SPAM Getting Through

there must be something else going on with your site then because there are literally thousands of blogs with this plugin and they’re all not reporting this so perhaps there is a vulnerability in your theme (like the timthumb vulnerability) or another plugin is putting a back door in

every blog gets spam.. if you let in spam previously then you’re marked as someone who gives backlinks so you’ll get more spam

the plugin helps to prevent spam and detect it, set your settings to send suspicious comments to spam and you wont have to moderate them and eventually the bots will see you don’t give links and make sure you’re using the latest version so comments awaiting moderation don’t show links

Hi Andy

It might be a matter of people not bothering to report it to you, I don’t know, but I can confirm the same issue. I’m running the latest version of WordPress (3.7.1) and the latest version of GASP (1.5.4) and I also still get about 300 or 400 or so automated spam comments per day. I’ve used GASP for only about a month, and from reading the reviews I anticipated a drop to zero spam comments, or close to that, but alas they continue. It’s perhaps a half, or a third of what I used to get, but still they come. Site: https://www.permaculturenews.org

Andy:

Yeah, same thing as Permasolutions. Everything was fine when I had WordPress 3.6.xxx. As soon as I upgraded to 3.7.1 the spam started again. Most major sites aren’t going to upgrade to 3.7.1 right away, so that might be why you’re not receiving a lot of people reporting issues either.

Now while you can just “brush off” these reports as nothing wrong, so far you have at least two users who upgraded WordPress to 3.7.1 from an earlier version and are now reporting issues with spam coming through. To me that would raise a flag that maybe as a developer I would want to upgrade a site to 3.7.1 and see what happens.

Anyway, here are my settings as a reference:
* Checkbox Label: Check to verify you are NOT a spammer
* Checkbox Name: cl_check_568
* Secret Key: Use secret key? (is ticked)
* Allow Trackbacks?: (unticked)
* The user forgot to check the checkbox: Please check the box to confirm that you are NOT a spammer
* The user does not have javascript enabled: You may have disabled javascript. Please enable javascript before leaving a comment on this site.
* The form has a hidden field added with a labe…: You appear to be a spambot. Contact admin another way if you feel this message is in error
* User refer check?: YES
* Maximum comments in moderation?: DISABLED
* Maximum number of URLs allowed in comment text: 0
* Maximum number of words allowed in name field: 0
* Where to send suspicious comments?: PENDING

I also do not have any cache plugins.

Thank you.

PS: Andy: you also never responded to the bug report below:

On my plugin page is says it’s using GASP “Version 1.5.4 “. However, when I click on “settings” for the plugin it says, “Version 1.5.2 GASP has caught this many bot comments : 0”

I’ve never had a version of GASP prior to 1.5.4, so don’t know why it would say version 1.5.2?

???

I’m having the same issue. This was a problem with 3.6 before the last update. And when I upgraded to 3.7.1, the spam floodgates seemed to open again. I’m getting hundreds through, and almost nothing is being sent directly to the spam folder (and that’s where my GASP settings are telling suspicious emails to go).

This worked just fine with my previous plugin line-up. The only new plugin I’m using is a match captcha plugin, and that was put in after GASP started letting a ton of spam through to try to minimize the problem. I’ve since disabled the captcha for everything but the registration form as spam seems to have picked up there significantly too lately. Spam is getting through on multiple sites using this plugin — I’ve noticed it on at least three of my own, although I haven’t dug into the rest of them yet. All of their plugin line-ups are different, and I tested two sites with nothing else enabled, so it doesn’t appear to be a plugin conflict. All of those sites are on 3.7.1 now. I’m hesitant to update the rest of my installations.

On my main site as an example (although settings are different on each), the secret key is on, trackbacks are off, user refer check is on, it’s set to 3 maximum comments in moderation, and it’s set to send suspicious comments to spam (although it doesn’t appear to be doing that).

I also have CommentLuv enabled on that site if that matters in any way.

Hey all:

Shortly after my last post I deactivated the GrowMap plugin and installed the “HumanCaptcha” plug-in; the spam count for both comments and user registration on my sites has dropped to zero.

For those in a bind, here’s a link to the plugin which after a few days is working fabulously for me:
https://www.ads-software.com/plugins/humancaptcha/

are they spam comments or spam trackbacks? (trackbacks aren’t tracked by gasp)

I’ve had numerous reports of users who say they’re being spammed and gasp is not catching it only to find it is not comment spam but actually trackback spam

you can tell it is a trackback if it does not have an email address showing on the comment in your dashboard

@permasolutions

is it possible to show screenshots of 300 or 400 spam comments in a day?

even without gasp and commentluv not running, I don’t get that on a very big site with tens of thousands of hits so it appears that it must be something else causing this on your site

—

if this is happening with blogs that upgraded to 3.7.1 from 3.6 then perhaps it is a wordpress thing that is bypassing gasp?

if the same plugin is being used on 3.6 and 3.7.1 and you’re only getting spam on 3.7.1 then the finger is pointing at wordpress

I’m sorry I can’t help more. WordPress is a complex piece of code and literally every blog is different so perhaps something changed in 3.7 that allows spammers to bypass the normal actions that wordpress uses and GASP listens to?

Andy, could you please take a look at my problem?

