[wp-hackers] Simple comment spam experiment

Alexander Beutl xel at netgra.de
Wed Apr 16 15:25:33 GMT 2008

If possible nonces may be great - agree but i am not too sure if they would
be realy help or just increase server load on the long term because spammers
would start to crawl the page every time...

As to my experiments so far the contact form of each blog will be loaded at
least once or once a day, many seem to do it every 2 hours (as far as I can
tell this depends on the spammer himselfe or his software). There may be
some left which do not load it even a single time but they seem to be rare.

How I can tell?
I tried the following:
<input type="hidden" name="some_name" value="<?php echo my_hash_function();
?>" />

While the my_hash_function creates a hash depending on several factors
including post id, hour and date and some not informations not available to
When the comment is posted this hash will be evaluated against the hash
which would be used now and the hash used last hour.

It seems obvious that no spam will go through this if the spammer didn't
load the form within this or the last hour. Whoever wants to write a comment
needs to do it within 1.5 hours at average, differing from 1 to 2 hours,
after page load. However this only decreased spam - there is plenty spam
left anyway which will have to be catched by other plugins.

I stole that code however by another plugin (which I didn't want to use as a
whole for performance issues) so the footprint may be known to spammers
allready and they are aware of it and react when it is inside the form when
they first load it.

I think the best guess is not to write any tool which will leave a clear
footprint such as a specific name for a form field. And if your example
would be a often used plugin the spammers would start sending that 1 or
whatever anyway, nomatter if needed or not. If that random name would be
different from blog to blog they would load the form one time for each blog
- if it would be different from post to post they'd load each post one
time... if it differs from time to time they would simply load it in that
time intervall

The thing I want to mention is:
Preventing spam on a not so valuable blog (valuability measured as spamers
do)  is quite easy - you only need to do something which is uncommon.
Preventing spam on a more valuable blog (which spammers would work or pay
for being able to spam it again) is a bit harder since you must be
obfuscating enough for them not to know how the algo works.
While preventing spam with a plugin which will be widely spread is quite
difficult because it needs something a spammer is not possible to hack no
matter if he knows the algo or not. (And he will know it if you make it
available to public)

Maybe using nounces - which would limit the use to a defined time and a
defined "user" (you'd need to identify by IP or Cookie) and a defined post
and only one comment - may be like shooting yourselfe in the foot, cause
they would have to load the page every time, which they might do if that
plugin is widely spread. But that is only a vague guess.

I simply can not imagine them stopping to spam WordPress Blogs, no matter if
this would require the pages to be loaded or not, cause they seem to be
about 0.98 percent of current webpages.
Remember: There are some spam tools out there which even feature JavaScript
capabilities and solve grafphical captchas to trick anti-spam software...
Yes that all sounds pesimistic - but anyway when someone creates this tool
we will notice soon how spammers do react.

2008/4/16, Otto <otto at ottodestruct.com>:
> I got curious about the WP-Spamfree plugin a while back, so decided to do
> a
> little experiment of my own.
> WP-Spamfree basically blocks spam by doing the following:
> 1. Inserts a javascript into the comment space that, when run, sets a
> cookie.
> 2. Checks the cookie when a comment is submitted, and kills the comment if
> no cookie is found.
> Simple solution, albeit not really a way of checking "spam". Still, I was
> curious, so I implemented my own little version in a much simpler way:
> In my theme's comments.php
> <input type="hidden" name="some_random_name" value="1" />
> Near the top of wp-comments-post.php
> $nospam = (int) $_POST['some_random_name'];
> if (!$nospam) {
>     header('HTTP/1.1 403 Forbidden');
>     exit;
> }
> Easy, yeah? Simple check for an extra form field, quick death if it's not
> there.
> I also disabled Bad Behavior, to let the deluge in and see what happened.
> Results after a month or so:
> - Instant drop in comment spam. I mean *instant*. It went from several
> hundred a day to zero.
> - Large drop in CPU load, since I put this before any of the other PHP
> code
> loaded.
> - Regular comments have continued with no issues or complaints or any
> noticeable decline in quantity.
> - Akismet still catches lots of trackback spam (since I'm not doing
> anything
> about that), but the number of comment spam I've had since putting this in
> is in the single digits.
> Conclusion:
> Spammers, for the most part, are not loading the comments form and using
> it.
> They're merely hitting a list of sites and the wp-comments-post.php file
> directly. Renaming this file and adjusting accordingly has much the same
> effect as using a hidden field, of course.
> Question: Could nonces be used for this sort of thing? Or something
> similar
> that would be a bit more secure than a simple field like this?
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list