Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

Some blog spam cases you might want to watch for

I like to think that I’ve got some pretty decent spam prevention measure in place on my server. My mail server uses RBL/DNSBL services and sets maximum limits for certain protocol violations. All my blogs use Akismet for comment spam detection. I’ve got a large number of entries in my comment moderation and blacklist lists. And I hook it all together into my SpamValve plugin, which automatically adds firewall rules to block repeat offenders.

Still, though, occassionally I get bursts of traffic that either aren’t detected by these measures, or that are detected, but the process of handling the connection causes excessive load on the system. When that happens, I typically add new code to my SpamValve plugin to automatically block future attempts at the firewall. Here are some of the things that have caught my eye recently that caused me to take action:

GET requests for trackback URIs
When WordPress detects a trackback using HTTP GET instead of POST, it redirects the client to the permalink of the associated post. But that’s all it does. I flag that as a possible spam attempt. If I get several of these from the same IP, I temporarily block that host at the firewall.
Bogus User Registrations
I once saw a flurry of fake user registrations on one of my sites. I’m not sure what the purpose was, but it annoyed me. User registration attempts get flagged. There’s no legitimate reason why I should get more than 5 user registrations from the same host in a 48 hour period. So if I see that happen, I block the host.
Direct (non-referred) posts to wp-comments-post.php
If an attempt to post a comment doesn’t have an HTTP Referrer that comes from this site, it’s flagged as a spam attempt. The comment is still processed normally, with the usual Akismet spam/ham checks, and if it doesn’t appear to be spam by other means, the comment appears on the site. But if more than a few of these come from the same host, the host will get blocked. Yes, there are personal firewalls and browser privacy extensions that strip the referrer information out. But I doubt that anybody using those is going to need to post more than 5 comments here in a 48 hour period. Still, this is probably the one rule of mine that is most prone to false-positives. But it’s not likely enough for me to lose sleep over it.
Too many spam comments from a host
And, of course, if a blog comment is flagged as spam by any of the usual means (i.e. by Akismet or any other spam detection plugins), the host is flagged. More than 5 spams from the same host? Blocked!
Mail spammers
Lastly, I monitor my mail server log. Any time a message is rejected by the anti-spam measures in place there, the client IP is flagged. Again, more than a few spam attempts from the same host earn a place in my firewall rules.

These are some of the things I look for to prevent repeated abuse. There are other things as well, that I consider slightly less serious. For example, I recently discovered that a MySpace user was hotlinking an image of mine. So I’ve put measures in place to ensure that unapproved sites can’t hotlink those particular images.

I’m still keeping an eye on my logs to catch other types of abuse that need blocking. Have any of you other spam warriors noticed any trends of abuse lately?

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.
This entry was posted in Blogs, Plugins, Software, Spam, Tech, WordPress and tagged , , , , , , , , , . Bookmark the permalink.

14 Responses to Some blog spam cases you might want to watch for

  1. Ebonmuse says:

    One rule I found that’s been helpful to me: A lot of spam comments mix HTML links with [url=””][/url]-type links, trying to create valid link text no matter what site they’re posting to. Since my site doesn’t use the latter type of link syntax, I put in code to automatically block any comment which contains it. It does seem to have made a difference.

  2. Marsha says:

    I love my Akismet. I almost gave up blogging a while back because of my spam issues. Life is better now.

  3. Gerald says:

    A simple CAPTCHA plugin works great for me. The best one I’ve tried for WordPress is SecureImage:

    http://uberdork.supertwist.net/2005/03/13/plug-it-in-plug-it-in/

  4. MatGB says:

    Ebonmuse; a problem with that is less web-literate users and commenters. I regularly see people try to post links etc using BBcode on blogs, and regularly those are legitimate links and users. Thee and me know proper html, many more don’t, and bbCode was designed to make things easy for the non web-literate.

    I installed Bad Behaviour last weekend. My Akismet caught stuff has plummetted (one in the last three days) and the uncaught has disappeared. Bad Behaviour has blocked 1955 in the last 7 days, which is about what I was getting before. Very impressed.

    My host doesn’t allow firewall access, so SpamValve no good to me currently, but it looks useful as a set of rules.

  5. Stephen says:

    I have a pretty solid spam-blocking combo on my blogs. I honestly can’t remember the last time an actual spam got through. Details and links on my site:

    Nerdaphernalia – spma blockers post

    (In a nutshell: Bad Behavior + Spam Karma + Spam Karma “Akismet” plugin)

  6. Mathieu says:

    Ditto Marsha (2.) and Stephen (5.), Bad Behavior, Spam Karma and Askimet saved this particular blogger from giving up in disgust.

    I was fielding 2,000 spam comments a day and now Askimet catches perhaps twenty and I hardly ever get any it’s not sure about.

  7. Fitri ulina says:

    I Was 40 comment spam everyday

  8. USA-News says:

    By the way, posts to wp-comments-post.php without referrer variable it’s very rare today. Even a most stupid coder can read documentation for curl, for example and put a fake referrer to GET request. The best solution in this case it’s some sort of Captcha plug-in like mentioned by Gerald above.

  9. Dougal says:

    Yes, it’s easy to fake the referrer. But I based that test on what I have actually been seeing in my logs. I was getting a lot of attempted comment posts without referrers. Pretty much all of the tests I do (the ones mentioned above, and others that I didn’t discuss) are based on direct observation of activity on my server.

    Sometimes I see requests that are not obvious spam attempts, but are at best unfriendly crawlers (doesn’t respect my robots.txt, sucks down page after page of archives, ignores errors, etc). When these start having a noticeable effect on my server, I’ll manually flag those for firewall blocking. When an unfriendly client can no longer access your server at all, it really helps out with your system load. :)

  10. I Had no Idea spam was so prevelant, I guess it’s all about intent, If the person making the post or comment is trying to contribute or share information that might be helpfull than that post is acceptable

  11. Simon says:

    I would like to know what spam filter Gmail uses? It filters the spam accurately. I am also thinking of integrating my gmail account with my blog to filter spam. But I don’t have any idea about it yet! Let me look out for it.

  12. Debra Morgan says:

    spam sux :( i get about 100 msg everyday… I know its sux…

  13. Oturia says:

    Our site is done on WordPress, as our most of our clients’ sites, so Askimet helps, but you are right, inevitably spammy comments will make their way through.

    I’m finding that people are getting more creative with their templated comments and it is making it harder to identify them. One of the more recent ones I received was:

    “I am using the same template that you are using for your site, but mine loads so much slower than yours despite the fact that you have considerably more multimedia than mine”.

    Seems like a valid comment, but the fact of the matter was that it was on a site I had just developed with only one “Hello World” article and absolutely no other content to speak of.

    It would be nice to see some kind of comment network, like an integration of WordPress or Gravatar, that forces users to login in order to post a comment across the major blogging platforms (Blogger, WordPress, etc…). Commentors could be “graded” (like sellers on eBay). Commentors with X number of spammed comments would be banned, making a registered user ID useless after only a day or so of use.

    It wouldn’t stop spam (I really don’t think anything will) but it would make spamming blogs hosted on/with major platforms a real pain in the butt.

  14. nitrome says:

    everyday i received a lot of spam in my comment blog. i hate this comment. I usually use akismet to prevent this spam

Leave a Reply

%d bloggers like this: