post-page

Spam Floods Pissing me off!

46
responses
by
 
on
December 13th, 2006
in
General

This recent trend of almost DOS like spam floods is really starting to tick me off. Akismet seems to be doing its job but the BOT just keeps asking for wp-comments.php even though it is not allowed to post a comment. The IPs, as usual, are very different in each query and the attacks have all the signs of a new bot farm with a new script that just does not want to take no for an answer.

Now before I write something myself, is there a plugin out there that gleams off IPs from commenters that are getting refused (for posting too often, or as spam from akismet) and then appends them to your htaccess? I know something existed for Akismet and htaccess but I also rememeber it being very touchy.

I might whip something up this weekend. Grrrrrrrrrrr.

heading
heading
46
Responses

 

Comments

  1. Donncha O Caoimh (8 comments.) says:

    That’d be the Akismet worst offenders plugin I blogged about a while back. The author created another plugin that allowed the user to select IPs to block. The basic worst offenders part works really well but the .htaccess bit as you said, is slightly touchy.

  2. Patrick Havens (14 comments.) says:

    YEa. soakes Worse Offenders plugin worked good as an integrated part of akismet. but has been touchy as a plugin. Which is sad. But one thing I’ve found that works well is Bad Behavior. Since it stops most of my spam before it gets too me. I literally have hundreds stopped each day by it. I still use Worse Offenders error messages and all to group the akismet spam for deleting.

  3. Mark (5 comments.) says:

    Sorry to say this, but I am glad to hear this. Glad only because I am happy to not be alone in the frustration. I have a good server (way more than I need for the traffic we have) but these attacks have taken my VPS down several times.

    I am now using a software Firewall to block IPs but it often seems like a losing battle.

    I’d love to hear what advice you and others can offer because this is draining.

  4. Mark (118 comments.) says:

    Patrick, the spam is never hitting my servers. It just bogs down the server with thousands of requests. With this sort of a DOS, bad behavior would be a problem and not part of the solution.

  5. ade (4 comments.) says:

    Yeah, I’ve been attacked also by this DoS-like spam. I’ve never experienced this much spam before.

  6. seanrox (7 comments.) says:

    Indeed we are all feeling the bite of holiday spam in comments as well as in email.

    I recently posted about what I’ve done to help alleviate some of the hammering on my servers from spam.

    Not everyone will be able to take the same measures as I have but still a good read for ideas.

    Bad Behavior does work wonders but recently I’ve noticed it’s blocking some legit visitors as well… a lot using Verizon wireless connections.

    Good luck everyone. The spammers are working hard to slam us all it seems this holiday season.

  7. Peng (1 comments.) says:

    I’m glad I’m not the only one seeing this. I’ve even got my blog set to require commenters to be logged in to be able to post, yet here are these damn bots getting past the registration check. Thank God at least Askimet is on the job and catching them.

  8. XSized (2 comments.) says:

    Yesterday i had the same problem on my old blog. There is only one thing you can do: block requests for wp-comments-post.php and wp-trackback.php in the firewall if possible and rename this 2 files. But you have to change some parts in the wordpress-code.
    Nothing else worked for me…

  9. John says:

    Have you tried closing comments on older entries? I did that for a blog I maintain, and the flood slowed to a mere trickle.

  10. Ajay D'Souza (5 comments.) says:

    Does the bot have a useragent? Then you could block it using .htaccess itself.

    Though you feel BB may not work, have you tried giving it a shot? Maybe install it for a while and see what happens?

  11. Pi (1 comments.) says:

    I wrote recently about pointless spam – one of a series of articles – and the actions I occasionally take to get back at the spammers. It seems to work, but it’s not something that you can spend too much time doing if you have a Real Life. Basically I seek out their homepage and send a copy or two of the spam comments to their host. So far every single homepage has been closed down. The worst offender, however, or the most difficult is Blogger, as you need to go to the page and hit Flag which, as we all know, doesn’t work when the spammer has a fast re-direct on his page.

  12. Ozh (88 comments.) says:

    Bad Behavior, Mark. BB blocks about 18000 attempts each 7 days on my blog. When I deactivate it, that’s about 100 spams I get in the moderation queue.

