[resolved] Spambots using exploit? (13 posts)

  1. Kazerad
    Member
    Posted 2 years ago #

    I use WordPress to host a comic at http://prequeladventure.com/ . Up until now, I've been kept spam-free using the simple "Comment Quiz" plugin. However, a couple days ago hundreds of spam comments began slipping past my quiz - sometimes up to one every minute! My moderation queue catches most of them, but I prefer systems that keep the spam from ever being sent.

    I tried a few different quiz questions, tried ReCaptcha, and so far nothing has stopped the spam. A moment ago I even tried an impossible-to-answer spam question (featuring over 50 alphanumeric characters and no clues) and the spam is still coming in.

    At this point I think it's safe to assume the spambots are somehow slipping past all my comment requirements. Has this happened to anyone else, and is there any way to fix this?

  2. Mark Jaquith
    WordPress Lead Dev
    Posted 2 years ago #

    If many of your posts use the default question, they may have just figured it out and scripted it in. If they're answering post-specific questions, they're probably using human labor to spam you. At that point, Akismet is your best bet.

  3. Kazerad
    Member
    Posted 2 years ago #

    That's the thing though, I've ascertained that it's not due to the questions themselves. I literally had a blank question, a string of 56 random characters as the answer, tested it to make sure comments would only be posted if the 56 character answer was given, and the spam still came through. No human labor could do that (since I gave no hints as to what the answer was), and it would take ages for a machine to brute force it. Not just that, but it was the same spam that was coming through when I was using ReCaptcha.

    I'm not an expert at using WordPress, but the evidence I've found seems to suggest that whatever is posting the comment spam is somehow bypassing all of the captcha/quiz mechanisms entirely.

  4. Mark Jaquith
    WordPress Lead Dev
    Posted 2 years ago #

    And these are comments, not Trackbacks or PingBacks?

  5. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    http://wordpress.org/extend/plugins/cookies-for-comments/

    May I suggest this one? Dropped me from hundreds of spam to about 5 a month. No captchas, no quizzes, etc.

    I set it to auto delete the spam (I like to live dangerously). No hassles!

  6. Kazerad
    Member
    Posted 2 years ago #

    They might be trackbacks, I'm not sure I understand trackbacks enough to tell. Some of them follow the "teaser excerpt" format, some don't. Picture below:

    http://foxmage.com/trackbackmaybe.gif

    I unchecked "pingbacks and trackbacks" in the Discussion settings, and the spam is still coming in, and with the same format. I also installed the plugin suggested by Rev. Voodoo, and am still getting spam (all it has caught so far was one legitimate comment).

  7. MickeyRoush
    Member
    Posted 2 years ago #

    Cookies for Comments will not stop human spammers. Did you try Bad Behavior? You can probably use Akismet, Bad Behavior, Ban Hammer, Cookies for Comments, SI Captcha, and WordPress' built in features combined all together to stop spammers. If that doesn't work, then you have more serious problems.

    Did you update or install any new plugins/themes not too long before this happened?

    I had this problem with a user once. It was because they decided to install a plugin or theme before asking for my recommendation. It didn't come from a reliable source. Nevertheless, I had to treat it as an infection and did a full re-install. That was just in my situation, yours could be different.

  8. Kazerad
    Member
    Posted 2 years ago #

    I have no doubt that with enough spam-identification plugins, I could have most of my spam automatically identified and sent to my spambox. My concern, though, is that this latest wave of spambots seems to be bypassing my posting requirements. Preventative measures such as ReCaptcha and Comment Quiz have been having no effect, and the spam continued to come through even when I temporarily required a 56 character password to post comments. Even if they were using human labor to read ReCaptcha entries, it would be impossible for them to guess a 56 character password.

    All the plugins I have installed right now are pretty tame things directly from the WordPress site (Google Analytics, NexGen Gallery, Cookies for Comments, WP Super Cache, etc) and nothing new was installed prior to the latest bot wave. I am using Suffusion version 3.8.1, which is one version behind, but as far as I know this shouldn't affect the internal mechanics of the comment box.

  9. Captchas are broken, and quizzes can be answered.

    Cookies for Comments and Bad Behavior use neither and are, long term, more sustainable.

    Of http://foxmage.com/trackbackmaybe.gif, all but the one at the bottom ("Value for my care") are pingbacks. You can tell because they all look like [...] blah blah blah [...]

  10. Kazerad
    Member
    Posted 2 years ago #

    I've unchecked pingbacks in the discussion options and it hasn't had any effect. Is there something else I have to do to keep pingbacks from appearing?

    Up until a few days ago, I was kept entirely spam-free by a simple quiz question until the spambots found a way around it. Given the fact that they can still post when I set it to require an actual password to post comments, I think it's safe to assume they aren't actually answering the quiz, just bypassing it. The same bots post when I use Comment Quiz, ReCaptcha, or even Cookies for Comments, so it seems as though they are somehow bypassing all comment requirements.

  11. Roy
    Member
    Posted 2 years ago #

    I've unchecked pingbacks in the discussion options and it hasn't had any effect.

    That's only for NEW posts. The rest you have to change manually, or perhaps there's a plugin.

    Do you have Bad Behavior running? It might help keep away the/some bots themselves.
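    For a site with many existing posts, the per-post change Roy describes can be done in one pass against the database. This is an added example, not code from the thread or from WordPress itself; it assumes the default wp_ table prefix, uses constructed sample rows in place of a real install, and should be tried on a backup before the live database.

```sql
-- Constructed sample schema: only the wp_posts / wp_comments columns this
-- check touches (the real tables have many more). The wp_ prefix is the
-- WordPress default and may differ on a given install.
CREATE TABLE wp_posts (
  ID             INT PRIMARY KEY,
  post_title     VARCHAR(200),
  post_type      VARCHAR(20),
  post_status    VARCHAR(20),
  comment_status VARCHAR(20),  -- 'open' / 'closed' for ordinary comments
  ping_status    VARCHAR(20)   -- 'open' / 'closed' for pingbacks/trackbacks
);
CREATE TABLE wp_comments (
  comment_ID         INT PRIMARY KEY,
  comment_post_ID    INT,
  comment_type       VARCHAR(20), -- '' or 'comment', 'pingback', 'trackback'
  comment_approved   VARCHAR(20), -- '1', '0', 'spam', 'trash'
  comment_author_url VARCHAR(200)
);

-- Constructed data: two older posts created while the site default was
-- 'open', and one newer post created after the Discussion setting changed.
INSERT INTO wp_posts VALUES
  (1, 'Chapter 1', 'post', 'publish', 'open', 'open'),
  (2, 'Chapter 2', 'post', 'publish', 'open', 'open'),
  (3, 'Chapter 3', 'post', 'publish', 'open', 'closed');
INSERT INTO wp_comments VALUES
  (10, 1, 'pingback',  '1',    'http://example.invalid/spam-1'),
  (11, 1, 'trackback', '0',    'http://example.invalid/spam-2'),
  (12, 2, 'pingback',  'spam', 'http://example.invalid/spam-3'),
  (13, 3, '',          '1',    '');

-- 1. Triage: how much of the recent "spam" is really pingbacks/trackbacks?
SELECT comment_type, comment_approved, COUNT(*) AS n
FROM wp_comments
WHERE comment_type IN ('pingback', 'trackback')
GROUP BY comment_type, comment_approved;

-- 2. Which published posts still accept link notifications?
SELECT ID, post_title FROM wp_posts
WHERE post_type = 'post' AND ping_status = 'open';

-- 3. The bulk change the Discussion screen does not make for existing posts.
UPDATE wp_posts
SET ping_status = 'closed'
WHERE post_type = 'post' AND ping_status = 'open';

-- 4. Verify: this should now return 0.
SELECT COUNT(*) AS still_open FROM wp_posts
WHERE post_type = 'post' AND ping_status = 'open';
```

    The triage query separates link notifications from real comments so the moderation queue can be read correctly; the update is what the "change manually" step amounts to at scale.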

  12. Kazerad
    Member
    Posted 2 years ago #

    That's only for NEW posts. The rest you have to change manually, or perhaps there's a plugin.

    Aha! That would certainly explain it; I had assumed the default discussion settings for each post told it to use the default settings, rather than simply being set to whatever the default was at the time of posting. Lemme switch these old posts, then I'll report whether it solves the problem.

  13. Kazerad
    Member
    Posted 2 years ago #

    Yup, spam waves are now mitigated. Trackbacks remain disabled, but I wasn't really using them much anyway. Thanks a bunch, Roy and Mark, for helping identify and fix the problem!

Topic Closed

This topic has been closed to new replies.