDN range (If there are headings of a specific CDN). And here was the main difficulty, as it was necessary to realize all this independently, and at the same time to remind ourselves what is what.

It was decided to make the subnet search universal, so that it could receive IPv4 and IPv6 on the input, and if desired also IPv7, if we live. The only thing that is strictly prescribed is the X-theta base (octet for IPv4 and hexestate for IPv6). Naturally, recursion…
```
 /*
	 * Check if the IP belong to mask.  Recursive.
	 * Octet by octet for IPv4
	 * Hextet by hextet for IPv6
	 * @param ip string  
	 * @param cird mixed (string|array of strings)
	 * @param ip_type string
	 * @param cird mixed (string|array of strings)
	*/
	static public function ip__mask_match($ip, $cidr, $ip_type = 'v4', $xtet_count = 0){
		
		if(is_array($cidr)){
			foreach($cidr as $curr_mask){
				if(self::ip__mask_match($ip, $curr_mask, $ip_type)){
					return true;
				}
			} unset($curr_mask);
			return false;
		}
		
		if($ip_type == 'v4') $xtet_base = 8;
		if($ip_type == 'v6') $xtet_base = 16;
			
		// Calculate mask
		$exploded = explode('/', $cidr);
		
		// Exit condition
		$xtet_end = ceil($exploded[1] / $xtet_base);
		if($xtet_count == $xtet_end)
			return true;
		
		$mask = $exploded[1] - $xtet_base * $xtet_count >= 0 ? $xtet_base : $exploded[1] - $xtet_base * ($xtet_count - 1);
		$mask = 4294967295 << ($xtet_base - $mask);
		
		// Calculate first ip X-tet
		$ip_xtet = explode($ip_type == 'v4' ? '.' : ':', $ip);
		$ip_xtet = $ip_type == 'v4' ? $ip_xtet[$xtet_count] : hexdec($ip_xtet[$xtet_count]);
		
		// Calculate first net X-tet
		$net_xtet = explode($ip_type == 'v4' ? '.' : ':', $exploded[0]);
		$net_xtet = $ip_type == 'v4' ? $net_xtet[$xtet_count] : hexdec($net_xtet[$xtet_count]);
		
		$result = ($ip_xtet & $mask) == ($net_xtet & $mask);
		
		if($result)
			$result = self::ip__mask_match($ip, $cidr, $ip_type, $xtet_count + 1);
		
		return $result;
	}
```
It should be noted that the function takes only normalized IPv6 addresses and networks (a string or array of network strings). For example, Cloud Flare 2a06: 98c0 :: 0/29 does not work, it needs to be expanded to 2a06: 98c0: 0: 0: 0: 0: 0: 0/29

Because of the fact that from the local base of the firewall you have to select addresses on the fly, using DB tools, not using PHP. IPv6 address had to be divided into 4 columns, each of them 32 bits, corresponds to one IPv4 address. Accordingly, with this structure, you can use the old sampling method, with binary operations.

Changes were also made to the service control Panel and databases for correct processing and display of information.

Implemented support for IPv6 for personal blacklists, security firewall and functions Traffic Control (IP blocking when a specified number of requests per unit of time).
May 8, 2018

CleanTalk

Sign up / Sign in

Solutions

Anti-Spam for websitee

Filter fake emails

Hide contact data

Stop spam emails in Contact form 7 (CF7)

Stop spam in Elementor form builder

Stop spam in WPForms

Website malware scanner

WordPress Security & Firewall Plugin

Documentation

License agreement

Signs of Malware

Contact us

Create a support ticket