Cursing My Blessings on the Spam Front

Just my luck. In the week I’ve been testing spamvalve I’ve had no comment spam… until 5am this morning.

The spammed post was viewed by one IP address then, moments later, a comment was left on that post from a second IP address which then (re)loaded the entry. My traffic is low enough to make it highly probable that the first IP address and the second belong to the same person: neither IP address resolves to a known host so I assume they’re both spoofed.

The post was clearly spam: a vague meaningless statement along the lines of “great info guys thanks” linked to a portal site. It didn’t trigger WordPress’s built-in spam defences nor the spamvalve plug-in.

By default any comments on this site have to be approved by me before they show up, unless you’ve been whitelisted following a previously approved comment. Clearly this little spambot is designed to move on and spam elsewhere if its comments are held in a moderation queue. A well-behaved spambot, who would’ve thought it?

So, I’ve just had one spam to delete manually, but it’s a reminder that there’s nothing to stop a spammer from spoofing a different IP for every request, which prevents blocking by address from working. Spamvalve will prevent a less well-behaved spambot that makes multiple spam posts from one IP from bringing down your site with unwanted traffic, but it’s not a magic bullet.

(To be fair, Dougal never claimed otherwise:

The plan I’m proposing won’t do anything to stop a large number of hosts who only send a couple of spams each. Those will have to be caught by the other anti-spam measures such as content filtering. What I’m primarily aiming for is to keep the worst of the repeat-offenders from tying up my resources for no good reason.

Comment #16 on Spammers should all DIE DIE DIE)

I’m just fortunate that I’m not yet on the spammers’ radar: obscurity has its advantages. But it’s annoying not to have the chance to properly test out my defences. I’ll regret those words when the storm hits.

There’s a new update for Michael Hampton’s Bad Behaviour anti-spam plug-in out today for anyone using it. I’m going to update and re-enable it from today and keep it running in parallel with spamvalve. I think it’s safest to have several different anti-spam tools in your arsenal.

Of course, the only sure way of blocking comment spam is to blacklist based on the sites the comments link to but that seems an unrealistic goal. Or is it?
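The limit described above (blocking by address misses a spammer who uses a different IP for every request) next to the alternative of keying on the linked site, as an added Python example that is not part of the original post and is not SpamValve's code. The comments, addresses, domains and thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample: (source IP, comment body). Addresses are documentation
# ranges and every domain is a made-up .example name.
SPAM_A = 'cheap pills <a href="http://pills.example/buy">here</a>'
SPAM_B = 'great info guys thanks <a href="http://portal.example/">portal</a>'
COMMENTS = [
    ("198.51.100.7", SPAM_A), ("198.51.100.7", SPAM_A), ("198.51.100.7", SPAM_A),
    ("203.0.113.1", SPAM_B), ("203.0.113.2", SPAM_B),
    ("203.0.113.3", SPAM_B), ("203.0.113.4", SPAM_B),
    ("192.0.2.50", "I wrote about this at http://blog.example/post too"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def linked_domains(body):
    """Lower-cased hostnames of every http(s) URL in a comment body."""
    hosts = (urlparse(url).hostname for url in URL_RE.findall(body))
    return {h for h in hosts if h}

# Both thresholds below are assumed values for this example, not the
# settings of any plug-in named in the post.
def repeat_ips(comments, threshold=3):
    """Per-address view: IPs that posted at least `threshold` comments."""
    counts = Counter(ip for ip, _ in comments)
    return {ip for ip, n in counts.items() if n >= threshold}

def campaign_domains(comments, min_ips=3):
    """Per-link view: domains linked from at least `min_ips` distinct IPs."""
    sources = defaultdict(set)
    for ip, body in comments:
        for domain in linked_domains(body):
            sources[domain].add(ip)
    return {d for d, ips in sources.items() if len(ips) >= min_ips}

def held(comments, bad_ips, bad_domains):
    """Indexes of comments a filter with these two blocklists would hold."""
    return [i for i, (ip, body) in enumerate(comments)
            if ip in bad_ips or linked_domains(body) & bad_domains]

if __name__ == "__main__":
    ips, domains = repeat_ips(COMMENTS), campaign_domains(COMMENTS)
    print("held by IP blocklist only:", held(COMMENTS, ips, set()))
    print("held with domain list too:", held(COMMENTS, ips, domains))
```

Grouping by linked domain flags any site that several addresses link to, so a filter built this way needs an allowlist for legitimately popular destinations.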

4 Responses to “Cursing My Blessings on the Spam Front”

  1. IO ERROR Says:

    Yep, that’s a common spammer. They generally use compromised Windows boxes as proxy servers - or occasionally manage to get their own software running on these machines. I would ask you to send me a report, but if I read your post correctly, Bad Behavior was disabled at the time?

  2. Tim Hardy Says:

    You read it correctly. Bad Behaviour was disabled at the time. I didn’t want it interfering in my tests of spamvalve.

    I haven’t looked at the source to your plugin yet but I’m guessing re-enabling it means spamvalve won’t get to see any spam. It would be nice to find a way to blend both plugins, perhaps adding an option to Bad Behaviour to hand over spamblocking to spamvalve when faced with a steady torrent of spam from one IP. Just a thought.

    Blocking an address at a firewall level appeals to me as a very low impact way of defending a server - too bad those damned spammers won’t settle down and pick just one address from which to spam at a time…

  3. Dougal Campbell Says:

    The WordPress plugin for SpamValve hooks into the comment_post action. So it should see anything that makes it that far. If Bad Behaviour blocks spams earlier than that (which it probably does), it shouldn’t be hard to hack into it and add a call to SpamValve’s add_spammer() function.

  4. Tim Hardy Says:

    Thanks for the info and encouragement, Dougal. I was thinking out loud when I wrote the above, then, looking at it, thought it wasn’t such a bad idea. I looked through the source to Bad Behaviour last night: it blocks spam by identifying common bots and sending them to bad_behaviour_banned.php that returns a “412 Precondition Failed” error. I’m going to try adding a call to SpamValve’s add_spammer() function, exactly as you say, to bad_behaviour_banned.php so persistent bots will get the firewall treatment if they keep on trying. I need to do a little reading on PHP syntax but I’m confident it should be straightforward to implement. I’ll post and share my results once/if/when I get it working.
