Message Board

Tracking Harvesters/Spammers

Older Posts ]   [ Newer Posts ]
 Spammers posting straight to wp-comments-post.php
Author: H.User7152   (18 Jun 12 6:41am)
I've been repeatedly pestered by spambots who post straight to the script of my Wordpress installation that handles posting comments, i.e. wp-comments-post.php. Most recently that's happened with 88.190.236.66, which has constantly been attacking my page with comment spam for the last 2 weeks, trying to post spam about once or twice an hour while also using numerous proxies, so that I've even come to assume that there might be a botnet behind it. My host unfortunately doesn't allow me to ban IPs via .htaccess, but you'll have to write to their customer support to add the IP or CIDR range to their iptables records, which they usually do quickly and without cost or anything.

However in the case of such spammers posting to wp-comments-post.php straight, they'll probably never step into Honeypots, so Project Honeypot will likely never become aware of them. A typical attack looks like this:

1. Check whether the URL of some article returns 200, not loading any prerequisites like images or CSS (this is usually a straight access, no idea where they're getting correct URLs from)
2. POST to wp-comments-post.php 1 or 2 seconds later
(3. If not successful, retry with another proxy)

To retaliate the ongoing spam attacks, I've been forwarding 88.190.236.66 to my honeypot already on accessing index.php, but of course, since the honeypot page is not Wordpress, the spammer won't post to the form on the page. Thus, their "Last seen" value on the IP reference page here at Project Honeypot increases, but not the threat rating. Although they won't stop spamming.

Is there anything Honeypot-related I can do to block such spammers (besides lowering the get-through threshold in Bad Behavior) and make Project Honeypot aware of their abuse so that the threat rating increases? The problem is, if I have an IP banned, spam from there will sure stop for a while, but only to return from another IP a week later and trying even more aggressively.

Post Edited (18 Jun 12 6:49am)
 
 Re: Spammers posting straight to wp-comments-post.php
Author: H.User1325   (18 Jun 12 12:58pm)
Fighting spam is of course an on-going, escalating battle.

On a website I manage I have 2 places were readers can leave comments, about the program/website in general or about the newsletter. Both just forward me an email sense no comments are posted to the web. There has been an increase in spam comments.

So I changed the fixed subject of the emails originating from each web page so I could see where they were posting the spam. With that and looking at the logs I see they are no longer visiting the site, just keep sending the comments. After 3 weeks I am still getting email generated by the spam comments with the original replaced subject.

Like your case, they seem to have copied the comment page/form and just send, with parameters, directly to the php script that handles the comments.

My plan is to add filters to the comment handler to get rid of the obvious spam. Maybe send then a failed code. This should keep my inbox clean(er) until the volume starts to approach DOS.

I am also collecting their IP address so I can comment here about their IP address.

Post Edited (18 Jun 12 1:00pm)
 
 Re: Spammers posting straight to wp-comments-post.php
Author: H.User7152   (19 Jun 12 8:21am)
Yes, however leaving a comment on the IP page here doesn't increase the threat rating either, as far as I can tell, so they still won't be blocked by my plugin.
 
 Re: Spammers posting straight to wp-comments-post.php
Author: H.User1325   (19 Jun 12 5:31pm)
And of course there is the algorithm that relates the number of reports, number of reporters, etc. to when changes in the threat rating are made. A process I am not familiar with.
 
 Re: Spammers posting straight to wp-comments-post.php
Author: D.Wizard   (15 Jan 13 3:12am)
I trap comment form spam by requiring a specific emoticon in the subject line. My PHP handler fronts all the mail, and then my mail application filter dumps to spam any message which doesn't include the emoticon string

Although this doesn't help weight spammer IPs, it is very effective at presenting only valid communication via the contact form.
 
 Re: Spammers posting straight to wp-comments-post.php
Author: H.User1325   (15 Jan 13 8:58am)
DW
What I ended up doing was adding a http:BL call to the script that sends the comment form. If their threat score is to high they get a "403 Forbidden-IP address rejected" status instead of the comment form.

Lou
 
 Re: Spammers posting straight to wp-comments-post.php
Author: N.Morrison   (17 Jun 13 6:30pm)
Hello, I'm a newbie here, just installed my first honeypot, but I have several years experience running a Wordpress blog.

I get several hundred spam comments a day, 99.999% are found & trapped by Akismet (WP plugin ).

Every couple of days I just hit 'delete all spam'. It is very accurate I know as I get an email every time a comment makes it through, maybe one false pass-through a week.

Get a free API key. http://akismet.com/
Install the Akismet plugin: http://wordpress.org/plugins/akismet/
Enter your API key: voila.

Should solve your problem practically no? Not a honeypot solution though I believe they send data to UNSPAM.
Nico M
London UK
 
 Re: Spammers posting straight to wp-comments-post.php
Author: Bot Busters   (18 May 18 2:09pm)
I can fix your spam problems if you are in the USA...

88.190.236.66 > proxad.net A French host with lots of bad bots and hackers.

I blocked the whole 88 IP Range, nothing but problems from it! What other problem makers were eliminated? advancedhosters.com, webzilla.com, fozzy.com and some suspicious international US/.nl fiber host after blocking the 88 IP Range gave up trying to probe my site. Most likely had a Advanced Hosters connection since both are Netherlands based?

You are going to hate this advice: Ditch WordPress - It's like a Please Hack Me Sign on your back!
I avoid CMS whenever possible.



You may browse the discussion topics, but you must sign in to post. If you do not have an account, you can create one for free.

do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email