
Spam? Read this. (117 posts)

  1. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Here are 3 solutions for fighting spam:

    Akismet
    Get the plugin: http://akismet.com
    Signup at http://wordpress.com for your API key.
    ( You do not need a blog there, just sign up)
    Help here: http://wordpress.com/api-keys/

    Bad-behavior
    Get the plugin: http://www.ioerror.us/software/bad-behavior/
    Does NOT work at godaddy

    Spam Karma 2
    Get the plugin: http://unknowngenius.com/blog/wordpress/spam-karma/

    Do NOT ask 'Which is best because....' or 'Which one do you suggest I get' or any variation of that - they are ALL good and yes, they can all be used together.

    --

    SK2 will run all existing comments through its filters to catch spam already there.

    CJD Spam Nuke from http://chrisjdavis.org/category/wp-hacks will also ID and let you remove spam with one click

    --

    Captcha (where you have to type words in to verify you are a human) are NOT effective. You will still get spammed. So use one of the above.

    --

    You may also see little 'Donate' buttons on the above sites. As their work was given freely and saves you masses of time (do you want to delete spam by hand every morning?), saying Thanks by dropping a tip into their jar would be appreciated I'm sure.

  2. adeco2
    Member
    Posted 8 years ago #

    Hello, I still need help.

    1. Spam Karma allows comments that are not labelled as spam to be published unmoderated. This is NOT what I'm looking for. What options do I have?

    2. I need a program that prevents spam from being posted, not just a filter. If not possible, I need to disable the 15-second rule. A great number of legitimate commentators are prevented from posting in my blog for this 15-second thing.

  3. kickass
    Member
    Posted 8 years ago #

    Do be aware that on some installations MANY of these plugins shut the native moderation option OFF. This means that the spam that does get through goes directly onto your blog.

    This spam problem should be dealt with at core level, and without making us jump through api registration hoops to get it. Textpattern doesn't seem to have this problem . . .

  4. iand
    Member
    Posted 8 years ago #

    > Do be aware that on some installations MANY of these plugins shut the native moderation option OFF. This means that the spam that does get through goes directly onto your blog.

    If you want SK2 to also obey the WP moderation options use this. That said, with BB and SK2 running only one of thousands of spams have made it even as far as my moderation queue.

  5. liucougar
    Member
    Posted 8 years ago #

    I don't know others, but in my site, I only use Captcha, and it works fine without a single spam. On the contrary, if I disable it, I can get 10 spams in less than 5 hours

  6. internetpilot
    Member
    Posted 8 years ago #

    I admit that I came here looking for this topic because in two days I received 84 spam comments for prescription medication. I'm definitely going to go buy some Vioxx right now, because these sites look very legit (sarcasm).

    Anyway, after looking at a few of these options, I decided to just do what I've been doing. Quickly scrolling through the comments where the real comments stand out in an obvious manner. I approve the real comments, click on the "Mark all as Spam" option at the bottom of the page, and then click the moderate button. All-in-all, not too bad of a system, and it's built-in to WordPress already. Admittedly, I don't get very many real comments anyway, so it's not too hard for me to do things this way.

  7. cynthiablue
    Member
    Posted 8 years ago #

    I have my blog set so that people can only comment when they are registered and logged in, and yet I'm getting comments. How is this possible?

  8. linda115
    Member
    Posted 8 years ago #

    A few days ago, my site showed a popup ad that was not installed by me. I have no clue as to how it happened. Then my blog started being spammed with comments (casino, hotels, pharmaceuticals...) About 10 a day. Anyone has this happened to their site? Are the two related? Is it a web hosting server problem or my computer? I did virus and antispyware check. Nothing found. I also changed all the passwords. That didn't help either. I would appreciate any advice.

    Linda

  9. CharlieSummers
    Member
    Posted 8 years ago #

    Actually, my "problem" is somewhat different than most, and I'm not looking for a "solution," just some opinions on how best to keep my blood pressure in check. (NB: I am currently using 1.5.2 - I know I should upgrade, and will eventually, but I'm reluctant to upgrade just because.)

    I do not have a comment spam problem; I have (knock on bloody wood) not attracted the comment bots yet. I do have a trackback spammer, who's hitting me constantly. I have trackbacks moderated, and I'm using the Trackback Validator so each of the trackbacks get placed in the moderation queue, then deleted, and none of them make it to my readers. He's not accessing wp-trackback.php directly, instead posting to the "proper" URIs (<permalink>/trackback).

    But because of the way Trackback Validator works, I get a moderation mail for each of them anyway...which annoys me no end, knowing this slime is stealing my bandwidth. (Not just mine, of course, since he's using an army of zombied machines to send these things in.) Of course, he doesn't care that his trackbacks are ineffective, since he has this army of other machines all over the world to do his dirty work for him, it doesn't really matter if it works or not....no cost to him one way or the other.

    Anyway, seems my choices seem to be currently limited to 1) turning off trackbacks, or 2) shut up, stop whining, and be pleased that Trackback Validator is doing such a swell job. Truth is, I get very few legit trackbacks, but I hate to make the blog less useful because of some thief. Still I hate getting these hundreds of emails two or three times a day...makes me grit my teeth together so hard I get a headache. ;)

    I did see a WP-Hardened-Trackback plugin; anyone have any direct experience with it they'd like to share? Or other methods for hanging or altering the trackback URLs to avoid this cruft? Any other thoughts about the annoyance of trackback spam?

  10. donellis
    Member
    Posted 8 years ago #

    Strange thing: I originally set up a WordPress blog on my portfolio website so I could test it before installing one for my wife. That was months ago and because I don't update the blog or the site, I never get comments. Fine.

    But the other day, I decided I needed to revamp the website, so I replaced the homepage so that it is the only page available. It has no links to underlying pages (which are still on the web).

    What's strange is that I've now received 23 spam comments in four days. I assume these spam programs can find unlinked pages, but I'm surprised that I'm suddenly getting spam when nothing has changed on the blog.

    Any thoughts? Worst case, I'll remove the blog because it was just for testing.

    Don

  11. Chris_K
    Member
    Posted 8 years ago #

    Did you see the plugins listed at the very top of this thread? Akismet or Spam Karma 2. Either of those with Bad Behavior and you'll pretty much (imho) be spam free.

  12. donellis
    Member
    Posted 8 years ago #

    Thanks... I'll certainly try them. The puzzle is why these things are suddenly appearing.

  13. Parcival
    Member
    Posted 8 years ago #

    I am pondering the same question as cynthiablue.

    I have been running my blog for half a year without any spam. For the entire time, only registered users are allowed to post comments with me being the only registered user. When the spamming started two days ago I completely turned off the comment function in the options section and upgraded from WP 2.0 to 2.0.2, yet the spamming still persists.

    How is it possible spam keeps getting into my moderating queue when comments are turned off and no one is a registered user except my admin profile?

  14. moshu
    Member
    Posted 8 years ago #

    Parcival, please, see this post:
    http://wordpress.org/support/topic/73049?replies=30#post-381674
    (actually the whole thread is worth reading)

  15. donellis
    Member
    Posted 8 years ago #

    Interesting, moshu... thank you for the link.

  16. adeco2
    Member
    Posted 8 years ago #

    Some powerful spam bot was set up a couple of days ago. Seems that I'm not the only one getting hundreds of spam comments or trackbacks every day. Wouldn't it be fair to send the police to look for this criminal spammer/s?

    Is there a way to help catch them? I've got plenty of logs and stored information about this spammer. It's all the same: drugs, hotels, etc. All spam comments look the same.

  17. PozHonks
    Member
    Posted 8 years ago #

    When you study the log, and see the IP address or the host name, it comes from all around the world. I believe these are computers hacked by spywares or virus, trojan, etc. So, it can be you and me. If you wish to prosecute, do it against the advertised web site, not the one that sent the spam (who may be not aware his computer is not under his control).

    I confirm that most comments are not spammed if you have all the moderation / registration system on. Trackbacks are spammed, and you do not need any password to post a trackback. As comments and trackbacks are very alike when displayed in a post, there is a confusion. So, disable this trackback system, and it should be ok.

    If you need a definitive protection, add this line at the top of your .htaccess file (above the WordPress commands):
    RedirectMatch gone .*/trackback.*

    It tells the server (and the client) there is no trackback system. Or, instead of "gone", put "404" (without quotation mark) if you wish to use your customized error page.
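
The split this thread keeps returning to (unauthenticated trackback POSTs versus comment POSTs, arriving from many source addresses) can be checked against a server's access log. The following Python script is an added example, not part of the original post: the log lines are constructed, the function names are hypothetical, and `wp-comments-post.php` is WordPress's standard comment handler. It also reports which trackback requests the `RedirectMatch gone .*/trackback.*` rule quoted above would match, approximating Apache's URL-path matching with Python's `re`.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2006:08:20:01 -0400] "POST /2006/04/hello-world/trackback/ HTTP/1.1" 200 78 "-" "-"
198.51.100.23 - - [12/May/2006:08:20:03 -0400] "POST /2006/04/hello-world/trackback/ HTTP/1.0" 200 78 "-" "-"
192.0.2.99 - - [12/May/2006:08:20:09 -0400] "POST /wp-trackback.php?p=12 HTTP/1.1" 200 78 "-" "-"
192.0.2.50 - - [12/May/2006:08:21:15 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2006/04/hello-world/" "Mozilla/5.0"
192.0.2.50 - - [12/May/2006:08:21:40 -0400] "GET /2006/04/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2006:08:22:30 -0400] "POST /2006/03/about/trackback HTTP/1.1" 200 78 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3} ')
# The rule quoted in the thread; RedirectMatch tests the URL path only, not the query string.
HTACCESS_RULE = re.compile(r".*/trackback.*")

def classify(method, uri):
    """Label a request as 'trackback', 'comment' or 'other'."""
    path = uri.split("?", 1)[0]
    if method != "POST":
        return "other"
    if path.endswith("/wp-trackback.php") or re.search(r"/trackback/?$", path):
        return "trackback"
    if path.endswith("/wp-comments-post.php"):
        return "comment"
    return "other"

def summarize(log_text):
    """Count request kinds, trackback senders, and trackback paths the rule misses."""
    kinds, senders, uncovered = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        kind = classify(m["method"], m["uri"])
        kinds[kind] += 1
        if kind == "trackback":
            senders[m["ip"]] += 1
            path = m["uri"].split("?", 1)[0]
            if not HTACCESS_RULE.search(path):
                uncovered.append(path)
    return kinds, senders, uncovered

if __name__ == "__main__":
    kinds, senders, uncovered = summarize(SAMPLE_LOG)
    print("requests by kind:", dict(kinds))
    print("distinct trackback senders:", len(senders))
    print("trackback paths not matched by the rule:", uncovered)
```

In the sample, the direct `wp-trackback.php` request is the one the rule does not match, because that path contains no `/trackback` segment.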

  18. CharlieSummers
    Member
    Posted 8 years ago #

    > Some powerful spam bot was set up a couple of days ago.

    Not bot...zombie network. There are thousands of zombied computers hammering our servers (BTW, including unbroken URIs of spam sites here the way someone did on another thread simply gives the slime more Google-exposure) all over the world. Since I root my box, I can add huge blocks of China, Korea, and other countries to the firewall, but although it's slowed the tide, no one could block every zombied Windoze machine that this moron controls. (There's been a lull...the last one was at 8:20 this morning eastern time.)

    > If you need a definitive protection, add this
    > line at the top of your .htaccess file (above
    > the WordPress commands):
    > RedirectMatch gone .*/trackback.*

    That's my rather draconian second choice, although I'd probably redirect to my blank.html file instead to save outbound bandwidth. Again, though, Trackback Validator handily removes all this garbage (see http://trackback.cs.rice.edu/ for the plugin and information), so if the only issue is them showing up on your blog, TV makes that a non-issue without the overhead of the more complex anti-spam systems.

    My questions go deeper, though, into how to be the least annoyed by the trackback spam. Has no one here first-hand experience with the WP-Hardened-Trackback plugin? (I should probably just download and run through the code to see how it does what it does; maybe if I get some time this afternoon.)

    > Wouldn't it be fair to send the police to look for
    > this criminal spammer/s?

    The police have a whole lot better things to do than try to track down the owner of this botnet, I'm afraid. I wouldn't mind flooding the slime's machines off the net, but (although I haven't researched it) I'd wager the target sites are also part of the botnet, shifting by rapidly expiring the DNS entries for the domains, so that's no help, either. Much as I'd love to see this slime become the wife of an inmate named Tiny, it ain't gonna happen any time soon.

    (Although if you're into spammer revenge, read this article from last July...it'll make you feel a little better... ;)

  19. donellis
    Member
    Posted 8 years ago #

    Interestingly, I went through the four entries on my test blog and unchecked the Comment box for each. This morning, I get another spam comment in spite of this.

  20. charle97
    Member
    Posted 8 years ago #

    did you uncheck the allow pings box too?

  21. donellis
    Member
    Posted 8 years ago #

    No I didn't... so I will now. Thanks.

  22. linda115
    Member
    Posted 8 years ago #

    Under 'Options', 'Discussions', I unchecked:
    1. Allow link notifications from other Weblogs (pingbacks and trackbacks.)
    2. Allow people to post comments on the article

    Didn't work. I still get spam comments.

    I went back to that page and noticed this caption:
    Usual settings for an article:
    (These settings may be overridden for individual articles.)

    Therefore, I went to each of my posts to uncheck 'allow comments' and 'allow pings'.

    It's been 5 hours since I did that. So far, no spam emails. Hope this works.

  23. Flumbph
    Member
    Posted 8 years ago #

    I installed Akismet and while it blocked over 1000 comments in a day it missed about 300 since this mess began. Finally I just installed the plugin to turn off comments on EVERY post, turn off comments in general, turned off pings, trackbacks and all that other junk and as a last resort altered my email address in the user profile so there's no way the moderation notices can be sent to me.

    So now, no more spam...no more comments either but I can live with that. At the rate it was going I was set to hit about 9000 spam comments a week!

    This is the link to the plugin that turns comments off on older posts:

    http://codex.wordpress.org/Plugins/Auto_shutoff_comments

    What I totally fail to understand is how spam comments get through with

    "Comment author must have a previously approved comment"
    and
    "Users must be registered and logged in to comment"

    both ticked. Clearly it's an exploit/security hole in WP.

  24. charle97
    Member
    Posted 8 years ago #

    > "Comment author must have a previously approved comment"
    > and
    > "Users must be registered and logged in to comment"
    >
    > both ticked. Clearly it's an exploit/security hole in WP.

    yea, it's called a trackback.

  25. Parcival
    Member
    Posted 8 years ago #

    moshu, thank you very much. =)

  26. PozHonks
    Member
    Posted 8 years ago #

    We have to repeat this: comments are NOT spammed if you have enabled all the registration, moderation features, unchecked comments on all posts, etc.
    TRACKBACKS ARE SPAMMED. Trackbacks have been attacked. Trackbacks look like comments but are not. You don't need registration, moderation to post a trackback. That's why it is easier to spam. Disable pings in all posts, and trackbacks features.
    All blogs (not only WordPress) are concerned, because the trackback system is based on standards.
    It is not a WP flaw or security issue (in fact it is not a security problem, they are not controlling the system, hacking your WP server). It is just simple spam, annoying as usual, but harmless.

    So, if you still want to use these features, install anti-spam plugins. That's why WP 2 is bundled with Akismet plugin.

  27. josalmon
    Member
    Posted 8 years ago #

    It would be really helpful if the “mark selected comments as spam” in the mass edit bit was available for wordpress.org blogs as well as those on wordpress.com - earlier this morning, 20 spam trackbacks slipped through the system and I had to mark them as spam by editing each comment one by one.

  28. smb488292
    Member
    Posted 8 years ago #

    Okay, I installed WordPress last year for a client. Suddenly he calls me in a panic... he is getting swamped with email notifications for comment spam.

    So I take a look at his site.... no spam. Good, I think. Then I login to the "dashboard" and check the moderation queue and, sure enough, he is getting hit with an average of one per hour. Not unwieldy, but still a pain in the butt. I turn off notifications and then try to trace them back to which registered user is posting them. Only trouble is there isn't one. Hmmmmm... let me check my notes....

    Blog Concepts 101, chapter 2, paragraph 3:

    Anonymous spam can be prevented by forcing all
    visitors to login before posting articles or comments

    "Good concept", I say. So let's check his settings in this regard. First of all, I can't find the setting that allows you to prevent anonymous (i.e. not logged in) comments. Just for reference I logout and navigate the blog to a nice plump message and scroll down to the bottom so I can post a comment. Well, well! I guess that feature does exist because what I get is:

    Leave a Reply
    You must be logged in to post a comment.

    So I logged back in and found that I could post a comment but only under my user name. Also good concept!

    So how is the spam getting past the login requirement? The first thing to go through my head is to not even ask such a question in the forums till you've upgraded the software, so that is what I did: I upgraded him from 1.5.something to 2.0.2. Latest version, right?

    I go to bed and get 5 hours sleep (there is no time for any more when you're a system administrator) and when I wake up I check his moderation queue: Empty! So I turned comment notifications back on and sat back to drink a well-deserved pot of fresh-roasted coffee.

    Later today (3 pots of coffee later) I had another look: Awaiting Moderation: 32
    All spam!

    So, guys & gals, how are they getting in there? Is this a feature or a bug?

  29. linda115
    Member
    Posted 8 years ago #

    It's been 10 hours. No spam comments or whatever that may be since I unchecked 'allow comments' and 'allow pings' under each post. I can live without comments, trackback and pings.

  30. iand
    Member
    Posted 8 years ago #

    > So how is the spam getting past the login requirement?

    From what I have seen this stuff is mostly track/ping spam

    > I can live without comments, trackback and pings.

    Why do without? For me Bad behavior is stopping upwards of 2,500 per day, and the 10 or so that make it past that are stopped by SK2. The plugins Podz mentioned in the first post work, honest :)


Topic Closed

This topic has been closed to new replies.
