[wp-hackers] Best way to 'enhance' wp-comments-post.php

Eric A. Meyer eric at meyerweb.com
Thu May 25 20:40:22 GMT 2006


At 2:13 PM -0400 5/25/06, Austin Matzko wrote:

>How about the filter 'preprocess_comment', called at the start of
>wp_new_comment?  That gets it right away.

At 12:19 AM +0530 5/26/06, Rabin Vincent wrote:

>You could hook into "init". This will get you in fairly close to where
>you are with the direct edits. There you could check if the request
>is for wp-comments-post.php, and if so do your stuff.

    I considered 'preprocess_comment' since that's what Akismet uses, 
but wasn't sure if it was the best choice.  Anyone have a compelling 
explanation of which would be better, 'preprocess_comment' or 'init'? 
Or if there's something even better?

At 2:38 PM -0400 5/25/06, David Chait wrote:

>Having written my own solution (CG-AntiSpam), I can give you one word of
>advice: were I a spammer, I wouldn't necessarily ever check for response
>codes, redirects, etc.

    Yeah, I figure that's usually the case.  But there may be those 
who, with zombienets and such, invest the effort in doing their own 
error detection, so they have a more efficient set of zombies.  I 
mean, if I were a spammer, that's what I'D do.  No sense wasting 
perfectly good zombies!  But maybe I think a little differently than 
spammers.  (God, I hope so.)  So I want to be as low-profile as 
possible for those who are being a little smarter than average.

At 12:06 PM -0700 5/25/06, Justin Watt wrote:

>I'm curious if anyone has tried this simple JavaScript strategy:...

    That's basically what I'm doing, except my approach doesn't use 
JavaScript, but an MD5 hash of the server name, current date, and the 
WP API key (with a string fallback for those who don't have such a 
key).  It's slightly less robust than the JS approach, but only for 
those spammers who aren't using JS-enabled engines to drive their 
spam.  One of the other posters mentioned botnets that use IE, which 
would use JS.  It's also more accessible to those who might be 
legitimately commenting with JS-disabled clients.  (Yes, they exist, 
and yes, I consider such things.)
    I realize this means that a spammer who actually uses the comment 
form on a post will get past this line of defense, but that's okay: I 
have other lines of defense.  This one is just meant to deflect all 
the direct-submission attackers, which may well be 90% of the spam I 
was getting.  That's a rectal statistic, I admit, but one that feels 
instinctually correct.  It may be proven very wrong over the next few 
weeks, of course.  So far, so good, though!

-- 
Eric A. Meyer  (eric at meyerweb.com)
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
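The hidden-token scheme described in the message above, written out as an added example plugin. This is not Eric Meyer's code or CG-AntiSpam; it only follows what the message states (an MD5 of server name, current date and the WP API key with a string fallback, emitted server-side so JS-disabled commenters are not affected, and checked from the 'preprocess_comment' filter that Akismet also uses). Assumed, not from the post: the `dft_` function and field names, that the API key is read from the `wordpress_api_key` option Akismet stores, that the theme fires the `comment_form` action inside the form, the `|` separators, and PHP 5.6 or later for `hash_equals()`. The check also accepts yesterday's token so that a form rendered just before midnight and submitted just after it is not rejected, and rejection redirects back to the post the way wp-comments-post.php does on success, which is the low-profile behaviour the message wants for bots that watch response codes.

```php
<?php
/*
Plugin Name: Daily Form Token (added example, not the poster's code)
Description: Per-day hidden token in the comment form, verified in preprocess_comment.
*/

// Secret material for the token. Assumption: Akismet keeps the WordPress.com
// API key in the 'wordpress_api_key' option; the fallback string stands in for
// installs without a key, as the message describes. Change it before use.
function dft_secret() {
    $key = get_option( 'wordpress_api_key' );
    return $key ? $key : 'change-me-to-a-long-random-fallback-string';
}

// Token for one UTC day: MD5 over server name, date and secret. The '|'
// separators are an added choice so the three parts cannot run together.
function dft_token( $day ) {
    $host = isset( $_SERVER['SERVER_NAME'] ) ? $_SERVER['SERVER_NAME'] : 'localhost';
    return md5( $host . '|' . $day . '|' . dft_secret() );
}

// Fired inside the comment form by the 'comment_form' action, so the field is
// rendered by the server and works for clients with JavaScript disabled.
function dft_print_field() {
    echo '<input type="hidden" name="dft_token" value="'
        . dft_token( gmdate( 'Y-m-d' ) ) . '" />' . "\n";
}
add_action( 'comment_form', 'dft_print_field' );

// Runs at the start of wp_new_comment() via 'preprocess_comment'. Accepts
// today's token and yesterday's, so a form rendered before midnight UTC and
// submitted after it still passes. hash_equals() is constant-time (PHP 5.6+).
function dft_check_comment( $commentdata ) {
    $supplied = isset( $_POST['dft_token'] ) ? (string) $_POST['dft_token'] : '';
    $accepted = array(
        dft_token( gmdate( 'Y-m-d' ) ),
        dft_token( gmdate( 'Y-m-d', time() - 86400 ) ),
    );
    foreach ( $accepted as $token ) {
        if ( hash_equals( $token, $supplied ) ) {
            return $commentdata;   // valid token: let the comment through
        }
    }
    // Direct submission without a valid token. Keep the rejection low-profile:
    // redirect back to the post as a successful submission would, so a bot
    // checking status codes or redirects sees nothing unusual. The comment is
    // simply never stored.
    wp_redirect( get_permalink( (int) $commentdata['comment_post_ID'] ) );
    exit;
}
add_filter( 'preprocess_comment', 'dft_check_comment' );
```

Two properties of this design worth keeping in mind. The token is the same for every visitor on a given day, so, exactly as the message concedes, anyone who loads the form once can replay the value all day; it only stops submissions that never fetched the form. And because the server name and the date are trivially guessable, the secret is the only part an attacker cannot compute, so an install that falls through to the fallback string must actually replace it with something long and random.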
