<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Comment Spam Fix: Explained</title>
	<atom:link href="http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/feed/" rel="self" type="application/rss+xml" />
	<link>http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/</link>
	<description>A collection of my thoughts and other random stuff I found interesting.</description>
	<pubDate>Thu, 20 Nov 2008 09:30:17 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
		<item>
		<title>By: Dan</title>
		<link>http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/#comment-385</link>
		<dc:creator>Dan</dc:creator>
		<pubDate>Sun, 05 Dec 2004 22:49:12 +0000</pubDate>
		<guid isPermaLink="false">http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/#comment-385</guid>
		<description>Why do they bother, the texas holdem guy commented 36 times in 30 minutes on my blog today and the plugin grabbed them all. But 30 minutes, why the waste of time.</description>
		<content:encoded><![CDATA[<p>Why do they bother, the texas holdem guy commented 36 times in 30 minutes on my blog today and the plugin grabbed them all. But 30 minutes, why the waste of time.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dan</title>
		<link>http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/#comment-384</link>
		<dc:creator>Dan</dc:creator>
		<pubDate>Sun, 05 Dec 2004 19:56:41 +0000</pubDate>
		<guid isPermaLink="false">http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/#comment-384</guid>
		<description>I fully understand, why bother when 95% of other WordPress users don't use this measure. It makes sense.
And if they ever did find the post file (which is very easy, just press say it with your name or a comment missing. (I don't think you can get it any other way, can you?)) you could actually change it every so often, it's so easy. Or you can do one of the many other things that you stated above.

I am still getting spam from the infamous texas holdem guy; at least I am still 100%. Because with the spamminator killing his manual comments, and the change killing the bots there is nothing else to worry about...for now anyways.</description>
		<content:encoded><![CDATA[<p>I fully understand, why bother when 95% of other WordPress users don&#8217;t use this measure. It makes sense.<br />
And if they ever did find the post file (which is very easy, just press say it with your name or a comment missing. (I don&#8217;t think you can get it any other way, can you?)) you could actually change it every so often, it&#8217;s so easy. Or you can do one of the many other things that you stated above.</p>
<p>I am still getting spam from the infamous texas holdem guy; at least I am still 100%. Because with the spamminator killing his manual comments, and the change killing the bots there is nothing else to worry about&#8230;for now anyways.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: JB</title>
		<link>http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/#comment-383</link>
		<dc:creator>JB</dc:creator>
		<pubDate>Sun, 05 Dec 2004 18:26:02 +0000</pubDate>
		<guid isPermaLink="false">http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/#comment-383</guid>
		<description>No, there's no easy way to prevent them from finding that name, but it's just not likely that they would go to that kind of trouble, since it would take too much time. (see above)

The only ways they could do it would be (1.) to go to your site "by hand" and dig through the code (which I guarantee they won't do), or (2.) build their spam-sending application to go through your site and automatically figure it out. This is definitely possible, but they probably aren't going to go through the trouble to write that code since almost no one changes the name of their post page.

But, since it wouldn't be too difficult for them, and someone may decide to do it if enough people start implementing this fix, there are ways to prevent that from working also.

Based on how their spam posting application works (just going through and submitting a standard WordPress comment post to your posting page directly, rather than loading the page in a browser and clicking through to post a comment), there are still several workarounds you could do to stop this kind of thing.

You could add a hidden form field to the comment form, and make your post page check for that field and disregard any post that doesn't have that field (which theirs wouldn't unless they also coded their probing application to scan for any custom fields in your comment form, which is highly unlikely). You could also set the value of this field to be some sort of unique identifier (like the PHP session ID) that the post page would check against also, but their app could not predict the value of. This would force their spam app to actually simulate a full browser session by loading your comment page first, then pulling out all the fields (including your custom ones), filling in their spam, and then submitting it. Of course, this is possible too, but again, it's way too much trouble for them to go through just to get a few sites, when what they have now already works on everyone else's. Also, their spam app would run a lot slower that way, since the way (I'm sure) that they do it now is just firing off a series of posts without ever having to wait for a reply, their workaround would have to connect, load the comments page, parse it, reformulate their post, and then submit - way too many steps.

Of course, none of this would stop someone from manually going through and posting spam comments as a real user, but I doubt any spammer would ever take the time to do this.</description>
		<content:encoded><![CDATA[<p>No, there&#8217;s no easy way to prevent them from finding that name, but it&#8217;s just not likely that they would go to that kind of trouble, since it would take too much time. (see above)</p>
<p>The only ways they could do it would be (1.) to go to your site &#8220;by hand&#8221; and dig through the code (which I guarantee they won&#8217;t do), or (2.) build their spam-sending application to go through your site and automatically figure it out. This is definitely possible, but they probably aren&#8217;t going to go through the trouble to write that code since almost no one changes the name of their post page.</p>
<p>But, since it wouldn&#8217;t be too difficult for them, and someone may decide to do it if enough people start implementing this fix, there are ways to prevent that from working also.</p>
<p>Based on how their spam posting application works (just going through and submitting a standard WordPress comment post to your posting page directly, rather than loading the page in a browser and clicking through to post a comment), there are still several workarounds you could do to stop this kind of thing.</p>
<p>You could add a hidden form field to the comment form, and make your post page check for that field and disregard any post that doesn&#8217;t have that field (which theirs wouldn&#8217;t unless they also coded their probing application to scan for any custom fields in your comment form, which is highly unlikely). You could also set the value of this field to be some sort of unique identifier (like the PHP session ID) that the post page would check against also, but their app could not predict the value of. This would force their spam app to actually simulate a full browser session by loading your comment page first, then pulling out all the fields (including your custom ones), filling in their spam, and then submitting it. Of course, this is possible too, but again, it&#8217;s way too much trouble for them to go through just to get a few sites, when what they have now already works on everyone else&#8217;s. Also, their spam app would run a lot slower that way, since the way (I&#8217;m sure) that they do it now is just firing off a series of posts without ever having to wait for a reply, their workaround would have to connect, load the comments page, parse it, reformulate their post, and then submit - way too many steps.</p>
<p>Of course, none of this would stop someone from manually going through and posting spam comments as a real user, but I doubt any spammer would ever take the time to do this.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dan</title>
		<link>http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/#comment-382</link>
		<dc:creator>Dan</dc:creator>
		<pubDate>Sun, 05 Dec 2004 17:57:20 +0000</pubDate>
		<guid isPermaLink="false">http://freepressblog.org/blog/2004/12/03/comment-spam-fix-explained/#comment-382</guid>
		<description>Thanks Jared, I haven't received any spam throughout my 8 blogs, except for 2 that spamminator deleted for me.
This really works.
But I am also thinking of what is stopping someone from manually going to our sites and finding out the name of our post file, then letting their program clip out 50 comments. I wonder if there is a way to hide the name.</description>
		<content:encoded><![CDATA[<p>Thanks Jared, I haven&#8217;t received any spam throughout my 8 blogs, except for 2 that spamminator deleted for me.<br />
This really works.<br />
But I am also thinking of what is stopping someone from manually going to our sites and finding out the name of our post file, then letting their program clip out 50 comments. I wonder if there is a way to hide the name.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
