Tramadol Attack

Just had a spam attack, about 90 comments over the course of two hours I was away from the computer. Not a single one is visible because every one was caught by my filter. How to delete them all? Comments Mass edit mode → Search for IP → Check all → Delete checked. Basically less than five clicks to delete 90 comments. The search could have keyed on any part of the name, email, or comment. It took longer to write this sentence than it took to delete two hours of spammer’s work. This isn’t a new 1.3 feature, this has been in WordPress for months.

23 replies on “Tramadol Attack”

Yeah, I think I was getting hit by the same guy – it was kind of funny watching them come in for awhile. Every few minutes… like someone was sitting there, scratching their heads, wondering why the comment wasn’t showing up. Muwhahaha… then I got tired of deleting the comment notifications out of my inbox and just banned the IP from my site (I know that’s not typically recommended, but they were all from one of two of the same IPs). Spam moderation has been SO much easier since moving to WP! 😀

I got the same tramadol attack… well, not the same, because it was only about 20 comments instead of 90, and I didn’t have any filtering set up, and I just deleted them one at a time… hmm.. the only thing really in common was that it was about tramadol… what filter do you have set up that caught them all?

I just have the word “tramadol” in my moderation keys, which is why your comment took a minute or two to show up.

Jennifer, yeah I got bored of it too so I banned the IPs. If anyone else wants to do this put the following in your .htaccess:

Deny From 61.30.47.

Of course that’s blunt, easy to get around, and may be blocking a small chunk of China, but war is hell. 😉

Celebrating your victories is a good thing. So is thinking about what comes next, what comes from the smart bot author. Two IPs? There’s no reason to expect they’ll ever be the same. Ninety comments linking to the same URL? How about 88 linking to a dozen redirectors, one to an unconnected site, and one to what appears to be a blog until you view-source? How many clicks, after you deleted those, to see all the comments that arrived since some time before the first you deleted? How many more to follow every link in them to a 200, and parse the links from those pages? How many more to port-scan all the source IPs, looking for open proxies? What would you do, if you wanted to place URLs on as many sites as possible, and have them stick?

But, welcome to my world. Good to have you here at last 🙂

Phil, I know. That’s why we don’t emphasize IPs or domain names in our anti-spam efforts, they’re too ephemeral. This spambot was pretty dumb, however the source IPs or user agent wouldn’t have mattered because a simple keyword match on a spamword that has been on the list for months would have caught every single one. I’ll ping you with a few of my new ideas, if you sign on AIM. 😉

Even so, we are still losing. The spammers’ bots post, I imagine, thousands of comments per hour, and the google bot is bound to catch at least some of them published…
I’ve considered adding one of those “read the fuzzy picture” fields to my comments form but I’d have to either mutilate MT or embed it into a PHP layer, or worse.

Gotta wonder too: Spam in email makes sense, as even stupid morons can use email, so even if they get a bite rate of 0.00001%, they will make money.
But blogs are generally used and read by people with a little more technical savvy, and hopefully smart enough to not buy anything as a result of comment spam.
Anyone know of anyone that ever bought anything as a result of comment spam?

Morning after count: 48 that stuck around long enough (in feeds they know about) for Bloglines to see them (#1 top gainer and #2 top link for the day), of which 22 are still there. Of those, moderation for any comment on a post more than two weeks old, which hasn’t had a comment in more than two days, would have stopped 22.

Not only does it decrease your attack surface, it’s a neat solution to the “weeds in the garden” problem: an abandoned blog only has a couple of weeks after the last post to gather spam.

You must check out Kitten’s comment plugins for managing this stuff. Her Project Blog. I find them to add even more value to the WP comment moderation. My favourite one is the Comment Pay where a spammer is sent to a page to donate to PayPal in exchange for allowing the comment to be posted on the site. Great stuff, indeed.

I’ve taken the step of moderating all comments with any hyperlinks in them. I get nearly no comments as it is, so it will be no big deal to moderate…
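The three hold-for-moderation rules described in the comments above (a keyword list, any hyperlink in the body, and a comment arriving on a post more than two weeks old that has been quiet for more than two days), combined into one check. This is an added example, not WordPress code or anything posted by the commenters; the function name, field names and sample data are assumptions made for the illustration.

```python
import html
import re
from datetime import datetime, timedelta

MODERATION_KEYS = ["tramadol"]        # the single key quoted in the thread
POST_AGE_LIMIT = timedelta(days=14)   # post "more than two weeks old"
QUIET_LIMIT = timedelta(days=2)       # no comment "in more than two days"
LINK_RE = re.compile(r"https?://|<a\s", re.IGNORECASE)

def moderation_reasons(comment, post, now):
    """Return the reasons to hold a comment for moderation; [] means publish."""
    reasons = []
    # Decode HTML entities first so "tr&#97;madol" still matches the key.
    fields = [html.unescape(comment.get(f, ""))
              for f in ("author", "email", "url", "body")]
    haystack = " ".join(fields).lower()
    reasons += [f"keyword:{k}" for k in MODERATION_KEYS if k.lower() in haystack]
    if LINK_RE.search(html.unescape(comment.get("body", ""))):
        reasons.append("hyperlink")
    # A post with no comments yet counts as quiet since it was published.
    last_activity = post.get("last_comment") or post["published"]
    if (now - post["published"] > POST_AGE_LIMIT
            and now - last_activity > QUIET_LIMIT):
        reasons.append("stale-post")
    return reasons

# Constructed sample data (dates, names and text are invented).
NOW = datetime(2024, 1, 31, 12, 0)
FRESH_POST = {"published": NOW - timedelta(days=1), "last_comment": None}
STALE_POST = {"published": NOW - timedelta(days=40),
              "last_comment": NOW - timedelta(days=30)}
ACTIVE_OLD_POST = {"published": NOW - timedelta(days=40),
                   "last_comment": NOW - timedelta(hours=5)}
SAMPLES = [
    ({"author": "bob", "body": "cheap tr&#97;madol here"}, FRESH_POST),
    ({"author": "amy", "body": "see http://example.invalid/page"}, FRESH_POST),
    ({"author": "kim", "body": "Nice write-up, thanks."}, STALE_POST),
    ({"author": "lee", "body": "Agreed with the above."}, ACTIVE_OLD_POST),
]

if __name__ == "__main__":
    for comment, post in SAMPLES:
        held = moderation_reasons(comment, post, NOW)
        print(comment["author"], "->", held or "publish")
```
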

I have to echo Phil’s comment.

I haven’t seen any improvement in the sophistication of the spambots in the past 8 months or more (targeting WordPress does not count as increased sophistication :-). But (at least some) spammers have gotten pretty sophisticated in making their spam comments not look like spam. Keyword- and IP-based antispam measures are quite useless against the more sophisticated breed of spammers.

One thing I will say in favour of WordPress’s spam-handling: Trackback moderation.

Trackback spam is the new comment spam.

A day later, T.-man lost one of his 22, but picked up two more keepers (out of three that Bloglines spotted, and of course I’m only seeing the ones where someone subscribed to the comment feed there at some point). Worth it? Hard to say. He looks to be banned from Google, but he’s #4 for the very competitive t-word on alltheweb, where most of his links come from a previous spam run at MT. The marginal costs are all tiny: given a spambot, rewriting it to aim at WP is a few minutes’ work, and the cost to spam another thousand weblogs is almost nothing. I’d like to believe he’s banned from Google because of comment spamming, since that’s the one possible serious cost, but the site’s so obviously spammy (the <meta name="generator" content="the-t-word"> is priceless) that it really didn’t need any help in getting banned.

He looks to be banned from Google, but he’s #4 for the very competitive t-word on alltheweb …

Maybe he’s banned for some reason.

Or maybe it’s because Google is much more efficient in re-spidering sites (mine gets spidered daily). My last comment spam got indexed by Google (what can I say … I was on vacation). But it’s already gone from Google’s cache, and will probably be dropped from the index in due course. Other search engines, which don’t re-spider as frequently, will contain stale data (deleted spam comments) for a lot longer.

What this t-man incident helps illuminate for me is that the reason blog-spam had not, by and large, gotten much more sophisticated is that there’s plenty of low-hanging fruit for the spammers to go after. Yesterday MT, today WP … why bother getting more sophisticated when the old low-brow techniques continue to work?

WordPress: Kills Spammers Dead

Last night, a spammer tried to post comments to a variety of posts, from a variety of IP numbers. The spammer also tried to obfuscate his text by using HTML encoded entities for some of the text in the links (which were to a variety of sites for onli…