Author: H.User7152 (18 Jun 12 6:41am)
I've been repeatedly pestered by spambots who post straight to the script of my Wordpress installation that handles posting comments, i.e. wp-comments-post.php. Most recently that's happened with 18.104.22.168, which has constantly been attacking my page with comment spam for the last 2 weeks, trying to post spam about once or twice an hour while also using numerous proxies, so that I've even come to assume that there might be a botnet behind it. My host unfortunately doesn't allow me to ban IPs via .htaccess, but you'll have to write to their customer support to add the IP or CIDR range to their iptables records, which they usually do quickly and without cost or anything.
However in the case of such spammers posting to wp-comments-post.php straight, they'll probably never step into Honeypots, so Project Honeypot will likely never become aware of them. A typical attack looks like this:
1. Check whether the URL of some article returns 200, not loading any prerequisites like images or CSS (this is usually a straight access, no idea where they're getting correct URLs from)
2. POST to wp-comments-post.php 1 or 2 seconds later
(3. If not successful, retry with another proxy)
To retaliate the ongoing spam attacks, I've been forwarding 22.214.171.124 to my honeypot already on accessing index.php, but of course, since the honeypot page is not Wordpress, the spammer won't post to the form on the page. Thus, their "Last seen" value on the IP reference page here at Project Honeypot increases, but not the threat rating. Although they won't stop spamming.
Is there anything Honeypot-related I can do to block such spammers (besides lowering the get-through threshold in Bad Behavior) and make Project Honeypot aware of their abuse so that the threat rating increases? The problem is, if I have an IP banned, spam from there will sure stop for a while, but only to return from another IP a week later and trying even more aggressively.
Post Edited (18 Jun 12 6:49am)