post-page

Spam floods and Performancing Problems

17
responses
by
 
on
January 15th, 2007
in
General
Performance Graph

Persistent Spam floods have taken over again. I wish these people would quit since it is not only hurting my blog, it is also hurting their own purposes. If spammers realize that if they flood/kill their victims, they do not get the spam on the blog. It is a lose-lose situation. In addition to spam floods, Performancing has been having some serious problems with their servers (I read something about a server move) and that has been causing slowdowns and random problems. I have disabled both for the time being. I have a message in to Chris about the ad problems and I hope to hear back soon but the ads will stay off until things settle down. As for comments, they will remain turned off until the spammers decide to move on.

There HAS to be a solution to stop comment floods. For those that have suggested Bad Behavior in the past, I would like to report that it also fails in stopping the flood. As a matter of fact, it added to the http load and spawned off enough processes that Apache reached its set limit. At this time, the comment post script has been removed to reduce some of the load. As you can see from the processor graph for this particular server, it has been taking quite a beating from all of this.

I would like to say that I have the inclination to come up with a clever script to automagically rename the comment post script when a flood starts, but sadly I doubt I will have the time.

[EDIT] Comments are back on. No word from Performancing.

IMPORTANT: Speaking of issues that need to be addressed. WordPress 2.0.7 has gone gold. Only a few files need to be updated for this release. Please download and upgrade as soon as possible.

[EDIT] Received a second email from Chris from Performancing and it has been restored.

heading
heading
17
Responses

 

Comments

  1. Mark (5 comments.) says:

    I feel your pain. In fact, I’m living it too. We’ve had to upgrade our hosting and it’s still not enough at some times during these floods. These people are idiots. They are taking down all the little guys.

    I am not a programmer but if there is anything you think I can do to help, I would be more than happy to do so.

  2. Matt (1 comments.) says:

    I feel your pain too, my meagre blog was/is being hammered consistency with requests that were more than enough to cause a kernel out of memory exception to be thrown, which then kills of whichever processes it feels need to die, in my case mysql and apache.

    Bad Behaviour didn’t help, neither did Spam Karma 2 or Akismet, as the problem was not the spam getting onto my blog, but the severe number of requests coming through that was crashing my system.

    I’ve found renaming my comment page and then blocking all requests to the old wp-comments-post.php file using Apache’s mod_security has so far been a successful bandaid, as well as some IP blacklisting of the most common offenders.

    I’d love to hear a real solution for this too.

  3. Ajay (72 comments.) says:

    Mark, I think spammers are trying to hit the wp-comments-post.php to try and post their comment.

    One solution could be to change the name of this file and all references to it and then block access to the wp-comments-post.php file to throw up 403 errors.

    This is a workaround like Matt suggested above, but it may help curb the attack a bit.

  4. Everton Blair (7 comments.) says:

    I was having the same problems, and I renamed my comments post file and all has been well since.
    http://www.connectedinternet.c.....1/01/1263/

    Some spammers caught on, so I just changed the name again -takes 1 min to do.

  5. Chris Garrett (1 comments.) says:

    Sorry about that, am hoping our server woes are behind us

  6. Michael eh? (2 comments.) says:

    One sure fire way that got rid of spammers from newsgroup alt.binaries.pictures.anime was to track down the site that the spammers were spamming for and complain it off the server. Some ever track down info 3 to 4 links up to the hosts main trunk. Within 2 weeks, spamming in that newsgroup was dead after I made the comment ‘if the spammers have no site to spam for, what would they spam for?’

    I love moderation function though I’m not sure if it blocks the user IP when it is marked for spam. Maybe wp-comments-post.php should check who references it, maybe a parameter from wheither it’s inside the site or externally linked.

    I seen enough multilink spam that an upper limit should be set for URLs in a comment. Since spam is automated, it’s pointless for warnings.

    I also wonder if RSS feed is being used to aid spammers.

  7. Raj says:

    Could there be a script that can get the IP of spammer and add it to the .htaccess file for certain duration of time to completely deny access to the domain? I thought about doing it many a times, but with my limited knowledge of coding, I could not go any further than just dreaming about it.

