All comments are off (for now)

July 11th, 2005

I have turned off all commenting on this blog till I can come up with an acceptable method to prevent spammers from DoSing the MySQL server. On average yesterday, the server received ~10,000 comment spam post requests and thus the scattered downtime for the server. I need to prevent a database query for every comment request, somehow. Please email me if you have some ideas or already have something in place.

Be back with comments soon. Sorry for the inconvenience.

PS: I am not really looking for a spam filter (of which I have enough). I need something that would intercept spam comments before the commenting process starts and accesses the database.

[EDIT] Back on again, please report any problems.
Suggestions that I have found useful include:
Apache mod_security, Spam Valve, Bad Behavior, WP Hashcash and Referer Bouncer
I have already implemented a couple of these and am in the process of rewriting a couple more to suit my needs. The first three are very promising. Bad Behavio(u)r has some clever code and, when used without the logging feature, is very swift. I might tweak the code a bit to make it even more transparent and engage it *before* the WordPress process using AddHandler. Using JS verification is an option that I would consider but would rather stay away from.




  1. Christoph (1 comments.) says:

    Why not use WP Hashcash? It uses JS and md5 encryption and doesn’t cause much higher server load.

  2. Dougal Campbell (35 comments.) says:

    Because WP Hashcash doesn’t come into play until after your web server has already done a lot of work trying to process a comment post request. It stops bogus comments from getting to the database, but it doesn’t do much to save the server’s CPU.

    That’s why I came up with SpamValve. I shifted some of the burden to a much lower level of the operating system (the TCP/IP stack), which takes a lot less work. I still get occasional load spikes, but I think that some of them are from other users’ web applications on my server.

  3. Code (1 comments.) says:

    I use bad behavior. It seems to do a nice job, but I don’t get nearly the traffic you do. Let us know how Hashcash works for you!

  4. LG says:

    Have you tried to block bad referrals? Try to add them to .htaccess and it will block a big part of the spam posts before accessing your page.

  5. Jonathan (12 comments.) says:

    Have you considered the Bad Behavior Blackhole + Spam Karma2? A very good combo I think.

  6. IO ERROR (2 comments.) says:

    Even run as a plugin with database logging, Bad Behavior should be very fast on reasonably fast servers. With a site exceeding 10,000 hits a day, though, you might not want to log.

    That PHP value for site-wide usage should be about like this:

    php_value auto_prepend_file /server/path/to/bad-behavior/bad-behavior-generic.php

    Note that Bad Behavior does not need to be installed in the WordPress directory in this installation type – indeed, it can be anywhere. And it should not be activated as a WordPress plugin in this configuration.

    Bad Behavior Blackhole is another project entirely (albeit related) and is developing much more slowly.

    Let me know if you have any questions or troubles.
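
An added example of the pre-WordPress gate this thread is looking for (it is not Bad Behavior's code and not from the post or any commenter): a script loaded through the `php_value auto_prepend_file` directive quoted above that rejects comment POSTs on cheap header checks and a flat-file per-IP rate limit, without touching MySQL. The file name `comment-gate.php`, the thresholds and the state directory are assumptions.

```php
<?php
// comment-gate.php: added example with a hypothetical file name, not Bad Behavior's code.
// Load with: php_value auto_prepend_file /server/path/to/comment-gate.php

const GATE_WINDOW_SECONDS = 60; // assumed policy: sliding window length
const GATE_MAX_POSTS      = 3;  // assumed policy: comment POSTs per IP per window

/** Returns a rejection reason, or null when the request may continue to WordPress. */
function gate_check(array $server, string $stateDir, int $now): ?string
{
    // Gate only comment submissions; every other request passes untouched.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST'
        || basename($server['SCRIPT_NAME'] ?? '') !== 'wp-comments-post.php') {
        return null;
    }
    if (trim($server['HTTP_USER_AGENT'] ?? '') === '') {
        return 'missing User-Agent';
    }
    // The comment form lives on this site, so a browser's Referer names this host.
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    $ownHost = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''));
    if (!is_string($refHost) || strtolower($refHost) !== $ownHost) {
        return 'missing or off-site Referer';
    }
    // Per-IP sliding window kept in a flat file: no database involved.
    $fh = fopen($stateDir . '/gate_' . md5($server['REMOTE_ADDR'] ?? ''), 'c+');
    if ($fh === false) {
        return null; // fail open rather than block real commenters
    }
    flock($fh, LOCK_EX);
    $stamps = array_map('intval', explode("\n", (string) stream_get_contents($fh)));
    $recent = array_filter($stamps, fn($t) => $t > $now - GATE_WINDOW_SECONDS);
    $recent[] = $now;
    $recent = array_slice($recent, -(GATE_MAX_POSTS + 1)); // bound the file size
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, implode("\n", $recent));
    fclose($fh); // closing the handle also releases the lock
    return count($recent) > GATE_MAX_POSTS ? 'rate limit exceeded' : null;
}

if (PHP_SAPI !== 'cli') { // entry point when prepended by the web server
    // sys_get_temp_dir() is an assumption; on shared hosts use a private directory.
    $reason = gate_check($_SERVER, sys_get_temp_dir(), time());
    if ($reason !== null) {
        http_response_code(403);
        exit("Comment rejected: $reason\n");
    }
}
```

Referer and User-Agent are trivially forged, and some privacy tools strip Referer from legitimate visitors, so the header checks only shed the cheapest bot traffic. The per-IP window is the part that bounds how many requests from one address ever reach WordPress and its database.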

  7. Pariah S. Burke (4 comments.) says:

    If you write something, you’ll be the hero of the WP community.

    Since WP 1.5, even upper level comment spam control is ridiculously inadequate. With WP 1.2, your ThreeStrikes system coupled with Kitten’s SpamWords stopped all comment spam on my high- and low-traffic WP sites. Now that Kitten’s given up, all the anti-spam systems, including Bad Behavior, just don’t cut it.

  8. Angsuman Chakraborty (6 comments.) says:

    For the time being you can turn off trackback to stop the deluge. Then you can experiment with plugins/hacks. Most spams in my experience are trackback. Fortunately most of them also carry a referrer spam load, so I can stop many using the Referrer Bouncer plugin.

  9. Mark (118 comments.) says:

    WordPress Spam control HAS to be content based to be effective. Pariah, I apologize for being dormant for this long. I might come up with something soon.

    PS: Slowed down to only 5200 comment spam attempts yesterday :)

  10. Pariah S. Burke (4 comments.) says:

    “WordPress Spam control HAS to be content based to be effective.”

    I don’t disagree, though I apologize if my first comment somehow conveyed that I did.

    Three Strikes, coupled with Kitten’s Spam Words, read the content of comments and bounced spams based on content and URL count. One month after the launch of I was taking in an average of 3,000 spam comments per day. Installing Three Strikes and KSW instantly dropped that count to under 20, with the remainder being manually posted.

    For a while I received the Three Strikes output and, other than a one day issue caused by my user error, it never trapped legitimate comments. Since a forced upgrade to WP 1.5 (due to security issues with 1.2), I’m spending half my day moderating comments the other anti-spam plugins caught and snatching up the dozens they don’t.

  11. Arvind (6 comments.) says:

    I have no clue what the WordPress equiv (if any) is but something MT users have found to work really well is MT Keystrokes which basically tests to ensure that someone has manually inputted something into the comments box, albeit it won’t stop those morons that manually enter their spam it’ll stop the bots.

  12. Jonathan (83 comments.) says:

    I run Spam Karma2 and Bad Behavior and I haven’t had a spam since =)

  13. IO ERROR (2 comments.) says:

    Hm, you have to actually be using Bad Behavior for it to do anything to stop – or even slow – the incoming tide of spam.