  13. Sam (2 comments.) says:

    With this sort of a DOS, bad behavior would be a problem and not part of the solution.

    This doesn’t make much sense…

    Just install BB, and activate. Test for a day.

    Then feel free to come back and explain how we are wrong based on the results. Seriously, I don’t mind being enlightened.

  14. R. Richard Hobbs (1 comments.) says:

    I use Akismet, Spam Karma and Bad Behavior, so far they play well together and the comment spam is kept to a minimum.

    Now if could just figure out a way to stop the automated stock market spam emails I’d be a happy camper. It’s a new subject each day…about a dozen times.

  15. Mike (1 comments.) says:

    In order to stop DoS, you can drop the whole IP ranges using iptables in rc.local, like this:
    # drop net 111.222.0.0
    iptables -A INPUT -s 111.222.0.0/16 -j DROP
    iptables -A OUTPUT -d 111.222.0.0/16 -j DROP

    Or ask your server admin to do so. Just in case you need this.

  16. Donncha O Caoimh (8 comments.) says:

    Mark – do you use wp-cache? Use my patch to stop wp-cache invalidating it’s cache every time a spam is posted to your blog. Works wonders on my blogs and there’s been a noticable increase in traffic!

  17. dzver (2 comments.) says:

    One idea for reducing spam – if you are using plugin, that supports regexp blacklisted words, then add word nofollow as blacklisted, as I did. Or add rel=”nofollow” in your wordpress blacklisted words (should work).

    I am protecting my blog with:
    a/ recognizing author’s country
    b/ word blacklist

    my akismet plugin is turned off, after adding as spam some real comments, even comments by authors, that I’ve marked as “Not spam” more than once.

  18. Soccer Dad (6 comments.) says:

    I’ve had to really clamp down on my MaxClient setting in Apache due to this. When I’ve had posts Dugg, my server handled approx 350 Apache processes running without an issue. But whatever is happening with the botnet spam, it’s causing apache to use more memory per process to the point that when I get hit, once I hit 100 processes, the server runs out of memory resources (had to buy another couple GB to deal with this mess)

    I use Akismet, Bad Behavior and Spam Karma 2. Bad-behavior is nice, but based on watching the logs and what ends up in Akismet/SK2′s lap – it’s blocking maybe 20% of the hits. SK2 stops the rest (most with such high scores it doesn’t even bother to ask Akismet. It’s nice that way) I’ll see dozens of hits at the same time which drives the Apache child count WAY up and SK2/Akismet are just chewing on it (first time I’ve ever seen spam in SK2 listed in blue with a question mark – that means they’re being processed.) It’s getting out of hand. Its scary to watch your logs as dozens of IPs hit you in under 60 seconds.

    I’ve tried to figure out a reasonable way to stop these clowns. I thought about a plugin that added a nonce to the comment form but that doesn’t work well with wp-cache. You could have the nonce only change once an hour, but then it’s trivial for the spammers to grab it once and use it.

    At least in my case – the botnet requests ALL have ‘Maxthon’ in the User Agent which is some new browser being developed. So you could key on that – but may block some legitimate readers.

    My email server had a queue of 30 children max and I’ve had to boost it to 50 because the botnet email spam has cause spam to jump a magnitude. Thank goodness my bandwidth is unlimited – people paying by the GB have to be getting absolutely hammered by this (at least the email spam – since the comment spammers are only resulting in retuns of 300-1000ish bytes.)

  19. Soccer Dad (6 comments.) says:

    One thing I may try to do is this – a plugin that acts like the Feedburner redirect plugin used to – assigning a random/custom link to your feed for Feedburner to hit. Have wp-comments-post.php renamed with an extra few numbers at the end and the comment theme file updated to use it – just need to see where else the file is referenced. Of course the spammers can just load a comment page and use it – but it’ll help reject the dumber ones with a 404. Just like my backend scanning solution is a blended approach (Bad Behavior, Akismet, SK2), I think fighting off this flood at the front end is going to take a blended approach as well.

