Comment Spam Fix: Explained

Dan caught what I did, so here is the full explanation, along with my explanation/theory of how spammers work:

Basically, all I did was rename the default .php file that WordPress posts comments to (wp-comments-post.php) to some other name, and change the one line in the comment form so it posts to the new .php filename. (I say rename rather than copy, since the idea is that the default post file is no longer there.)

The reason this works is that spam-bots don’t actually click through your site and submit comments the way a normal user does, since that would be very inefficient. Instead, they identify that your site is a WordPress site and have their script post comments directly to http://yoursitepath/wp-comments-post.php with the proper form fields, including randomly assigned post IDs (usually low-numbered ones, which are more likely to exist). They rely on this file being at the same path on every site, since most users don’t change the default filenames used by their blogging software.

If they got really smart, they could have their initial probe pull this custom information from the site when it is first scanned and identified as a WordPress target, but I doubt they do. If they did, you could also easily add further restrictions that enforce that the comment post comes from your comment page as loaded by an actual user, rather than from a “blind” post by a bot. Such methods include hidden custom form fields, referrer filtering, etc.

Of course, they could always build ways around those as well. They could make their spam software simulate a user’s actions more closely by actually loading a comment page first and handling whatever customizations a particular site has implemented, but the fact is they won’t do this. In fact, I’m betting they won’t even get past the simple name change, and here’s why: a little principle called return on investment.

Spam is entirely based on this idea: the effort-to-reward ratio is very favorable. Sure, the reward may be small, as with e-mail spam, where almost no one buys the products. But when you weigh that against the level of effort required (which is almost non-existent), it is worth it for them. (See here for more on this concept.)

However, once you introduce basic measures to prevent it, such as the fix I describe above, the effort needed to overcome it immediately increases. While it isn’t difficult at all to overcome, it just isn’t worth their time, especially when there are multitudes of completely unprotected sites out there that their code will continue to work on. The loss of one target is almost meaningless, so the value of spending time to target it specifically is not justified.

4 Comments

  1. Posted December 5, 2004 at 9:57 am | Permalink

    Thanks Jared, I haven't received any spam throughout my 8 blogs, except for 2 that spamminator deleted for me.
    This really works.
    But I am also thinking of what is stopping someone from manually going to our sites and finding out the name of our post file, then letting their program clip out 50 comments. I wonder if there is a way to hide the name.

  2. Posted December 5, 2004 at 10:26 am | Permalink

    No, there’s no easy way to prevent them from finding that name, but it’s just not likely that they would go to that kind of trouble, since it would take too much time. (see above)

    The only ways they could do it would be (1.) to go to your site “by hand” and dig through the code (which I guarantee they won’t do), or (2.) build their spam-sending application to go through your site and automatically figure it out. This is definitely possible, but they probably aren’t going to go through the trouble to write that code since almost no one changes the name of their post page.

    But, since it wouldn’t be too difficult for them, and someone may decide to do it if enough people start implementing this fix, there are ways to prevent that from working also.

    Based on how their spam posting application works (just going through and submitting a standard WordPress comment post to your posting page directly, rather than loading the page in a browser and clicking through to post a comment), there are still several workarounds you could do to stop this kind of thing.

    You could add a hidden form field to the comment form, and make your post page check for that field and disregard any post that doesn’t have that field (which theirs wouldn’t unless they also coded their probing application to scan for any custom fields in your comment form, which is highly unlikely). You could also set the value of this field to be some sort of unique identifier (like the PHP session ID) that the post page would check against also, but their app could not predict the value of. This would force their spam app to actually simulate a full browser session by loading your comment page first, then pulling out all the fields (including your custom ones), filling in their spam, and then submitting it. Of course, this is possible too, but again, it’s way too much trouble for them to go through just to get a few sites, when what they have now already works on everyone else’s. Also, their spam app would run a lot slower that way: since the way (I’m sure) they do it now is just firing off a series of posts without ever having to wait for a reply, their workaround would have to connect, load the comments page, parse it, reformulate their post, and then submit - way too many steps.

    Of course, none of this would stop someone from manually going through and posting spam comments as a real user, but I doubt any spammer would ever take the time to do this.
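The hidden, session-bound form field described in the post and in comment 2 above, as an added example that is not code from the original post or from WordPress. It swaps in an HMAC of the session ID under a server-side secret instead of putting the raw session ID in the page; `COMMENT_SECRET`, the function names and the handler path are all assumptions for illustration.

```php
<?php
// Added example (not from the original post or WordPress): a hidden,
// session-bound comment token that the renamed post handler checks before
// accepting a comment. A bot that posts "blind" to the handler, without ever
// loading the form and carrying the session cookie, has no valid token.
// COMMENT_SECRET is a placeholder; set it to a long random value on the server.

session_start();
define('COMMENT_SECRET', 'change-me-to-a-long-random-value'); // placeholder

// Per-session token: an HMAC of the session ID, so the page never exposes the
// session ID itself and the value cannot be predicted without the secret.
function comment_token(): string {
    return hash_hmac('sha256', session_id(), COMMENT_SECRET);
}

// Hidden field to add inside the comment form (field name "ct" is assumed).
function comment_token_field(): string {
    return '<input type="hidden" name="ct" value="'
        . htmlspecialchars(comment_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Called first in the renamed handler (the file formerly wp-comments-post.php).
function comment_post_allowed(array $post): bool {
    if (!isset($post['ct']) || !is_string($post['ct'])) {
        return false;                       // no hidden field: blind post
    }
    // Constant-time comparison so timing differences do not leak the token.
    return hash_equals(comment_token(), $post['ct']);
}

// In the form template (handler path is an assumed placeholder):
//   <form method="post" action="/my-renamed-comment-handler.php">
//     <?php echo comment_token_field(); ?>
//     ... author, email, comment and comment_post_ID fields ...
//   </form>
//
// At the top of the renamed handler:
if (php_sapi_name() !== 'cli' && !comment_post_allowed($_POST)) {
    http_response_code(403);
    exit('Comment rejected: missing or invalid form token.');
}
```

Note that a bot which does load the form first, and keeps the session cookie, gets a valid token; that is exactly the extra connect-load-parse-submit round trip comment 2 counts on to make the target not worth the effort. Referrer filtering is a weaker check, since the Referer header is set by the client and is easily omitted or forged.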

  3. Posted December 5, 2004 at 11:56 am | Permalink

    I fully understand, why bother when 95% of other wordpress users don’t use this measure. It makes sense.
    And if they ever did find the post file (which is very easy, just press say it with your name or a comment missing. (I don’t think you can get it any other way, can you?)) you could actually change it every so often, it’s so easy. Or you can do one of the many other things that you stated above.

    I am still getting spam from the infamous texas holdem guy; at least I am still 100%. Because with the spamminator killing his manual comments, and the change killing the bots there is nothing else to worry about…for now anyways.

  4. Posted December 5, 2004 at 2:49 pm | Permalink

    Why do they bother, the texas holdem guy commented 36 times in 30 minutes on my blog today and the plugin grabbed them all. But 30 minutes, why the waste of time.
