Category Archives: Spam
Removing Website URL from Comment Forms Stops Spammers
Another way to stop spam comments – get rid of the website URL in comment forms. We’ve finally got rid of nearly all spam comments on graphicline.co.za. Although the site was already protected by Project Honeypot, and comments use a CAPTCHA challenge, we were still getting a lot of spam. Instead of switching to RECAPTCHA with its more difficult text, we looked for another way to reduce successful spam comments.
The common factor in all spam comments was the inclusion of a homepage URL in the form field. The thinking was: if there’s no field for the URL, then spambots may fail as they can’t finish their job. Without a homepage URL field, manual spammers may be discouraged from posting rubbish as well.
Taking Spam Control to an Extreme Level
We took spam control to a ridiculous level. As an exercise in discovering just how effectively spam can be blocked with WordPress, it’s been interesting. We looked at the 4 main types of spam one is likely to see on a blog: comment spam, trackback spam, spam registrations and, finally, e-mail spam from contact forms.
The site chosen was our WordPress information site. A few months back a plugin support forum was added to the site, and public registrations allowed. Almost immediately there was a spate of spam registrations – “visitors” registering an account. Most were bots. How do we know? Well, the only link to the registration form is from forum pages, and only a few registration attempts came from one of these referrer pages – the others all arrived at the form directly, without visiting the site at all.
A Bunch of Spam Registrations
I’m getting a lot of spam registrations for a WordPress site. The interesting thing is, I’ve only allowed user registrations for about 5 days, but have had “subscribe to new posts” forms all over the site for ages.
A normal person would think anyone wanting to subscribe to post/page updates would use one of the convenient subscription forms. But no, it seems they want to register accounts 🙂
The other interesting thing is, the only links to the registration/login forms are from a very small forum section, literally less than a handful of pages. So how are these users finding the form?
Spam Comments Even When Comments Off
Spambots are able to bypass WordPress.com comment settings for individual posts and pages, and submit comments even when comments are off for the page. That’s what it looks like, on first impression anyway.
The spam looks like a comment submission: the spammer’s name and, of course, the outgoing link fields are filled in. The content is typical spam rubbish. These spam submissions certainly look like the spammer has bypassed the comment settings and submitted a comment using wp-comments-post.php.
Looking closer, we see most of the time these spam comments are actually posted using WordPress trackbacks (pings).
Another Spam Scam – Fix this Message
“If you are the owner of the site, you can fix this message by publishing…” is appearing all over blog comment forms. The spammer would have the blogger believe there is an error message somewhere on the site, and that publishing the contents of the comment will somehow fix the supposed problem…
Mysteriously fix the Error Message
Publish the comment and the problem with the site is gone! Wow – as easy as that. No checking code files or testing plugins, all your problems are solved if you are the owner of the site… Publish the comment and you can fix this message. So simple.
Of course this is a spammer trying to get the link to some trash site published, hoping to attract click-throughs to the site, and hoping to sell some rubbish product like cheap black-market Viagra, install malware on the visitor’s computer, or steal personal information such as your banking details. Are we really that naïve? I don’t think so.
Honeypot Trap for WordPress.com and Blogger
Project Honeypot is a Spammer, Hacker and Mail Harvester monitoring service intended to find and list IP addresses used by people with malicious intentions. Project Honeypot is free to join and provides bloggers with a means to identify these types of visitors. Use the database to check IP addresses for threat level and type of threat, join the movement by installing a honeypot trap on your own sites and blogs, report spambots and other ill-intentioned visitors…
Users of WordPress.com and Blogger.com cannot set up a hosted honeypot trap as we don’t have access to the server; however, we can use a quicklink to assist Project Honeypot in collecting data about spambots, automated dictionary attackers, etc.
Using the honeypot trap will not interfere with your normal comment system; it is solely to catch the bots used by spammers. It will also not prevent bots spamming your own comment forms – that’s for Akismet or however else you choose to limit spam.
Spambot – Check the Names and Websites
Spambots getting better? This spammer’s auto spam-bot message is almost convincing. I had to stop for a moment and think; I almost started moving the mouse to find the list of e-mail subscribers when I remembered something – the posted name and website link was not one of the available sign-in services (WordPress, Facebook, Twitter), so how did this commenter manage to subscribe by e-mail when leaving a comment? SPAMBOT…
It nearly got published – it is still a bit early for me. I don’t function too well until I have seriously diluted the blood level in my caffeine stream, and even the eyes don’t see too well until caffeine overtakes the red cell concentration, so I almost missed the “great site dod” intro and the spam terms “cheap” and “viagra”.