Anonymous
I guess another way to do it is to:
1) if your site allows comments then on the comments page, have another page (maybe the homepage or a page that only logged in users get sent to during the process) plant a cookie.
2) on the wp-comments-post.php page, check for the referrer AND the presence of the cookie before going on. No cookie=no comment post.
There is no method that is going to be foolproof because the spammer can always write a smarter and smarter program that can emulate a real human browsing thru and posting comments…
Anonymous
@wellard1981 – yes just like that.. I’m a ASP.NET C# programmer (breaks so much it creates jobs for people like me), not PHP so pardon my ignorance.
Checking for a referrer is never going to work.
Simply because many actual users just choose not to send referrers out of unsensed fears about privacy and black helicopters hovering around.
Likewise, checking for a cookie is not going to go well with people who browse with cookies disabled or selectively enabled.
The actual bug is that we accept comments on non-existing posts, and this shall be fixed.
Any other solution is going to be a nuisance for too many real commenters, IMHO.
Or we could implement some basic accesslog table. It would be used for stuff like checking if the comment posting script is accessed directly, but also for stuff like letting people edit their comments some minutes after they made them.
It could be an event logging table aswell, that could be filtered by type of event.
Just throwing random ideas around, that wouldn’t likely be done before 1.3 ships…
And there are other solutions too. I’ve posted a similar “fix” to help prevent comments from being loaded on non-existant posts. There isn’t any one thing to solve the problem, but rather it’s going to take a number of ideas.
Personaly, I think this spamming incident has been helpful in a way. Now we all know that the wp-comment-post.php file is vulnerable to outside intervention. Problem is, no one will truly know if any of our fixes really work. Am I not begin spammed because I wasn’t targeted? Or is it because the prevention I’ve put into place sufficent to ward off such attacks? I don’t know. I suspect it’s more the former than the latter.
Something I learnd while in the military regarding attacks: If some one is determined enough, you can’t stop him. The most you can do is to make as difficult as possible in an effort to slow him down that he gives up, you can catch him and deal with him.
Same kind of thing applies here. There’s very little that can be done to 100% lock things down, but you can make it difficult. Hopefully to the point where it becomes more of a bother for them that they give up.
TG
wellard1981: the average Joe doesn’t know, but very vocal Joes install placebos like Zone Alarm that block sending of referrers, and think they’re fine and WP is the one with the problem. Or they block cookies because they discovered that they could.
And since they’re very vocal, they go claiming WP has a fundamental flaw and soon profess their love to $other_blogware.
@michel v: Agreed, but thats the same with everything. For example, look how many Linux Distro’s are out there. Gentoo, Debian, RedHat, SuSE, just to name a few. If something doesn’t work in one, they’ll move onto the next.
As TechGnome pointed out, if some is determined to get in they will. There is no ulitmate solution to this problem, and there probably never will be.
The code I have submitted is just an idea to make things just that little bit harder for a spammer to do his/her job, and I have not touted it to be the ultimate solution to the problem either.
I’m just trying to help people who are getting these problems. I’ve been a victim of this spam myself, and have put in preventative measures to stop it, so far it’s been quite successful, however if the spammer was determined enough to spam my site, they will, there is very little I can do about it.
LOL! Love the idea of sending spammers to Google!
I’ve been playing again and currently writing an AuthCode hack. I know there is one out there which uses GD, however I can’t get PHP to complile with GD support very well, so I am writing one to work with ImageMagik. So far it’s been working and can be seen working on my site (http://www.wellardsworld.com).
It means making changes to wp-comment.php and wp-comments-post.php to look for the new vars (and currently a cron job to clean up which I will change). If the authcode is not passed over or incorrect, the wp-comment-post.php halts. It’s using an MD5 so hopefully spammers wont be sensible enough decrypt it too quickly.
Once I’m happy with the code, I will release it for anyone to use if anyone want’s to give it a go.
