Message Board

Tracking Harvesters/Spammers

Older Posts ]   [ Newer Posts ]
 I think I'm being flooded
Author: H.Shidou   (12 Feb 09 7:42pm)
Hello guys...

I have a Wordpress blog, and all of a sudden somebody started to add a bunch of comments on it. They are of 2 types: they have hundreds of words with some links simulating a big comment, or they have random words with random letters forming 1 or 2 lines with 2 or 3 links, which also use random letters domains...

They are not spam, because their links lead to nothing. I think somebody is attempting to flood me trying to add trash comments to my blog.

Another symptom is that Counterize is reporting thousands of visits all of a sudden. It normally reports 150-350 visits/day, but yesterday and today it reported more than 3000 visits!

All of them have no referer and report using IE6. This bot seems to be scanning all my posts and pages, and then it seems to start posting the trash comments I said above and access posts URL followed by /#comment-XXXX...

Comments are easily cautch by Askimet, but this trash in Counterize is deteriorating stats, because they add fake data do days of month, days of week, browser participation, etc. I had to delete all the trash manually.

This is not a DDOS attempt either, because only 2 IPs were used. It really seems his objective is to add trash comments to my blog. I suspect this is being done by some vegetarian, because I've been debating with them in a veg blog :P

Well, I've just installed Bad Behavior plugin and joined Honey Pot project to try to block whoever is flooding me. What else can I do?
 Re: I think I'm being flooded
Author: J.Brody   (13 Feb 09 5:15am)
If it's on your own server and/or you have access to cPanel then you can block those particular IP addresses from accessing your site.
 Re: I think I'm being flooded
Author: H.Shidou   (14 Feb 09 2:26am)
Hello Brody, just a few hours ago I found clues that make me believe this flood is a retaliation from some criticisms I made about my local university, or somebody trying to make me believe so.

I used cPanel's Raw Access Log, enabling both checkboxes to save logs everyday.

Now I'm gonna search how to block IPs with htaccess and start a blacklist of recurrent IPs.

Tnx for the suggestion :)

Is there anything else I can do to deal with this flood? I'm sure somebody probably from my city is doing it on purpose, they his objective seems to make himself visible in my site stats. I noticed some patterns on accesses, so he could even be sending me a message to stop talking about the university...
 Re: I think I'm being flooded
Author: J.Brody   (16 Feb 09 9:05am)
If you have cPanel then you don't even need to mod .htaccess - on the Security tab in cPanel is an icon called IP Deny Manager.....
 Re: I think I'm being flooded
Author: E.Geier   (17 Feb 09 4:52pm)
Well, another easy measure would be to add a CAPTCHA entry, if ever possible. There are free CAPTCHA providers around:
It makes such mass entries rather complicated and difficult.
 Re: I think I'm being flooded
Author: J.Brody   (18 Feb 09 12:46pm)
Or even using the captcha-free plugin for Wordpress itself ;)
 Re: I think I'm being flooded
Author: P.James   (2 May 09 2:21pm)
Personally, in this sort of instance where only one or two IPs are involved, I would do a whois on the IP addresses and then report the behaviour to their ISP(s), then monitor to see if it stops. If it doesn't then report again and block at your end.

This is sort of revenge for the amount of time wasted on dealing with these things and in the case of innocent malware victims a kick up the backside to get their security in order.
 Not flooded any more
Author: D.Williamson2   (19 Oct 09 2:32am)
For these gibberish comment spams it can be as simple as just correctly validating the email address before you permit the post:

Between that, the P.H.P. http:BL ( and reCAPTCHA ( you should be able to keep almost everything unwanted out of anything.

 Re: I think I'm being flooded
Author: J.Sniderman   (4 Mar 10 2:57am)
Depending on your hosting setup, you may be able to firewall them out entirely. *If* you have root access to the machine (your own server, vps, dedicated etc) outright firewall them.

I've done this on very rare occasion, once involving a former girlfriend, and a couple other times with random spammers. Nothing says "go away" like a big old "Page cannot be displayed" or "Firefox cannot find the site" that noone else is faced with.

Another nice option, is using .htaccess, redirect them to a specific other page. This can be a generic "banned" page, something more hostile, even a mirror of the original page, but with all emails and commenting options disabled.

Also, make sure you are logging the referer headers. I had one instance of a group of 3 such trouble makers who all came from the same URL, which it turns out was a post on their own healthcare intranet site (yes, i was spammed by an actual doctor once, long story, he thought my opinons were harmful to his 'cause') with a link to me, and instructions to their employees to poke around and make trouble. Once armed with such information, you can more effectively block users proactively, and helps to understand exactly who the enemy is, and as in my case, if they leave such pages unprotected, what their entire strategy is.
 Re: I think I'm being flooded
Author: J.Brisebois   (13 Mar 10 1:44am)
If I ever had someone I knew trying to do that to me, I'd redirect his IP to a gay porn site LOL but there are some "flood protection" scripts on the 'net that you can get example code for, works with sessions so that if joe blow tries to access pages more than 1 second at a time, it makes him wait 2 or 3 or whatever seconds before he can make the request again. Kinda like the "you have reached the post limit, please wait 5 minutes and try again" that I get from Projecthoneypot's IP commenting system.

.htaccess is awesome for stopping url injections and other monkey business. I have any "forbidden" errors go to a banme.php page, which will automatically ban their hiney by automatically writting "deny from x.x.x.x" in the .htaccess whenever the event is triggered. This is great especially for attempted url injections, user agents and the most fun, spiders that ignore robots.txt Then it emails me to tell me what happened so I can check it out.

do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–18, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email