• When spammers post a comment with a URL that starts with http://%/, it seems to confuse and/or crash the comment-handling code enough that it bypasses the content blacklisting and even the selected requirement that a comment author have a previously approved comment. These spam comments just get automatically approved. Is that field not escaped properly before being checked? Or am I missing something?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Do you have an example of the full URL being used? I’d like to try to duplicate this. Also, what version of WP are you using?

    Thread Starter fxpal

    (@fxpal)

    I’m using 2.9.1.

    http://%/JoJozuru.ru is one of the URLs that was used.

    What are your comment settings in wp-admin->Settings->Discussion? Sorry. Should have asked that to start.

    Thread Starter fxpal

    (@fxpal)

    Important Checked options: (All the Default article settings), Comment author must fill out name and e-mail, Comment author must have a previously approved comment, Hold a comment in the moderation queue if 2 or more links, and a number of phrases in the Comment Blacklist.

    Not Checked options: Users must be registered and logged in to comment, An administrator must always approve the comment

    So a random reader should be able to post a comment, but it should be held for moderation if they haven’t had an approved comment before or if they include blacklisted strings or too many links.

    The comments that are causing trouble come from unregistered users, and they put an http://%/….. URL in the “Website” field of their comment. They put regular spam stuff in the comment content field.

    Thread Starter fxpal

    (@fxpal)

    I’ll have to hunt in the DB for the offending posts, because they also seem to have null email addresses, but I’ll need to verify that.

    I can’t replicate the behavior using URLs like that, and it has only been a few offending posts, but still annoying.

    I have the same situation:

    VIRGIL
    http://%/zzvwuok8
    spam comment

    and the spam comment is automatically confirmed, even though I had the option
    Before a comment appears: “Comment author must have a previously approved comment” enabled.

    Also, the e-mail is empty; theoretically a user can’t post a comment with an empty e-mail address.

    Also, I found that the “comment_type” is trackback …

    Other comment settings:
    Comment author must fill out name and e-mail.
    Before a comment appears:
    Comment author must have a previously approved comment.
    I’m using:
    WordPress 3.0 stable

    “Unfortunately, there is no actual verification performed on the incoming trackback, and indeed they can even be faked.”

    So, as I understand it, trackbacks can be faked and trackbacks are always automatically confirmed?

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Yes, the trackback protocol is primitive at best. A trackback requires nothing more than a simple submission of data to a specific file and therefore the origin cannot be validated.

    The moderation list, blacklist, Akismet, and various other anti-spam plugins are capable of filtering all incoming trackbacks.
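As an added illustration (not WordPress code and not from anyone in this thread), the following checks hold a comment for moderation when it shows the pattern described above: an author URL whose host is not a valid hostname (the `http://%/` values), an empty e-mail where one is required, or a comment_type of trackback/pingback, which cannot be verified. The comment records and field names are a constructed, simplified stand-in for the real comment table.

```python
import re
from urllib.parse import urlsplit

# Constructed sample comments modelled on the records described in the thread
# (not real data): a normal comment, the "http://%/" trackback with an empty
# e-mail, and a plain comment carrying only the malformed URL.
SAMPLE_COMMENTS = [
    {"author": "alice", "email": "alice@example.com",
     "url": "https://example.com/blog", "comment_type": "", "content": "Nice post."},
    {"author": "VIRGIL", "email": "",
     "url": "http://%/zzvwuok8", "comment_type": "trackback", "content": "spam comment"},
    {"author": "bob", "email": "bob@example.org",
     "url": "http://%/JoJozuru.ru", "comment_type": "", "content": "great stuff"},
]

# Hostname label check: letters, digits and hyphens only, no empty labels.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def url_is_well_formed(url: str) -> bool:
    """Accept only http(s) URLs whose host is a syntactically valid hostname.

    For "http://%/..." urlsplit() yields "%" as the host, which fails the label
    check, so such a comment is never treated as coming from a trusted author.
    """
    if not url:
        return True  # the Website field is optional
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return all(_HOST_LABEL.match(label) for label in parts.hostname.split("."))

def moderation_reasons(comment: dict, require_email: bool = True) -> list:
    """Return the reasons a comment should be held for moderation (empty list = OK)."""
    reasons = []
    if not url_is_well_formed(comment.get("url", "")):
        reasons.append("malformed author URL")
    if require_email and not comment.get("email"):
        reasons.append("empty e-mail")
    # Trackbacks and pingbacks cannot be verified, so hold them instead of
    # letting them skip the "previously approved comment" requirement.
    if comment.get("comment_type") in ("trackback", "pingback"):
        reasons.append("unverifiable trackback/pingback")
    return reasons

def triage(comments: list) -> dict:
    """Map each author to its moderation reasons for a batch of comments."""
    return {c["author"]: moderation_reasons(c) for c in comments}
```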

  • The topic ‘Malformed URL bypassing moderation?’ is closed to new replies.