Category: CleanTalk

  • “Feedback System” for analyzing suspicious files for WordPress Security

    Hello,

    We are happy to introduce our “Feedback System” for analyzing suspicious files. This is a client-server feature of the CleanTalk Security Plugin that lets you send suspicious files from the WordPress backend to the CleanTalk cloud.

    The CleanTalk WordPress Security Plugin includes a Malware Scanner, and after a scan you may not be able to tell whether a flagged file contains malicious code or not, especially if you have no programming experience. Now you can send such files to CleanTalk and we will check them. After the check we will send you an email notification with the results.

    Please see our guide on how file analysis works.

  • Getting event notification on your website

    Sometimes you want to know what is happening on your website; for example, you may want to be informed whenever a message is sent and whether it was blocked or allowed by CleanTalk Anti-Spam.

    We added a new feature to help you keep track of messages from your customers.

    It allows you to add a notification with the following parameters:

    • Website — what website you want to receive event notifications from
    • Type of Event — what events you want to see in the notifications (Allowed, Denied, All Events)
    • Method — select where notifications should go to (E-mail or URL)
    • Periodicity (for e-mail method) — how often do you want to receive notifications (Immediately, Every hour, Every 2 hours, Every 4 hours)
    • URL (for URL method) — enter your endpoint link if you chose the URL option in the previous step (notifications are sent in JSON format)

    Learn how you can set up events or change your settings.

  • BlackList by Language

    Spam spreads not only in English. Many spam messages are written in Chinese, Arabic, Japanese or Korean languages.

    Your website may not be aimed at an international audience, and you may not expect comments or users in other languages. For example, your website is about fishing in Ireland and you don’t want comments written in Chinese.

    We added a new filter to block comments and messages by language. It automatically blocks comments and messages written in languages for which you have set a ban.

    At the moment, the language blacklist allows you to block the following languages:

    • Chinese
    • Korean
    • Japanese
    • Hindi
    • Arabic

    This option is particularly useful against manual spam and strengthens overall protection.

    CleanTalk now lets you manage personal black/white lists. You can view, add and delete their items in the Control Panel. To add languages to the blacklist, go to the CleanTalk dashboard -> Black&White lists or use the link https://cleantalk.org/my/show_private.
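    As an added illustration (not CleanTalk’s code), here is one way a comment filter can detect the scripts of the five blacklistable languages with Python’s unicodedata module. The 30% threshold, the attribution of kanji to Japanese when kana is present, and the sample comments are assumptions of this example.

```python
import unicodedata

# Prefixes of Unicode character names (unicodedata.name) for the scripts of the
# five languages the blacklist can currently block. Constructed mapping for this example.
SCRIPT_PREFIXES = {
    "Chinese": ("CJK UNIFIED IDEOGRAPH",),
    "Japanese": ("HIRAGANA", "KATAKANA"),
    "Korean": ("HANGUL",),
    "Hindi": ("DEVANAGARI",),
    "Arabic": ("ARABIC",),
}


def script_counts(text):
    """Count the letters of `text` per script; Latin and every other script go to 'other'.
    Digits, punctuation and whitespace carry no language signal and are ignored."""
    counts = {lang: 0 for lang in SCRIPT_PREFIXES}
    counts["other"] = 0
    for ch in text:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        for lang, prefixes in SCRIPT_PREFIXES.items():
            if name.startswith(prefixes):
                counts[lang] += 1
                break
        else:
            counts["other"] += 1
    return counts


def detect_languages(text, min_share=0.3):
    """Return the set of blacklistable languages that make up at least `min_share` of the
    letters in `text`. Japanese shares the CJK ideographs (kanji) with Chinese, so when any
    kana is present the ideographs are attributed to Japanese rather than Chinese."""
    counts = script_counts(text)
    if counts["Japanese"]:
        counts["Japanese"] += counts["Chinese"]
        counts["Chinese"] = 0
    total = sum(counts.values())
    if total == 0:
        return set()
    return {lang for lang in SCRIPT_PREFIXES if counts[lang] / total >= min_share}


def is_blocked(text, banned_languages):
    """True when the comment should be rejected under the site's language blacklist."""
    return bool(detect_languages(text) & set(banned_languages))


if __name__ == "__main__":
    # Constructed sample comments for a site that only expects English-speaking readers.
    banned = {"Chinese", "Korean", "Japanese", "Hindi", "Arabic"}
    for comment in ("Great fishing spot near Galway!", "这是一个很好的网站", "안녕하세요 좋은 글이네요"):
        print(is_blocked(comment, banned), detect_languages(comment), comment)
```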

  • Protection against DDoS attacks at the web applications level

    As you know, DDoS attacks on a site vary in intensity; what matters is the number of hosts involved in the attack, the number of network packets and the amount of data transmitted. In the most severe cases, the attack can only be repelled with specialized equipment and services.

    If the volume of the attack is less than the bandwidth of the network equipment and the computing power of the server (or server pool) serving the site, you can try to “block” the attack without resorting to third-party services, namely by enabling a software filter for the traffic coming to the site. This filter drops the traffic of bots participating in the attack while passing the legitimate traffic of “live” site visitors.

    Diagram: scheme of the software filter against DDoS attacks on the site

    The filter is based on the fact that the bots participating in DDoS attacks are not able to execute JavaScript code, so they never get past the filter’s stop page. This significantly unloads the frontend/backend and the site database: to handle each GET/POST request of the attack, the site backend executes no more than 20 lines of code and returns a stub page of less than 2 KB.

    1. The filter is invoked in the first line of the web application, before the rest of the application code runs. This offloads the server “hardware” as much as possible and minimizes the traffic sent back to the bots.
    2. If the visitor matches the filter conditions, we return a special stub page. On that page we:
      • report why a special page was returned instead of the requested one
      • set a special cookie in the visitor’s browser via JavaScript
      • run JavaScript redirect code back to the originally requested page
    3. If the visitor already has the special cookie, the filter transparently passes them to the requested page of the site.
    4. If the visitor’s IP address belongs to an autonomous system from the list of exceptions, the traffic is also passed transparently. This condition is needed so that search engine bots are not filtered.
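    The four steps above, as an added example that is not the filter from CleanTalk’s GitHub project (theirs is PHP; this is a framework-agnostic Python port of the same logic). The cookie name, the secret, the HMAC binding of the cookie to the client IP and day (an extra hardening step not described in the article), and the 192.0.2.0/24 stand-in for an excluded autonomous system are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import json
import time

COOKIE_NAME = "ct_js_ok"                                   # hypothetical cookie name
SECRET = b"replace-with-a-random-per-site-secret"         # hypothetical; load from config
# Networks whose traffic is never filtered (search-engine crawlers). Constructed placeholder:
# the documentation range 192.0.2.0/24 stands in for the real autonomous-system list.
EXCLUDED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def _day(now=None):
    return int((time.time() if now is None else now) // 86400)


def cookie_value(client_ip, day=None):
    """Value the stub page stores in the cookie: an HMAC bound to the client IP and the
    current day, so a value copied from one host is useless from another and expires."""
    day = _day() if day is None else day
    mac = hmac.new(SECRET, f"{client_ip}:{day}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{day}:{mac}"


def cookie_is_valid(value, client_ip, now=None):
    """Accept the cookie only if it was issued to this IP today or yesterday."""
    try:
        day = int(value.split(":", 1)[0])
    except (AttributeError, ValueError):
        return False
    if abs(day - _day(now)) > 1:
        return False
    return hmac.compare_digest(cookie_value(client_ip, day), value)


def stub_page(value, path):
    """The small stop page: explains itself, sets the cookie with JavaScript, redirects back.
    json.dumps yields a JS string literal; escaping '<' keeps a crafted path from closing
    the <script> element."""
    js_path = json.dumps(path).replace("<", "\\u003c")
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Checking your browser</title>'
        '</head><body><p>The site is under heavy load, so requests are checked before they are '
        'served. This page stores a cookie and returns you to the page you requested; '
        'JavaScript must be enabled.</p><script>'
        f'document.cookie="{COOKIE_NAME}={value}; path=/; SameSite=Lax";'
        f'location.replace({js_path});</script></body></html>'
    )


def parse_cookies(header):
    jar = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            jar[name] = val
    return jar


def filter_request(client_ip, cookie_header, path, now=None):
    """Run before any application code. Returns ('pass', None) to let the request through
    or ('stub', html) to answer with the stop page instead."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in EXCLUDED_NETWORKS):        # step 4: excluded networks
        return "pass", None
    value = parse_cookies(cookie_header).get(COOKIE_NAME)
    if cookie_is_valid(value, client_ip, now):             # step 3: browser already ran the JS
        return "pass", None
    return "stub", stub_page(cookie_value(client_ip, _day(now)), path)   # step 2: stop page
```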

    The filter project is on github.com.

    Synthetic tests of the filter

    We tested with the ab utility from the Apache Foundation against the main page of the production site, after first removing the load from one of the nodes.

    Results with the filter disabled:

    ab -c 100 -n 1000 https://cleantalk.org/
    
    Total transferred: 27615000 bytes
    HTML transferred: 27148000 bytes
    Requests per second: 40.75 [#/sec] (mean)
    Time per request: 2454.211 [ms] (mean)
    Time per request: 24.542 [ms] (mean, across all concurrent requests)
    Transfer rate: 1098.84 [Kbytes/sec] received

    Now the same test with the filter enabled:

    Total transferred: 2921000 bytes
    HTML transferred: 2783000 bytes
    Requests per second: 294.70 [#/sec] (mean)
    Time per request: 339.332 [ms] (mean)
    Time per request: 3.393 [ms] (mean, across all concurrent requests)
    Transfer rate: 840.63 [Kbytes/sec] received

    As you can see from the test results, enabling the filter allows the web server to process almost an order of magnitude more requests than without the filter. Naturally, we are talking only about requests from visitors without JavaScript support.

    Applying the filter in practice: how the site was saved from one small DDoS attack

    Periodically we face DDoS attacks on our own corporate site https://cleantalk.org. During the most recent of these attacks, we applied the DDoS filter at the web application level.

    The start of the attack

    The attack started at 18:10 UTC+5 on January 18, 2018, as a flood of GET requests to the URL https://cleantalk.org/blacklists. The network interfaces of the front-end servers saw an additional 1000-1200 kbit/s of incoming traffic, i.e. each server received about 150 GET requests per second, 5 times the nominal load. As a consequence, the load average of the front-end servers and database servers grew dramatically, and the site began returning 502 errors because php-fpm ran out of free worker processes.

    Attack analysis

    After spending some time studying the logs, it became clear that this was a DDoS attack, because:

    1. 5 out of 6 requests were for the same URL.
    2. There was no clearly defined group of IP addresses creating the load on the URL from item 1.
    3. The CPU load on the front-end servers was an order of magnitude higher than the surge in load on the network interfaces.

    Accordingly, we decided to enable a visitor filter using the algorithm described above, adding to it a check of incoming traffic against our blacklist database, which reduces the probability of showing the stop page to legitimate visitors.

    Enabling the filter

    After spending some more time preparing the filter, it was switched on at 19:15-19:20.

    After a few minutes we saw the first positive results: first the load average returned to normal, then the load on the network interfaces fell. A few hours later the attack was repeated twice, but its effects were barely noticeable and the front-ends worked without 502 errors.

    Conclusion

    As a result, by using the simplest JavaScript code, we solved the problem of filtering bot traffic, thereby extinguishing the DDoS attack and restoring the site’s availability to its normal state.

    Honestly, this bot filtering algorithm was not invented on the day of the attack described above. A few years ago we implemented the additional SpamFireWall function in our Anti-Spam service; SpamFireWall is used by more than 10 thousand websites and there is a separate article about it.

    SpamFireWall was developed primarily to deal with spam bots, but since the lists of spambots intersect with the lists of other bots used for questionable purposes, the use of SFW is quite effective, including for stopping small DDoS attacks on the site.

    About CleanTalk service

    CleanTalk is a cloud-based service for protecting websites from spambots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to opt out of methods of protection that require the user to prove that he is human (captcha, question-answer, etc.).

  • Validation of Email Addresses for Protection Against Spam Bots on the Website

    E-mail is still one of the most important and effective elements of online business and marketing, and the most effective channel for generating revenue. Therefore, for any online business or website owner, it is important to be sure that a user registered or subscribed with their own real email address.

    There are several important reasons for this.

    First, it is important for password recovery: for example, a user misspells his email address, later uses the password recovery function and cannot receive a new password.

    Second, this user will not receive your email notifications.

    Third, a user whose email address was used by a spammer for registration/subscription will mark your newsletter as spam. Moreover, spammers can use such an email for sending spam, brute-force attacks, etc.

    Using such addresses for marketing and other mailings carries risks for the site owner: it increases the chance of being added to DNSBLs and other blacklists, increases the likelihood that your other emails land in the spam folder, and inflates your mailing costs by sending to fake addresses or addresses whose owners have been compromised by spammers.

    To avoid or minimize these risks, the list of email addresses must be checked before sending.

    Recently we started checking whether email addresses exist. The check looks up the MX records of the address’s domain and connects to the mail servers via SMTP (simulating the sending of a message) to make sure that a mailbox exists for that user/address and can receive mail.

    This check solves several tasks at once: it reduces the likelihood of letting spam through and lets our customers verify the email addresses of their users. To check users, you can use the API method https://cleantalk.org/help/api-spam-check.

    An example of the API response for https://cleantalk.org/blacklists?record=mattressfg%40gmail.com:

    {"data":
        {"ma********@gm***.com":
            {"appears": 1,
             "frequency_time_10m": 0,
             "spam_rate": "1",
             "frequency": "8",
             "frequency_time_24h": 1,
             "updated": "2018-03-26 00:26:48",
             "exists": 0,
             "frequency_time_1h": 1}
        }
    }

    At the moment we use this tool only to improve spam detection, checking all email addresses that have had spam activity in the last 10 minutes. For checked addresses, a flag is set in the database, which is taken into account in further spam filtering and in the API response.

    “exists”: “1” – exists

    “exists”: “0” – does not exist

    Summing up the interim results: the share of non-existent email addresses used in spam is 25.34%.

    We collect information about spam IP/email addresses from more than 237,000 websites. The email database contains more than 10,095,239 email addresses. Our immediate plans are to check all emails in the database and to scan all email addresses processed by the service.

  • CleanTalk GDPR Compliance on Apr 29, 2018

    This document provides information about the law and our plans for implementing the GDPR’s important principles for CleanTalk’s services.

    All clients of the service are controllers of any personal data transferred to CleanTalk for the proper functioning of the service. A Data Controller defines the aims and means of personal data processing, while a Data Processor works with data on behalf of the Data Controller. CleanTalk, as a Data Processor, will work with personal data on behalf of its clients in order to provide its service to them.

    Inform your clients about what data is collected on your website and who processes it. Indicate this information in your website’s terms of use and/or in your privacy policy.

    Example:
    “By using this website, your IP address can be stored and processed for security reasons. Your IP address may be saved in the server log files, CMS log files, CleanTalk Anti-Spam & Security log files, Google Analytics, Google Adwords.
    Our website uses the 3rd parties services such as the CleanTalk Anti-Spam & Security, Google Analytics, Google Adwords. They can store and process your IP address.
    CleanTalk can use Cookies to manage access to the website by the CleanTalk SpamFireWall Function, to secure and to protect this website from spam.”

    You can add, remove or change this text as you wish.

    The moment a visitor sends POST request such as comment, registration or contact form submission, the CleanTalk Anti-Spam receives and processes the following personal data if they exist: IP address, e-mail, text and values of each filled form field. Therefore each website form should grant a visitor the ability to give permission to process and keep these data.

    Example:
    By pressing “Submit” I confirm and give permission to process my personal data.

    You can leave the link to the description of who and what data will be stored and processed. Example:
    When you submit this website form your personal data will be stored in this website such as your IP address, your e-mail, your text of the comment and data of website form fields. Also, for security reasons and to protect this website from spam, your data will be processed in the CleanTalk Cloud Service and they will be stored in log files for 7 or 45 days. On the expiry of the mentioned period, they will be deleted completely. CleanTalk may use information of spam activity of IP/email addresses to offer proper anti-spam protection to all websites connected to its service. It concerns exclusively those IP/email addresses that are being used for spam mailing.

    Personal Data Management

    At any moment you can delete information of any request via your CleanTalk Control Panel.

    You can choose how long the service should keep data: 7 or 45 days or do not keep approved requests at all.
    https://cleantalk.org/my/profile

    You also can exclude any website form fields from sending their data to the CleanTalk Anti-Spam or you can set a list of website pages for CleanTalk to ignore them completely.

    Can I add exclusions for some pages of my site?

    Can I not send my personal data to CleanTalk servers?

  • Expanding the possibilities of CleanTalk Anti-Spam

    Checking existing Joomla users for spam

    Spambot messages (comments) are often disguised as ordinary user messages but contain sponsored links or text. The main goals of such messages are to lead the user to a malicious resource, to advertise, or to place links that improve the ranking of the spammer’s site. This compromises the site and can damage its reputation; search engines can lower the site’s position in search results.

    We have implemented a spam check for comments and users that already exist on the site. This allows site administrators to automatically check and identify comments and spambot accounts that were not detected by conventional anti-spam tools.

    How it works

    The plugin checks the creation date of users/comments. The IP/email data is passed to the CleanTalk server by the API method. Next, the IP/email is checked in the CleanTalk database, and if on the date being checked the IP/email had BlackListed status, the API method returns this information to the plugin. The plugin builds a table of suspicious users/comments that can be deleted.

    To start scanning, go to the plugin settings: Extensions → Plugin Manager → Anti-Spam from CleanTalk, then click the “Check Spam Users” or “Check Spam Comments” button.

    IPv6 support

    IPv6 is used more and more on the Internet. It is enough to look at the statistics: in 2017, IPv6 usage grew from 14-16% to 18.27-21.80%.

    The leaders in growth were Germany (35.27%), USA (33.01%) and Canada (17.93%); EU countries, India, Japan and Brazil increased to 21-27%.

    In 2017 we noted an increase in spam attacks from IPv6 addresses and launched IPv6 support in the anti-spam plugins, in the blacklist database and in the API methods.

    Managing spam comments in WordPress

    CleanTalk Anti-Spam allows you to configure actions for spam comments. The following options are implemented:

    Move to the spam folder – all spam comments will be moved to the Spam folder. To avoid a large number of entries in the folder, you can configure automatic cleaning of spam comments older than 15 days.

    Ban spam comments without moving to WordPress – in this case, the spam comment will not be added to any of the WordPress folders, information about each entry will only be available in the CleanTalk control panel.

    Smart spam comments filter – in this case, spam comments from IP/email addresses with BlackListed status will be placed in the WordPress trash, and the remaining spam comments will be moved to the Spam folder. Comments containing Stop Words will be sent to manual moderation.

    Blocking emails/nicknames by a mask

    This option is more about moderation: it lets you ban certain words in user nicknames and emails using a mask. For example, the email mask *kkk*vvv*@example.com blocks all addresses with any characters before “kkk”, between “kkk” and “vvv”, and after “vvv”.

    More information on using personal lists can be found here.

  • CleanTalk Malware Scanner — heuristic code analysis

    We have already talked about the launch of security service for WordPress in the previous article. Today we want to talk about the launch of heuristic analysis to detect malicious code.

    The very presence of malicious code can lead to a ban from search results, or to a warning in search results that the site is infected, to protect users from potentially dangerous content.

    You can find malicious code on your own, but it’s a lot of work and most WordPress users do not have the necessary skills to find and remove unnecessary lines of code.

    Often the authors of malicious code disguise it, which makes it hard to detect by signatures. The malicious code itself can be located anywhere on the site, for example as obfuscated PHP code in the logo.png file, while the code is invoked by a single inconspicuous line in index.php. Therefore, using a plugin to search for malicious code is preferable.

    On the first scan, CleanTalk scans all WordPress core files, plugins and themes. On rescans, only files that have changed since the last scan are scanned. This saves resources and increases scanning speed.

    How heuristic analysis works

    One of the main disadvantages of heuristic analysis is that it is quite slow, so we use it only when it is really necessary. First of all, we split the source code into lexemes (the minimal language constructs) and remove everything unnecessary:

    1. Whitespace.
    2. Comments of all types.
    3. Non-PHP code (outside the <?php ?> tags).

    Next, we recursively simplify the code until no “complex constructs” remain:

    1. String concatenation.
    2. Substitution of variables into other variables.
    3. And so on.

    Also, while simplifying the code, we track the origin of variables and much more.

    In the end we get clean code that can be analyzed. It is very important that we get the code not as a string but as lexemes. Thus we know where a lexeme is a string containing the text of interest and where a lexeme is a function.

    When looking for “bad constructs” such as eval, there is a difference for us between

    <?php echo 'eval("echo \"some\"")'; ?>

    – in this case there is no T_EVAL lexeme, only a T_CONSTANT_ENCAPSED_STRING lexeme 'eval("echo \"some\"")' –

    and

    <?php eval('echo "some"'); ?>

    – here there is one, and this is the version we will find.

    We look for such constructs and classify them by degree of criticality:

    Critical:

    • eval
    • include* and require*
      • with a bad file extension
      • of non-existent files (will be removed in the next versions)
      • including deleted files

    Dangerous:

    • system
    • passthru
    • proc_open
    • exec
    • include* and require*
      • with the error suppression operator (will be removed in the next versions)
      • with variables depending on POST or GET

    Suspicious:

    • base64_encode
    • str_rot13
    • syslog

    And others.
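    An added Python sketch (not the plugin’s code) of the lexeme approach and the severity classes from the two passages above: a small PHP lexer that keeps strings whole, a one-level version of the variable-origin tracking, and a classifier that flags eval only as a lexeme, never inside a string. The regex lexer, the $_GET/$_POST taint rule and the “.php only” extension rule are simplifications assumed by this example; a real scanner would lex with PHP’s own token_get_all.

```python
import re

# Severity lists from the article (include/require get their own rules below).
CRITICAL = {"eval"}
DANGEROUS = {"system", "passthru", "proc_open", "exec"}
SUSPICIOUS = {"base64_encode", "str_rot13", "syslog"}
SEVERITY = (("critical", CRITICAL), ("dangerous", DANGEROUS), ("suspicious", SUSPICIOUS))
INCLUDES = {"include", "include_once", "require", "require_once"}

# Everything outside <?php ... ?> is not PHP and is dropped (a '?>' inside a string is
# not handled by this simplified splitter).
PHP_BLOCK = re.compile(r"<\?php(.*?)(?:\?>|\Z)", re.S)
TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>//[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<sq>'(?:\\.|[^'\\])*')
  | (?P<dq>"(?:\\.|[^"\\])*")
  | (?P<var>\$[A-Za-z_]\w*)
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<op>.)
""", re.S | re.X)


def lex(source):
    """Split PHP source into (kind, text) lexemes, dropping whitespace, comments and non-PHP
    text. A quoted string is one 'sq'/'dq' lexeme (PHP's T_CONSTANT_ENCAPSED_STRING), so
    'eval' written inside a string never becomes an 'ident' lexeme (T_EVAL)."""
    tokens = []
    for block in PHP_BLOCK.findall(source):
        for m in TOKEN.finditer(block):
            if m.lastgroup not in ("ws", "comment"):
                tokens.append((m.lastgroup, m.group()))
    return tokens


def _until_semicolon(tokens):
    end = next((j for j, t in enumerate(tokens) if t == ("op", ";")), len(tokens))
    return tokens[:end]


def tainted_vars(tokens):
    """Variables whose value comes from $_GET/$_POST through plain assignments, following
    chains like $a = $_GET[...]; $b = $a; (a small version of the origin tracking the
    article describes). '==' is not treated as an assignment."""
    tainted, changed = {"$_GET", "$_POST"}, True
    while changed:
        changed = False
        for i, (kind, text) in enumerate(tokens):
            is_assign = tokens[i + 1:i + 2] == [("op", "=")] and tokens[i + 2:i + 3] != [("op", "=")]
            if kind != "var" or text in tainted or not is_assign:
                continue
            if any(k == "var" and t in tainted for k, t in _until_semicolon(tokens[i + 2:])):
                tainted.add(text)
                changed = True
    return tainted


def classify(tokens):
    """Return (severity, description) findings for the constructs the article lists."""
    findings, tainted = [], tainted_vars(tokens)
    for i, (kind, text) in enumerate(tokens):
        if kind != "ident":
            continue
        name, rest = text.lower(), tokens[i + 1:]
        if name in INCLUDES:
            arg = _until_semicolon(rest)
            if any(k == "var" and t in tainted for k, t in arg):
                findings.append(("dangerous", f"{name} of a path depending on GET/POST"))
            elif any(k in ("sq", "dq") and not t[1:-1].lower().endswith(".php") for k, t in arg):
                findings.append(("critical", f"{name} of a file with a bad extension"))
            elif i > 0 and tokens[i - 1] == ("op", "@"):
                findings.append(("dangerous", f"@{name} with error suppression"))
        elif rest[:1] == [("op", "(")]:          # an identifier followed by '(' is a call
            for severity, names in SEVERITY:
                if name in names:
                    findings.append((severity, name))
    return findings


def scan(source):
    """Lexeme-based scan of one PHP file's source text."""
    return classify(lex(source))
```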

    We are constantly improving this analysis: adding new constructs to search for, reducing the number of false alarms and optimizing the code simplification.

    We plan to teach it to detect and decode strings encoded in URL encoding, Base64 and other formats.

    The plugin itself is available in the WordPress directory.

  • Anti-Spam Filter for IP Networks

    Dear customers!

    CleanTalk has expanded the functions of personal blacklists.

    We’ve just added support for blocking entire IP networks in your private blacklists.

    This allows you to use the service to block IP networks used by spammers. Very often spammers buy dedicated or virtual servers from hosting companies and use them to send spam. Your website should not receive comments/registrations from hosting IPs, because real people never use such IPs. The only requests from them might be XML-RPC requests, but that does not matter, because this protocol is used for other attacks such as brute force and DDoS via XML-RPC pingbacks.

    The instruction of how to add entries to your personal blacklists can be found here:
    https://cleantalk.org/help/I-want-to-block-ip

  • Additional factors for estimating spam activity of IP/Email addresses in Anti-Spam/Anti-Fraud API

    In the course of its work, CleanTalk Cloud Anti-Spam collects data on the spam activity of IP/email addresses. On the basis of this data, a database of spam IPs/emails is formed. CleanTalk provides several API methods for working with the data we have.

    We have recently added new parameters to the spam activity test method and launched two new API methods:

    • the first returns the two-letter country code for an IP address
    • the second checks a domain for participation in spam mailings

    But first things first.

    Getting the country code by IP address.

    This API method returns a two-letter country code (US, UK, CN, etc.) or the full name of Russia for an IP address. Read more on the use of the method ip_info.

    Checking a domain for participation in spam mailings.

    Allows you to check whether a domain has been used in spam mailings. At this point the CleanTalk database contains records of 383 1 062 domains.

    For example, you have a comment that is on the topic of the article, has meaningful text and raises no suspicion, but contains a link to a third-party site. We check the links and find that the domain is listed in the database: links to it were posted on other websites, and the dates of their placement approximately coincide with the date of the comment. It turns out that the comment was used to place a link to a third-party resource.

    This method is useful for recognizing manual spam after all other checks have passed.

    You can also check the blacklist manually on the website.

    Read more on the use of the method backlinks_check.

    Update to the spam_check method.

    The method allows you to bulk-check IPs/emails against the CleanTalk blacklist database. At the moment the database contains records on 2 808 344 IPs and 990 835 emails. The method also allows you to check an IP for a specific date.

    In addition to the main result parameter, which shows presence or absence in the database, the following parameters have been added:

    spam_rate – spam activity rating from 0 to 100%. The parameter is calculated for each IP or email record as the ratio of blocked requests to the total number of requests from a given IP or email. As an example, IP has a total of 100 requests, of which the service blocked 97 requests as spam, so spam_rate will be 97%.

    This is important because it lets you define your own request-blocking logic: spammers change IPs, and at a given moment an IP may belong to a regular user.

    The next parameters are frequency_time_10m, frequency_time_1h and frequency_time_24h:

    Each of them shows the activity of the IP or email being checked for the last 10 minutes, 1 hour and 24 hours, respectively, i.e. the number of requests from that IP or email in the given period. This is useful when an IP or email does not yet have BlackListed status in the database but shows fairly high activity in a short time. You can read about other parameters you can use to protect against spam in our previous articles:

    Non-visual methods of protecting the site from spam Part 1

    Non-visual methods of protecting the site from spam Part 2

    Non-visual methods of protecting the site from spam Part 3

    Example API output for the test email *@cl*******.org. This email is used for tests, which is why the “updated” parameter shows the date “2019-03-28 22:07:19”.

    {"data":
        {"*@cl*******.org":
            {"appears": 1,
             "frequency_time_10m": null,
             "spam_rate": "0",
             "frequency": "999",
             "frequency_time_24h": null,
             "updated": "2019-03-28 22:07:19",
             "frequency_time_1h": null}
        }
    }
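    An added example (not the CleanTalk API client) that parses the two responses quoted on this page and applies the exists flag, spam_rate and the frequency_time_* counters in a site’s own blocking logic, as the spam_check section suggests. The POLICY thresholds, the action names and the third, constructed record are assumptions of this example.

```python
import json

# Responses quoted in the article (masked records as the API returns them) plus one
# constructed record for an IP with no recorded spam activity.
GMAIL_RESPONSE = '''{"data": {"ma********@gm***.com": {"appears": 1, "frequency_time_10m": 0,
"spam_rate": "1", "frequency": "8", "frequency_time_24h": 1, "updated": "2018-03-26 00:26:48",
"exists": 0, "frequency_time_1h": 1}}}'''
TEST_RESPONSE = '''{"data": {"*@cl*******.org": {"appears": 1, "frequency_time_10m": null,
"spam_rate": "0", "frequency": "999", "frequency_time_24h": null,
"updated": "2019-03-28 22:07:19", "frequency_time_1h": null}}}'''
CLEAN_RESPONSE = '''{"data": {"203.0.113.9": {"appears": 0, "frequency_time_10m": 0,
"spam_rate": "0", "frequency": "0", "frequency_time_24h": 0, "frequency_time_1h": 0}}}'''

# Constructed site policy, in the units the article gives: spam_rate is a percentage, the
# frequency_time_* fields are request counts for the last 10 minutes / 1 hour / 24 hours.
POLICY = {"min_spam_rate": 50, "burst_10m": 10, "burst_1h": 30}


def parse_spam_check(raw):
    """Parse a spam_check/blacklists response into {record: fields}. Numbers arrive as
    strings ("spam_rate": "1", "frequency": "8") and unmeasured counters as null, so
    convert and default them here instead of in every caller."""
    parsed = {}
    for record, f in json.loads(raw)["data"].items():
        parsed[record] = {
            "appears": int(f.get("appears") or 0),
            "spam_rate": float(f.get("spam_rate") or 0),
            "frequency": int(f.get("frequency") or 0),
            "freq_10m": int(f.get("frequency_time_10m") or 0),
            "freq_1h": int(f.get("frequency_time_1h") or 0),
            "freq_24h": int(f.get("frequency_time_24h") or 0),
            "exists": f.get("exists"),      # None: existence check has not run for this record
            "updated": f.get("updated"),
        }
    return parsed


def decide(fields, policy):
    """One record through a site's own blocking logic. Returns (action, reason) with
    action in {'block', 'review', 'allow'}; the existence check wins over everything."""
    if fields["exists"] == 0:
        return "block", "mailbox does not exist"
    if fields["appears"] == 1 and fields["spam_rate"] >= policy["min_spam_rate"]:
        return "block", f"blacklisted with spam_rate {fields['spam_rate']:g}%"
    if fields["freq_10m"] >= policy["burst_10m"] or fields["freq_1h"] >= policy["burst_1h"]:
        return "review", "high activity in a short time, not blacklisted yet"
    if fields["appears"] == 1:
        return "review", "blacklisted, but spam_rate below the site threshold"
    return "allow", "no spam activity recorded"


def decide_all(raw, policy=POLICY):
    """Decisions for every record in one API response."""
    return {record: decide(fields, policy) for record, fields in parse_spam_check(raw).items()}
```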

    Learn more about using the spam_check method.