Is it possible to bypass SecureImage?

  • Hi all,

    I have a blog (http://www.daylightatheism.org/) running WordPress 2.0.1 with SecureImage 1.0rc2. Thanks to that plugin and Akismet, I’ve had a relatively easy time keeping comment spam out.

    However, today I noticed one piece of comment spam that had slipped past Akismet. After deleting it, I checked my server logs, and this is what it showed (in order, the fields are database index number, IP, date and time, requested URL, referring URL, and user-agent):

    33040 85.255.113.74 2006-05-13 02:14:02 /2006/03/damned-if-you-do.html unknown Mozilla/5.0

    This is the IP address that left that piece of comment spam, and it’s also the only appearance of that IP address in my logs for at least 24 hours back. There was no accompanying request for the “/index.php?image=” string that SecureImage would normally require; in short, these spammers seem to have figured out a way to leave comments that bypasses SecureImage entirely.

    Obviously, I’d like to fix this problem. I’ve tried to e-mail the author of the plugin, but wasn’t able to contact him. Can anyone else offer any insight into how this might have been accomplished? Is it a bug in SecureImage’s code that could be fixed, or might it be an implementation error on my part, or a problem with WordPress itself in some other way (e.g., someone calling wp-post-comments.php directly)?

    Any help would be greatly appreciated.
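The manual check described above (a commenting IP that never requested the SecureImage image) can be automated. This is an added example, not code from the thread or from SecureImage: it assumes the log fields are tab-separated in the order the poster lists, and the sample log lines and comment records are constructed.

```php
<?php
// Added example: flag comment-author IPs that never fetched the captcha
// image (/index.php?image=) within a window before their comment was saved.
// Log fields, as the poster describes them: index, IP, date+time, URL,
// referer, user-agent. Tab separation and these sample lines are constructed.
$log = <<<LOG
33038\t192.0.2.10\t2006-05-13 01:55:10\t/2006/03/damned-if-you-do.html\thttp://www.daylightatheism.org/\tMozilla/5.0
33039\t192.0.2.10\t2006-05-13 01:55:41\t/index.php?image=8f2a\thttp://www.daylightatheism.org/2006/03/damned-if-you-do.html\tMozilla/5.0
33040\t85.255.113.74\t2006-05-13 02:14:02\t/2006/03/damned-if-you-do.html\tunknown\tMozilla/5.0
LOG;

// Comments to check: author IP and time saved. In a real run these come from
// the wp_comments table; these two records are constructed.
$comments = array(
    array('ip' => '192.0.2.10',    'time' => '2006-05-13 01:57:02'),
    array('ip' => '85.255.113.74', 'time' => '2006-05-13 02:14:02'),
);

// Build a per-IP list of timestamps at which the captcha image was requested.
function captcha_fetches(string $log): array {
    $seen = array();
    foreach (explode("\n", trim($log)) as $line) {
        $f = explode("\t", $line);
        if (count($f) < 6) { continue; }           // skip malformed lines
        if (strpos($f[3], '/index.php?image=') === 0) {
            $seen[$f[1]][] = strtotime($f[2]);
        }
    }
    return $seen;
}

// Return the IPs whose comment has no captcha request in the preceding window.
function suspicious_comments(array $comments, array $seen, int $window = 86400): array {
    $out = array();
    foreach ($comments as $c) {
        $t  = strtotime($c['time']);
        $ok = false;
        foreach ($seen[$c['ip']] ?? array() as $fetch) {
            if ($fetch <= $t && $t - $fetch <= $window) { $ok = true; break; }
        }
        if (!$ok) { $out[] = $c['ip']; }
    }
    return $out;
}

foreach (suspicious_comments($comments, captcha_fetches($log)) as $ip) {
    echo "no captcha request before comment from $ip\n";
}
```

With the constructed input only 85.255.113.74 is reported, which is the pattern the poster found by hand.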

Viewing 7 replies - 1 through 7 (of 7 total)
  • Any chimp can, with a bit of research, craft their OWN page that performs HTTP POSTS to your pages — including your comment pages. Is it WP specific? heck no. Anyone with a form on the web might have similar issues.

    Akismet is a good start, but you might want to add Bad Behavior as well: http://www.homelandstupidity.us/software/bad-behavior/ It looks a little deeper and sooner at the http requests coming at your blog.

    And I’m not sure what SecureImage is, but from the context I’m guessing it is a Captcha type plugin? Just remember that you’re losing all of your visually impaired potential commenters with that one. For some folks, accessibility isn’t a big deal… but for others it matters a lot.

    Ebonmuse,

    the solution to that problem is rather simple. I’ve posted it already, over here: http://wordpress.org/support/topic/70606?replies=4

    Have a look there. 🙂

    Good stuff, whooami!

    Thread Starter ebonmuse (@ebonmuse)

    HandySolo: Yes, SecureImage is a captcha plugin (see http://dev.wp-plugins.org/wiki/SecureImage). I allow readers to my site to register, which requires only a valid e-mail address, and bypass the captcha entirely from that point on, so I’m not concerned that visually impaired readers are being excluded. I’ll check out Bad Behavior as well, thanks.

    whooami: That seems like a good temporary solution, but what happens if someone’s browser doesn’t send referrer strings, or sends them improperly? They won’t be able to comment at all then. Also, this solution could be trivially bypassed by a spambot, simply by setting it up to send referrer strings corresponding to the domain of the site being spammed.

    I’m glad I know how the spammers are doing this now, but I’m surprised that SecureImage can be bypassed so easily just by directly invoking wp-comments-post. What’s the point of a captcha that doesn’t hook into that file? It seems to me like the only thing that would do is inconvenience legitimate users. I’m going to give rewriting that file a try so it interfaces more directly with the captcha.
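What “hooking into that file” looks like in practice: an added example plugin, not SecureImage’s code, that validates the captcha inside WordPress’s comment-submission path via the `preprocess_comment` filter, so a POST aimed straight at wp-comments-post.php that skipped the form is rejected. It assumes the image generator stores the expected answer in `$_SESSION['captcha_answer']` and the form field is named `captcha_answer` (both assumed names).

```php
<?php
/*
Plugin Name: Captcha Enforcement (added example)
Description: Rejects comment submissions that do not carry a valid captcha answer.
*/

// Make the PHP session available on every request (assumes the captcha image
// handler stores its answer in $_SESSION['captcha_answer']; assumed name).
function example_start_session() {
    if (session_id() === '') {
        session_start();
    }
}
add_action('init', 'example_start_session');

// Runs inside wp_new_comment() for every submitted comment, whether it came
// from the theme's form or from a client posting directly to the endpoint.
function example_require_captcha($commentdata) {
    // Logged-in users have already verified an e-mail address; skip them.
    if (!empty($commentdata['user_ID'])) {
        return $commentdata;
    }
    example_start_session();
    $expected = isset($_SESSION['captcha_answer']) ? (string) $_SESSION['captcha_answer'] : '';
    $given    = isset($_POST['captcha_answer'])    ? trim((string) $_POST['captcha_answer']) : '';

    // Single use: drop the stored answer so one solved image cannot be replayed.
    unset($_SESSION['captcha_answer']);

    // No answer stored means the image was never requested in this session,
    // which is exactly the direct-POST case from the server log above.
    if ($expected === '' || !hash_equals(strtolower($expected), strtolower($given))) {
        header('HTTP/1.1 403 Forbidden');
        die('Error: the verification image was not answered. Please go back and try again.');
    }
    return $commentdata;
}
add_filter('preprocess_comment', 'example_require_captcha');
```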

    Actually, I just posted a response to whooami’s advice.. 😉

    Thread Starter ebonmuse (@ebonmuse)

    Well, I’ve disabled SecureImage for the time being, since it’s really not stopping any spammers as is. I have another solution that doesn’t rely on referrer strings: I’ve renamed wp-comments-post.php to something else, and modified my theme files accordingly. This will help, I think, since automated attacks against standard WordPress blogs will now fail; the spammers would have to parse the code on my site to figure out where to aim their bots.

    I don’t think I presented it as anything other than the answer to the topic title in the other thread within that other thread. As such, david’s reply ought to have been put here, imo, but no matter.

    It is ONE way to block a good deal of spammers — I have never advocated it as the only thing a person should do. Obviously, if a script is smart enough to use your domain as the referer it would fail.

    And obviously it would fail on a blank referer — guess what, not too many ppl block referers… and it’s NOT a lot to ask, in my purely philosophical opinion, to expect that those leaving comments on MY blog do send a referer.

    That’s the breaks in other words.

    You mention using a captcha, you essentially block unsighted people. That’s the breaks.

    Renaming that file is a great thing to do, btw. It’s another one of my most common recommendations.
