[wp-hackers] Simple comment spam experiment

Austin Matzko if.website at gmail.com
Wed Apr 16 15:06:27 GMT 2008

On Wed, Apr 16, 2008 at 10:20 AM, Otto <otto at ottodestruct.com> wrote:
>  Conclusion:
>  Spammers, for the most part, are not loading the comments form and using it.
>  They're merely hitting a list of sites and the wp-comments-post.php file
>  directly. Renaming this file and adjusting accordingly has much the same
>  effect as using a hidden field, of course.

After my own experiments, in which I logged everything about comment
submitters for weeks, I've come to a different conclusion.  My
comments preview plugin[1] changes the comment form's action attribute
to the post's permalink (from wp-comments-post.php), so I tried
deleting wp-comments-post.php with no noticeable drop in comment spam.

I think you may have gotten the results you did simply because you
didn't wait long enough for the spam bots to spider your site with the
new "some_random_name" field.  I've noticed that often the IP address
submitting the spammy comment had not recently requested the page with
the comment form, and I've seen spammy comments submitted to obsolete
form action attributes, sometimes months old.  This suggests to me
that the spam bots scrape sites then later do the dirty work of
submitting spammy comments.

>  Question: Could nonces be used for this sort of thing? Or something similar
>  that would be a bit more secure than a simple field like this?

What I have found[2] is that forcing comment previews alone reduces
comment (i.e. not ping/trackback) spam by 95%, and then checking for a
nonce based on the IP address of the original previewer gets just
about everything else (my comments preview plugin does this if you set
it to force previews).

By the way, about 55% of my total spam was trackback spam, and I've
eliminated virtually all of it just by using the Simple Trackback
Validation plugin[3], so I've turned off Akismet (which used to catch
hundreds of spams a day).

Of course, these are club solutions[4], but at the moment they're
working great.

[1] http://www.ilfilosofo.com/blog/comments-preview/
[2] http://pressedwords.com/reducing-wordpress-comment-spam/
[3] http://sw-guide.de/wordpress/plugins/simple-trackback-validation/
[4] http://diveintomark.org/archives/2002/10/29/club_vs_lojack_solutions
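Added illustration of the preview-then-submit nonce check described above (not code from the comments preview plugin or from WordPress): at preview time the server signs the previewer's IP, the post id and a timestamp with an HMAC; the final submission is accepted only if it carries a nonce that verifies for the same IP and post and is not stale. Written in Python for clarity rather than as WordPress PHP; the secret, the 15-minute lifetime and the sample addresses are assumptions.

```python
import hashlib
import hmac
import time

# Constructed server-side secret; a real deployment reads it from configuration
# (e.g. a salt in wp-config.php), never from the request.
SECRET = b"example-secret-do-not-reuse"
NONCE_TTL = 15 * 60  # seconds a preview nonce stays valid (assumed value)


def _sign(secret, ip, post_id, issued):
    """HMAC-SHA256 over the previewer's IP, the post id and the issue time."""
    msg = f"{ip}|{post_id}|{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_preview_nonce(secret, ip, post_id, now=None):
    """Called when the preview page is rendered; the returned value is
    embedded in the preview form as a hidden field."""
    issued = int(time.time()) if now is None else now
    return f"{issued}:{_sign(secret, ip, post_id, issued)}"


def verify_comment_nonce(secret, ip, post_id, nonce, now=None):
    """Called on final submission. Rejects a missing nonce (a bot posting
    straight to the handler), a forged or stale one, or one issued to a
    different IP or a different post."""
    if not nonce or ":" not in nonce:
        return False
    ts_str, sig = nonce.split(":", 1)
    if not ts_str.isdigit():
        return False
    issued = int(ts_str)
    current = int(time.time()) if now is None else now
    if not 0 <= current - issued <= NONCE_TTL:
        return False
    # Constant-time comparison so the check does not leak the expected digest.
    return hmac.compare_digest(sig, _sign(secret, ip, post_id, issued))


if __name__ == "__main__":
    # Constructed walk-through: preview from one address, then submit.
    nonce = issue_preview_nonce(SECRET, "203.0.113.5", 42)
    print("same IP, in time:   ", verify_comment_nonce(SECRET, "203.0.113.5", 42, nonce))
    print("other IP, same nonce:", verify_comment_nonce(SECRET, "198.51.100.9", 42, nonce))
    print("direct post, no nonce:", verify_comment_nonce(SECRET, "203.0.113.5", 42, ""))
```

Because the nonce is bound to the previewer's address, a commenter whose IP changes between preview and submit (mobile or NAT churn) has to preview again; the lifetime bounds how long a scraped preview form stays usable.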