Michael Dale
Spam sucks. I talked briefly about spam by $_POST here: http://blog.dalegroup.net/archive/blog/newsid/142
Stuart (http://smkz.is-a-geek.net/) has been receiving vast quantities of spam on his wordpress site. This is because the system is standard across all wordpress installs, which makes it easier for bots to target these sites.
The bots have customised settings that randomly send $_POST data directly to the wordpress (or other) site, in this case to the file wp-comments.php.
I tried to help Stuart with his problem by writing an htaccess rule that blocked direct access attempts to this file (and a few others).
RewriteEngine On
# Forbid requests for the comment scripts unless the referer is the site itself
RewriteCond %{HTTP_REFERER} !^http://smkz.is-a-geek.net/(.*)$ [NC]
RewriteCond %{REQUEST_URI} .*wp-comments-post.php$ [OR]
RewriteCond %{REQUEST_URI} .*wp-comments.php$ [OR]
RewriteCond %{REQUEST_URI} .*wp-comments-popup.php$ [OR]
RewriteCond %{REQUEST_URI} .*wp-comments-reply.php$
RewriteRule .* - [F,L]
It didn't take long, though, for the bots to work around this.
I have now modified his wordpress install to have a hidden input field. This sends a value to wp-comments.php when the user submits a comment. The value is then checked to make sure it is correct; otherwise the comment isn't posted.
It looks something like this:
wp-comments.php (and the popup one, if used): add the hidden input field named the-dale-spam-block to the comment form.
wp-comments-post.php:
//Start Dale's spam block here
// Reject the comment unless the hidden field is present and carries the expected value
if (!isset($_POST['the-dale-spam-block']) || $_POST['the-dale-spam-block'] != 'same random number here') {
    die('spam block');
}
//Finish Dale's spam block here
If people really wanted to spam his site they could just take this random number and modify the bot settings, although I don't think they will (too much effort for one website).
I have since developed a new system, currently running on this site, which is much better. I do plan to port it to wordpress, but wordpress currently doesn't make use of sessions (except in the admin panel) and therefore doesn't support what I am doing on this site.
Think of this system as one like those random image number generators but without the user needing to enter anything extra in.
I randomly generate a string that is placed in a hidden post field. The same string is also stored in the session. When the user posts, the string is sent along to the post file. That file then reads the string sent by the user and the string held in the session, and if the two match the comment can be posted.
This is good for two reasons.
1) The value changes on every reload, so a bot cannot be customised around it.
2) Cookies are required: almost every user has cookies turned on, but bots don't, and thus they cannot store the session id.
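The token scheme just described, as an added example in PHP that is not the author's or WordPress's own code; the function names, the field name comment_token and the session key are assumptions chosen for this illustration:

```php
<?php
// Added example, not the author's code: the session-backed hidden field
// described above, as two functions. Function names, the field name
// 'comment_token' and the session key are assumptions for this example.
// session_start() must run before any output on both the form page and the
// post handler, otherwise the session cookie is never issued.
session_start();

// Called where the comment form is rendered (the wp-comments.php side):
// generates a fresh unpredictable string, stores it in the session and
// returns the hidden input to embed in the form.
function issue_comment_token(): string
{
    $token = bin2hex(random_bytes(16));       // 32 hex characters, new on every reload
    $_SESSION['comment_token'] = $token;
    return '<input type="hidden" name="comment_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Called in the post handler (the wp-comments-post.php side): compares the
// submitted value with the session copy and returns true only when they match.
function verify_comment_token(array $post): bool
{
    $expected = $_SESSION['comment_token'] ?? null;
    unset($_SESSION['comment_token']);         // single use: a replayed value fails
    if ($expected === null || !isset($post['comment_token'])) {
        // No session (cookies off, which is the usual bot case) or the field is missing.
        return false;
    }
    // Constant-time comparison; the submitted value may be any type, so cast it.
    return hash_equals($expected, (string) $post['comment_token']);
}

// Handler usage: reject the request before touching the comment at all.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!verify_comment_token($_POST)) {
        http_response_code(403);
        die('spam block');
    }
    // ... accept and store the comment here ...
}
```

Because the stored token is removed on the first check, a form that was reloaded in another tab will be rejected; reissue the token on every render so the user can simply resubmit.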
Cool. So I'll look into wordpress support later, but for the time being I'll use the system I've described above to block this stuff.
To be continued...