
Wed, 08 Dec 2004 10:39 PM

Spam by $_POST part 2.

Michael Dale
Spam sucks. I talked briefly about spam by $_POST here: http://blog.dalegroup.net/archive/blog/newsid/142

Stuart (http://smkz.is-a-geek.net/) has been receiving vast quantities of spam on his wordpress site. This is because the comment form and its handler are the same across all wordpress installs, making it easy for bots to target these sites in bulk.

The bots have customised settings that send $_POST information directly to the wordpress (or other) site without ever loading the comment form, in this case to the file wp-comments.php.

I tried to help Stuart with his problem by writing an htaccess rule that blocked direct access attempts to this file (and a few others).

# Needs mod_rewrite. The conditions read as
#   (referer is not this site) AND (URI is one of the four comment scripts)
# Note that an empty Referer (privacy settings, some proxies) is also blocked,
# so some real visitors will get a 403 as well.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://smkz\.is-a-geek\.net/ [NC]
RewriteCond %{REQUEST_URI} wp-comments-post\.php$ [OR]
RewriteCond %{REQUEST_URI} wp-comments\.php$ [OR]
RewriteCond %{REQUEST_URI} wp-comments-popup\.php$ [OR]
RewriteCond %{REQUEST_URI} wp-comments-reply\.php$
RewriteRule .* - [F,L]

It didn't take long for the bots to work around this, though: the Referer header is supplied by the client, so a bot only has to send one that matches the site.

I have now modified his wordpress install to add a hidden input field to the comment form (wp-comments.php). Its value is sent along with the comment to wp-comments-post.php, which checks that it is correct; otherwise the comment isn't posted.

So it looks something like this:

wp-comments.php (and popup one if used)

<!-- Dale's spam block: hidden field inside the comment <form>. The name and
     value must match the check in wp-comments-post.php below. -->
<input type="hidden" name="the-dale-spam-block" value="same random number here" />

wp-comments-post.php
<?php
//Start Dale's spam block here
// Reject the request unless the hidden field is present and exactly right.
// isset() avoids a PHP notice when the field is missing; !== is a strict
// comparison (with != two numeric strings compare numerically, so "48291.0"
// would match a secret of "48291").
if (!isset($_POST['the-dale-spam-block'])
    || $_POST['the-dale-spam-block'] !== 'same random number here') {
    die('spam block');
}
//Finish Dale's spam block here

If people really wanted to spam his site they could just take this random number and modify the bot settings. Although I don't think they will (too much effort for one website).

I've also developed a new system, currently running on this site, which is much better. I do plan to port it to wordpress, but wordpress doesn't currently make use of sessions (except in the admin panel) and therefore doesn't support what I am doing on this site.

Think of this system as being like one of those random image number generators (a CAPTCHA), but without the user needing to type anything extra in.

I randomly generate a string that is put into a hidden post field. The same string is also stored in the session. When the user posts, the string is sent to the post file, which then reads the string sent by the user and the string out of the session. If the two are the same, the comment can be posted.

This is good for two reasons.
1) The string changes on every reload, so a bot cannot be customised around a fixed value.
2) Cookies are needed to hold the session id. Almost every user has cookies turned on, but a bot that fires $_POST requests blindly never gets a session cookie and so cannot present a string that matches the session.

The caveat is that this raises the bot's cost rather than making posting impossible: a bot that first fetches the form, keeps the session cookie and replays the hidden value from that same response would pass the check. What it does defeat is the blind $_POST described at the top of this post.
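As an added example (my code, not the author's and not from WordPress), here is how the session-bound hidden string described above, together with the two reasons it works, can be implemented in PHP. The field name the-dale-spam-block is reused from the snippet earlier; the session key dale_spam_token, the two function names and the use of random_bytes()/hash_equals() (PHP 7 or later, long after this post) are my assumptions, not something the post specifies. It also makes each token single-use and handles a missing or non-string field, which the original description does not cover.

```php
<?php
// Added example (not code from the original post or from WordPress): a
// session-bound hidden token for a comment form, in the style described above.
// Assumed names: the session key "dale_spam_token" and the two functions below
// are illustrative; the field name "the-dale-spam-block" is the post's own.
// Requires PHP 7+ for random_bytes() and hash_equals().

session_start();   // must run before any output so the session cookie is sent

// Called when rendering the comment form (wp-comments.php in the post's setup).
// Generates a fresh random token on every page load, stores it in the session
// and returns the hidden input to echo inside the <form>.
function spam_block_field(): string
{
    $token = bin2hex(random_bytes(16));            // 32 hex chars, unguessable
    $_SESSION['dale_spam_token'] = $token;
    return '<input type="hidden" name="the-dale-spam-block" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Called at the top of the handler (wp-comments-post.php in the post's setup)
// before the comment is stored. Returns true only if the client that fetched
// the form is the one now posting. Checks, in order:
//   1. the visitor has a session containing a token (a bot that never loaded
//      the form, or that drops cookies, has no session and fails here);
//   2. the submitted value is a non-empty string (a field sent as an array,
//      e.g. the-dale-spam-block[], would otherwise break the comparison);
//   3. it matches the stored token, compared in constant time.
// The stored token is removed either way, so a value can be used at most once.
function spam_block_check(array $post): bool
{
    if (empty($_SESSION['dale_spam_token'])) {
        return false;
    }
    $expected = $_SESSION['dale_spam_token'];
    unset($_SESSION['dale_spam_token']);          // single use, even on failure

    $sent = $post['the-dale-spam-block'] ?? null;
    if (!is_string($sent) || $sent === '') {
        return false;
    }
    return hash_equals($expected, $sent);
}

// --- in the form page ---
// echo '<form method="post" action="wp-comments-post.php">';
// echo spam_block_field();
// ... the usual name / e-mail / comment fields ...

// --- at the top of the handler ---
// if (!spam_block_check($_POST)) {
//     die('spam block');
// }
```

Because the token is discarded on every check, a double-submit or a replay of a captured value fails; the user simply reloads the form to get a new one. The limit noted above still applies: a bot that fetches the form, keeps the cookie and posts the value it was given will pass, so this blocks blind POSTs, not a determined attacker.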

Cool. So I'll look into wordpress support later but use the system I've done above to block stuff for the time being.

To be continued...