codeblog code is freedom — patching my itch

5/24/2006

easy wordpress anti-spam

Filed under: Blogging,Networking,Security — kees @ 11:06 pm

After getting about 40 moderation requests a day, I figured I should spend some time finding some anti-comment-spam plugins for WordPress. After digging around a while, I found one that doesn’t require JavaScript, doesn’t perform vision tests, but works just fine for the kind of comment-spam-bot that seemed to have taken a liking to my blog (even though no spam ever appeared in my comments ever…)

I found lr2Spam which has a great setup, but an incomplete final step. I merged it with ideas I saw in the RBL measures plugin, and got some good results. By replacing lr2Spam’s comment_post with pre_comment_content (see the WordPress Plugin API), I was able to redirect spammers away from from my site with PHP’s header("Location: [URL]") technique. (This is what I borrowed from the RBL plugin.) The patch is almost as big as lr2Spam itself (both are very small). Honestly, I’m surprised it works at all. Someone wrote a comment-spam bot that can’t correctly parse a totally valid HTML form, but does correctly handle a 302/Location redirect. Weird.

I thought briefly about redirecting all the spammers to http://fbi.gov/i-am-a-spammer/?ip=[IP] but then realized their requests’ referer header would show my URL still. On further thought, I realized that comment-spam is very different from email spam because the bot has to implement a much larger set of protocol elements. Since they must respect the 302/Location redirect, someone who is getting hit really hard with comment spam could effectively DDoS somone’s link by redirecting to somewhere with big files. Say, for example, instead of using fbi.gov above, I used http://mirrors.example.com/iso/DVD-distro-image.iso. Every spam bot in their network would start a giant-ass download from example.com after hitting my anti-spam system. Ewww.

Implemented early on May 20th, after 4 days, I’ve seen 250 comment spam attempts from 162 unique IP addresses (most in China — maybe they need to turn their firewall around). The volume of spam isn’t big when compared to my daily email spam statistics, but each one of those would have been an email in my inbox, asking for moderation. Interestingly, they all stopped on May 23rd. Maybe they got a clue.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4 Comments »

  1. you can expect new spammers to try
    your blog – I’ve been sending redirects to large files for quite a
    while, and usually spammers pick up on the slowdown of their botnet
    after about ten attempts or so. They stop trying your weblog, but new
    spammers are appearing all the time..

    Comment by John — 5/25/2006 @ 5:13 am

  2. Yeah, I’m kind of expecting that. :) They’ve always got new tricks. Keeps it interesting, I guess. :P

    Comment by kees — 5/25/2006 @ 7:28 am

  3. As I see this, it’s all about anything individual that keeps spammers away. Almost all spambots just crawl the web for common software like wordpress, phpbb or mediawiki and try to add their links there (probably to increase their google ranking?).
    So e.g. in my blog I just noted in natural language that you have to type nospam@nospam.org into the email-field and changed the code to check for that. The modification involved only 2 lines of code, but since then I never had any spam in opposite to about 2-3 / day before, and surely no spammer will visit my site himself an modify a bot for a single blog :)

    cu,

    Jan

    Comment by Jan — 6/20/2006 @ 1:29 pm

  4. Nice article, you already have a god anti spam bot plugin installed so i guess you don’t have nearly as much trouble with that as you used to. I personly think that math sums like i’ve seen before are the best method right now, or some random generating number/word captcha

    Comment by fora — 2/6/2007 @ 1:26 pm

Leave a Reply

Your email address will not be published. Required fields are marked *

Powered by WordPress