On Spam And Avoidance

  • Of course, the first thing to do is install a good anti-spam plugin – Spam Karma, Spaminator, Bad Behavior, etc., and make sure it’s working.

    What I’d like to see for WP 1.5.2 (or maybe 1.5.1.2, whatever) is something more rigorous.

    It seems that most spam (at least, most of mine) comes from spammers accessing the comment file directly and placing their shnit via HTTP POST (or GET, whichever is actually used – I haven’t looked at the source for this, and it doesn’t matter). Could this not be alleviated by randomizing the filename for this file? Some simple PHP script would be able to keep track of this and I recall that mod_rewrite can do an external lookup to find stuff it needs. For people that don’t use mod_rewrite, it would be even easier when this is run through the index.php method.

    To control bots, why not use Javascript to embed the destination page into the code?

    In both cases, mod_rewrite (or even just referer lookups in the destination page) would prevent the comment file from being run directly.

    Thoughts? Criticisms? More details? I’m aware that this would leave people hosted on IIS with users who have Javascript disabled exactly where they are today, but the majority of browsers will run Javascript, and even IIS works with the index.php method most of the time.

Viewing 15 replies - 1 through 15 (of 15 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    WordPress’ anti-spam techniques should be no more rigorous than they already are. Most of the plugins you have mentioned already generate more than enough false positives for some of our more advanced users (just search these forums to find a few complaints). Imagine the difficulty for new users wondering why completely legitimate comments are being deleted. Any anti-spam measures beyond WP’s default tools should exist only as plugins with an “activate at your own risk” disclaimer.

    As a side note: To control bots, try Bad Behavior: http://www.ioerror.us/software/bad-behavior/

    http://codex.wordpress.org/Combat_Comment_Spam

    In reality, since switching to 1.5, my comment spam is down by 90%. I have no plugins for comment spam installed as of right now.

    Two weeks ago, after my new 1.5 site had been up for two months, I had my first big batch of casino spam. I never saw any of it. How do I know I even had it? I use Paged Comment Editing by Coldforged which also features the ability to “see” comment spam caught by WordPress. I wanted the other features and got this additional one.

    This allows me to delete the comment spam from my database, even though I might never see it otherwise.

    Maybe I’m lucky but it’s been two weeks and I’ve only had one comment spam that came from some twit who said something nasty just to be nasty. Great time wasters, and that was caught, too. Even hidden spam is gone.

    Now, with the great comment spam controls built into WordPress helping me, and the availability of more comment spam protection from plugins, this sudden quiet for the past two weeks makes me wary. I know those time wasters are up to something worse and nasty.

    Problem is that if WordPress spent all the time they need to prevent and protect against comment spam, the developers would have little time for developing the rest of the neato features. There have to be compromises, and luckily there are enough pissed off WordPress users with plugin building experience to help keep a lid on some of it.

    Thread Starter rustindy

    (@rustindy)

    Macmanx, the method I’m suggesting (or rather, asking about) doesn’t have anything to do with false positives or making WP decide what is and is not spam. The operation of either method would be 100% transparent to the user. I’d like to see WP somehow hide the comment file itself so that bots can’t find it but users will still see it.

    There *must* be a way to do it, and now I’m asking for people to suggest how 🙂

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    If by “it”, you mean to prevent bots from directly accessing wp-comments-post.php with a “POST” header, then there is a way to do it. A plugin by the name of Bad Behavior does it. You could either use that plugin, or dissect it and figure out how it works.

    http://www.ioerror.us/software/bad-behavior/

    It seems that most spam (at least, most of mine) comes from spammers accessing the comment file directly and placing their shnit via HTTP POST (or GET, whichever is actually used..

    I suggested allowing the filenames to be changed .. the fact is bots are looking for default file names when accessing pages. I renamed my default pages eons ago for BOTH trackbacks and comments submission. Guess what? No spam. If I can suggest anything to do out of the box, that would be it.

    Unfortunately, RustIndy, most people around here are content to rely on spam plugins and the accompanying false positives and OTHER headaches, rather than take a more creative approach to solving things. It’s the WP spam mantra: “use one of the gazillion plugins”

    edit: there is an additional thing you can do as well. comment_post.php or whatever that file name is that is actually responsible for the posting of comments — ONE simple line in your .htaccess restricts that to only being called from YOUR domain. NO MORE REMOTE comment submissions, end of story.

    doing both — renaming the page, and then restricting access alleviates the need for basically all comment spam related plugins.

    ———-

    ONE major issue (and I could come up with others) with all of these plugins is that spam has to hit your site before it’s dealt with. The beauty and simplicity of Apache and mod_rewrite is that all of that crap is dealt with before it takes up any of your bandwidth, before it hits your site.

    Thread Starter rustindy

    (@rustindy)

    Whooami – I didn’t know Bad Behavior did that, I’ll look at it for sure. I have also thought about just hardcoding the renamed comments file, but I thought it would be too easy for a spammer to figure out if they wanted to. It’d be nice to have the filename completely randomized on a per-use basis.

    The problem with using referer fields to prevent spam is that many people surf with them blocked. Isn’t that what using mod_rewrite would rely on?

    Any solution would also have to be completely cross-platform and server independent (so it should work equally well on *NIX and Windows, with at least IIS and Apache). That also removes mod_rewrite from the equation since most IIS servers don’t have an equivalent filter.

    Thread Starter rustindy

    (@rustindy)

    I should also say that I don’t really care what *most* people do. Let them eat cake, so to speak. I’ll learn to grow cattle so I can have my damn steak 🙂

    I’m not sure where to buy cow seeds though…

    Whooami – I didn’t know Bad Behavior did that, I’ll look at it for sure.

    I didn’t recommend that, but feel free 🙂

    I have also thought about just hardcoding the renamed comments file, but I thought it would be too easy for a spammer to figure out if they wanted to.

    Well, I’m merely expressing what works for me — LOTS of people have tried to tell me that “it’s too easy ..” blah blah, won’t last — it’s lasted. That’s all I can say.

    The problem with using referer fields to prevent spam is that many people surf with them blocked. Isn’t that what using mod_rewrite would rely on?

    Huh? Are you talking about empty referers? That doesn’t affect a hardened .htaccess one bit.

    Any solution would also have to be completely cross-platform and server independent (so it should work equally well on *NIX and Windows, with at least IIS and Apache). That also removes mod_rewrite from the equation since most IIS servers don’t have an equivalent filter.

    I’m not trying to suggest changes to the WP core — I guess you are, though. I am going to hazard a guess and reiterate what appears to be the official position on how to handle spam – “use a plugin”.

    I am telling you what works for me. I don’t give a crap about IIS – I wouldn’t host my site on a Windows Server for anything.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    RustIndy is trying to build a foundation to suggest a feature for an upcoming version of WordPress, so cross-platform compatibility and ease of use/implementation for the end-user is a must in this situation.

    I think I understood that —

    I’m not trying to suggest changes to the WP core — I guess you are, though.

    The thread is in how-to and troubleshooting. My reply is as equally valid as your first reply — directing him to a plugin.

    Thread Starter rustindy

    (@rustindy)

    I chose this thread because it didn’t seem to fit into any other 😉

    Whooami: That’s exactly what I’m doing, asking about a change to the WP core to build in at least this basic amount of functionality. There will always be bots that can get past it, but adding this filename randomization (in a method besides a very basic rename function) would probably knock out 99% of the spam for a while.

    There is a serious problem with spam in WordPress right now, and something (besides “go track down a plugin and see if it works”) needs to be done about it. I believe it is something that should be in the core because it can be considered a basic feature – spam avoidance.

    As for your fancy htaccess, try this: create a rewrite condition that’ll send Firefox to a different page than IE (or whatever). Test the rule with your browser(s). Now, using a personal firewall (or whatever), block your browser’s referer field. Does your htaccess rule still work?
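    The disagreement between Whooami’s “one line in .htaccess restricts the comment script to your own domain” and rustindy’s objection about blocked referers comes down to one decision table, so here it is as an added example (not code from this thread or from WordPress): the same check such a rule performs, written in Python so the edge cases can be run offline. The hostname, the endpoint path and the sample requests are made up for illustration.

```python
from urllib.parse import urlsplit

SITE_HOST = "blog.example"                 # assumed: the blog's own hostname
COMMENT_ENDPOINT = "/wp-comments-post.php"  # the script the thread talks about


def referer_host(headers):
    """Hostname named in the Referer header, or "" when absent or unparseable."""
    ref = headers.get("Referer", "")
    if not ref:
        return ""
    return (urlsplit(ref).hostname or "").lower()


def allow_comment_post(method, path, headers, allow_empty_referer=False):
    """Decide whether a request may reach the comment handler.

    Only POSTs to the comment script are gated; everything else passes.  A
    POST is accepted when the Referer names this site.  An empty Referer is
    the contested case: browsers, firewalls and proxies that strip the header
    send exactly that, so the policy flag decides whether such users can
    comment at all.
    """
    if method != "POST" or path != COMMENT_ENDPOINT:
        return True
    host = referer_host(headers)
    if host == "":
        return allow_empty_referer
    # Exact host comparison: a substring or unanchored regex match would let
    # blog.example.spamhost.example through.
    return host == SITE_HOST


# Constructed sample requests (made up for this example, not captured traffic).
REQUESTS = {
    "legit":     ("POST", COMMENT_ENDPOINT, {"Referer": "http://blog.example/2005/04/hello/"}),
    "foreign":   ("POST", COMMENT_ENDPOINT, {"Referer": "http://spamhost.example/"}),
    "lookalike": ("POST", COMMENT_ENDPOINT, {"Referer": "http://blog.example.spamhost.example/"}),
    "blank":     ("POST", COMMENT_ENDPOINT, {}),
    "spoofed":   ("POST", COMMENT_ENDPOINT, {"Referer": "http://blog.example/"}),  # a bot simply sets the header
    "read":      ("GET", "/2005/04/hello/", {}),
}


def decisions(allow_empty_referer=False):
    """Run every sample request through the gate under the given policy."""
    return {name: allow_comment_post(method, path, headers, allow_empty_referer)
            for name, (method, path, headers) in REQUESTS.items()}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_empty_referer={policy}: {decisions(policy)}")
```

    Run it and both sides of the argument show up in the output: with the strict policy the foreign and look-alike referers are refused, but so is the user whose browser sends no referer at all; relax the policy for blank referers and that user gets in, together with any bot that simply omits the header. The “spoofed” row is the other caveat: the Referer is chosen by the client, so a bot that sets it to the blog’s own URL passes under either policy. The rule is cheap and cuts the lazy bots, which is what Whooami reports, but it is not a guarantee.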

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    There is a serious problem with spam in WordPress right now

    Just to clarify, there is a serious problem with spam in almost every blogging platform right now.

    I agree that the anti-spam features could be improved at some point, but as long as there are plugins to fill in the gaps, this focus will probably not receive a very high priority. Matt is a very big supporter of the plugin community.

    Thread Starter rustindy

    (@rustindy)

    There are a few platforms where spam is not a problem – TextPattern comes to mind. Maybe because it’s lower profile than WP (my perspective, FWIW), maybe because it’s just harder to spam for some reason.

    To clarify, this is a very serious problem with WP right now. More so than just about every other platform I can think of that I’ve investigated (I’m no researcher, but there are plenty of user communities out there for every platform – pretty easy to search for spam problems with an application).

    So I stand – there needs to be some kind of basic spam-avoidance mechanism built into the core. Please understand that spam-avoidance is different than anti-spam. Think of WP as a door. Your anti-spam plugins might be locks. But would you need so many locks if you could just hide the door? Is there any reason not to hide that particular doorway? Especially if that door keeps moving 🙂

    You could move the wp-comments-post.php file, but the spammers are already ahead of you: they simply scrape your comment form to determine where the script is, and then post there. This is already fully automated.

    Your analogy of hiding the doorway doesn’t work, since the “doorway” has to be visible, in order for anyone to comment!

    As macmanx noted, Bad Behavior stops most automated spambots from accessing the comment form, regardless of its name.
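    The point above, that a bot reads the comment form to find the script rather than guessing its name, as an added example that is not code from this thread or from WordPress. The page fragment is constructed for illustration (the comment script has been renamed to a made-up path); the parser finds the action anyway, which is why a static rename alone buys little.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlencode

# Constructed page fragment: the comment script was renamed, but the form
# still has to point at it for humans to comment.
SAMPLE_PAGE = """
<html><body>
<form action="/obscure-9f3a/post.php" method="post" id="commentform">
<input type="text" name="author" />
<input type="hidden" name="comment_post_ID" value="42" />
<textarea name="comment"></textarea>
<input type="submit" value="Say It!" />
</form>
</body></html>
"""


class CommentFormFinder(HTMLParser):
    """Collect every form's action, method, field names and hidden values."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "hidden": {}, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)
                if (a.get("type") or "").lower() == "hidden":
                    self._current["hidden"][name] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_comment_form(page_html, page_url):
    """Return (absolute action URL, hidden fields) of the first POST form that
    has a 'comment' field, or None.  The script's filename is never needed."""
    p = CommentFormFinder()
    p.feed(page_html)
    for f in p.forms:
        if f["method"] == "post" and "comment" in f["fields"]:
            return urljoin(page_url, f["action"]), dict(f["hidden"])
    return None


def build_submission(page_html, page_url, payload):
    """What a bot would POST: the scraped hidden fields plus its own values.
    Returns (url, urlencoded body) or None when no comment form was found."""
    found = find_comment_form(page_html, page_url)
    if found is None:
        return None
    url, hidden = found
    body = dict(hidden)
    body.update(payload)
    return url, urlencode(body)


if __name__ == "__main__":
    print(build_submission(SAMPLE_PAGE, "http://blog.example/2005/04/hello/",
                           {"author": "visitor", "comment": "hello"}))
```

    Against a live site the only extra step is fetching the page first (for instance with urllib.request); everything that identifies the handler, including the hidden post ID the script needs, is already in the HTML. A renamed script stops only bots that never load the page.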

    Thread Starter rustindy

    (@rustindy)

    That’s exactly why just a simple file-rename won’t work. Most bots don’t understand Javascript, so the link to the posting form should be written with Javascript. The Javascript, in turn, should be written by the PHP because that posting form will be renamed (or rather, via mod_rewrite and/or some other mechanism, a random name assigned that will point to the posting file, while blocking access to the posting file with its original name) by a PHP function.

    So the doorway could be hidden from robots, but not from humans. It’s not the be-all and end-all of spam prevention, but it should be good spam-avoidance, and something that is built into the system.

    It should go without saying, but I’ll say it anyways. Who cares what the “other” guys are doing! Let them get spammed all they want. Where is it written that WP has to wait for Blogger (or whomever) to do something before it’ll happen in WP??
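    The “moving door” rustindy sketches (the server picks a random name per rendering, a script writes it into the form, and the original filename is refused), as an added example that is not code from this thread or from WordPress. It is written in Python rather than the PHP and mod_rewrite the post has in mind, and the path prefix, the token lifetime and the shape of the emitted script are assumptions made for illustration.

```python
import secrets
import time

REAL_HANDLER = "/wp-comments-post.php"  # the script the thread wants hidden
TOKEN_PREFIX = "/c/"                    # assumed: public prefix the random names live under
TOKEN_TTL = 600                         # assumed: seconds a random name stays valid


class MovingDoor:
    """Issue one random endpoint name per rendered page and redeem it once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._live = {}  # token -> (post_id, expires_at)

    def issue(self, post_id):
        """Create a fresh random name for one rendering of the comment form."""
        now = self._clock()
        # Drop stale entries so the table cannot grow without bound.
        self._live = {t: v for t, v in self._live.items() if v[1] >= now}
        token = secrets.token_urlsafe(16)
        self._live[token] = (post_id, now + TOKEN_TTL)
        return token

    def render_form(self, post_id):
        """The markup as the server would emit it.  The form carries no usable
        action in the HTML; the script fills it in, so a scraper that reads
        form attributes without running JavaScript finds nothing to POST to."""
        token = self.issue(post_id)
        return (
            '<form id="commentform" method="post" action="#">\n'
            '<textarea name="comment"></textarea>\n'
            '</form>\n'
            '<script>document.getElementById("commentform").action='
            f'"{TOKEN_PREFIX}{token}";</script>\n'
        )

    def route(self, method, path):
        """Map an incoming request path to the real handler, or refuse it.
        Returns (handler path or None, post_id or None, reason)."""
        if path == REAL_HANDLER:
            return None, None, "direct access to the real handler is blocked"
        if method != "POST" or not path.startswith(TOKEN_PREFIX):
            return None, None, "not a comment submission"
        token = path[len(TOKEN_PREFIX):]
        entry = self._live.pop(token, None)  # single use: gone after the first redeem
        if entry is None:
            return None, None, "unknown or already used name"
        post_id, expires_at = entry
        if self._clock() > expires_at:
            return None, None, "expired name"
        return REAL_HANDLER, post_id, "ok"


if __name__ == "__main__":
    door = MovingDoor()
    print(door.render_form(42))
    name = door.issue(42)
    print(door.route("POST", TOKEN_PREFIX + name))   # ok
    print(door.route("POST", TOKEN_PREFIX + name))   # already used
    print(door.route("POST", REAL_HANDLER))           # blocked
```

    Two things follow from running it. The random name is bound to one rendering, expires, and is accepted once, so a name harvested today cannot be replayed in bulk tomorrow, which is what a plain rename lacks. But the name is still in the page source, inside the script tag; a bot that evaluates the JavaScript, or just matches the string with a regular expression, gets a valid name for free. That is the limit of hiding the door, and it is the same objection the previous reply made about scraping the form.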