Wellard1981: I have installed the two hacks mentioned on your website, and have not experienced any spam yet. Perhaps they went to bed or something? In any case, I will see what gives in the morning… π
The post is at e-ZUNI.
Anonymous
Has anyone seen a plugin like the security code addin window to MT, where you have to type in the obscured random number for a comment to be accepted?
I hope that makes sense to someone. π
Also since we all seem to be getting hit by the same advertiser. (Advertisers hire the spammers) Does anyone have any knowledge about class action suits against spammers like this? I’ll bet that we could get quite a few bloggers who would be willing to share information with a lawyer. I’m not looking to make any money from a law suit, the lawyers can have that. I’d be quite happy watching the Holdem Poker company get their pants sued off.
Anonymous
A few thoughts on this issue (I’m getting spammed as well :-()
1) Would it be possible to require commenters to *approve* their comment before it gets posted to the site. Ie. sending the commenter a mail that require them to click on a link for a approval.
1.1) Make a “trusted users”-category, that don’t need to go through the tiresome 1).
2) Looks like the spammer is using compromised machines. As a service to the ISP’s, why not sending automated responses to the ISP’s/owner about their problem?
– Bjarne
1.1) Make a “trusted users”-category, that don’t need to go through the tiresome 1).
1.3 has an option to auto whitelist, so that only email addresses that have a previously approved comment will get posted.
Mostly it seems that this latest golimar/poker-x spammer is annoying people beceause of needing to clean up the mess in the mod queue, not because they’re making it past the filters.
Here’s a IP deny list that will catch about 99% of this assclown’s botnet:
Order Deny,Allow
Deny from 134.214.77
Deny from 148.244.150
Deny from 150.101.110
Deny from 158.42.52
Deny from 164.100.11
Deny from 168.37.253
Deny from 192.114.189
Deny from 193.41.248
Deny from 194.126.30
Deny from 195.117.196
Deny from 195.141.64
Deny from 195.172.182
Deny from 195.224.127
Deny from 195.38.127
Deny from 200.193.237
Deny from 200.208.68
Deny from 200.31.17
Deny from 200.32.86
Deny from 200.35.81
Deny from 202.47.247
Deny from 202.88.149
Deny from 202.97.150
Deny from 203.101.30
Deny from 203.172.181
Deny from 209.150.203
Deny from 209.158.113
Deny from 209.161.205
Deny from 210.0.209
Deny from 210.212.205
Deny from 210.240.188
Deny from 211.147.225
Deny from 211.250.81
Deny from 212.219.119
Deny from 212.235.126
Deny from 212.235.31
Deny from 212.235.40
Deny from 212.235.41
Deny from 212.235.85
Deny from 213.130.53
Deny from 213.172.36
Deny from 213.254.42
Deny from 217.172.65
Deny from 217.52.41
Deny from 217.66.177
Deny from 217.97.128
Deny from 218.59.146
Deny from 220.65.209
Deny from 221.194.28
Deny from 24.106.23
Deny from 24.63.28
Deny from 24.73.149
Deny from 38.113.198
Deny from 61.197.242
Deny from 61.30.47
Deny from 61.95.221
Deny from 62.121.99
Deny from 62.87.152
Deny from 64.172.167
Deny from 65.30.11
Deny from 66.122.214
Deny from 66.98.152
Deny from 66.98.226
Deny from 68.162.220
Deny from 80.16.106
Deny from 80.18.225
Deny from 80.247.76
Deny from 80.53.171
Deny from 80.58.11
Deny from 80.58.22
Deny from 81.117.178
Deny from 81.118.4
Deny from 81.5.140
Deny from 82.112.196
Deny from 82.133.96
Deny from 82.185.182
Deny from 82.81.204
Bjarne: 2) Because ISPs will never do a thing about it, they don’t want to block customers’ access to the internet for fear of losing business, and that’s understandable…
Anonymous
Can anyone give a good reason why we shouldn’t all gang together and mount a DoS on these jackasses?
