dreamerfi

Found it. In wp-content/plugins/wp-cache/wp-cache-phase2.php, change in the function wp_cache_ob_end, the call to ob_end_clean() to ob_end_flush().

(hmm – forum software mucked up the urls – read “https://” everywhere where a link is inserted by the software..)

Denis, I’ll email you seperately. I may be able to help you.

“online-deals-4u [dot] info” – not yet – most of his sites are not up yet, and the domain has only two (non-functioning) name servers at this point. I suspect it’ll take us a few hours at most once he turns on his domains…

Well, get a good night of sleep, and look at the discussion! Indeed, I’m talking about wordpress 1.2.2 for this fix. Multiple IP addresses is simple, just duplicate the if-statement. glo, thanks for the reference to “users online”!

Glo, my pleasure, thanks for the kind words! By the way, what plugin are you using for the “3 Users Reading” bit in your right column?

And here’s another interesting twist. I modified wp-comments-post.php as well. Find the code that reads:

$url = trim(strip_tags($_POST[‘url’]));
$url = ((!stristr($url, ‘://’)) && ($url != ”)) ? ‘https://’.$url : $url;
if (strlen($url) < 7)
$url = ”;

and after that, add:

if (strpos($url, ‘ttp://’) > 0)
{
$pieces=explode(“/”, $url);
$lookup = gethostbyname($pieces[2]);
if ($lookup == “161.58.59.8”)
{
syslog(LOG_ALERT,”redirected $pieces[2]”);
header(“Location: ” . $url);
exit();
}
if ($lookup == “68.167.234.66”)
{
syslog(LOG_ALERT,”redirected $pieces[2]”);
header(“Location: ” . $url);
exit();
}
}

I could probably make a plugin for this if there’s an interest – but Kitten’s plugin(s) seems to catch most of them anyway…

You’re no moron, no worries. Anywhere within <?php ?> tags early in the index.php will do.

here, here and here are some other postings about this spammer.

here is adescription of another attack, including solution. It may help you as well.

Ia€?ve been hacking wordpress again.
This time, Ia€?ve added a plugin that scans the content of a comment, and any URL it finds is checked against a public list at surbl.org.
Whata€?s great about this list is that if a spammer uses a site to a€?sella€? his stuff (say, a€?www.ultra-cheap-crap.infoa€?) he has to link tot hat site in his spam messages. surbl.org lists the sites used by spammers in this way.
Which means, if a comment is posted that mentions a site that is used by spammers, it is assumed that it is comment-spam. Usually, that is true, since most comment spam Ia€?ve seen is of the form a€?I think youa€?d like to check out https://www.my-crappy-shit.coma€?
You can find it here

My experience is that the spammer will never see the message. They’re running bots these days, and don’t care how many calls are succesful or not.. But the message is indeed better ??

I fully agree with you – it’s just that on the “admin” mailing list for dsbl.org, you get a lot of “upset” people who compain “you claim I’m a spammer, I’m not, and I’m going to sue you for defamation!” – followed by a reply from the dsbl folks “no, we’re not claiming you’re a spammer – we just have proof you were an open proxy at some point in time, that’s all, so go ahead and try to sue us for stating facts.”

Oh, and technically, “you’re a spammer” is not the text one should use in the dsbl.org check, since all the dsbl.org list really means is that an IP address has demonstrated to be an open proxy – no more, no less. It’s perfectly acceptable to say “since you’re proven to be an open proxy, we’re not accepting comments from you” – saying “you’re a spammer” would be incorrect…

No, it won’t slow down page generation – since check_comments is only used just before posting a comment to the database it will only slow down posting comments a little bit.