[spam-stopper] Heavy attack

Eric A. Meyer eric at meyerweb.com
Fri May 26 02:02:30 UTC 2006


At 9:37 AM +1200 5/26/06, Sarah King wrote:

>That's an interesting point Eric, that the bots may not be visiting
>the page but hitting the script directly and what are we doing about
>it.

    From what I can tell, they typically aren't.  I went from getting 
a few hundred bits of spam (including those caught by Akismet and 
those that landed in my moderation queue as well as those who made it 
onto the public site) per day to somewhere around 50 per day, all of 
them caught by Akismet so far.

>There are occasionally times when the referrer doesn't stick so
>that's not reliable but an internal, randomly generated "key" which
>puts its md5() value onto the submit form and can then be tested by
>the post would work. Change it daily and you've solved part of the
>problem.

    That's exactly what I've started doing!  My first step was hacking 
that kind of protection into my comments form and the 
wp-comments-post.php script, and I'm going to move the part I hacked 
into the script to a plugin.  I might also move the comment-form part 
into the plugin-- we'll see.  Basically, I concatenate a few bits of 
data together and md5-hash the result, just as you propose.
    The daily change is easy: I use the current date as part of the 
stuff that's md5-hashed.  There is currently the danger in that if a 
poster gets the comment form at 11:59pm and submits the comment at 
12:01am, the md5 hashes won't match and so the comment will be 
rejected.  I'm going to fix that tonight with a one-day-back check. 
If someone gets the form two days before he submits the comment, 
well, then too bad for him.
    As I say, this has so far been incredibly effective at blocking 
direct-submission spam, and by blocking I mean it never even makes it 
into the comments table in the WP DB.  What I'm doing won't catch 
spambots (or human spammers) that actually load up a post page and 
use the comment submission form, but my early results indicate those 
are rare.  And, of course, there are other lines of defense (like 
Akismet) one can use to deal with those malefactors.
    I'm still wondering if the direct-submission spambots haven't come 
up with a way to submit spam in such a way that Akismet somehow gets 
skipped.  No, I have no idea how, but the stuff Akismet is catching 
now looks a lot like the stuff it wasn't catching-- the things you, 
Sarah, and Mariano and I have seen get posted.  In fact, some of the 
things currently in my Akismet queue look less spammy than the stuff 
that got posted to the site before.  Combine that with the fact that 
the stuff that was getting through also lacked e-mail addresses, 
which my WP install was configured to require before accepting any 
comment, and it sure feels like they figured out a way to bypass the 
spam checking.
    But I can't say for certain, being neither a PHP guru nor a 
WordPress code expert, and it's entirely possible they came up with 
some other devious approach to slip past those safeguards.  Either 
way, it would be interesting to find out how.

-- 
Eric A. Meyer  (eric at meyerweb.com)
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
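The scheme the two of them describe above, as an added illustration that is not Eric's WordPress hack or any code from the list: the server renders a token into the comment form, the posting script recomputes it and rejects submissions whose token is missing or does not match, and a one-day-back check covers the 11:59pm/12:01am case. The post id, the date format, the field names and the secret are all assumptions of this example; keying the hash with a server secret (an HMAC rather than a bare md5() of predictable fields) is an added hardening, since a bot that learns the recipe cannot mint tokens without the key.

```python
"""Daily-rotating comment-form token with a one-day grace window.

Added example modelled on the thread's description, not the poster's
wp-comments-post.php changes. A direct POST to the posting script that
never loaded the form carries no token and is dropped before anything
reaches the comments table.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed placeholder; a real deployment keeps this out of page source.
# Using a keyed hash is an added hardening over md5() of predictable fields.
SERVER_SECRET = b"constructed-example-secret-change-me"


def form_token(post_id: int, day_iso: str, secret: bytes = SERVER_SECRET) -> str:
    """Value to embed as a hidden field when the form is rendered on day_iso.

    The date is part of the hashed input, so the token rotates daily.
    """
    message = f"{post_id}|{day_iso}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def token_is_valid(submitted, post_id: int, today_iso: str,
                   grace_days: int = 1, secret: bytes = SERVER_SECRET) -> bool:
    """Accept today's token or one up to grace_days old.

    grace_days=1 is the one-day-back check: a form fetched at 11:59pm and
    submitted at 12:01am still validates; a form fetched two days earlier
    does not.
    """
    if not isinstance(submitted, str) or not submitted:
        return False
    today = date.fromisoformat(today_iso)
    for back in range(grace_days + 1):
        day_iso = (today - timedelta(days=back)).isoformat()
        expected = form_token(post_id, day_iso, secret)
        # Constant-time comparison so timing does not leak the expected value.
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def check_submission(fields: dict, post_id: int, today_iso: str):
    """Gatekeeper in the spirit of the posting script; returns (accepted, reason).

    Field names ("comment", "email", "form_token") are assumptions of this
    example. Anything accepted here would still go on to the usual spam
    checks (Akismet, moderation queue); this layer only stops submissions
    that bypassed the form entirely.
    """
    if not fields.get("comment", "").strip():
        return False, "empty comment"
    if "@" not in fields.get("email", ""):
        return False, "e-mail address required"
    if not token_is_valid(fields.get("form_token"), post_id, today_iso):
        return False, "missing or stale form token: direct submission rejected"
    return True, "queued for normal spam checks"


if __name__ == "__main__":
    # Constructed scenario: form rendered on 2006-05-25, submitted next day.
    token = form_token(42, "2006-05-25")
    for today in ("2006-05-25", "2006-05-26", "2006-05-27"):
        fields = {"comment": "Nice post", "email": "reader@example.com",
                  "form_token": token}
        print(today, check_submission(fields, 42, today))
    # Direct POST to the script with no token at all.
    print("no token", check_submission(
        {"comment": "buy stuff", "email": "x@example.com"}, 42, "2006-05-26"))
```

Running it shows the token accepted on the day it was issued and the day after, rejected on the third day, and the token-less direct post rejected outright. The grace window means an attacker who does obtain a valid token has at most two days to reuse it, which is why the token is also bound to the post id: a token scraped from one form cannot be replayed against every post on the site.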
