[wp-hackers] More anti-spam ideas

Thiago Becker thiago.becker at gmail.com
Mon Sep 27 01:29:07 UTC 2004


For all suggestions, one can always get the comments post page and use
the hash in there to post spam. Very expensive to them but it can be
done.

On Sat, 25 Sep 2004 22:45:56 -0700, Kitty <kitty at mookitty.co.uk> wrote:
> Ok, I got to thinking...
> 
> I would guess that the largest comment spammers would be using scripts
> that directly call wp-comments-post.php, with the proper vars set.
> 
> Now what if there was a unique hash for each comment to check that the
> posting was coming from wp-comments.php?
> 
> In the attached patch, I create a hash by using the list of activated
> plugins joined with the file hash of index.php. This should be
> sufficiently unique across blogs that a spammer couldn't get the hash
> from outside.
> 
> This is then checked when wp-comments-post.php is called, and lets the
> spammer know that scripts won't work if the hash doesn't match.
> 
> I'm proposing this as a core addition, because it would go a long ways
> toward spam proofing WP against the more advanced spammers, and I'm sure
> that this sort of attack will be more common in the future. If you've
> been hit by 100+ spams in a few minutes, this is how it was done.
> 
> Disadvantages:
> o Doesn't prevent manual or screen scraper attacks.
> o Could block a legitimate comment if you activate/deactivate a plugin
> while someone is writing a comment. (Other hash ideas are welcomed.)
> 
> The attached diff is against tonight's CVS.
> --
> Cheers!
> Kitty
> http://blog.mookitty.co.uk/
> http://mookitty.co.uk/devblog/



-- 
===================================
Thiago Rafael Becker
Computer Science Undergraduate
thiago.becker at gmail.com
===================================
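
The reply's point is that a blog-wide hash is the same on every page load, so a value copied from one fetch of the comment form stays valid until the plugin list or index.php changes. As an added example (not the patch from this thread and not WordPress code), here is a model of that static hash beside an expiring, per-post HMAC token, a technique the thread itself does not propose. The md5 construction, function names, secret and sample values are all assumptions.

```php
<?php
// Added example: every name, the secret and the sample values are constructed.

// Model of the static hash described in the thread: active plugin list joined
// with the file hash of index.php. Use of md5 and ',' as separator is assumed.
function static_form_token(array $active_plugins, string $index_hash): string {
    return md5(implode(',', $active_plugins) . $index_hash);
}

// Swapped-in alternative: HMAC over post ID and issue time, keyed with a
// server-side secret, so a copied token expires and only fits one post.
function issue_token(string $secret, int $post_id, int $now): string {
    return $now . ':' . hash_hmac('sha256', $post_id . '|' . $now, $secret);
}

function verify_token(string $secret, int $post_id, string $token, int $now, int $ttl = 3600): bool {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                         // malformed token
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > $ttl) {
        return false;                         // issued in the future, or expired
    }
    $expected = hash_hmac('sha256', $post_id . '|' . $issued, $secret);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Constructed sample data.
$plugins    = ['hello.php', 'markdown.php'];
$index_hash = md5('constructed index.php contents');
$secret     = 'constructed-server-side-secret';
$t0         = 1096248547;

// Static scheme: nothing in the inputs is tied to a request, post or time.
var_dump(static_form_token($plugins, $index_hash));

$token = issue_token($secret, 42, $t0);
var_dump(verify_token($secret, 42, $token, $t0 + 60));   // fresh, same post
var_dump(verify_token($secret, 42, $token, $t0 + 7200)); // past the TTL
var_dump(verify_token($secret, 43, $token, $t0 + 60));   // replayed on another post
var_dump(verify_token($secret, 42, 'no-token', $t0));    // malformed input
```

An expiring token narrows the reuse window but, like the static hash, does not stop a client that fetches the form before every post; it is best paired with rate limiting.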