GASP checkbox and text are misaligned and they show up somewhere in the right. I have no idea why. First I’ve suspected the Subscribe to Comments plugin is conflicting with GASP which also uses a checkbox (the checkbox with “Notify me of followup comments via e-mail”). So I disabled “Subscribe to Comments” but that didn’t fix the problem.

I tried other ways to fix but nothing worked. How can I fix this issue? Which GASP file do I have to edit and what do I need to do?

I have attached a screenshot so you can see what I’m talking about:

https://img834.imageshack.us/img834/1806/o2r8.jpg

@justatest47: It is considered impolite to interrupt another poster’s ongoing thread unless you are posting a solution or suggestion. It causes significant problems for the forum’s volunteers and prevents us from being able to track issues by topic. Please post your own topic.

Hi Andy

The spam comments I’m getting are definitely not trackbacks.

In regards to how many I get a day, I only guessed at about 300-400 per day. The reason it was just a guess is because I empty the spam comments folder about 10 times per day (while I’m moderating legitimate comments), so I wasn’t clear on the total for a 24 hour period. But, after I made the comment above, I found that the amount of spam is actually a lot higher – as after a lazy Saturday I had over 1000 comments in a 24 hour period.

Back to today: I had cleared the spam folder just before getting notification of your above comment. Here’s a screenshot from only 20 minutes or so after clearing the spam folder (you’ll see that after only 20 minutes I already have 21 spam comments):

https://www.permaculturenews.org/temp_screenshots/spam_comments.jpg

Not sure what else to tell you, except that I’m running the latest WordPress, with the bootstrap theme.

I’ll just keep clearing the spam folder I guess. ??

Andy,

I’m following up here. I deactivated GASP about two weeks ago as just like everyone else here I’ve been inundated with spam.

Strange thing is with GASP deactivated suddenly the spam slowed down to a bare crawl.

I activated GASP again and it shot up. Deactivated and the spam virtually stopped.

As I’ve been using GASP for years it’s a shame to see this happen. There’s no theme conflict unless your last couple of updates would have changed that. Likewise other plugins. Just like everyone else this all started with the last big WP upgrade.

For now my spam issue is under control as I don’t have GASP activated.
I hope this helps you in fixing this plugin. And if not then maybe others reading here can try similar things or alternative solutions if GASP is not working for them.

About two months ago spam started getting through GASP on my site (it had been working wonderfully until then). The amounts getting through have gotten larger and larger (over the past day or so, over 2000). I suppose this could have something to do with a wordpress update, but I doubt it. It seems very clear that someone out there has written a GASP-aware bot that can get around it. I’m willing to help look into this, I control completely the web-server being used. From the logs, nothing looks unusual to me, a typical spam comment that bypasses GASP just looks like

222.77.225.122 – – [22/Dec/2013:17:17:31 -0500] “POST /~woit/wordpress/wp-comments-post.php HTTP/1.1” 302 – “https://www.math.columbia.edu/~woit/wordpress/?p=6476/” “Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0”

I finally deleted GASP on my blogs, and the problem resolved immediately. So if there isn’t a problem with the plugin itself, then it does look like spammers found a way to target it and get past the spam filters. So for those getting slammed with hundreds of spam comments a day like I was, your only option seems to be deleting the plugin, at least temporarily.

Hi,
I had the same problem, but I think I found out why SPAM was getting through.

I think spammers found a way to use the trackbacks. So I disabled trackbacks and the flood of spam diminished. Go to Options > Discussion panel to disable trackbacks on future posts.

For existing posts Go to Edit posts and uncheck Allow Pings from the Write Post SubPanel.

Hope this helps and Andy thanks a lot for making this great plugin. It still works great for me with this settings for trackbacks.

handig, I don’t think that was the issue. I had trackbacks off on multiple blogs when trying to troubleshoot this. And I was getting hundreds of spam comments in my queue every day with this plugin installed. It didn’t matter if the blog had a few thousand posts, a few hundred, or a few dozen. Spam comments were in the hundreds regardless. And it all stopped the moment the plugin was deleted. It seems pretty clear that someone figured out a way to target users of this plugin.

I can’t explain why all sites using it weren’t hit. Perhaps the spammers are targeting only blogs with several factors — like the plugin being installed plus a certain Pagerank. Only my oldest, highest pagerank sites were being slammed (in different hosting accounts too, so it wasn’t an issue on my server letting them in). All sites hit were several years old and had a Pagerank of at least 3. That’s the only similarity other than the plugin that I could find. Newer and smaller blogs didn’t have the problem.

Even if it were an issue of trackbacks, spam wasn’t coming through on other blogs with trackbacks enabled. The plugin shouldn’t be doing anything that makes trackbacks more susceptible to spam. While I’m not sure exactly what the problem is, it really does need to be looked into, especially given how long people have been pointing out these problems.

Anyone here heard of Cloudflare? If you are getting that much spam then you are being targeted. Perhaps a hole in the code spammers have found.

I use Cloudflare, a free service and it works. You have to jump through a few hoops to get setup and it takes a couple days, but well worth it.

CDN, speed boost and security… for free. I do not work for them, just thought I would mention it…

I still get a few spam from time to time that manages to slip through but considering they stop tens of thousands a month, works for me..

John
[sig moderated as per the Forum Rules]