[spam-stopper] Heavy attack
Eric A. Meyer
eric at meyerweb.com
Fri May 26 02:02:30 UTC 2006
At 9:37 AM +1200 5/26/06, Sarah King wrote:
>That's an interesting point Eric, that the bots may not be visiting
>the page but hitting the script directly and what are we doing about
From what I can tell, they typically aren't. I went from getting
a few hundred bits of spam (including those caught by Akismet and
those that landed in my moderation queue as well as those who made it
onto the public site) per day to somewhere around 50 per day, all of
them caught by Akismet so far.
>There are occasionally times when the referrer doesn't stick so
>that's not reliable but an internal, randomly generated "key" which
>puts its md5() value onto the submit form and can then be tested by
>the post would work. Change it daily and you've solved part of the
That's exactly what I've started doing! My first step was hacking
that kind of protection into my comments form and the
wp-comments-post.php script, and I'm going to move the part I hacked
into the script to a plugin. I might also move the comment-form part
into the plugin-- we'll see. Basically, I concatenate a few bits of
data together and md5-hash the result, just as you propose.
The daily change is easy: I use the current date as part of the
stuff that's md5-hashed. There is currently the danger in that if a
poster gets the comment form at 11:59pm and submits the comment at
12:01am, the md5 hashes won't match and so the comment will be
rejected. I'm going to fix that tonight with a one-day-back check.
If someone gets the form two days before he submits the comment,
well, then too bad for him.
As I say, this has so far been incredibly effective at blocking
direct-submission spam, and by blocking I mean it never even makes it
into the comments table in the WP DB. What I'm doing won't catch
spambots (or human spammers) that actually load up a post page and
use the comment submission form, but my early results indicate those
are rare. And, of course, there are other lines of defense (like
Akismet) one can use to deal with those malefactors.
I'm still wondering if the direct-submission spambots haven't come
up with a way to submit spam in such a way that Akismet somehow gets
skipped. No, I have no idea how, but the stuff Akismet is catching
now looks a lot like the stuff it wasn't catching-- the things you,
Sarah, and Mariano and I have seen get posted. In fact, some of the
things currently in my Akismet queue look less spammy than the stuff
that got posted to the site before. Combine that with the fact that
the stuff that was getting through also lacked e-mail addresses,
which my WP install was configured to require before accepting any
comment, and it sure feels like they figured out a way to bypass the
But I can't say for certain, being neither a PHP guru nor a
WordPress code expert, and it's entirely possible they came up with
some other devious approach to slip past those safeguards. Either
way, it would be interesting to find out how.
Eric A. Meyer (eric at meyerweb.com)
Principal, Complex Spiral Consulting http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more http://meyerweb.com/eric/books/
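The date-keyed form token Eric describes above, written out as an added example. This is not Eric's hacked wp-comments-post.php or his plugin, and it does not use any WordPress API; the function names, the hidden field name `ct`, the use of UTC calendar days and the `COMMENT_TOKEN_SECRET` constant are all assumptions for the illustration. One addition the post does not mention: a server-side secret is folded into the hashed string (in the spirit of Sarah's "internal, randomly generated key"), because an md5 of only public values such as the post ID and the date can be recomputed by any bot that reads the form. The validity check accepts today's token or yesterday's, which is the "one-day-back check" for the 11:59pm/12:01am case, and rejects anything older.

```php
<?php
// Added example (not Eric's code): a date-keyed comment-form token with a
// one-day-back grace period. Secret, function and field names are assumed.

// Assumed: a per-site secret that never appears in the form. Without it the
// token is md5 of public data and a bot can compute it directly.
const COMMENT_TOKEN_SECRET = 'replace-with-a-long-random-string';

function comment_token_for_day(string $day, int $post_id): string
{
    // Concatenate a few bits of data and md5-hash the result, as in the post;
    // here the bits are the post ID, the UTC day and the secret.
    return md5($post_id . '|' . $day . '|' . COMMENT_TOKEN_SECRET);
}

function comment_token(int $post_id, ?int $now = null): string
{
    $now = $now ?? time();
    return comment_token_for_day(gmdate('Y-m-d', $now), $post_id);
}

// Accept today's token or yesterday's, so a form fetched at 11:59pm and
// submitted at 12:01am is not rejected; a token from two days back fails.
function comment_token_valid(string $token, int $post_id, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach ([0, 1] as $days_back) {
        $day = gmdate('Y-m-d', $now - $days_back * 86400);
        // hash_equals() is a constant-time compare (PHP >= 5.6).
        if (hash_equals(comment_token_for_day($day, $post_id), $token)) {
            return true;
        }
    }
    return false;
}

// Form side: emit the token as a hidden field next to the comment textarea.
function comment_token_field(int $post_id): string
{
    return '<input type="hidden" name="ct" value="'
        . htmlspecialchars(comment_token($post_id), ENT_QUOTES) . '">';
}

// Script side (the role of wp-comments-post.php in the post): decide before
// the comment is written to the DB. $post stands in for $_POST.
function check_comment_submission(array $post): bool
{
    $post_id = (int)($post['comment_post_ID'] ?? 0);
    $token   = (string)($post['ct'] ?? '');
    return $post_id > 0 && comment_token_valid($token, $post_id);
}

// Self-check with constructed timestamps (not real traffic).
$issued = gmmktime(23, 59, 0, 5, 25, 2006);                    // form fetched 11:59pm UTC
$token  = comment_token(42, $issued);
assert(comment_token_valid($token, 42, $issued + 120));        // 12:01am next day: accepted
assert(!comment_token_valid($token, 42, $issued + 2 * 86400)); // two days later: rejected
assert(!comment_token_valid($token, 43, $issued));             // wrong post ID: rejected
assert(!check_comment_submission(['comment_post_ID' => 42]));  // direct POST, no token: rejected
```

A direct submission that skips the page never sees the hidden field, so it is rejected before any comment row is created, which is the effect the post reports. A bot that loads the post page and copies the field still gets through this check, which is why the post falls back on Akismet for that case.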