Fighting Comment Spam - /trackback/ hack!

  1. bnwmovies


    Hi everyone,

    My site bnwmovies.com is a WordPress-driven website which was getting hit by over 500 spam comments per day, even with several comment blocking plugins installed. At first I wrote a small function which goes in functions.php which removed all comments with links in them (my URL field is removed but spammers are using POST requests which include links):

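    // Run before WordPress processes the comment, and again once it is posted.
    add_action('pre_comment_on_post', 'remove_http_comments', 1);
    add_action('comment_post', 'remove_http_comments', 1);

    function remove_http_comments() {
        $url     = isset($_POST['url']) ? $_POST['url'] : '';
        $email   = isset($_POST['email']) ? $_POST['email'] : '';
        $comment = isset($_POST['comment']) ? $_POST['comment'] : '';
        // Reject any submission that fills the removed URL field or carries a link.
        if (strlen($url) > 0 ||
            strpos($email, 'http') !== false ||
            strpos($comment, 'http') !== false ||
            strpos($comment, '[url') !== false
        ) {
            // Send the client back to the page it came from and stop processing.
            header('Location: ' . $_SERVER['HTTP_REFERER']);
            exit;
        }
    }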

    This worked initially but then somehow the spammers managed to get around it.

    After examining my server logs I discovered that spammers were sending POST requests to URLs with the following format:

    http://domain.com/some-post-url/trackback/

    Even though trackbacks are disabled on my blog, this URL not only successfully records their comments but it also skips my automated filtration function above and the spam fighting plugins that I had!

    I think it will be very helpful if the /trackback/ POST comment saving function is disabled completely or at least disabled for people who have their trackbacks disabled.


    Yavor Milchev

    P.S. As a temporary solution I redirected all traffic going to (.*)/trackback/(.*) to a URL showing a funny picture =) This stopped the spam COMPLETELY!

    Posted: 5 years ago #
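
The server-log check described in the post, as an added example that is not part of the original post: it counts POST requests to `/trackback/` URLs per client address and separates those the server answered with 2xx from those a server-level rule (such as the redirect in the P.S.) turned away. The combined access-log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Path segment targeted in the post: <post-url>/trackback/
TRACKBACK_RE = re.compile(r'/trackback(/|$)')

def trackback_posts(lines):
    """Return (hits, not_blocked): per-IP counts of POSTs to trackback URLs,
    and the subset the server answered with a 2xx status."""
    hits, not_blocked = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a submission
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not TRACKBACK_RE.search(path):
            continue
        hits[m["ip"]] += 1
        if m["status"].startswith("2"):
            not_blocked[m["ip"]] += 1
    return hits, not_blocked

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] '
    '"POST /some-post-url/trackback/ HTTP/1.1" 200 78 "-" "-"',
    '203.0.113.7 - - [10/Oct/2012:13:55:39 +0000] '
    '"POST /another-post/trackback/ HTTP/1.1" 200 78 "-" "-"',
    '198.51.100.4 - - [10/Oct/2012:13:56:02 +0000] '
    '"POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2012:13:56:10 +0000] '
    '"GET /some-post-url/trackback/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Oct/2012:13:57:44 +0000] '
    '"POST /some-post-url/trackback/ HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    hits, not_blocked = trackback_posts(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} trackback POSTs, {not_blocked[ip]} answered 2xx")
```

Once a redirect or block rule for `/trackback/` is in place, the 2xx count for new log entries should drop to zero while the hit count keeps showing who is still trying.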


  • Rating

    3 Votes
  • Status

    This idea is under consideration