WordPress.org

Forums

How to eliminate automated comment spam (20 posts)

  1. Brak
    Member
    Posted 9 years ago #

    We all know it's a problem... however, I think there needs to be a pre-packaged spam-fighting tool... so here's my proposal to effectively eliminate all automated comment spam.
    1. When a user makes a WordPress installation, a new option is added in the database... something like "commentkey"; this is a randomly generated string.
    2. This string is required by wp-comments-post.php as a querystring value. The form action field would then be: action="http://www.domain.com/wp-comments-post.php?key=44JKsl30Jsl" This could easily be done with a simple edit of the wp-comments.php file.
    3. This string is checked in wp-comments-post.php; if it does not exist, the comment gets disqualified.
    4. There would be an option in the interface to generate a new key, should spammers custom-write a script for their specific installation.
    While this would not completely eliminate spam, it would make it terribly difficult for spammers to get around and would require some very creative coding.
    So, there's my idea. Comments?

  2. It's been done, but thanks for chiming in.
    http://www.tamba2.org.uk/wordpress/spam/

  3. charle97
    Member
    Posted 9 years ago #

    it's not difficult to beat this.

  4. Brak
    Member
    Posted 9 years ago #

    It's been done, but thanks for chiming in.
    http://www.tamba2.org.uk/wordpress/spam/

    Please read the first sentence of my post. Thank you.

  5. I have, but there are hacks to implement this. It doesn't have to be pre-packaged, and probably won't be. So far, I'm using the pre-packaged tools and have changed the name of my comment posting file. And, as Charle said, "it's not difficult to beat this." Why? Because the bots can learn the string by dissecting wp-comments-post.php. This is one reason why hacks like this have not been included in WordPress. A blacklist cannot be beat, and TG's code plugs a hole that shouldn't have existed in the first place. The devs will not include hacks that can be beaten, much less hacks that have already been beaten.

  6. charle97
    Member
    Posted 9 years ago #

    packaging an anti comment spam tool is not a good idea. comment spamming is worthwhile because the homogeneity of installs makes widespread spamming easy. a packaged anti comment spam tool would be rendered useless in a short period of time.

  7. Brak
    Member
    Posted 9 years ago #

    Exactly charle... the point of this specific hack is that it effectively makes every install unique (to an extent). The hackers would be required to write scripts hundreds of times more complex than their current ones to circumvent it. Currently, spam scripts do not read the pages they come from at all - they simply target domains and directories. This would require them reading the page... and at that point, they would realize that it's just not worth the added effort.
    I'm saying it needs to be pre-packaged because the average user is an idiot. Sorry to say... but you know it too. Tell them to edit a PHP file and they'll just stare at you. If you truly believe the average WP user is capable of applying hacks like this, perhaps you should rethink your position :)

  8. Incorrect. All a spammer needs to do is write a script that discovers the code. It's been done, trust me.

  9. Brak
    Member
    Posted 9 years ago #

    macmanx... I don't mean to be insulting, but are you reading my posts? Please do, you'd find statements like this:

    Currently, spam scripts do not read the pages they come from at all - they simply target domains and directories. This would require them reading the page... and at that point, they would realize that it's just not worth the added effort.

    I'm all down for intelligent discussion, but I would like for each of us to read each other's statements before saying things first.

  10. Brak, I've read your statements, really. And what you want has already been countered. We have bots that can dissect files and pull out randomly generated code to get past captchas. Therefore, I don't see how your idea (of having one randomly generated key per blog) is going to be of any use. Every time a bot visits a blog with this hack enabled, it will dissect the file, pull out the code needed, and post with it. The whole process takes less than five seconds.
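
The mechanism from post 1 and the page-reading bot from post 10, written out as an added, stand-alone PHP script (not WordPress code and not anything posted in this thread). The option name "commentkey", the domain and the form markup are placeholders taken from post 1; the request array stands in for $_GET and the page is built inside the script, so nothing here touches a real install.

```php
<?php
// Added example (not WordPress code, not from the thread): the per-install
// comment key from post 1, and the page-reading bot from post 10.
// Assumptions: the secret lives in a hypothetical option "commentkey"; the
// domain and form markup are placeholders; $query stands in for $_GET and the
// page is constructed in this script, so nothing touches a real install.

// 1. Generate the per-install secret once (post 1 would store it as an option).
function generate_comment_key(): string {
    return bin2hex(random_bytes(16));   // 128 random bits, hex-encoded: not guessable
}

// 2. Put the key in the form action, as post 1 describes.
function render_comment_form(string $key): string {
    $action = 'http://www.domain.com/wp-comments-post.php?key=' . rawurlencode($key);
    return '<form action="' . htmlspecialchars($action, ENT_QUOTES) . '" method="post">'
         . '<textarea name="comment"></textarea><input type="submit"></form>';
}

// 3. The check wp-comments-post.php would make before touching the database.
function comment_key_is_valid(array $query, string $stored_key): bool {
    if (!isset($query['key']) || !is_string($query['key'])) {
        return false;                   // the blind "just POST to the file" bot
    }
    // Constant-time and strict comparison (== does loose numeric comparison in PHP).
    return hash_equals($stored_key, $query['key']);
}

// 4. The bot from post 10: fetch the post page, pull the key out of the form
//    action, reuse it. One regular expression is all the "dissecting" takes.
function scrape_comment_key(string $html): ?string {
    if (preg_match('/wp-comments-post\.php\?key=([A-Za-z0-9%._-]+)/', $html, $m)) {
        return rawurldecode($m[1]);
    }
    return null;
}

$key  = generate_comment_key();
$page = render_comment_form($key);

$verdict = function (bool $ok): string { return $ok ? 'accepted' : 'rejected'; };

// A bot that only knows the file name never gets past the check.
printf("no key:      %s\n", $verdict(comment_key_is_valid([], $key)));
printf("guessed key: %s\n", $verdict(comment_key_is_valid(['key' => 'guess'], $key)));

// A bot that reads the page first gets the real key and walks straight in.
$scraped = scrape_comment_key($page);
printf("scraped key: %s\n",
    $verdict($scraped !== null && comment_key_is_valid(['key' => $scraped], $key)));
```

Run it with the PHP CLI. The key has to be readable by the browser, so it is readable by anything that fetches the page; the check raises a bot's cost from "know the file name" to "one GET plus a regular expression". Regenerating the key (step 4 in post 1) does not change that, because the bot scrapes it fresh on every visit.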

  11. Brak
    Member
    Posted 9 years ago #

    Can you please cite a WordPress spamming bot that does this. As far as I'm aware, 98% of WordPress spamming bots simply ask for wp-comments-post.php. Since I've implemented a version of this hack on various sites, I haven't gotten one single spam comment in over 2 months. I'd call it a pretty viable solution.
    I agree that it's possible for them to circumvent this.. but not likely. Right now WP is more or less the easiest way to post comment spam... you just call wp-comments-post.php and send your data and it shows up. Doesn't even check against whether a post exists yet or not.

  12. Brak
    Member
    Posted 9 years ago #

    Another idea just came to mind: Cookies.
    While requiring cookies for comments might be against some people's religion, it would be a great way to prevent comment spam. Simply have the site send a cookie whenever someone looks at a post - and check against that cookie in wp-comments-post.php. This would all but eliminate bots.

  13. Yes, that would be far more effective. But, there are MT bots that accept cookies. It shouldn't be hard to port one over to WP, or extend its function to WP.

  14. Brak
    Member
    Posted 9 years ago #

    AFAIK the only "bots" that accept cookies are ones using IE via COM controls, which are terribly complex at that point - and completely not worth the effort of the script makers.

  15. charle97
    Member
    Posted 9 years ago #

    funny how you tell people to read your statements, when you don't read others. anti comment spam tools should not be packaged, since that will encourage the spammer to create a countermeasure. you would only be giving the average user a false sense of security.

    I'm saying it needs to be pre-packaged because the average user is an idiot. Sorry to say... but you know it too. Tell them to edit a PHP file and they'll just stare at you. If you truly believe the average WP user is capable of applying hacks like this, perhaps you should rethink your position :)

  16. Brak
    Member
    Posted 9 years ago #

    I don't see how we'd be giving them a false sense of security... the average user is completely oblivious to comment spam as a whole until it affects them. I understand your point, however the point isn't to create a bulletproof option, but rather an option that makes it so difficult on the spammer's end that it's just not worth their time. That's the goal. Whether it's a hack or not doesn't change the subject... it's the same solution, and in the end a spammer could potentially work around a hack just as well as a pre-packaged countermeasure.
    If you can honestly give me a good reason why we should not pre-package a method like this, please do tell me. And don't use the "spammers will create countermeasures" excuse, because we both know you cannot eliminate spam - not even with required user registrations and automatically generated images - eventually some spam will get through. But that's not the point as I said earlier... we're trying to make it so hard that it's not worth the spammer's efforts.

  17. charle97
    Member
    Posted 9 years ago #

    individuality is the key to making spamming not worthwhile. ideally, everyone should come up with their own tools to combat spam and not share their solutions. a spammer would then be forced to customize his script for each blog, thus increasing his efforts probably to the point where he wouldn't want to spam anymore.
    that's not going to happen. the average user won't have the knowledge to create his own tools. even most above average to expert users wouldn't be able to create their own tools because they probably have better things to do with their time.
    wide adoption of a certain anti spam tool may inconvenience a spammer for a while, but the fact that the tool is widely adopted makes his effort of finding a countermeasure worthwhile. once the tool is beaten, the spammer will be merrily spamming away. you're doing the spammer a favor when you pre-package a tool.

  18. moisie
    Member
    Posted 9 years ago #

    Surely pre-packaging something just makes it the default which spammers will configure their systems to beat. Which once they have makes it useless.

  19. robertswift
    Member
    Posted 9 years ago #

    i've been suffering from a string of SPAM messages recently and hacked the check_comment function in wp-includes/functions.php to put a comment in the moderator queue if the e-mail domain doesn't have an MX record. my personal experience of these spam messages is that they assume the worst and include all fields whereas most genuine commenters don't seem to leave their e-mail. the reason i mention this is because the hack i've put in place undertakes a DNS query which slows down page loading by a good few seconds. people posting a comment won't notice this as the query is bypassed if no e-mail address is provided.
    i'm sure that others will have a view on this hack which i insert as the last checks in the function:

    // hack to query the MX record for a given e-mail domain
    // uses getmxrr (http://uk.php.net/manual/en/function.getmxrr.php) which
    // the documentation states shouldn't be used for address validation.
    // on the basis that an MX record will typically appear for a valid domain
    // it is reasonable to assume that an e-mail address that doesn't hail from
    // a domain *with* an MX record *might* be a spammer
    //
    // RDS - 20/12/2004
    //
    // $email is the commenter's address already in scope in check_comment();
    // returning false holds the comment for moderation, as described above.
    $mxrecords = array();
    // explode() instead of split(): split() was removed in PHP 7
    $address = explode('@', $email, 2);
    if (isset($address[1]) && strlen($address[1]) > 0) {
        // a domain name was found, check it (one DNS round trip per comment)
        if (!getmxrr($address[1], $mxrecords)) {
            return false;
        }
    }

  20. gdsawyer
    Member
    Posted 9 years ago #

    The MX solution is a good idea, but it may also reject legitimate posters. We tried this at work, and we uncovered some flaws.

    The MX record effectively is an alias for a general domain name to a specific mail server so that senders don't have to remember that your mail server is "mymailserver.example.com" when sending email -- they can just send to "example.com" and the MX entries for the domain will automatically pull up an email server.

    The problem is -- as we found out -- that there are a fair number of domains out there that do not use MX records. Apparently, it is their policy to specify the name of the actual mail server machine in the address. Thus, as a fallback, you have to query the domain for a DNS A or CNAME record. Most mail transport agents such as Sendmail and Postfix automatically retry for an A if DNS doesn't return an MX, but it does not look like the getmxrr() function does.

    From what I've seen, the poker folk like to completely spoof their email addresses, and the domain portion of the address is some odd hexadecimal string that looks like an encryption key. So their addresses will fail no matter what type of DNS record you query for the domain. It's just those folk who come from odd domains that may be affected. (Anyone coming from the RoadRunner domains will definitely be affected, e.g. ny.rr.com, rochester.rr.com, etc.)
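
An added example, not from the thread and not WordPress code, of the fallback post 20 asks for: accept a domain on an MX record, and otherwise on an address record, which is what Sendmail and Postfix do and what getmxrr() on its own does not. The resolver is passed in as a callable so the script runs offline against a constructed lookup table (not real DNS data); pass PHP's built-in checkdnsrr() to run it for real. The host-name regular expression is a heuristic of mine, not something proposed in the thread, and the example domains are the reserved example.com/.net/.org names.

```php
<?php
// Added example (not WordPress code, not robertswift's hack): an e-mail domain
// check that falls back from MX to an address record, as an MTA does.
// The resolver is injected: $has_record(host, type) returns true when a
// record of that type exists, exactly like PHP's checkdnsrr(). The table
// below is constructed for the demo and is not real DNS data.

// Domain part of an address: text after the last '@', so quoted local parts
// such as "a@b"@example.com are handled. Returns null if it cannot be a host.
function email_domain(string $email): ?string {
    $at = strrpos($email, '@');
    if ($at === false || $at === strlen($email) - 1) {
        return null;
    }
    $domain = strtolower(substr($email, $at + 1));
    // Heuristic host-name syntax (assumption, not a full RFC check). The
    // hex-blob domains from post 20 fail here without any DNS round trip.
    $host_re = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/';
    return preg_match($host_re, $domain) ? $domain : null;
}

// Is there somewhere to deliver mail for $domain?
function domain_accepts_mail(string $domain, callable $has_record): bool {
    if ($has_record($domain, 'MX')) {
        return true;
    }
    // No MX: SMTP treats the host itself as the mail exchanger when it has an
    // address record (the "implicit MX" rule). A recursive resolver answers an
    // A query for a CNAME name with the target's address, so the alias case
    // from post 20 needs no separate CNAME lookup.
    return $has_record($domain, 'A') || $has_record($domain, 'AAAA');
}

// Verdict for a check_comment()-style hook: true = let through, false = hold.
function email_looks_deliverable(string $email, callable $has_record): bool {
    $domain = email_domain($email);
    return $domain !== null && domain_accepts_mail($domain, $has_record);
}

// Constructed resolver table standing in for DNS.
$fake_dns = [
    'example.com'          => ['MX', 'A'],
    'mailhost.example.net' => ['A'],     // no MX: a bare mail host, as in post 20
    'v6only.example.org'   => ['AAAA'],
];
$fake_resolver = function (string $host, string $type) use ($fake_dns): bool {
    return in_array($type, $fake_dns[$host] ?? [], true);
};

foreach ([
    'alice@example.com',          // MX present
    'bob@mailhost.example.net',   // MX absent, A present: an MTA would deliver
    'carol@v6only.example.org',   // AAAA only
    'spam@3f9a1c7b2e',            // hex blob, never a host name
    'x@no-such.example.com',      // nothing in DNS at all
] as $addr) {
    printf("%-28s %s\n", $addr,
        email_looks_deliverable($addr, $fake_resolver) ? 'accept' : 'hold');
}

// Against real DNS: email_looks_deliverable($email, 'checkdnsrr');
```

Two caveats the thread already hints at: every submission that carries an address still costs at least one DNS round trip inside the request (robertswift's "good few seconds" when the resolver is slow), and a spammer who types a real domain into the e-mail field passes this check unchanged, so it only removes the addresses that were never deliverable in the first place.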

Topic Closed

This topic has been closed to new replies.