Once you've installed ReverseDOS, it's time to configure it to meet your needs.
ReverseDOS just compares values in incoming requests (referrer, POST, GET, etc.) against a list of terms that you define as junk/spam. When a match is found, ReverseDOS works its evil magic, tries to tie up spammer resources, and then denies the request.
The key to making it work well for you is to translate spammer terms that show up on your site (or as referrers) into filter-ese. Filters are stored as simple XML nodes in the ReverseDOS.config file, and use a very simple and easy to implement syntax.
In addition to setting values for filters, ReverseDOS allows for a great deal of flexibility at a global level (such as the ability to specify the number of seconds to try and 'stall' spammers, the HTTP Code to respond with, etc.). Defaults for all of these values exist, but if you need to, you can specify your own values in the ReverseDOS.config.
A complete overview of the settings can be found here, and a quick-start is found below:
Properly encoding filter text/values is usually a no-brainer, but can be a big deal, and some things just bear mentioning right from the start.
Everything is already UrlDecoded: All of the values you are 'filtering' against have been UrlDecoded. So if you are searching for 'href=', you don't have to look for 'href%3D'. Or if you are looking for weight loss pills, you don't need to look for 'weight%20loss%20pills', etc.
But you may need to XML encode non-legal XML characters: If you are looking for something like 'viagra & mints' (don't ask, I was pressed for ideas), you'll need to make sure that the ampersand is XML encoded. Ampersands are easy, but other values aren't. Try this form to help encode.
Quick-Start Configuration Guide
Once you've identified spam 'terms' or 'patterns,' you can just add them to your ReverseDOS.config <filters> collection as simple xml elements to begin filtering. Here's a quick tutorial to show you how to get started.
1. Assume that you're sick of seeing anything with texas-holdem either being referred or posted to your site. To stop comment and referrer spam with that term, just open your ReverseDOS.config file, and add a new filter element, with the term you despise as the element's value:
2. If you want the pattern to be treated as a regular expression, just add the optional isRegex attribute, and set its value to true (the default is false), like so:
This can be VERY handy for specifying multiple terms, sites, patterns/etc in a single filter. For example, if my blog is 'lucky' enough to get all sorts of referrer spam for pharmaceutical products, I can block all of them with a simple regex (using the | character which signifies OR for regexes) as follows:
<filter isRegex="true"> cialis|atenolol|phentermine|levaquin</filter>
With the above filter, any request containing cialis OR atenolol OR phentermine OR levaquin will be blocked.
3. Using Regex ORs is also a handy way to 'tune' existing patterns/groups. Say I wanted to add viagra to the list of terms to block. Rather than adding it as a new filter, I can just OR it on to the existing regex by plunking it on to the end with the OR symbol as follows:
<filter isRegex="true"> cialis|atenolol|phentermine|levaquin|viagra</filter>
4. Patterns can span multiple lines, but just make sure that the pattern is still a valid regex if it spans multiple lines. (i.e. don't forget to put the | in between the lines). All whitespace is removed when the pattern is loaded. (Future versions of ReverseDOS will just treat new lines as OR and add the regex | if it isn't present.)
<!-- BAD: -->
<filter isRegex="true">
    cialis|atenolol|phentermine
    levaquin|viagra
</filter>

<!-- GOOD: -->
<filter isRegex="true">
    cialis|atenolol|phentermine
    |levaquin|viagra
</filter>
(Note that the bad example is missing the | between lines.)
5. It is also possible to create more 'intelligent' patterns by specifying the optional matchCount attribute in association with patterns marked as Regexes. For example, spammers love to spam tons of links -- so to stop a post (or anything else) with more than 4 links in it, just specify a simple regex pattern, as well as a matchCount as follows:
<filter isRegex="true" matchCount="4"> href=</filter>
Now, if the literal text href= is found 4 or more times in the POST, the request will be treated as spam and denied.
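The filter rules from steps 1 through 5 can be checked before a config is deployed. The following is an added example, not ReverseDOS code: a small Python model that loads filters the way this page describes (whitespace removed from regex patterns, matchCount as a minimum number of hits, values UrlDecoded before matching) and warns about a line break with no | next to it. The function names are hypothetical, Python's re module stands in for the .NET regex engine, and a default matchCount of 1 and trimming of literal terms are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Constructed config: the BAD and GOOD multi-line filters and the href= filter from this page.
SAMPLE_CONFIG = """<filters>
  <filter isRegex="true">
    cialis|atenolol|phentermine
    levaquin|viagra
  </filter>
  <filter isRegex="true">
    cialis|atenolol|phentermine
    |levaquin|viagra
  </filter>
  <filter isRegex="true" matchCount="4"> href=</filter>
</filters>"""

def load_filters(xml_text):
    """Parse <filter> nodes. Raises ET.ParseError if the XML is not well formed (bare &)."""
    filters = []
    for node in ET.fromstring(xml_text).iter("filter"):
        lines = [ln.strip() for ln in (node.text or "").splitlines() if ln.strip()]
        is_regex = node.get("isRegex", "false").lower() == "true"
        warnings = []
        if is_regex:
            # A line break with no | on either side fuses two terms into one.
            for prev, nxt in zip(lines, lines[1:]):
                if not prev.endswith("|") and not nxt.startswith("|"):
                    warnings.append(f"missing | between {prev!r} and {nxt!r}")
            pattern = "".join("".join(lines).split())  # all whitespace removed on load
            re.compile(pattern)  # raises re.error if the loaded pattern is not a valid regex
        else:
            pattern = " ".join(lines)  # assumption: literal terms are only trimmed
        filters.append({"pattern": pattern, "is_regex": is_regex,
                        "match_count": int(node.get("matchCount", "1")),
                        "warnings": warnings})
    return filters

def is_blocked(filters, raw_value):
    """True when any filter matches the UrlDecoded value at least match_count times."""
    value = unquote_plus(raw_value)
    for f in filters:
        if f["is_regex"]:
            hits = len(re.findall(f["pattern"], value))
        else:
            hits = value.count(f["pattern"])
        if hits >= f["match_count"]:
            return True
    return False
```

The BAD filter still loads as a valid regex, which is why the mistake is easy to miss: the fused term phenterminelevaquin matches neither drug name, so both terms stop being filtered.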
Trusting Your own Content
If you blog, or edit content on your site through another interactive means, you may find that you end up ReverseDOS-ing yourself if you post multiple links, or go on a tirade about viagra, etc. To prevent this, a <trustedAddresses> node exists in the ReverseDOS.config file. Zip out to a site like whatismyip.com and figure out what your IP address is. Then just add it to the .config file. If you post from home and work, etc. add in multiple addresses. If you need to trust a range of addresses, just use a regex with the optional isRegex attribute. Here's a sample of what to add:
<trustedAddresses>
    <address pattern="220.127.116.11" />
</trustedAddresses>
ReverseDOS 2.9 also introduces the ability to 'trust' entire directories on your site. Logically you'll want these to be directories that require authentication - such as /admin/ or /posts/ directories and the likes. To trust a directory, just specify another anti-pattern in the <trustedAddresses> node using the <directory> element as follows:
<trustedAddresses>
    <directory pattern="/blog/admin/" />
</trustedAddresses>
While isRegex is a viable option for trusted directories (the default is false), you'll probably find that you get better results by just specifying the desired directory as a simple string/pattern match - making sure to be as specific as possible.
A note on how trusted directories are located: As the name indicates, only directories can be trusted at this point. So if you set up a trusted directory with the pattern "admin" the following would be true:
- /blog/admin/doSomething.aspx?somevalue=viagra :: trusted (despite viagra in the url)
- /admin/ :: trusted (obviously)
- /publicArea/photos/index.aspx?sneakySpammer=admin :: not trusted - even though admin is in the url, it's NOT a directory - and therefore can't be spoofed.
- /somepage/admin.aspx :: trusted - whoops. (Nobody's perfect - and if you want to make sure that your pattern only matches a directory, just use "/admin/" etc.)
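Because a trusted directory exempts requests from filtering, it is worth checking how much a pattern actually trusts. The following is an added example, not ReverseDOS code: it models a non-regex directory pattern as a substring match on the URL path with the query string ignored, which is an assumption that reproduces the four cases above, and it reports URLs that a pattern trusts without being a whole directory in their path. The function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed request URLs: the four cases listed above.
SAMPLE_URLS = [
    "/blog/admin/doSomething.aspx?somevalue=viagra",
    "/admin/",
    "/publicArea/photos/index.aspx?sneakySpammer=admin",
    "/somepage/admin.aspx",
]

def is_trusted(url, pattern):
    """Model of a non-regex <directory> pattern: substring match on the path only."""
    return pattern in urlsplit(url).path  # the query string is never consulted

def overbroad_matches(pattern, urls):
    """URLs the pattern trusts although it is not a whole directory in their path."""
    wanted = "/" + pattern.strip("/") + "/"
    hits = []
    for url in urls:
        path = urlsplit(url).path
        directory_part = path[: path.rfind("/") + 1]  # drop the file name
        if is_trusted(url, pattern) and wanted not in directory_part:
            hits.append(url)
    return hits
```

Run against a list of real paths from the site, an empty result from overbroad_matches means the pattern only trusts requests inside the intended directory.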
Quick Start Done...
That's it. You're ready to deploy ReverseDOS and fight spam. If you want to see more docs on the global settings, check out the docs. If you're insanely bored, read the rest of this page...
Advanced Configuration Options
Configuring ReverseDOS to scan other file types (like images and .exes):
If you need to let ReverseDOS scan other file types, you just need to bind those extensions to ASP.NET for processing. Doing this, of course, incurs the overhead of having the ASP.NET pipeline serve this content in the future (and may break some custom processing, etc.), but it allows subsequent requests for the specified content to be scanned by ReverseDOS. To configure this option, you just need to configure IIS to bind the requested content (extension) to ASP.NET. Here's how:
- Open the Internet Information Service MMC on your webserver.
- Navigate down into the websites folder, find the site where GPB is installed and right click it, then select Properties.
- Select the Home Directory tab, then click Configuration.
- A list of extensions and their mapped executable paths exists. Find and select the .aspx extension and then click the Edit button.
- Select the entire text of the Executable: field, right click it and select Copy. (CTRL+C won't work).
- Close the Add/Edit Application Extension Mapping dialogue by clicking Cancel.
- Find the extension you wish to map to ASP.NET and click Edit to edit it, or click Add to create it if it doesn't exist (for .gif for example).
- Right click the Executable: field and select Paste (CTRL+V won't work either). Specify the Extension: if it's not already specified. (Specify it with the . in front of it e.g. ".gif").
- Click OK. The extension is now mapped/bound for this site, and will be served by ASP.NET -- and will filter through the ReverseDOS HttpModule.