[wp-hackers] Another anti-spam technique

Carthik Sharma carthik at gmail.com
Thu Oct 28 13:59:22 UTC 2004


The HTTP_VIA idea sounds great. Even without JavaScript, a simple way
to change the name of wp-comments-post.php system-wide would be good
enough to tackle most spammers.

Can the HTTP_VIA elimination be made into a plugin easily?

Carthik.


On Thu, 28 Oct 2004 09:22:19 -0400, Owen Winkler
<ringmaster at midnightcircus.com> wrote:
> OK, I have a couple of new-ish ideas...  The first uses JavaScript, but
> be patient with it.
> 
> Add an onclick to the comment form submit button that calls a JavaScript
> function, say, validate_comment().
> 
> Inside validate_comment(), code will take the post ID (inserted into the
> client-side script by PHP) and a site-unique hash (also inserted by PHP)
> and build a new hash (in client-side JavaScript).  This hash is appended
> as a query string to the form's action.
> 
> If the hash exists and is verified by the wp-comments-post.php, it is
> approved.  If the hash does not exist or is incorrect, the comment is
> moderated.
> 
> If a user has JavaScript off (who does this these days?), then the
> comment is not lost, but is only moderated.
> 
> Thoughts?
> 
> Next idea:  Move the wp-comments-post.php page.
> 
> Assuming that mod_rewrite is enabled, first create a rule that makes it
> impossible to access wp-comments-post.php directly, instead returning a
> 403.  Then, create a rule that redirects a randomly generated URL to
> wp-comments-post.php.  Change the comment posting page so that it uses a
> PHP function in the form action to insert the appropriate redirected URL.
> 
> If mod_rewrite is not enabled, or a config option for this is off, then
> the rules wouldn't exist and the post page would function as normal.
> 
> The logic behind this rule is that automated systems may simply submit
> to wp-comments-post.php without looking at the post page for the form
> action.  At the very least, it forces the spam tools to parse the page.
> 
> It might be possible to implement this with a plugin, since the rewrite
> code can be hooked.
> 
> Thoughts?
> 
> Also, has anyone received comment spam that did not have the "HTTP_VIA"
> header?  I have configured WordPress to send a complete set of server
> variables ($_SERVER[]) in every admin comment notification email so that
> I can examine these.  Every spam I've received has had this header,
> indicating that a proxy was used to submit the comment.
> 
> Needless to say, my comment spam filtering system now automatically
> moderates any submitted comment with the HTTP_VIA header present.
> 
> Owen
> 
> _______________________________________________
> hackers mailing list
> hackers at wordpress.org
> http://wordpress.org/mailman/listinfo/hackers_wordpress.org
> 


-- 
When nothing is done, nothing is left undone -- 老子 Lǎozi

University of Central Florida

Get Firefox! http://www.spreadfirefox.com/?q=affiliates&id=2904&t=1
Homepage: http://carthik.net
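One answer to the plugin question above, as an added example that is not from this thread or from WordPress itself: a minimal plugin that hooks the pre_comment_approved filter (assumed available; it is in later WordPress releases, not necessarily the 2004 code base Owen was working with) and holds, rather than rejects, any comment whose request carried HTTP_VIA. Holding is deliberate, since any RFC-compliant proxy, including corporate and ISP ones, adds a Via header; the X-Forwarded-For check is an addition the thread does not mention, and the mpc_ function names are made up here.

```php
<?php
/*
Plugin Name: Moderate Proxied Comments (example)
Description: Holds comments submitted through a proxy for moderation.
*/

// Returns true when the request carried a proxy header. HTTP_VIA is the
// signal discussed on the list; X-Forwarded-For (added here, not in the
// thread) is another header most forwarding proxies set. Takes the server
// array as a parameter so it can be exercised without a live request.
function mpc_request_is_proxied( array $server ) {
    foreach ( array( 'HTTP_VIA', 'HTTP_X_FORWARDED_FOR' ) as $key ) {
        if ( isset( $server[ $key ] ) && '' !== trim( $server[ $key ] ) ) {
            return true;
        }
    }
    return false;
}

// pre_comment_approved runs inside wp_allow_comment() before the comment is
// stored. Returning 0 queues the comment for moderation; it is never rejected
// outright, so a reader behind a legitimate proxy loses nothing but time.
function mpc_moderate_proxied_comment( $approved, $commentdata ) {
    // Leave a stronger decision (spam/trash) made by an earlier filter alone.
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;
    }
    if ( mpc_request_is_proxied( $_SERVER ) ) {
        return 0;
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'mpc_moderate_proxied_comment', 10, 2 );
```

The held comments still land in the moderation queue, which keeps the same fail-safe property Owen wanted for the JavaScript-off case.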