  8. Michael B (1 comments.) says:

    My site got hit yesterday morning hard, harder than I’ve ever seen. Luckily, SK2 got everything, some 1000 comments. Not being very familiar with how most of these work, I guess I was lucky. I don’t know if while it was happening the site suffered any, but nothing seemed out of the ordinary. I’ve seen a plugin that uses some JS to manipulate the wp-comments file’s name, I’ll look for it.

  9. Michael (19 comments.) says:

    I frequently advocate the use of John Sinteur’s Block-Lists anti spam measures.
    Find it here http://weblog.sinteur.com/index.php?p=8106 (The Daily Irrelevant).
    In combination with Akismet and Bad Behaviour it has prevented all but three spam comments from penetrating my site.

  10. steve (1 comments.) says:

    on my end, i regularly update my mod_security filters and overall, works quite well. filtered spam doesn’t even reach WordPress at all – and for those keywords/phrases that do get through, i’ll let SK or BB handle them – just a simple and elegant 412:precondition failed. :) however, mod_security is not for everyone.

  11. ColdForged (2 comments.) says:

    They were getting me again as well. I couldn’t test the efficacy of my mod_security SK2 plugin — mentioned in a comment the last time you posted about these floods — as my host had left mod_security out of the installation when they rebuilt the server.

    I refer to these as “Maxthon floods” as the culprits have user agents containing “Maxthon” which isn’t too common. As such, I tried to help stave off the attacks with this bit of htaccess ruleset:

    # Maxthon killing
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_USER_AGENT} Maxthon
    RewriteRule .* - [F=412,L]

  12. Michael eh? (2 comments.) says:

    While checking my 404 errors I notice some strange file requests. Since my blog is in another directory than root these attempts didn’t work and were logged.

    /xmlrpc.php twice
    /xmlrpc/xmlrpc.php Once
    /xmlsrv/xmlrpc.php Once
    /blog/”” Once
    The actual file was accessed 8 times this month alone.

    Obviously spammers are using this file maybe as an access point. The question is of what use is it? No doubt spammers are taking apart WP to find openings to hack their way in. Though this points to a file other than wp_comments_post.php. Maybe those who are having problem should check their logs on this howmany times this file is being accessed.

  13. Charles says:

    My business site’s blog has a new wrinkle in blogspam today. The spam has flooded in daily for months, but my assistant moderates it by marking it as spam & it disappears. Today there are 4 comments that will not go away – they remain in the queue for moderation, even though we have deleted them repeatedly, marked them as spam, even repeatedly tried to singly delete them. Nothing has worked. They persist in the queue. Here’s the URL for one of them:
    http://ws.arin.net/cgi-bin/who.....225.177.14
    If anybody has any ideas, we’d appreciate it.

  14. Charles (1 comments.) says:

    OK, Never Mind! My main site’s host server was down yesterday and software issues unrelated to WordPress turned out to be the culprit in my ‘undeletable blogspam’ – but many thanks to Everton Blair for your suggestion – I did rename my blog file today & will do so regularly. Cheers.

  15. Shaw (1 comments.) says:

    Wow, I hadn’t considered the load draw on resources caused by spam attacks. I just thought they were a hassle. and…I had bad behavior installed, and thought it would take care of that…guess I better keep looking! Come on…bust out that comment script please :) Shaw



Trackbacks/Pingbacks

  1. [...] For some strange reason, my blog is being bombarded with spam comments.  This has always been a minor issue but this past week the spam comments on my blog have tripled.  At first I thought nothing of it, then I came across a post from Weblog Tools Collection. [...]

  2. [...] Parece que tivemos mais uma botnet entrando no ar, porque o Weblog Tools Collection notou um aumento no flood de spam de comentário. Particularmente só notei um ou dois falsos positivos a mais que a média, mas teve gente que notou aumentos maiores. [...]

Obviously Powered by WordPress. © 2003-2013

page counter
css.php