Spam? Read this.

When you study the log, and see the IP address or the host name, it comes from all around the world. I believe these are computers hacked by spywares or virus, trojan, etc. So, it can be you and me. If you wish to prosecute, do it against the advertised web site, not the one that sent the spam (who may be not aware his computer is not under his control).

I confirm that most comments are not spammed if you have all the moderation / registration system on. Trackbacks are spammed, and you do not need any password to post a trackback. As comments and trackbacks are very alike when displayed in a post, there is a confusion. So, disable this trackback system, and it should be ok.

If you need a definitive protection, add this line at the top of your .htaccess file (above the WordPress commands):
RedirectMatch gone .*/trackback.*

It tells the server (and the client) there is no trackback system. Or, instead of “gone”, put “404” (without quotation mark) if you wish to use your customized error page.

> Some powerfull spam bot was set up a couple of days ago.

Not bot…zombie network. There are thousands of zombied computers hammering our servers (BTW, including unbroken URIs of spam sites here the way someone did on another thread simply gives the slime more Google-exposure) all over the world. Since I root my box, I can add huge blocks of China, Korea, and other countries to the firewall, but although it’s slowed the tide, no one could block every zombied Windoze machine that this moron controls. (There’s been a lull…the last one was at 8:20 this morning eastern time.)

> If you need a definitive protection, add this
> line at the top of your .htaccess file (above
> the WordPress commands):
> RedirectMatch gone .*/trackback.*

That’s my rather draconian second choice, although I’d probably redirect to my blank.html file instead to save outbound bandwidth. Again, though, Trackback Validator handily removes all this garbage (see https://trackback.cs.rice.edu/ for the plugin and information), so if the only issue is them showing up on your blog, TV makes that a non-issue without the overhead of the more complex anti-spam systems.

My questions go deeper, though, into how to be the least annoyed by the trackback spam. Has no one here first-hand experience with the WP-Hardened-Trackback plugin? (I should probably just download and run through the code to see how it does what it does; maybe if I get some time this afternoon.)

> Wouldn’t it be fair to send the police to look for
> this criminal spammer/s?

The police have a whole lot better things to do than try to track down the owner of this botnet, I’m afraid. I wouldn’t mind flooding the slime’s machines off the net, but (although I haven’t researched it) I’d wager the target sites are also part of the botnet, shifting by rapidly expiring the DNS entries for the domains, so that’s no help, either. Much as I’d love to see this slime become the wife of an inmate named Tiny, it ain’t gonna happen any time soon.

(Although if you’re in to spammer revenge, read this article from last July…it’ll make you feel a little better… ??

Interestingly, I went through the four entries on my test blog and unchecked the Comment box for each. This morning, I get another spam comment in spite of this.

did you uncheck the allow pings box too?

No I didn’t… so I will now. Thanks.

Under ‘Options’, ‘Discussions’, I unchecked:
1. llow link notifications from other Weblogs (pingbacks and trackbacks.)
2. Allow people to post comments on the article

Didn’t work. I still get spam comments.

I went back to that page and noticed this caption:
Usual settings for an article:
(These settings may be overridden for individual articles.)

Therefore, I went to each of my posts to uncheck ‘allow comments’ and ‘allow pings’.

It’s been 5 hours since I did that. So far, no spam emails. Hope this works.

I installed Akismet and whie it blocked over 1000 comments in a day it missed about 300 since this mess began. Finally I just installed the plugin to turn off comments on EVERY post, turn off comments in general, turned off pings, trackbacks and all that other junk and as a last resort altered my email address in the user profile so there’s no way the moderation notices can be sent to me.

So now, no more spam…no more comments either but I can live with that. At the rate it was going I was set to hit about 9000 spam comment a week!

This is the link to the plugin that turns comments off on older posts:

https://codex.www.ads-software.com/Plugins/Auto_shutoff_comments

What I totally fail to understand is how spam comments get through with

“Comment author must have a previously approved comment”
and
“Users must be registered and logged in to comment”

both ticked. Clearly it’s an exploit/security hole in WP.

“Comment author must have a previously approved comment”
and
“Users must be registered and logged in to comment”

both ticked. Clearly it’s an exploit/security hole in WP.

yea, it’s called a trackback.

moshu, thank you very much. =)

We have to repeat this: comments are NOT spammed if you have enabled all the registration, moderation features, unchecked comments on all posts, etc.
TRACKBACKS ARE SPAMMED. Trackbacks have been attacked. Trackbacks look like comments but are not. You don’t need registration, moderation to post a trackback. That’s why it is easier to spam. Disable pings in all post, and trackbacks features.
All blogs (not only WordPress) are concerned, because the trackback system is based on standards.
It is not a WP flaw or security issue (in fact it is not a security problem, they are not controlling the system, hacking your WP server). It is just simple spam, annoying as usual, but harmless.

So, if you still want to use these features, install anti-spam plugins. That’s why WP 2 is bundled with Akismet plugin.

It would be really helpful if the “mark selected comments as spam” in the mass edit bit was available for www.ads-software.com blogs as well as those on wordpress.com – earlier this morning, 20 spam trackbacks slipped through the system and I had to mark them as spam by editing each comment one by one.

Okay, I installed WordPress last year for a client. Suddenly he calls me in a panic… he is getting swamped with email notifications for comment spam.

So I take a look at his site…. no spam. Good, I think. Then I login to the “dashboard” and check the moderation queue and, sure engough, he is getting hit with an average of one per hour. Not unwieldy, but still a pain in the butt. I turn off notifications and then try to trace them back to which registered user is posting them. Only trouble is there isn’t one. Hmmmmm… let me check my notes….

Blog Concepts 101, chapter 2, paragraph 3:

Anonymous spam can be prevented by forcing all
visitors to login before posting articles or comments

“Good concept”, I say. So let’s check his settings in this regard. First of all, I can’t find the setting that allows you to prevent anonymous (i.e. not logged in) comments. Just for reference I logout and navigate the blog to a nice plump message and scroll down to the bottom so I can post a comment. Well, well! I guess that feature does exist because what I get is:

Leave a Reply
You must be logged in to post a comment.

So I logged back in and found that I could post a comment but only under my user name. Also good concept!

So how is the spam getting passed the login requirement? The first thing to go through my head is to not even ask such a question in the forums till you’ve upgraded the software, so that is what I did: I upgraded him from 1.5.something to 2.0.2. Latest version, right?

I go to bed and get 5 hours sleep (there is no time for any more when you’re a system administrator) and when I wake up I check his moderation queue: Empty! So I turned comment notifications back on and sat back to drink a well-deserved pot of fresh-roasted coffee.

Later today (3 pots of coffee later) I had another look: Awaiting Moderation: 32
All spam!

So, guys & gals, how are they getting in there? Is this a feature or a bug?

It’s been 10 hours. No spam comments or whatever that may be since I unchecked ‘allow comments’ and ‘allow pings’ under each post. I can live without comments, trackback and pings.

So how is the spam getting passed the login requirement?

From what I have seen this stuff is mostly track/ping spam

I can live without comments, trackback and pings.

Why do without? For me Bad behavior is stopping upwards of 2,500 per day, and the 10 or so that make it past that are stopped by SK2. The plugins Podz mentioned in the the first post work, honest ??

So, guys & gals, how are they getting in there? Is this a feature or a bug?

smb488292, do you post before reading the thread from the beginning?

look at the first line of the comment. if it has strong tags, it’s a trackback. trackbacks bypass the requirements to comment.