Comments on: Spam floods and Performancing Problems

By: Fudeblog by Cesar Cardoso » Normal, para um valor x de normal

Fudeblog by Cesar Cardoso » Normal, para um valor x de normal — Sun, 21 Jan 2007 15:32:35 +0000

[...] Parece que tivemos mais uma botnet entrando no ar, porque o Weblog Tools Collection notou um aumento no flood de spam de comentÃ¡rio. Particularmente sÃ³ notei um ou dois falsos positivos a mais que a mÃ©dia, mas teve gente que notou aumentos maiores. [...]

By: Charles

Charles — Fri, 19 Jan 2007 03:31:24 +0000

OK, Never Mind! My main site’s host server was down yesterday and software issues unrelated to WordPress turned out to be the culprit in my ‘undeletable blogspam’ - but many thanks to Everton Blair for your suggestion - I did rename my blog file today & will do so regularly. Cheers.

By: Charles

Charles — Thu, 18 Jan 2007 17:15:12 +0000

My business site’s blog has a new wrinkle in blogspam today. The spam has flooded in daily for months, but my assistant moderates it by marking it as spam & it disappears. Today there are 4 comments that will not go away - they remain in the queue for moderation, even though we have deleted them repeatedly, marked them as spam, even repeatedly tried to singly delete them. Nothing has worked. They persist in the queue. Here’s the URL for one of them:
http://ws.arin.net/cgi-bin/who.....225.177.14
If anybody has any ideas, we’d appreciate it.

By: Michael eh?

Michael eh? — Wed, 17 Jan 2007 20:46:26 +0000

While checking my 404 errors I notice some strange file requests. Since my blog is in another directory than root these attempts didn’t work and were logged.

/xmlrpc.php twice
/xmlrpc/xmlrpc.php Once
/xmlsrv/xmlrpc.php Once
/blog/”" Once
The actual file was accessed 8 times this month alone.

Obviously spammers are using this file maybe as an access point. The question is of what use is it? No doubt spammers are taking apart WP to find openings to hack their way in. Though this points to a file other than wp_comments_post.php. Maybe those who are having problem should check their logs on this howmany times this file is being accessed.

By: ColdForged

ColdForged — Wed, 17 Jan 2007 15:11:13 +0000

They were getting me again as well. I couldn’t test the efficacy of my mod_security SK2 plugin — mentioned in a comment the last time you posted about these floods — as my host had left mod_security out of the installation when they rebuilt the server.

I refer to these as “Maxthon floods” as the culprits have user agents containing “Maxthon” which isn’t too common. As such, I tried to help stave off the attacks with this bit of htaccess ruleset:


   # Maxthon killing

   RewriteCond %{REQUEST_METHOD} POST

   RewriteCond %{HTTP_USER_AGENT} Maxthon

   RewriteRule .* - [F=412,L]

By: steve

steve — Wed, 17 Jan 2007 07:39:46 +0000

on my end, i regularly update my mod_security filters and overall, works quite well. filtered spam doesn’t even reach WordPress at all - and for those keywords/phrases that do get through, i’ll let SK or BB handle them - just a simple and elegant 412:precondition failed. however, mod_security is not for everyone.

By: Michael

Michael — Tue, 16 Jan 2007 22:50:57 +0000

I frequently advocate the use of John Sinteur’s Block-Lists anti spam measures.
Find it here http://weblog.sinteur.com/index.php?p=8106 (The Daily Irrelevant).
In combination with Akismet and Bad Behaviour it has prevented all but three spam comments from penetrating my site.

By: Michael B

Michael B — Tue, 16 Jan 2007 18:43:29 +0000

My site got hit yesterday morning hard, harder than I’ve ever seen. Luckily, SK2 got everything, some 1000 comments. Not being very familiar with how most of these work, I guess I was lucky. I don’t know if while it was happening the site suffered any, but nothing seemed out of the ordinary. I’ve seen a plugin that uses some JS to manipulate the wp-comments file’s name, I’ll look for it.

By: Raj

Raj — Tue, 16 Jan 2007 18:31:59 +0000

Could there be a script that can get the IP of spammer and add it to the .htaccess file for certain duration of time to completely deny access to the domain? I thought about doing it many a times, but with my limited knowledge of coding, I could not go any further than just dreaming about it.

By: Michael eh?

Michael eh? — Tue, 16 Jan 2007 17:07:37 +0000

One sure fire way that got rid of spammers from newsgroup alt.binaries.pictures.anime was to track down the site that the spammers were spamming for and complain it off the server. Some ever track down info 3 to 4 links up to the hosts main trunk. Within 2 weeks, spamming in that newsgroup was dead after I made the comment ‘if the spammers have no site to spam for, what would they spam for?’

I love moderation function though I’m not sure if it blocks the user IP when it is marked for spam. Maybe wp-comments-post.php should check who references it, maybe a parameter from wheither it’s inside the site or externally linked.

I seen enough multilink spam that an upper limit should be set for URLs in a comment. Since spam is automated, it’s pointless for warnings.

I also wonder if RSS feed is being used to aid spammers.

By: Chris Garrett

Chris Garrett — Tue, 16 Jan 2007 11:46:15 +0000

Sorry about that, am hoping our server woes are behind us

By: Everton Blair

Everton Blair — Tue, 16 Jan 2007 09:45:37 +0000

I was having the same problems, and I renamed my comments post file and all has been well since.
http://www.connectedinternet.c.....1/01/1263/

Some spammers caught on, so I just changed the name again -takes 1 min to do.

By: Rugjeff’s Blog About Blogging » Blog Archive » How Can We Control Blog Spamming

Tue, 16 Jan 2007 07:22:59 +0000

[...] For some strange reason, my blog is being bombarded with spam comments.Â This has always been a minor issue but this past week the spam comments on my blog have tripled.Â At first I thought nothing of it, then I came across a post from Weblog Tools Collection. [...]

By: Ajay

Ajay — Tue, 16 Jan 2007 05:15:12 +0000

Mark, I think spammers are trying to hit the wp-comments-post.php to try and post their comment.

One solution could be to change the name of this file and all references to it and then block access to the wp-comments-post.php file to throw up 403 errors.

This is a workaround like Matt suggested above, but it may help curb the attack a bit.

By: Matt

Matt — Tue, 16 Jan 2007 04:56:42 +0000

I feel your pain too, my meagre blog was/is being hammered consistency with requests that were more than enough to cause a kernel out of memory exception to be thrown, which then kills of whichever processes it feels need to die, in my case mysql and apache.

Bad Behaviour didn’t help, neither did Spam Karma 2 or Akismet, as the problem was not the spam getting onto my blog, but the severe number of requests coming through that was crashing my system.

I’ve found renaming my comment page and then blocking all requests to the old wp-comments-post.php file using Apache’s mod_security has so far been a successful bandaid, as well as some IP blacklisting of the most common offenders.

I’d love to hear a real solution for this too.

By: Mark

Mark — Tue, 16 Jan 2007 02:56:20 +0000

I feel your pain. In fact, I’m living it too. We’ve had to upgrade our hosting and it’s still not enough at some times during these floods. These people are idiots. They are taking down all the little guys.

I am not a programmer but if there is anything you think I can do to help, I would be more than happy to do so.