Wednesday, May 31, 2006

[Wordpress] Major spam influx & possible fix

Not sure if it's just us or if it's a common phenomena that the amount of spam comments has increased 3 fold over the last weeks. Even though my "comment blacklist" is pretty extensive by now, spammers seem to find a creative way to misspell words and sneak in through the back door.

I just checked todays logfile and I see already about 800 denied access attempts - hmm music to my ears. So here is what helped me to drastically crank down the number of spam comments and accesses from known, spamming sites:

(1) Change your standard "wp-comments-post.php" wordpress file to e.g. "wp-comments-post-XYZ123.php". And of course change the respective line in your template/comments.php file to reflect the renaming (in the plain vanilla template it's line 72, the "<form>" statement).

This already will do miracles, as many of the spamming sites use automated scripts calling exactly this file. Now all they get is a 404 (document not found) error response. ha!

(2) Block specific IP's from identified hosts. This way, they won't even get a 404 they'll receive a 403 message (denied access), which hopefully turns them away and will make one's blog unattractive to them - probably the only way, because even a comment (automatically) declared as SPAM and quarantined is understood as a successfull attempt for spammers (how would they know the difference?!), but getting a 403 may send a different signal (no pun intended).

Of course banning IPs can have drawbacks when not carefully managed, but it seems that the two above measures in combination with a properly configured comment blacklist (keywords) did the trick for us.

A possible issue with preventing certain IP addresses access to your blog is related to two scenarios. (a) Dynamic, thus changing IP addresses -> the spamming site will have a new IP tomorrow and vice versa you may block a totally legit user (b) IP belongs to a proxy/gateway server -> denying a proxy server access, will prevent anyone behind it from accessing your blog.

Here is my take on...
(a) all spamming hosts I choose to block have had the same address over days, highly unlikely they will change their address tomorrow and if so, two clicks for me.
(b) checking on the suspicious IP with a quick scan of your logfile, typically shows the access pattern. 99% -as far as I can tell- have only been accessing the Wordpress comment-file directly, i.e. a pretty clear sign of a spam-bot.

Just to cover that 1% , I recommend to setup a personalized 403 error message, asking (real) visitors to get in touch with you if falsely being denied access to your blog.

With more and more bloggers moving to Wordpress, I hope this post will provide an interesting (proactive) alternative to merely SPAM deletion.

You can find more info and my Wordpress plugin here.

This Post was written by Oliver @ delicious:days.

3 comments:

L said...

Thanks for the tips! I got seriously hit over the weekend on one of my blogs. The comments just end up in the moderation queue, but it's a big time sink to pick them all out to nuke them.

paul said...

If you're using Movable Type, you can and should change the default filename for the comment script like described above.

Possibly out of date instructions for doing this can be found on my other blog - http://www.kiplog.com/archives/2005_01.html#000228.

You'll find that changing the filename periodically helps when spam flairs up again.

Thanks for reminding me, I forgot to do this on a client's WP blog, and I need to do that.

Vanessa said...

i was wondering what was going on! i never got spam until a few days ago and then suddenly it seemed like it was all i got. oddly enough, all on one particular post.

thanks! i'll definitely try changing the name of the file.