My Present Comment Spam Toolkit
Well, the battle testing went okay, but I ended up wanting to add back my other methods for battling comment spam in addition to SpamKarma. The cornucopia of methods I was using before was a bit better at controlling TrackBack spam, and I don’t want to block TrackBacks altogether as John has done. [As I commented, you don't have to do what John did to block TB and PB pings.]
So, my present comment spam-fighting arsenal is this:
- John Sinteur’s Open Proxy Checker, which checks SURBL and DSBL.
- Kitten’s Spam Words, which does a really good job of updating your defenses as you clean up comment spam attacks.
- Spam Karma
- Dougal’s TarPit, which is designed to shunt IPs that have already spammed you into a tar pit that slows them down for N seconds before disallowing their request.
- Good old fashioned vigilance.
I really wish that Spam Karma and Spam Words talked to each other; you can set an option in SK to say, “Hey, take a look at the stuff in the Options–>Discussion moderation keys queue, too, while you’re processing incoming comments,” but that’s not quite the level of integration that I’d like. Of course, I’m also too lazy to see if I could hack the two plugins to make them talk to each other. As it is now, when I delete a bunch of stuff with SW, before I commit changes to the mod_keys queue, I push those IPs into my SK banlist. It helps, I think.
Now I need to spend time this weekend synching up everything. :sigh:

Have you tried renaming your wp-comments-post.php file?
I did that, and I’m spam free. (At least from the mass-spam-barf-bots)
I’ve not gotten any Trackback spam, as of yet. But I’ll keep your testing in mind.
January 7th, 2005 at 15:03
I haven’t tried that, and I know that it works, but that leaves me with upgrade issues. Since I’ve got 60-ish installs to worry about, it’s not a small consideration.
I’m sure that 1) it works for others who have different problem sets than I do and 2) that, eventually, this won’t foil the spammers, as they’ll be able to figure out a way around it.
January 7th, 2005 at 15:38
Renaming wp-comments-post.php really works. 18.5 percent of *all* hits to jowilson.org (where my blog used to be) are grabbing my zero length wp-comments-post.php file. (That’s 547 hits just in the first week of the month.) My wp-c-p file is still stuck in some spammer’s tool. What I should do is set up a tar pit for it, but I’m just lazy.
Now, nobody hits wp-comments-post on crazybutable.com. I’m guessing that spammers just use Google queries to find wp-comments-post files.
January 7th, 2005 at 16:35
If a person is to rename the wp-comments-post.php file, where else does the code need to be changed so using the newly renamed comment page still works?
January 7th, 2005 at 18:43
Oh, one more thing. Vigilance is overrated. I’m sick of people telling me I have to be “vigilant” about software that I run. Software that I write, okay, yeah, but that’s the point: software should be written well enough in the first place so that the user can just use it.
I don’t have to be “vigilant” about my car. Regular maintenance, yes, watch how I drive, okay, but I don’t have to check under the hood for bombs before I drive to work every day.
Sigh. Don’t mind me, I’m just ranting.
January 7th, 2005 at 19:17
I hear you about the upgrade changes. I keep a personal change log to see what I need to change again after I upgrade.
I also implemented a hidden keyword on my Comments form, which is required to post through the “neo” wp-comments-post.php file.
To address the question of what accesses the wp-comments-post.php page: the only two I care about are the wp-comments.php and the wp-comments-popup.php templates. (I don’t even use the popup one.)
Each references the wp-comments-post.php script; just change the name to what you changed your local file to.
And, as John Wilson did, make a NEW wp-comments-post.php so the spammers don’t realize what you did by getting a 404-not-found message.
January 7th, 2005 at 21:11
Oh, John, I hear you about vigilance. The software should do the vigilance for me; it’s just not there yet.
January 7th, 2005 at 23:35
well done http://www.google.com
March 27th, 2006 at 08:43
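The comments above describe leaving an empty wp-comments-post.php in place as a decoy after renaming the real script, and the post describes pushing spammer IPs into a banlist. As an added example (not code from the post, the commenters, or any of the plugins named), this Python function measures what share of access-log hits land on the decoy and lists the client IPs that keep hitting it. The log lines are constructed, and the renamed script name and the `min_hits` threshold are assumptions.

```python
import re
from collections import Counter

# Apache common-log prefix: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
DECOY_PATH = "/wp-comments-post.php"  # old name, now an empty decoy file


def decoy_report(lines, decoy=DECOY_PATH, min_hits=2):
    """Return (share of parsed hits that reached the decoy, IPs to ban)."""
    total = 0
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        total += 1
        # Drop the query string so ?x=y variants of the decoy still match.
        if m.group("path").split("?", 1)[0] == decoy:
            per_ip[m.group("ip")] += 1
    share = sum(per_ip.values()) / total if total else 0.0
    # min_hits (assumed threshold) avoids banning on a single stray request.
    ban = sorted(ip for ip, n in per_ip.items() if n >= min_hits)
    return share, ban


# Constructed sample lines using documentation IP ranges, not real traffic.
# "/renamed-comments-post.php" is a hypothetical name for the real script.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2005:15:01:02 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Jan/2005:15:01:05 -0500] "POST /wp-comments-post.php HTTP/1.0" 200 0',
    '198.51.100.7 - - [07/Jan/2005:15:01:06 -0500] "POST /wp-comments-post.php HTTP/1.0" 200 0',
    '203.0.113.44 - - [07/Jan/2005:15:02:11 -0500] "POST /wp-comments-post.php?x=1 HTTP/1.0" 200 0',
    '192.0.2.10 - - [07/Jan/2005:15:03:40 -0500] "POST /renamed-comments-post.php HTTP/1.1" 302 0',
    'not a log line',
    '192.0.2.25 - - [07/Jan/2005:15:04:00 -0500] "GET /feed/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [07/Jan/2005:15:04:10 -0500] "POST /wp-comments-post.php HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    share, ban = decoy_report(SAMPLE_LOG)
    print(f"{share:.1%} of hits reached the decoy; ban candidates: {ban}")
```

The returned IP list is what would be fed into a banlist or tar pit; the posts to the renamed script are never counted, so visitors using the real form are not flagged.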