
How to eliminate automated comment spa

  • We all know it’s a problem.. however, I think there needs to be a pre packaged spam fighting tool… so here’s my proposal to effectively eliminate all automated comment spam.
    1. When a user makes a WordPress installation, a new option is added in the database… something like “commentkey” this is a randomly generated string.
    2. This string is required by wp-comments-post.php as a querystring value. The form action field would then be: action="http://www.domain.com/wp-comments-post.php?key=44JKsl30Jsl" This could easily be done with a simple edit of the wp-comments.php file.
    3. This string is checked in wp-comments-post.php; if it does not exist, the comment gets disqualified.
    4. There would be an option in the interface to generate a new key, should spammers custom write a script for their specific installation.
    While this would not completely eliminate spam, it would make it terribly difficult for spammers to get around and require some very creative coding.
    So, there’s my idea. Comments?
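
The four steps proposed above, sketched in PHP as an added example (not part of the original post and not WordPress code). The `$options` array stands in for the WordPress options table, and the function names are hypothetical.

```php
<?php
// Added example: stand-alone sketch of the proposal, not WordPress core code.
// $options stands in for the WordPress options table (assumption).
$options = [];

// Steps 1 and 4: create, or later regenerate, the per-install key.
function rotate_comment_key(array &$options): string
{
    // 16 bytes from the CSPRNG, hex-encoded so the value is URL-safe.
    $options['commentkey'] = bin2hex(random_bytes(16));
    return $options['commentkey'];
}

// Step 2: the form action carries the key as a query-string value.
function comment_form_action(array $options, string $siteUrl): string
{
    return rtrim($siteUrl, '/') . '/wp-comments-post.php?key='
        . rawurlencode($options['commentkey']);
}

// Step 3: the check wp-comments-post.php would run before accepting a comment.
function comment_key_is_valid(array $options, array $query): bool
{
    $stored   = $options['commentkey'] ?? '';
    $supplied = $query['key'] ?? '';
    // Reject an unset option, a missing key, and a non-string value (?key[]=x).
    if ($stored === '' || !is_string($supplied) || $supplied === '') {
        return false;
    }
    // hash_equals() compares the two strings in constant time.
    return hash_equals($stored, $supplied);
}

// Constructed requests standing in for $_GET.
$oldKey = rotate_comment_key($options);
echo comment_form_action($options, 'http://www.domain.com'), "\n";

var_dump(comment_key_is_valid($options, []));                  // direct POST, no key
var_dump(comment_key_is_valid($options, ['key' => ['x']]));    // ?key[]=x
var_dump(comment_key_is_valid($options, ['key' => $oldKey]));  // key copied from the form

rotate_comment_key($options);                                  // step 4: regenerate
var_dump(comment_key_is_valid($options, ['key' => $oldKey]));  // previous key, after rotation
```

Because the key is written into the form's action attribute, it is visible to anything that fetches the page; the check only rejects requests sent straight to wp-comments-post.php without loading the form first.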

Viewing 15 replies - 1 through 15 (of 19 total)
  • Moderator James Huff

    @macmanx

    Support Team Rep.

    It’s been done, but thanks for chiming in.
    http://www.tamba2.org.uk/wordpress/spam/

    it’s not difficult to beat this.

    It’s been done, but thanks for chiming in.
    http://www.tamba2.org.uk/wordpress/spam/

    Please read the first sentence of my post. Thank you.

    Moderator James Huff

    @macmanx

    Support Team Rep.

    I have, but there are hacks to implement this. It doesn’t have to be pre-packaged, and probably won’t. So far, I’m using the pre-packaged tools and have changed the name of my comment posting file. And, as Charle said, “it’s not difficult to beat this.” Why? Because the bots can learn the string by dissecting wp-comments-post.php. This is one reason why hacks like this have not been included in WordPress. A blacklist cannot be beat, and TG’s code plugs a hole that shouldn’t have existed in the first place. The devs will not include hacks that can be beaten, much less hacks that have already been beaten.

    packaging an anti comment spam tool is not a good idea. comment spamming is worthwhile because the homogeneity of installs makes widespread spamming easy. a packaged anti comment spam tool would be rendered useless in a short period of time.

    Exactly charle… the point of this specific hack is that it effectively makes every install unique (to an extent). The hackers would be required to write scripts hundreds of times more complex than their current ones to circumvent it. Currently, spam scripts do not read the pages they come from at all – they simply target domains and directories. This would require them reading the page… and at that point, they would realize that it’s just not worth the added effort.
    I’m saying it needs to be pre-packaged because the average user is an idiot. Sorry to say… but you know it too. Tell them to edit a PHP file and they’ll just stare at you. If you truly believe the average WP user is capable of applying hacks like this, perhaps you should rethink your position 🙂

    Moderator James Huff

    @macmanx

    Support Team Rep.

    Incorrect. All a spammer needs to do is write a script that discovers the code. It’s been done, trust me.

    macmanx… I don’t mean to be insulting, but are you reading my posts? Please do, you’d find statements like this:

    Currently, spam scripts do not read the pages they come from at all – they simply target domains and directories. This would require them reading the page… and at that point, they would realize that it’s just not worth the added effort.

    I’m all down for intelligent discussion, but I would like for each of us to read each other’s statements before saying things first.

    Moderator James Huff

    @macmanx

    Support Team Rep.

    Brak, I’ve read your statements, really. And what you want has already been countered. We have bots that can dissect files and pull out randomly generated code to get past captchas. Therefore, I don’t see how your idea (of having one randomly generated key per blog) is going to be of any use. Every time a bot visits a blog with this hack enabled, it will dissect the file, pull out the code needed, and post with it. The whole process takes less than five seconds.

    Can you please cite a WordPress spamming bot that does this? As far as I’m aware, 98% of WordPress spamming bots simply ask for wp-comments-post.php. Since I’ve implemented a version of this hack on various sites, I haven’t gotten one single spam comment in over 2 months. I’d call it a pretty viable solution.
    I agree that it’s possible for them to circumvent this.. but not likely. Right now WP is more or less the easiest way to post comment spam… you just call wp-comments-post.php and send your data and it shows up. Doesn’t even check against whether a post exists yet or not.

    Another idea just came to mind: Cookies.
    While requiring cookies for comments might be against some people’s religion, it would be a great way to prevent comment spam. Simply have the site send a cookie whenever someone looks at a post – and check against that cookie in wp-comments-post.php. This would all but eliminate bots.

    Moderator James Huff

    @macmanx

    Support Team Rep.

    Yes, that would be far more effective. But, there are MT bots that accept cookies. It shouldn’t be hard to port one over to WP, or extend its function to WP.

    AFAIK the only “bots” that accept cookies are ones using IE via COM controls, which are terribly complex at that point – and completely not worth the effort of the script makers.

    funny how you tell people to read your statements, when you don’t read others. anti comment spam tools should not be packaged, since that will encourage the spammer to create a countermeasure. you would only be giving the average user a false sense of security.

    I’m saying it needs to be pre-packaged because the average user is an idiot. Sorry to say… but you know it too. Tell them to edit a PHP file and they’ll just stare at you. If you truly believe the average WP user is capable of applying hacks like this, perhaps you should rethink your position 🙂

    I don’t see how we’d be giving them a false sense of security… the average user is completely oblivious to comment spam as a whole until it affects them. I understand your point, however the point isn’t to create a bulletproof option, but rather an option that makes it so difficult on the spammer’s end that it’s just not worth their time. That’s the goal. Whether it’s a hack or not doesn’t change the subject… it’s the same solution, and in the end a spammer could potentially work around a hack just as well as a pre-packaged countermeasure.
    If you can honestly give me a good reason why we should not pre-package a method like this, please do tell me. And don’t use the “spammers will create countermeasures” excuse, because we both know you cannot eliminate spam – not even with required user registrations and automatically generated images – eventually some spam will get through. But that’s not the point as I said earlier… we’re trying to make it so hard that it’s not worth the spammer’s efforts.

  • The topic ‘How to eliminate automated comment spa’ is closed to new replies.