Blog Comment Spam Ninja Tools

By Terry

I’ve been looking at my blog comment spam counts lately and although Spam Karma is doing a fantastic job catching 99.9% of them, I’m still having to go in daily and remove 200 - 300 comments caught in my spam traps. Sometimes more.

I’d like to go a layer deeper now and try to stop blog comment spammers before they can actually make a comment. Less work for me that way :).

Some tips:

Looking through my Spam Karma data, I can see several IP numbers that are creating huge amounts of comment spam. I’m going to block them from access to SuperAff:

Combating Comment Spam/Denying Access

Below is an example of the .htaccess file that sits in the root directory of a website. The addresses are placeholders.

order allow,deny
deny from 123.123.123.123
deny from 456.456.456
deny from 789.789
allow from all

deny from 123.123.123.123
Access is denied to that IP alone.

deny from 456.456.456
Access is denied to ALL users whose IPs start with 456.456.456. Apache matches a partial address like this as a prefix; it does not understand the * wildcard form (456.456.456.*), which it reads as a host name, so that form never matches an address.

deny from 789.789
Again, anyone at all with an IP that starts 789.789 is blocked.

So a total of 256*256 unique IP addresses are blocked.

If you do start blocking IPs, then a blocked visitor will see a 403 error page. Try to make sure that such a page has your contact details listed. Check your hosting to see how to make a custom 403 (or see below too).

If you start blocking whole ranges of IPs, at least give someone the chance to email you to say you may have made a mistake.

By picking through my traffic logs, I can see some comment spammers access the wp-comments-post.php directly. Let’s give them the boot too:

Deny Access to No Referrer Requests

When your readers comment, the wp-comments-post.php file is accessed, does its thing, and creates the post. The user’s browser sends a “referrer” line (the HTTP Referer header) with the request, naming the page the comment form was on.

When a spam-bot comes in, it hits the file directly and usually does not leave a referrer. This allows for some nifty detection and action direct from the server. If you are not familiar with Apache directives, then write the following in your root directory .htaccess file:

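# Turn on mod_rewrite for this directory
RewriteEngine On
# Only look at POST requests...
RewriteCond %{REQUEST_METHOD} POST
# ...aimed at the comment handler
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...that carry no referrer from your own site, or an empty user agent
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the request back to the address it came from
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]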
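
An added example, not part of the original post: a short Python script that applies the same test as the rewrite conditions above (a POST to wp-comments-post.php with no referrer from your site, or an empty user agent) to Apache combined-format log lines and returns candidate deny from lines for repeat sources. The log lines, the yourdomain.com placeholder and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SITE = "yourdomain.com"  # assumption: same placeholder as in the rewrite rules


def is_suspect(line, site=SITE):
    """Return the client IP if the request matches the rewrite conditions, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not counted
    if m["method"] != "POST" or "wp-comments-post.php" not in m["uri"]:
        return None
    referer = m["referer"]
    # Substring test, like the rewrite rule: Apache logs a missing header as "-"
    no_site_referer = referer in ("", "-") or site not in referer
    empty_agent = m["agent"] in ("", "-")
    return m["ip"] if (no_site_referer or empty_agent) else None


def deny_lines(log_lines, threshold=2):
    """Count suspect POSTs per IP and return 'deny from' lines for repeat offenders."""
    hits = Counter(ip for ip in map(is_suspect, log_lines) if ip)
    return [f"deny from {ip}" for ip, n in hits.most_common() if n >= threshold]


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2006:13:55:36 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2006:13:55:39 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Oct/2006:14:01:02 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://yourdomain.com/a-post/" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2006:14:05:10 -0700] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://yourdomain.com/a-post/" ""',
    '192.0.2.9 - - [10/Oct/2006:14:06:11 -0700] "GET /index.php HTTP/1.0" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE)))
```

Review the output by hand before pasting it into .htaccess; a reader whose browser or proxy strips the referrer will look the same as a bot to this test.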

I can also see that some old blog posts get hit by spam bots more than most. Some receive hundreds of comment spams a week. I decided to edit the blog posts being hit so that they no longer receive comments. I also slipped a note at the bottom of each blog post that comments were turned off due to comment spam.

I could go the captcha route as well, but I don’t like captcha and I don’t think it’s very effective anyway.

I realize spamming blogs is all fun and games for some webmasters. It would be nice though if they just left our web properties alone and played with their own spaces.

4 Responses to “Blog Comment Spam Ninja Tools”

  1. Just some random ideas:

    Maybe take the copy “wordpress” out of your code. Bots troll for wordpress blogs.

    Maybe change “Leave a comment” to “Give your opinion” or something, bots troll serps for “Leave a comment”.

    Use a comment form with a mandatory “preview first” button, this is not the usual behaviour of a bot and most will leave after the first “submit”.

  2. Terry @ SuperAff.com: Ohhhh great suggestions, thank you Mark! Not sure how to implement the preview thingy though. How do I do that? :lol:

  3. Shoemoney had another great idea today “The default for wordpress is wp-comments-post.php by simply renaming this file to say… wpc.php then changing your theme to reflect the different location for the comment file you will ward off a TON of spammers. This will kill 100% of the automated spam bots.”

    As for the preview thing, I thought you might program it yourself if you had free time ;-)

    (but who has free time?)

    So doing a search of google will lead you to a handful of already made solutions.

    I’d probably try shoemoney’s first suggestion first though.

    Also, here’s a secret, on the blogs I programmed myself (and use a forced preview), I’ve never gotten an automated spam comment yet (and only one or two manual idiot submissions).

    I’m not sure if it’s because of the “forced preview” which was a tip from a friend or because I’m not using a spam magnet “wordpress”.

    Good luck.

  4. Terry @ SuperAff.com: Thanks again Mark, I’ll dig around and see what I find (program it myself :shock:).

    I did try once-upon-a-time to remove all wp- and wordpress stuff from the core files and found it to be a disaster with one of the recent upgrades. Gave up on messing around with core files, but it’s definitely an option for those.