  20. Mark (118 comments.) says:

    John, I really hate to close comments on old entries since so many people find them useful and leave important information behind. Removing comments on old entries would not help anyways since the spam never touches my blog(s). The processor gets bogged down from trying to say no.

    Donncha, I am not using wp-cache or APC so I doubt that is the culprit, though that information is very good to know.

    Soccer Dad has the right idea. The sheer load on apache to just turn around and say no the requests, brings the server to its knees. It has yet to cause any further damage but at one point last afternoon, there were over 20,000 connections open on the server, all asking for wp-comments.php.

    Sam, Bad Behaviour would work at first. However, when the volume goes up to these astronomical numbers, the server would have to process Bad Behaviour code before rejecting the comment. This would increase server load more than a simple reject from Apache way before it has to run any pre-processors (for example through .htaccess). Rejection through iptables would be even more efficient but that can be a very difficult task to automate and a very dangerous one at best. I have experimented with Bad Behaviour in the past and I really like the product.

  21. Michael (19 comments.) says:

    John Sinteur of The Daily Irrelevant wrote a very nifty little plug-in that might be of interest to you, called Yet another anti-spam measure.
    (Quote:) This time, I’ve added a plugin that scans the content of a comment, and any URL it finds is checked against a public list at surbl.org.

    What’s great about this list is that if a spammer uses a site to “sell” his stuff (say, ‘www.ultra-cheap-crap.info’) he has to link tot hat site in his spam messages. surbl.org lists the sites used by spammers in this way.

    Which means, if a comment is posted that mentions a site that is used by spammers, it is assumed that it is comment-spam. Usually, that is true, since most comment spam I’ve seen is of the form “I think you’d like to check out http://www.my-crappy-shit.com”

    Here’s the post URL : http://weblog.sinteur.com/index.php?p=8106

  22. Soccer Dad (6 comments.) says:

    Another idea I had that might help is to have wp-comments-post.php keep track of how many comment posting requests came in within the last X seconds/minutes. If it exceeds that threshold, have wp-comments-post.php immediately return a simple, compact error message saying ‘Too many commentors at once – try again in a few minutes’ The check would have to be very high up in the loading of the core to prevent CPU intensive stuff like Sk2 and others from loading and the threshold count would need to be in a lightweight storage spot.

    The risk with this is legitimate commentors might get bounced and lose their post content if their browser is braindead and doesn’t save it when they click ‘back’ Or they just may not bother to try to post again and you lose the comment. But the way these swarms happen, they tend to be short lived (5 minutes or so) before the move on to the next address.

    I absolutely refuse to conceed to these morons. Commenting is what makes blogs great and if you can’t have a discussion with your readers, even on old stuff, why bother?

  23. Mark (118 comments.) says:

    Soccer Dad, that exactly what I was thinking. The details of the flood should be configurable to ensure that false positives do not occur.

  24. Rich Boakes (1 comments.) says:

    Howdy,

    Worst Offenders is not a 1.0 stable plugin – it was released to fill a hole and see if there is a public requirement for something like it – it seems to have proven useful.

    Please do feedback experiences, problems and suggestions. I have my own experience with the plugin, but reading that someone thinks it’s “touchy” doesn’t give me much to go on – I need to know when it fails to live up to expectations, what those expectations are, and why it fails so the next release can do the job better. :)

    Perhaps it’s worth getting it into the WP code management thing so more eyes and fingers can improve it.

  25. GaMerZ (8 comments.) says:

    I got a plugin which bans people from site by IP,

    http://www.lesterchan.net/word.....-100-beta/

  26. Bob (3 comments.) says:

    One thing that bears mentioning, if you have access to your firewall configuration, is that IP addresses can be assigned the DROP parameter as Mike commented above.

    A DROP will tell the firewall to not respond to the bot at all. Typically this works well for DOS type attacks because the server doesn’t waste any overhead or bandwidth telling the bot that it’s rejected. In fact, this often ties up the software on the spammers end because it’s waiting for an http response that never comes.

