I like to think that I’ve got some pretty decent spam prevention measures in place on my server. My mail server uses RBL/DNSBL services and sets maximum limits for certain protocol violations. All my blogs use Akismet for comment spam detection. I’ve got a large number of entries in my comment moderation and blacklist lists. And I hook it all together into my SpamValve plugin, which automatically adds firewall rules to block repeat offenders.
Still, though, occasionally I get bursts of traffic that either aren’t detected by these measures, or that are detected, but the process of handling the connection causes excessive load on the system. When that happens, I typically add new code to my SpamValve plugin to automatically block future attempts at the firewall. Here are some of the things that have caught my eye recently and caused me to take action:
- GET requests for trackback URIs
- When WordPress detects a trackback using HTTP GET instead of POST, it redirects the client to the permalink of the associated post. But that’s all it does. I flag that as a possible spam attempt. If I get several of these from the same IP, I temporarily block that host at the firewall.
- Bogus User Registrations
- I once saw a flurry of fake user registrations on one of my sites. I’m not sure what the purpose was, but it annoyed me. User registration attempts get flagged. There’s no legitimate reason why I should get more than 5 user registrations from the same host in a 48 hour period. So if I see that happen, I block the host.
- Direct (non-referred) posts to wp-comments-post.php
- If an attempt to post a comment doesn’t have an HTTP Referrer that comes from this site, it’s flagged as a spam attempt. The comment is still processed normally, with the usual Akismet spam/ham checks, and if it doesn’t appear to be spam by other means, the comment appears on the site. But if more than a few of these come from the same host, the host will get blocked. Yes, there are personal firewalls and browser privacy extensions that strip the referrer information out. But I doubt that anybody using those is going to need to post more than 5 comments here in a 48 hour period. Still, this is probably the one rule of mine that is most prone to false positives. But it’s not likely enough for me to lose sleep over it.
- Too many spam comments from a host
- And, of course, if a blog comment is flagged as spam by any of the usual means (i.e. by Akismet or any other spam detection plugins), the host is flagged. More than 5 spams from the same host? Blocked!
- Mail spammers
- Lastly, I monitor my mail server log. Any time a message is rejected by the anti-spam measures in place there, the client IP is flagged. Again, more than a few spam attempts from the same host earn a place in my firewall rules.
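All five rules above share one decision: flag an event against the client IP, and block the host once more than 5 flagged events land inside a 48 hour window. Here is that shared logic as an added example written for this post (not the SpamValve plugin’s own code); the class and event names are hypothetical, and the sample events and IP addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)   # the post's 48-hour period
THRESHOLD = 5                  # "more than 5 ... from the same host"

class HostFlagTracker:
    """Sliding window of flagged events per host (hypothetical, not SpamValve code).
    Every rule (trackback GET, registration, non-referred comment POST, spam
    verdict, mail rejection) just calls flag(); the block decision is shared."""
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # ip -> deque of (time, reason)

    def flag(self, ip, reason, when):
        """Record one flagged event; return True if the host should now be blocked."""
        q = self.events[ip]
        q.append((when, reason))
        # drop events older than the window so stale flags do not accumulate
        while q and when - q[0][0] > self.window:
            q.popleft()
        return len(q) > self.threshold

    def reasons(self, ip):
        return sorted({r for _, r in self.events[ip]})

def process(events, tracker=None):
    """Feed (time, ip, reason) events in time order; return {ip: (block_time, reasons)}."""
    tracker = tracker or HostFlagTracker()
    blocked = {}
    for when, ip, reason in sorted(events):
        if tracker.flag(ip, reason, when) and ip not in blocked:
            blocked[ip] = (when, tracker.reasons(ip))
    return blocked

# Constructed sample (documentation-range IPs, not real traffic).
T0 = datetime(2009, 1, 1, 0, 0)
SAMPLE = (
    # 203.0.113.7: four non-referred comment posts plus two trackback GETs in 2h -> blocked
    [(T0 + timedelta(minutes=10 * i), "203.0.113.7", "comment_no_referrer") for i in range(4)]
    + [(T0 + timedelta(hours=1), "203.0.113.7", "trackback_get"),
       (T0 + timedelta(hours=2), "203.0.113.7", "trackback_get")]
    # 198.51.100.9: six mail rejections spread over 4 days -> never more than 5 in any 48h
    + [(T0 + timedelta(hours=18 * i), "198.51.100.9", "mail_reject") for i in range(6)]
)

if __name__ == "__main__":
    for ip, (when, reasons) in process(SAMPLE).items():
        print(f"block {ip} at {when:%Y-%m-%d %H:%M} ({', '.join(reasons)})")
```

Because stale flags fall out of the window, the slow mail sender is never blocked while the burst from the first host is; the `reasons` list is what you would log alongside the firewall rule.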
These are some of the things I look for to prevent repeated abuse. There are other things as well, that I consider slightly less serious. For example, I recently discovered that a MySpace user was hotlinking an image of mine. So I’ve put measures in place to ensure that unapproved sites can’t hotlink those particular images.
I’m still keeping an eye on my logs to catch other types of abuse that need blocking. Have any of you other spam warriors noticed any trends of abuse lately?