WordPress.org


Question about spam (15 posts)

  1. Storyman
    Member
    Posted 5 years ago #

    Just received comments on 2 different sites. They each have a different user name and email address, which I'm sure are fakes.

    IP Addresses:
    Site 1) 94.102.60.151
    Site 2) 94.102.60.152

    Messages:
    Site 1) zpwb08bg3d254up
    Site 2) nmmle0g7hpdjo7h7

    Are they testing to see if the comments are automatically posted? Or is there some other nefarious purpose?

  2. mickmel
    Member
    Posted 5 years ago #

    I've been getting a LOT of these today, across virtually all of my sites. I have no idea what's going on...

  3. doubletake
    Member
    Posted 5 years ago #

    Hi, I'm having the same trouble tonight.

    It looks very much like some sort of automated 'water testing' kit looking for WordPress sites to which it can automatically post.

    It doesn't appear very bright, although it posts a hash or random code to presumably identify itself with its own kit, it doesn't seem to test whether it can post links or not (perhaps they've dreamed up a nefarious use which doesn't involve links?!)

    In the meantime, all the hits I'm getting seem to originate from one of three servers on the same range from 94.102.60.151-153 in the Netherlands (so says RIPE).

    If you want to block them off for now, you can use your .htaccess file for Apache and block 94.102.60.151-153 with a 'Deny' statement but make sure you know what you're doing with htaccess Allow/Deny or you could block the lot ;)

    That should at least stop this bot posting. I don't think Akismet is going to handle it as all it will get is an apparently random string.

    It's not going to help much if this starts coming from other servers outside that range though.

  4. Storyman
    Member
    Posted 5 years ago #

    Doubletake,

    We are on the same page. I'm thinking that they post to every imaginable site, then later search for those identifiers left as a comment. Eventually, they will spam all of those sites that posted their comment(s). Still, it doesn't make a lot of sense because they could be spamming while going through this exercise.

    An alternative is that they are going to sell the list for some nefarious activity.

  5. AldebaranJill
    Member
    Posted 5 years ago #

    I've just gotten hit today (11/12/08) and written this article. I think it's better to block the IP via WordPress's built-in comment blacklist.

    http://aldebaranwebdesign.com/blog/wordpress-comment-spam-from-amsterdam/

    J

  6. doubletake
    Member
    Posted 5 years ago #

    > I've just gotten hit today (11/12/08) and written this article. I think it's better to block the IP via WordPress built in comment blacklist.

    Ah yes, I'd forgotten that WordPress has a built-in blacklister.

    I think it may be a bit more resource intensive to block this way than via htaccess but in this particular case, the hit rate is low and I've elected to use your method.

    Thanks :)

  7. doubletake
    Member
    Posted 5 years ago #

    I've just gone over one of my server logs.

    It's definitely automated as the whole process from the first GET to POST takes just a second or so.

    Interestingly, there's also another 'random username signup' process originating from within the same IP block (I saw it on 94.102.60.77). This whole IP range seems to be owned by the same company in the Netherlands.

    I'm seriously wondering whether I should block the whole range :/

    I don't like to be too quick to block ranges as legitimate users can be affected.
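
The timing check described in the post above (first GET to comment POST within about a second), sketched as an added example that is not part of the original thread. The log lines are constructed samples in Apache combined format, and the two-second threshold and the function name `fast_commenters` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (Apache combined log format), not real logs from the thread.
SAMPLE_LOG = """\
94.102.60.151 - - [12/Nov/2008:21:14:03 +0000] "GET /2008/11/hello-world/ HTTP/1.1" 200 15230 "-" "Mozilla/4.0"
94.102.60.151 - - [12/Nov/2008:21:14:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Nov/2008:21:15:10 +0000] "GET /2008/11/hello-world/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2008:21:18:42 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
94.102.60.152 - - [12/Nov/2008:21:20:30 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
94.102.60.152 - - [12/Nov/2008:21:20:31 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

# client IP, timestamp, method and path from the start of a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
COMMENT_ENDPOINT = "/wp-comments-post.php"  # WordPress comment form target


def fast_commenters(log_text, max_seconds=2):
    """Map each IP to the GET-to-POST delays (seconds) that were <= max_seconds.

    A delay of None means the IP posted a comment without any earlier GET
    in the log, which a human using the comment form would not do.
    """
    last_get = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing
        ip, stamp, method, path = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET":
            last_get[ip] = when
        elif method == "POST" and path.split("?")[0] == COMMENT_ENDPOINT:
            prev = last_get.get(ip)
            if prev is None:
                hits[ip].append(None)
            elif (when - prev).total_seconds() <= max_seconds:
                hits[ip].append((when - prev).total_seconds())
    return dict(hits)


if __name__ == "__main__":
    for ip, delays in sorted(fast_commenters(SAMPLE_LOG).items()):
        print(ip, delays)
```

Flagging on timing rather than on a fixed address list keeps working if the same kit shows up from other servers, and it leaves slower, human-paced commenters from the same range alone.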

  8. cbahm
    Member
    Posted 5 years ago #

    I noticed this on all three of my blogs over the last couple of days. Glad I've got it set so that I approve all comments!

  9. Storyman
    Member
    Posted 5 years ago #

    Like Doubletake, I've elected to use WP's comment IP blocker even though approval of comments is required.

    Still, I'd like to know if the person doing this is a genius or lunatic. The purpose eludes me and I can only think that if it does have a purpose it is malicious.

    Any ideas?

  10. ronchicago
    Member
    Posted 5 years ago #

    not sure if this is "new" phenom as i have recently turned off my spam blocker on isp. i've given up scrutinizing over all the ip's, which i did in the beginning but became overwhelmed.

    now i use akismet and quickly scan at least 10-times a day what this plug catches and hit the "delete all." this has proven to be much more efficient.

    will continue this process until something better / worse develops.

  11. Happyworker
    Member
    Posted 5 years ago #

    Hi there, not sure if this is the correct place to write this.

    I just received a comment which is awaiting moderation. According to this comment my site is being used to solicit bank details.
    Is this just another spam, or can this really happen? Not sure how to stop this if it is indeed real.
    Obviously I don't want this to happen.
    Has this happened to anyone else?

    Cheers

  12. moshu
    Member
    Posted 5 years ago #

    Hmmm...
    The website linked to your profile goes to a "domain for sale" page.
    Are you fishing for buyers?

  13. ronchicago
    Member
    Posted 5 years ago #

    since i commented on this post a day or so ago i did put several ip addresses in the blacklist because they are submitting a lot of what looks like trackbacks, not comments. well, i just noticed that they are back today. akismet caught them. does that mean coming from inside? i did look at my db two weeks ago on another issue but did not notice anything while lurking around.

    also, the last 2-3 months of spam here most are formatted in a similar fashion = 20-40 links, flush left, one link per line. it does not matter what ip it comes from but the layout suggests same source or copycats.

    the blacklist thing though is bothersome.

  14. Happyworker
    Member
    Posted 5 years ago #

    Nope not fishing...just haven't updated my profile in a while.

  15. ehanson
    Member
    Posted 5 years ago #

    I'm having similar issues, although not from the same IP block. Does anyone know if these problems disappear with version 2.7?

    thanks

Topic Closed

This topic has been closed to new replies.