  27. Stephen (4 comments.) says:

    I use a variation on the Bad Behavior/ Spam Karma/ Akismet combo, in that I use Akismet via a plugin for Spam Karma. That of course only helps if the spammers are actually successfully posting to your blog, which you say is not happening…
    http://www.striderweb.com/nerd.....e-the-jla/

    It occurs to me…
    Would it be helpful to change the name of comments.php to something else? I would think a grep search/replace through all the WordPress files could swap that out for whatever you rename it to.

    Might this throw off some of the spammers who are just blindly hammering away at what they “know” is the comments function? Haven’t tried, because I haven’t needed to, but it seems this might help some….

  28. azrin (11 comments.) says:

    Hey Guys.
    I used none of em, and seems that an effective way to block them is telling yr ISP off. I used to have LOADS,and they still do keep on trying, but at http://Marlindaradzi.com, where my wife puts up her recipes and all, a good trick is to require the index.php as the HTTP_REFERRER in order to pull up the WP-COMMENTS.PHP and other php scripts.

    Also, I made it a point to Spool my spam list from the b2Evolution list,which is updated hourly.(my daughter’s site uses B2E).

    so, it basicly gets themselves killed off, and easy way is to deny eastern european ISP, or IP addresses from SERVERS or ISPS eq: 65.*-70.* unless they produce a user-agent,cos Googlebot too gets on nerves with private posts being published!

  29. Mark (118 comments.) says:

    azrin, that is an interesting idea. I will try and put something together and see if that works. Thanks

  30. Quix0r (2 comments.) says:

    I’m using a battery of spam-kicking plug-ins here: SK2, BB2, Akismet-SK2 plus my own CPR plug-in which prevents spambots sending their POST request to wp-comments-post.php by inserting a server-unique hash. I hope I’m not getting blacklisted when I’m trying to tell people why they can use it additionally… :-/

  31. Michael Hampton (14 comments.) says:

    I’m actually on a blacklist which is floating around amongst the spammers, so not as many of them actually hit my sites as I’d like. So the fact that some spammer was running an overly aggressive bot was news to me, and I actually heard about it from one of my users.

    I’ve been testing some changes to Bad Behavior which should slow down such rapid-fire bots. Not by much, but maybe just enough.

    I should have the next release (and a fix for the Verizon Wireless issue) out in a day or two.

  32. Michael Hampton (14 comments.) says:

    And of course this blog for some reason decides my comment is spam…

  33. Beth (4 comments.) says:

    Earlier this week I was hit with over 1000 spam comments, all caught by Akismet and BB, but the issue still remains with blocking the IPs- it would be a tedious task to say the least to go in and blacklist 1000 different IPs- since none were from the same block. I deleted all without going through them and apologized to my readers if they commented and the comment never showed on the post and explained what happened. Luckily, no legitimate comment was caught and deleted.

  34. ColdForged (2 comments.) says:

    I recently blogged about this very thing and I’ve actually taken the, for me, extraordinary step of simply turning off commenting at this point. I don’t feel like getting booted by my host again and doing the host swap churn.

    I have a feeling the server load was mostly my fault, after further consideration. I’ve been working on a plugin to SK2 that takes the worst offenders, both IP and domain, and generate mod_security rules to block the IPs entirely and block the domains from appearing in POST requests. It had been doing quite nicely up until the fated day that I got hit with 10,000 POSTs in about 18 hours. My account got suspended and I disabled commenting as a result. What I realized after the fact was that I was still logging denials in the mod_security log… to the tune of just over 75M of logs. That is likely what pushed me over the server usage edge, so I’m tempted to keep working at it.

  35. May C (1 comments.) says:

    I have BB, Akisimet and SK2 installed, and although it looks like BB is blocking the spam, I still seem to get some spam caught by Akisimet and SK2, which is disturbing. Previously, with BB, I didn’t get any spam and this is troubling.

    Spam annoys me so much that even knowing that they’re there raises my blood pressure. I just wished there were something else better out there. But at least, it seems that most of them are blocked.

    If there is a better contact form spam blocker, that would be so nice.

  36. Amadeo (1 comments.) says:

    one of the blog I host on my server got more the 40 000 (yep, real numbers) of spam within the last week only, too often DoS style. Okay, akismet caught them, but it caused tremendous server load and provoked some [large] downtime.

