WordPress 2.1

One of my complaints against Movable Type was that SixApart didn’t update the software very often, especially now that they’re pursuing the “Enterprise” space. Since switching to WordPress six weeks ago, there have been three updates. I don’t know if I should be happy it’s so actively developed, or worried that it’s still got enough security issues that they have to release interim patches. However, one down side of switching is I have to revist the issue of spamments (bogus site referrals or PPP comments), something I had tamed two years ago.

A common pattern to these spamments shows up in my site logs as follows:

smtpgw.umcsd.um.edu.my - - [21/Jan/2007:22:24:27 -0800]
"POST /w/wp-comments-post.php HTTP/1.1" 404 84
"http://www.jimcarson.com/a/2004/07/where_does_all_1.shtml"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Although they purport to be referred from my site, I know they’re faking it because the page they refer “from” no longer exists. This is confirmed by scanning back in the logs for accesses from that address. What’s disturbing is how many similar access I’ll see from different hosts. For this particular page, I see these “visitors:”

1 125.90.64.72
1 131.107.64.93
2 200.88.223.98
2 205-200-65-121.static.mts.net
1 220.72.196.68
1 59.11.146.64
1 60.217.227.140
2 60.217.227.141
1 61.240.111.196
1 61.55.135.167
1 67.128.2.9
1 dns1.tcn.ed.jp
1 host57.201-252-42.telecom.net.ar
1 proxy02-hcm.vnn.vn

When I see patterns, such as the case with the 60.217.227.* machines, I’ll block the entire subnet using .htaccess.

deny from 60.217.227.
deny from .info

This is works for spammy concentrations of sites (especially the 80.* hierarchy), and to a lesser extent, but a quick scan of the list above shows how distributed the problem is, limiting the method’s effectiveness. Most of these machines have been bot-fested.

Removing the original wp-comments-post.php script resulted in a sharp decline in the number of spamments who are just blindly trolling for the blind link. There are still bots that parse through the html, finding references to my “diespammers.php” comment script. The next time I change the script name, I’ll also edit the form identifier to remove the obvious place the bots can scrape. Doing this on Movable Type reduced the spamments to a trickle.

I set up a “preview” mode for comments. This uses the filosofomio plug-in, which has a CAPTCHA option. I know some people hate CAPTCHAs, but at some point it may become necessary. Since I’m an offramp on a tertiary road of the information superhighway, I don’t need the nineteen digits in multi-coloring, wavy fonts and lots of speckles (like Blogspot). As an end user, I find these are a real pain in the ass because I inevitably get the letters wrong. On one of the forae I maintain, I had to implement a CAPTCHA to thwart the spam-bots that sign up for accounts. I tried to make them extremely easy, and hopefully funny, to a human. For example:

Do you see a giant, pink Energizer bunny in the photo? (Hint: the answer will be immediately obvious.)

Hard-filtering on keywords hawking the same, uh, product has had limited effectiveness. Currently, if someone posts any comment containing the name or web site of a discretionary pharmaceutical product, below-the-belt engorgement aid, or pay per view variants of adult recreational activities, that comment immediately gets tossed into the spam bin.

I have had less success with various anti-spam plugins. In particular, any of the canned CAPTCHA-based schemes I’ve tried don’t work with some browser (*cough* Internet Explorer). This is likely some obscure style sheet issue that will take a month to track down. Even the venerable Akismet plugin worked well … until I upgraded WordPress.