
Three Strikes and Out Damned Spam, Out I Say!

85 responses · by · on September 24th, 2004 · in WordPress Hack

I call this the “Three Strikes” Spam Prevention Plugin.

This plugin is designed to prevent comment spam from even hitting your system and leaving you with a flood of approval requests and a bunch of comments to be deleted. While dealing with some moderated comments on my system, I started to realize that most of the REAL spam could easily be categorized as delete fodder by a “fuzzy” points system. In toying with the idea and testing the various scenarios, I have put together a plugin that keeps track of the “strikes” of a comment and then prevents the comment from ever getting into your database and making more work for you.

Here are the possible strikes (so far in the beta):

  • Every SpamWord (default WordPress) match within the comment is a single strike
  • A greater than allowed number of links inside a comment is a strike
  • A match between the commenters’ IP and a SpamWord IP is a heavily weighted strike
  • An empty referer field for the posted comment request is a strike

The strike system can be configured to be aggressive or moderate by a simple value change. I have it set at 3 and it seems to work well at that level. Higher numbers = more moderate spam checking (less spam gets deleted). Various users might have to play with that value to see what works for them.

Once a commenter/comment is determined to be “Struck Out”, they are redirected to (by default) the FBI site. This redirect site can be configured in the plugin as well.
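The four strike rules and the threshold, written out as a worked scoring function. This is an added example, not the plugin’s own code; it assumes one strike per spam-word occurrence, a link limit of 2, and a weight of 3 for the IP match, none of which the post fixes, and it skips blank lines in the spam-word list because an empty pattern would match every comment.

```python
import re
from dataclasses import dataclass

# Each http(s) URL or opening anchor tag in the body counts as one link.
LINK_RE = re.compile(r'https?://\S+|<a\s', re.IGNORECASE)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')

@dataclass
class Comment:
    author: str
    email: str
    url: str
    body: str
    user_ip: str
    referer: str

def load_spam_words(raw):
    """Split the moderation list (one entry per line) into words and IPs.
    Blank lines are skipped: an empty pattern would match every comment."""
    words, ips = [], set()
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if IPV4_RE.fullmatch(line):
            ips.add(line)
        else:
            words.append(line.lower())
    return words, ips

def score_comment(c, words, ips, max_links=2, ip_weight=3):
    """Return (strikes, reasons). Weights are assumptions, not the plugin's."""
    strikes, reasons = 0, []
    haystack = ' '.join((c.author, c.email, c.url, c.body)).lower()
    for w in words:                      # one strike per spam-word occurrence
        n = haystack.count(w)
        if n:
            strikes += n
            reasons.append(f'spam word {w!r} matched {n}x')
    links = len(LINK_RE.findall(c.body))  # too many links: one strike
    if links > max_links:
        strikes += 1
        reasons.append(f'{links} links (limit {max_links})')
    if c.user_ip in ips:                 # listed IP: heavily weighted strike
        strikes += ip_weight
        reasons.append(f'IP {c.user_ip} is on the spam list')
    if not c.referer.strip():            # no Referer header: one strike
        strikes += 1
        reasons.append('empty Referer')
    return strikes, reasons

def is_struck_out(c, words, ips, threshold=3):
    """True when the comment should be bounced instead of stored."""
    return score_comment(c, words, ips)[0] >= threshold

# Constructed sample data (not real spam words or addresses).
SPAM_LIST = "casino\n\npoker\n203.0.113.7\n"
WORDS, IPS = load_spam_words(SPAM_LIST)
SPAM = Comment('win', 'x@example.com', 'http://a.example/',
               'See http://a.example/ http://b.example/ http://c.example/ casino poker',
               '203.0.113.7', '')
HAM = Comment('Mark', 'mark@example.com', '', 'Nice post, thanks.',
              '198.51.100.9', 'http://blog.example/post')
```

The `reasons` list is what you would want in the bounce notification, so a false positive can be traced to the rule that caused it.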

The plugin can be downloaded here. Please post suggestions and bugs.

Installation is very simple. Just copy the plugin to your wp-content/plugins directory and activate through your admin interface. I suggest the use of a more moderate spam checking (SpamThreshold greater than 3) and the use of Kitten’s Spam Words for the first few days/weeks till you have some spam words filled up. The more robust your Spam words, the more effective this plugin.

[EDIT] For a method to get notified of Spam when it gets bounced, check out this comment.

[EDIT] 10/3/04 – There is a small bug in this plugin where the WordPress comment approval/delete was borked because of this plugin. To fix the problem, just download the plugin again and copy it to your plugins folder. In other words, the problem has been fixed in the download.

[EDIT] Now with Trackback checking built in.

85 Responses

Comments

  1. Jeff Minard (8 comments.) says:

    You may also wish to have it do a “demo” spam check.

    For instance, have it process all (or a large sample) of previous comments so that users can see what kind of comments will be accepted, moderated, or just bounced.

  2. Mark says:

    That is a great idea! I will have to think about how to implement that though.

  3. Charles (2 comments.) says:

    Works like a charm (tested on my local machine) – though I guess one thing that would be nice would be to have it email you (as comments get emailed, when you have that option enabled) when it has diverted someone away. Couldn’t see how to do that. Or would it happen anyway?

  4. Mark says:

    Actually, I monitor strikes as well as keeping track of who got diverted. Look at the source of this page to see the strikes for each comment. I also have the script send me an email when it gets triggered. I will post that part of the script here in a few.

  5. Mark says:

    Look towards the bottom of the plugin and find

    //This is where the strikes are processed.
    if ($strike >= $SpamThreshold) {
        header("Location: $RedirectSite");
        die('Too Bad Spammer');
    }

    Replace that with:

    $_POST['comment'] .= "<!-- strikes = ".$strike." -->";
    //This is where the strikes are processed.
    if ($strike >= $SpamThreshold) {
        // Keep the commenter's address, since $email is reused for the recipient below
        $commenter_email = $email;

        // Your email address
        $email = "your@email.com";

        // The subject
        $subject = "Mail from blocked comments";

        // The message (the plugin's IP variable is $user_ip)
        $message = $comment."<br />".$author."<br />".$commenter_email."<br />".$url."<br />".$user_ip."<br />"."<!-- strikes = ".$strike." -->";
        mail($email, $subject, $message, "From: $email");
        header("Location: $RedirectSite");
        die('Too Bad Spammer');
    }

    Now, replace your@email.com with your real email address.

  6. Kaimi says:

    Very nice. I had previously tinkered with setting blacklist to auto-block. This might be a better approach.

    FYI, one thing I did slightly differently. I worried about false positives, which are a real possibility with any filtering. And I didn’t want someone to type up a great comment, inadvertently trip a filter, and lose their comment. So my die looks like this:

    {
        echo ('Your Comment: ');
        echo ($comment);
        echo ("\n\n");
        die( __('Sorry, but some of the content of this comment appears to violate our comment policies. This determination has been made using filtering software. If you believe you have received this message in error, please contact us by e-mail as soon as possible. In addition, please note that this comment will not be saved on our server. Therefore, if you wish to preserve any of the content of this comment, you should copy it from this screen right now. Thank you.') );
    }

  7. Charles (2 comments.) says:

    I like Kaimi’s suggestion, though what’s frustrating is that what we *want* to do is slow the spammers down. But I don’t think they wait for the site to respond. I expect they have systems that spew out these spams by connecting to the site and pressing the buttons and ignore any response *at all* from the systems they’re targeting.

    How then do we get the server to hold them up? And do they ever, ever look to see if their stuff appears? Only IP banning would work, I suspect, but that’s not going to work because they use networks of Trojanned machines.

    This feels like trying to eradicate malaria. Some damn fool keeps leaving empty tyres out in the rain.

  8. Stephen (1 comments.) says:

    I don’t currently have a blacklist and yet any comment anyone tries to post gives 5 strikes right away – why is this?

  9. Mark (34 comments.) says:

    Try adding one word to your blacklist, not sure what else you have installed.

  10. pmk (2 comments.) says:

    I’ve dropped this in along with my other WP plugins, but it never appears in the Plugins admin section. Anyone else had this problem?

  11. Mark says:

    What version of WordPress are you using?

  12. Mark says:

    Hmmmm… that’s weird and not necessarily a bug in the code. Can you do me a favor and look at the comments in your wp-admin and see if there are any IPs recorded there?
    Either this is something new that the spammers have started OR your server somehow does not have the $_SERVER superglobal for PHP implemented. The second error can be fixed by making sure that register_globals is turned on for PHP and replacing $_SERVER with $HTTP_SERVER_VARS['REMOTE_ADDR'].

    For $_SERVER to work, you should be on PHP version 4.1.0 or above.

  13. Pamela (2 comments.) says:

    I’m in the process of converting an MT blog to WP. I have about half my old posts uploaded. I have the WP blacklist, Kitten’s Spam Words, and Three Strikes plugins. The first test comment I tried to post, using my own name/email/domain and body consisting of ‘test’ got me redirected to fbi.gov. Deactivating Three Strikes let the comment go through. I haven’t yet messed with the threshold for Three Strikes, so I’m kind of surprised that the default level blocked me.

  14. Mark says:

    Make sure that there are no empty spaces or line breaks in the common spam words inside your wp-admin. Empty lines would cause problems and I have noticed that Kitten’s spam words sometimes puts in empty spaces.

  15. Charles (4 comments.) says:

    I’m not getting the IP of blocked comments – which I’d like to see.
    My code:
    $subject = "Mail from blocked comments";
    // The message
    $message = $comment."<br />".$author."<br />".$email."<br />".$url."<br />".$userip."<br />"."";
    mail($email, $subject, $message, "From: $email");

    However the mail I get when a comment is blocked doesn’t have anything in the $userip field. It gets the comment, the author and author email (faked as they are) fine.

    Seems like a bug in the code?

  16. Charles (4 comments.) says:

    Sorted it – it was a bug, but in my code. I had put $userip instead of $user_ip in the thing I wanted mailed.

    Now have put together a much more comprehensive response, which includes hyperlinks to ARIN and RIPE (as I get Euro-generated comment spam). Here’s the code:

    $message = $comment." allegedly by ".$author." at ".$email." Url ".$url." IP: ".$user_ip." (RIPE) ".$user_ip." (ARIN) \n \n ";

    Untested so far, but some spammer somewhere has been banging on my server all day, so sure to get tried out in a moment.

  17. Charles (4 comments.) says:

    agh, my hyperlinks in the code got commented out. If you copy the code above and the text of the link you’ll get close to it. Apologies. I may try to post the code on my site.

  18. Charles (4 comments.) says:

    OK, and now I’ve worked out what I did wrong. This version now has a lookup so you can do a lookup all round the world for where the IP is coming from. This is if you get an email telling you whether you’ve had blocked comments.

    I haven’t put HTML in this because I don’t use an HTML email client. It converts text beginning with http: directly into links. Your mileage, as they say, may vary, in which case you’ll have to write the a href= stuff yourself.


    $message = "Comment: ".$comment."
    allegedly by ".$author." at ".$email." Url ".$url."

    RIPE: http://www.ripe.net/whois?form.....earchtext=".$user_ip."

    ARIN: http://ws.arin.net/cgi-bin/whois.pl?queryinput=".$user_ip."

    LACNIC: http://lacnic.net/cgi-bin/lacn.....N&qr=".$user_ip."

    APNIC: http://www.apnic.net/apnic-bin.....earchtext=".$user_ip."

    strikes: ".$strike;
    mail($email, $subject, $message, "From: $email");

  19. Raena (2 comments.) says:

    It’s user_ip, that’s why.

  20. Raena (2 comments.) says:

    …oops, never mind. ;)

  21. Bowen (1 comments.) says:

    BTW, you can use $email = get_settings(“admin_email”); instead of hard-coding $email = “your@email.com”;

  22. Kelson (20 comments.) says:

    Great plugin! It’s just saved me from a positively ridiculous spam run (230 comments in one day. All moderated, but I got all the notices…)

    One problem: On my site, the add_magic_quotes lines cause apostrophes to get double-escaped in comments that pass. My guess is that it’s because magic_quotes_gpc is disabled on my server, so both this plugin and the regular WP code run it — and the comments end up with backslashes in front of every apostrophe.

    It *looks* like it’s not necessary in the code this plugin runs, so I’ve commented out those lines on mine and things seem to be working OK.

    Another suggestion I’d make is having it issue a 403 error instead of redirecting. While I like the idea of sending the spammer to the FBI’s page, chances are it’s a bot doing the posting, and an “Access denied” error is more likely to get noticed in the unlikely event that the bot’s been written well. Simple version:

    if ($strike >= $SpamThreshold) {
        // this next line depends on what version of PHP you have.
        // see wp-blog-header for an example
        header('Not allowed', TRUE, 403);
        print '<html><head><title>Access Denied, Spammer!</title></head><body><h1>Get lost, spammer!</h1></body></html>';
        die();
    }

  23. Kelson (20 comments.) says:

    D’oh! In a comment about problems with escaping, I forgot to escape my HTML sample code! Sorry about that!

    print '<html><head><title>Access Denied, Spammer!</title></head><body><h1>Get lost, spammer!</h1></body></html>';

  24. Pamela (2 comments.) says:

    Currently, there aren’t ANY words in my spam words list. I think I’m looking in the right place: Options -> Discussion -> Comment Moderation.

  25. Jeroen Evers (1 comments.) says:

    Hi,
    thanks a lot for the plugin!

    I have a question though: when someone leaves the URI blank, does it automatically get a strike? If so, is there a way to remove the URI strike, because I would like to make it a non-required field!

  26. Mark says:

    That is not true. As long as you allow blank URIs in your blog, comments should still go through. The three strikes plugin does not check it.

  27. pmk (2 comments.) says:

    1.2.1

  28. Sarah says:

    Your plugin has saved the day – I was being inundated with spam, and while it all got caught and put into a queue it was still a big nuisance. Since using your plugin, the numbers have dropped rapidly, and I’m not having to moderate my site comments every day. Cheers :)

  29. Brenda (1 comments.) says:

    Hi, I have installed this plugin. But how do I test to see if it is working?

  30. Lauren Noelle (1 comments.) says:

    Where are the configuration options? What do we do after activation? How do we set the number (3)?

  31. Vitaly Friedman (2 comments.) says:

    Hm…. Actually, I use SpamPal (www.spampal.org) – and I haven’t experienced any problems so far… Still I’ll try this plug-in. Thanks!

    With warm greetings from Saarbruecken, Germany,
    Vitaly Friedman, http://www.alvit.de/vf

  32. Ella says:

    All I did was post “test” and I was directed to the FBI page!

  33. Mark (118 comments.) says:

    Ummm…just FYI for Ella, that plugin is not active on this blog so redirection to the FBI page is impossible.

  34. Newer says:

    Nice site!



Trackbacks/Pingbacks

  1. [...] spam on my blogs. Looks like someone’s heard my prayer after all. Mark releases the Three Strikes Plugin and explains the rationale [...]

  2. [...] ging tools. (WordPress, MT, Expression Engine, Textpattern) [via Weblog Tools Collection] Three Strikes You’re Out – spam plugin Another [...]

  3. [...] since I now doubt whether it works properly, I have now also installed Kitten’s Spam Words and Three Strikes. Spam Words adds [...]

  4. [...] nly around 10 clicks for 140 messages – but it was annoying enough. So now I am using the “Three Strikes” Spam Prevention Plugin by M [...]

  5. [...] f your comments redirect you.. I’ve just activated a WordPress plugin called “Three Strikes” which should kill a [...]

  6. [...] ges
    Filed under: Site News — Julian @ 7:11 pm

    I’ve installed the Three Strikes plugin from Mark Ghosh. Any prob [...]

  7. [...] Some idiot comment spammer has been trying to flood my comments. I activated the Three Strikes plugin and I hope it’s good [...]

  8. [...] — Mark I thought that it would be useful to post my own experiences with the Three Strikes Plugin that I recently released. [...]

  9. [...] e comment spammers finally found their way into my WordPress set up. But no worries. The Three Strikes plugin “scores” each new [...]

  10. [...] t weeks and I was getting tired of removing/disapproving it manually, so I installed this: Threestrikes Spam blocker If you try to commen [...]

  11. [...] Back in If your comments redirect you.. I mentioned a new plugin for WordPress called Three Strikes for simply pushing annoying comme [...]

  12. [...] in the queue awaiting approval, so I have now installed yet another anti-spam add-on for WP, ThreeStrikes Spam prevention plugin. This add-on [...]

  14. [...] write comments…but what are we supposed to do on the FBI’s homepage? Read more! Weblogg Tools Collection [...]

  15. [...] ng also check you are invited Thanks for that:) Besides, I can recommend “Three Strikes” Spam Prevention in combination with Kitten’s Spam Words to every WordPress blogger [...]

  16. [...] ion Filed under: General — scruss @ 13:59 Okay, I’ve now installed ThreeStrikesSPAM and Kitten’s Spam Words [...]

  17. [...] — Pinwiz @ 6:21 am

    What have I accomplished? 1. I have installed both the Three Strikes Spam Filter and Kitten’s Sp [...]

  18. [...] in moderation) Given our use of the Spammer Tar Pit, Kitten’s Spam Words and Three Strikes Spam plugins, he must have submitted his spam [...]

  19. [...] I apologize. I’m using two anti-comment-spam plugins – Kitten’s Spam Words and Three Strikes SPAM. I marked the first piece of [...]

  20. [...] earlier… This was due to me messing up some characters in my editing of the Three Strikes Plugin which has been sorely test [...]

  21. [...] seems to work, I still end up having to “moderate” WordPress comment spam. The Three Strikes plugin works like SpamAssassin to [...]

  22. [...] s, automatically adding IP addresses, keywords, url’s etc to the spam word list. 2) Three Strikes This works in conjunction with th [...]

  23. [...] Mike helpfully suggested the combination of Kitten’s Spam Words and a plugin called Three Strikes [...]

  24. [...] The current hooks in WP 1.2.1 don’t allow for this, but things look better in 1.3. Three Strikes Plugin This is another really coo [...]

  25. [...] pblue.com/blog/%year%/%month%/%slug-name% anti-spam plugins: Kitten’s Spam Words and Three Strikes SPAM post-by-mail: via secret e- [...]

  26. [...] opinion much more interesting, is Kitten’s Spaminator, a combination of Tar pit and Three Strikes. The latter I was already using in the [...]

  27. [...] e found a pretty damn effective way of dealing with these asshats: Laughing Lizard’s Three Strikes spam filter for WordPress. It doe [...]

  28. [...] installed ‘Kitten’s Spaminator‘, which combines the best of ‘Three Strikes Spam Prevention Plugin‘ and [...]

  29. [...] nder: Reviews — crimespree @ 4:19 pm I just installed the WordPress Plugin ThreeStrikesSpam by Laughing Lizard and I am s [...]

  30. [...] main interest lies in the fact that it combines the best of the other plugins (Tar Pit and Three Strikes for WP, and the high praise it g [...]

  31. [...] be instantaneously sync’d with a livejournal I created (for my livejournal friends). Three Strikes Spam – not sure exactly how this [...]

  32. [...] features to identify spam, and adds them to the list of patterns to look out for, and also Three Strikes which uses the list of common fea [...]

  33. [...] r 85 since the last time, making for a total of 690 spam comments that were turned away by this awesome plugin in two days [...]

  34. [...] Filed under: Site News — Judd @ 9:01 am

    I’ve installed the “three strikes” comment spam plugin to see [...]

  35. [...] just type in a random code with every comment. But then I finally found a proper plugin! ThreeStrikes! is what this plugin is called and it seems to be [...]

  36. [...] at’s a new record for my little corner of the blogosphere. Thanks to the WordPress Three Strikes plugin, only 2 w [...]

  37. Comment spam
    I actually thought it wouldn’t hit us, but in the last week around 800 comment spam entries have landed here. Just for the record: comments with more than one link end up in the queue and have to be approved (moderated) be…

  38. Three Strikes TarPit
    I was hit by a wave of spam today. On Raena’s recommendation, I had Kitten’s Spam Words running, so the spam wasn’t visible on the blog, but I still had to log in and delete it all from the moderation queue.

    Pain in the arse.

    So I went looking…

  39. Comment spam
    Sigh

    I’ve been getting hit with a lot of comment spam recently … pain in the a–.

    I found a nifty plugin, however, that lets me dump comment spam based on certain criteria. Pretty nice.

    So far it has worked well … although I had some c…

  40. SPAM Prevention with WP!!
    Are you being spammed? Do you use WP? If the answer is YES, then you MUST read this…..

  41. [...] Spam protection Since I am receiving a lot of spam comments, I installed ThreeStrikeSpam and Kitten’s Spam Words p [...]

  42. Anti-Spam Plugins

    I finally installed anti-spam plugins. With this being my third new blog, I was lazy. But I hope I found the perfect plug-ins.

    Three Strikes Spam
    This gets rid of spam and doesn’t allow for a notification e-mail!

    The drawback: I’m pretty sure …

  43. [...] mers figured out a new way to leave comments via some trackback URI action. Next came the ThreeStrikesSPAM plugin. It did it’s job [...]


  45. [...] mment Killer Comment Spam Words Three Strikes Anti [...]

  46. [...] ing “500 Internal Server Error”) But since 16:00 I have had the door shut thanks to ThreeStrikesSPAM. The result, thanks to a ma [...]

  47. [...] action Okay, I’ve now installed ThreeStrikesSPAM and Kitten’s Spam Words. This should help with my comment spam problem. tags: spamPopularity: [...]

  48. [...] Read more! Weblogg Tools Collection [...]

Obviously Powered by WordPress. © 2003-2013