    So, akismet caught them, but -after- it had been posted, so I needed to at least prevent the comments from being posted. After trying uncessfully some ip / hostname ban plugins, after tried bad behavior, I’ve tried the last option I’d never use before closing any comments: the did you pass math plugin. It a written captcha, that asks the user to solve a simple math problem (e.g. how much does 1 plus 1?) and the same day I went from 50 spams caught per minutes to…. 2 per day.

    It’s really boring for visitors to do, I know, but hell it’s working!

    http://www.herod.net/dypm/

  37. Abazza (4 comments.) says:

    Seit wir Askimet benutzen ist das Thema eigentlich durch. Nur vereinzeln treten noch kleine Spammereien auf,… im Gegensatz zu Früher ist das allerdings verschwindend gering.

  38. Avrila (8 comments.) says:

    I use Akismet and WP-Ban in combination by manually harvesting IP addresses from Akismet spam when I weed through for false positives every few days (used to be every couple weeks but it got overwhelming). I think I need something a bit stronger, but I don’t want to lose the ability to gather and ban IP addresses since I’ve had some issues with mindless repeating spam from the same IP before. I don’t have it as bad as some of you guys, yet, but my pagerank’s pretty low…I shudder to think how it’ll get as I get easier to find.

    I also have a running list of banned IPs available publicly if anyone’s interested, on a page called “Wall of Shame” on the blog I gave as my URI.

  39. Natasha (1 comments.) says:

    I recently experienced a flood of spam messages rising into the thousands. This happened for at least 1 month and then suddenly stopped. Not sure what was happening behind the scenes but it made approving real comments more manageable.



Trackbacks/Pingbacks

  1. [...] Für mich handelt es sich hier um eine vollkommen neue Qualität von Kommentarspam, in diesem Umfang hab ich es bisher noch nie erlebt und damit stehe ich nicht allein da. In der Größenordnung, wie hier dem Server die Requests um die Ohren gehauen werden – da wird wohl so ziemlich jedes System über kurz oder lang das Handtuch werfen. Den Spammern ist das vollkommen egal, es interessiert sie nicht, ob die Zieldateien überhaupt vorhanden sind oder ob es Umleitung gibt etc., ihre Bot-Netzwerke ballern die HTTP-Requests einfach hinaus und fertig. Es ist den Spammern auch vollkommen egal, ob die Einträge überhaupt in irgendeiner Form auf den betroffenen Blogs auftauchen. Bei der Masse, die hier ins Netz geblasen wird, wird sicher das eine oder andere “tote” System dabei sein, welches die zigtausend Einträge einfach veröffentlicht und somit die gewünschten Backlinks produziert. Insofern scheint mir im Augenblick die oben beschriebene Maßnahme der einzig gangbare Weg zu sein, um die Webserver zu entlasten und diesen Spam wirkungsvoll zu filtern. Tags: Blog , kranke welt , nervend , Spam , weblog , wordpress [...]

  2. [...] Wow! Is this true or is this your usual holiday spam floods attack? [...]

  3. [...] Weblog Tools Collection [...]

  4. [...] “This recent trend of almost DOS like spam floods is really starting to tick me off. Akismet seems to be doing its job but the BOT just keeps asking for wp-comments.php even though it is not allowed to post a comment. The IPs, as usual, are very different in each query and the attacks have all the signs of a new bot farm with a new script that just does not want to take no for an answer.” Weblog Tools Collection [...]

  5. [...] Alex說受害者,都是使用icdsoft.com.hk的用家,不知是否有關連。 其實這一浪的spam侵襲是國際問題。 Weblog Tools Collection在12月13日有這一篇:Spam Floods Pissing me off! Blogging Pro在12月11日有這一篇:Recent Spam on Blogging Pro [...]

  6. [...] 其實這一浪的spam侵襲是國際問題。 Weblog Tools Collection在12月13日有這一篇:Spam Floods Pissing me off! Blogging Pro在12月11日有這一篇:Recent Spam on Blogging [...]

  7. [...] experience this problem, there are many other people also having the same problem too, especially Mark who has been really pissed of by these spam [...]

Obviously Powered by WordPress. © 2003-2013

page counter
css.php