WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] How spamers avoid comment form!? (6 posts)

  1. truden
    Member
    Posted 7 years ago #

    Hi everybody :)

    It is my first post here, and it comes as question arouse from my first plugin.

    I made a captcha plugin for myself which works on comments.
    While testing it I got few spam comments, blocked by Akismet.
    That surprised me, because I can give guarantee that the image is unbreakable for now. It is used for more than a year in Truden Web Site (+5000 visitors a day) without single spam going through.

    TruBar (my captcha) is using DB.
    After more than nine hours using the plugin I checked the DB. There was no record for opening the image.
    (No visitor or robot opened the image in order to post comment).
    Yet I had two spam comments on moderation hold.

    Does that mean that wp has security hole allowing spammers to post without using the comment form?

    I hope that somebody can answer this simple question. :)

    See how the plugin works in http://mnogo.truden.com

  2. PozHonks
    Member
    Posted 7 years ago #

    It is not comment spam, but trackback spam. Use the search engine and you will know what to do.

  3. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    Does that mean that wp has security hole allowing spammers to post without using the comment form?

    It's not a security hole. It's a trackback. That's supposed to be there.

    Captchas don't stop spam, and not all spam comes through a "form". There's three entirely different ways to post "things that kinda look like comments" on WordPress, and they're all supposed to be there. Two of them are specifically for automated systems.

    http://www.homelandstupidity.us/software/bad-behavior/
    http://akismet.com/

    Install and use these plugins. Poof!
    Spam? Gone.
    Captcha? Unnecessary.

  4. truden
    Member
    Posted 7 years ago #

    Sorry I did not mentioned that I'm using "Trackback validator". It is very good on stopping trackback comments.
    Of course I know Akismet and Spam Karma 2. I used them before installing TruBar.

  5. truden
    Member
    Posted 7 years ago #

    So-o-o... The investigation developed and I got some results.
    This topic is not about using or not using captha.
    It is not about which plugin to use for stopping SPAM.
    It is about weakness in WordPress, allowing spammers to avoid the comment form.

    Yes, in my case the comment form, which POST the comment was bypassed.
    I found it out when a comment was inserted without generating image (generated security images in TruBar are recorded in the DB).

    After I discovered that, I did some research in the Internet and found this code:

    if(!isset($_SERVER['HTTP_USER_AGENT'])){
    die("Forbidden - This page is for normal browsers only");
    exit;
    }
    if(!$_SERVER['REQUEST_METHOD'] == "POST"){
    wp_die("Forbidden - You can post from my form only!");
    exit;
    }
    // Host names from where the form is authorized
    // to be posted from:
    $authHosts = array("yourdomain.com", "yourotherdomain");
    // Where have we been posted from?
    $fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));
    // Test to see if the $fromArray used www to get here.
    $wwwUsed = strpos($fromArray['host'], "www.");
    // Make sure the form was posted from an approved host name.
    if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts)){
    wp_die("Forbidden - No, No, No!");
    exit;
    }
    // Attempt to defend against header injections:
    $badStrings = array(
    "spamword1",
    "spamword2",
    "spamword3");
    // Loop through each POST'ed value and test if it contains
    // one of the $badStrings:
    foreach($_POST as $k => $v){
    foreach($badStrings as $v2){
    if(strpos($v, $v2) !== false){
    wp_die("Forbidden - You have used BAD SPAM words! Clean your language and come back again.");
    exit;
    }
    }
    }
    // free up used memory
    unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);

    After I inserted it in wp-comments-post.php the "clever spam" stopped :D

    Next step is to make TruBar intelligent enough to know on which comment to appear ;)

    Thank you for your answers.
    My answer is: You don't need heavy anti-spam plugins.
    TruBar is only 6KB and stops all the SPAM.

    P.S. TruBar is not released and I'm not sure if I'll ever release it. DO NOT ask me for it.

  6. truden
    Member
    Posted 7 years ago #

    The above "fix" does not stop spam robots in avoiding the comment form.
    The problem still persist.

Topic Closed

This topic has been closed to new replies.

About this Topic