Sun, 21 May 2006 11:41 PM


Michael Dale

I've just added support to my blog for Akismet through the use of this php class. I'm currently waiting on my API key before I enable it.

spam settings

Sun, 21 May 2006 9:20 PM


Michael Dale

Looks like some spam is finally getting past my spam filter. I'm going to look into adding support for this.

Wed, 17 May 2006 12:50 AM

trackback spam

Michael Dale

I've been getting my fair share of trackback spam in the last month or so. I've decided to disable trackbacks for the time being. Unfortunately I cannot use my spamblock code on them (which works great for normal comments).

Wed, 08 Dec 2004 10:39 PM

Spam by $_POST part 2.

Michael Dale

Spam sucks. I talked briefly about spam by $_POST here:

Stuart has been receiving vast quantities of spam on his wordpress site. This is because the system is standard across all wordpress installs making it easier for bots to target these sites.

The bots have customised settings that randomly send $_POST information directly to the wordpress (or other) site, in this case to the file wp-comments.php.

I tried to help Stuart with his problem by writing an htaccess rule that blocked direct access attempts to this file (and a few others).

RewriteEngine On
# Block POSTs to the comment scripts unless the referer is the blog itself.
# The site's own host name was lost from the original; example.com is a placeholder.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/.*)?$ [NC]
RewriteCond %{REQUEST_URI} .*wp-comments-post\.php$ [OR]
RewriteCond %{REQUEST_URI} .*wp-comments\.php$ [OR]
RewriteCond %{REQUEST_URI} .*wp-comments-popup\.php$ [OR]
RewriteCond %{REQUEST_URI} .*wp-comments-reply\.php$
RewriteRule .* - [F,L]

Although it didn't take long for the bots to work around this.

I have now modified his wordpress install to have a hidden input field. What this does is send a value to wp-comments.php when the user submits a comment. It is then checked to make sure it is correct; otherwise the comment isn't posted.

So it looks something like this:

wp-comments.php (and popup one if used)

//Start Dale's spam block here
// Reject the comment unless the hidden field carries the expected fixed value.
if ($_POST['the-dale-spam-block'] != 'same random number here') {
    die('spam block');
}
//Finish Dale's spam block here

If people really wanted to spam his site they could just take this random number and modify the bot settings. Although I don't think they will (too much effort for one website).

Although I've developed a new system that is currently working on this site which is much better. I do plan to port this to wordpress, but it currently doesn't make use of sessions (except in the admin panel) and therefore doesn't support what I am doing on this site.

Think of this system as one like those random image number generators, but without the user needing to enter anything extra.

I randomly generate a string that is entered into a hidden post field. This string is also stored in a session. When the user posts, this string is sent to the post file. The file then reads the sent string (from the user) and the string out of the session. If both are the same the comment can be posted.

This is good for two reasons.
1) The string changes every reload and thus a bot cannot be customised around it.
2) Cookies are required: almost every user has cookies turned on, but bots don't and thus cannot store the session ID.
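The session-backed hidden field described above, written out as an added example (this is not the post's own code or the wordpress code). It assumes one included file is shared by the comment form page and the comment-posting script, and that the visitor's browser keeps the session cookie.

```php
<?php
// Added example: a per-page-load hidden token stored in the session and
// checked on comment submission. Assumes this file is included by both the
// page that renders the comment form and the script that receives the POST.
session_start();

// Issue a fresh random token for the form. It is kept server-side in the
// session, so a bot that does not keep the session cookie cannot present one.
function issue_comment_token(): string {
    $token = bin2hex(random_bytes(16));   // 32 hex chars, unpredictable
    $_SESSION['comment_token'] = $token;
    return $token;
}

// Compare the value sent in the hidden field with the session copy.
// The session copy is cleared after one check so a token cannot be replayed.
function verify_comment_token(array $post): bool {
    $expected = $_SESSION['comment_token'] ?? null;
    unset($_SESSION['comment_token']);
    $sent = $post['comment_token'] ?? null;
    if (!is_string($expected) || !is_string($sent)) {
        return false;
    }
    // Constant-time comparison, so timing does not leak the expected value.
    return hash_equals($expected, $sent);
}

// Rendering the form: the hidden field value changes on every reload.
function render_comment_form(string $action): string {
    $token  = htmlspecialchars(issue_comment_token(), ENT_QUOTES, 'UTF-8');
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<textarea name="comment"></textarea>'
         . '<input type="hidden" name="comment_token" value="' . $token . '">'
         . '<input type="submit" value="Post">'
         . '</form>';
}

// Handling the submission (the equivalent of the check in wp-comments.php).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_comment_token($_POST)) {
        http_response_code(403);
        die('spam block');
    }
    // Token matched: continue on to validate and save the comment.
}
```

Because the token is consumed on the first check, a form left open in two tabs will fail in one of them; re-rendering the form on failure with a new token keeps that case usable.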

Cool. So I'll look into wordpress support later but use the system I've done above to block stuff for the time being.

To be continued...