Django tarpit for malicious requests


While checking my logs for this site and seeing the usual malicious requests against every spammer's favorite software, WordPress, I decided to make things a little harder for them with a tarpit.


This was an experiment, and I recommend not using it on your production machines because you could easily exhaust your web workers, depending on your configuration. There might also be better ways to do this from Python/Django; I didn't really put a lot of thought into it.

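import random
import string
import time

from django.http import StreamingHttpResponse
from django.views import View

def _spam(num=10):
    """A generator that slowly returns garbage."""
    for _ in range(num):
        # Pause 0.1 to 0.3 seconds before each character
        time.sleep(random.randint(1, 3) / 10)
        yield random.choice(string.ascii_letters)

def spam(request):
    # Function-based view: stream the garbage back one character at a time
    return StreamingHttpResponse(_spam())

class SpamView(View):
    # Class-based equivalent; dispatch() answers every HTTP method
    def dispatch(self, request, *args, **kwargs):
        return StreamingHttpResponse(_spam())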

To use it, simply add it to your URL configuration file like below.

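# url() was removed in Django 4.0; django.urls.re_path takes the same arguments
from django.conf.urls import url

urlpatterns = [
    url(r"^.*\.php", spam),
    url(r"^.*/wp-(includes|admin)/.*", spam),
    url(r"^.*\.env", spam),
    url(r"^.*\.git/.*", spam),
]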
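
The worker-exhaustion risk mentioned above can be limited by capping how many tarpit streams run at once and answering everything over the cap immediately. This is an added example, not code from the original post; `MAX_TARPIT_STREAMS`, `TarpitStream` and `open_tarpit` are hypothetical names, and the budget of 2 is an assumed value.

```python
import random
import string
import threading
import time

MAX_TARPIT_STREAMS = 2  # assumed budget; keep it well below your worker/thread count
_slots = threading.BoundedSemaphore(MAX_TARPIT_STREAMS)


def _default_delay():
    return random.randint(1, 3) / 10  # same pacing as _spam() on the page


class TarpitStream:
    """Iterator that drips garbage bytes and gives its slot back exactly once."""

    def __init__(self, num, delay):
        self._remaining = num
        self._delay = delay
        self._released = False

    def __iter__(self):
        return self

    def __next__(self):
        if self._remaining <= 0:
            self.close()
            raise StopIteration
        self._remaining -= 1
        time.sleep(self._delay())
        return random.choice(string.ascii_letters).encode()

    def close(self):
        # StreamingHttpResponse calls close() on its content when the response is closed
        if not self._released:
            self._released = True
            _slots.release()


def open_tarpit(num=10, delay=_default_delay):
    """Return a TarpitStream, or None when every tarpit slot is already in use."""
    if not _slots.acquire(blocking=False):
        return None
    return TarpitStream(num, delay)


# In the view (Django names as used on the page, plus HttpResponseNotFound):
#     stream = open_tarpit()
#     return StreamingHttpResponse(stream) if stream else HttpResponseNotFound()
```

The semaphore is per process, so with several worker processes the effective cap is the budget multiplied by the number of processes.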

