Personal Development for Smart People Forums - View Single Post

Adam · 12-10-2006, 05:37 PM

NOTE: This was written for my blog, so when you see an idiosyncrasy, keep in mind that I wrote this with my blog's audience in mind... It should be safe to ignore the very last paragraph because of that.

I'm sharing it here, because I want other people to post their hacks for getting rid of spam.

For those who are hoping for some help with email spam, I’m sorry, but this article doesn’t apply. This is for bloggers who are tired of seeing spam in their comment moderation queue, especially for those who are using WordPress like I am.

For the impatient, you can just skip down to the bottom for instructions on how to stop the spam. It will start at a section heading labeled, appropriately, “Stop the Spam.”

For those who aren’t so impatient, though, I really recommend learning how a spam-bot works. For the curious, read on.

How the Spammers Work

Pretend for a moment that your job is to present unwanted, useless information to people in the hopes that they will buy something from you. Now, if you can resist the urge to quit or commit suicide, you’ll realize that the only effective way to get sales is to send that information to as many people as possible. Humans are very bad at sending out information in bulk, since we are very slow and can’t store thousands of addresses in our minds at one time.

That’s where the bots come in.

Bots are programs that pretend to be human. In a chat room, a bot might greet you, and if it is sufficiently sophisticated, it might even ban you for bad language, upgrade your account when you send it a password, or otherwise serve some (hopefully) useful function. Google and other search engine companies use bots to find pages that would be useful to people using their search engines. Illicit advertisers use bots to send email and stuff up the forms of bloggers in the hopes that their messages will be read.

With a bot, a spammer can spend one minute bringing up a program, then let the bot work for another minute and send out thousands of messages. Imagine sending out an advertisement to thousands of people with the investment of just two minutes… If you didn’t have a bot, then you would be able to send these advertisements to about one person every two minutes. Truly, a spammer who doesn’t use a bot doesn’t get fed.

The Problem with Bots

Besides being annoying, bots are also limited to the imagination of their programmers. If a programmer can’t think of a better way to get paid than by sending out spam, then he really doesn’t have any imagination at all. Bots are not flexible. They expect things to be a certain way, and do not know how to deal with any differences at all.

Bots that target WordPress blogs target one thing, the file wp-comments-post.php file. The reason why they target this file is because people do not feel comfortable with editing the default programs behind their blog, at most, they’ll edit the layout a little bit. (Obviously, I don’t worry much about the layout, but I have no fear of ruining something in the processing side, since I can always re-install.)

Almost every bot absolutely depends on certain things remaining default. This is the key to the method that I’m going to share in a little bit, so remember it.

Other Spam-Blocking Methods

Now, I’m not going to say that the other methods are flawed in any way. In fact, they work wonderfully well against spam bots that the spam blockers have seen before. With bots that people haven’t seen, though, there could be a problem. Spam blocking plugins and programs have two jobs to do; block the spammers and allow the normal humans to use the site normally. There are several ways to do this, each with their strengths and weaknesses.

One way is to watch the messages that are being sent to the server for key words, such as poker, viagra, etc. This works great against a small group of spammers who are selling that one product, but it also works against normal users who might happen to mention those items as well. Also, not every spammer is selling viagra or advertising gambling websites, so pretty soon, you get a large list of words to block, and a large number of legitimate users who are blocked as well, simply because they used a word that a spammer used before.

Another way is to block the IP address of the spammers… Sorry, folks, but the spammers are way ahead of you there. They use all different IP addresses, and many of the addresses are also used by people who have legitimate business.

There are also some advanced methods for looking at other information that a spammer has, such as their user agent, whether they can process Javascript or not, and a myriad of other clues, but these all also have the problem that legitimate users might not see your pages as well.

Stop the Spam

Here’s the method that I’m using to stop spammers. Remember that this is WordPress specific, but the principle should work with any blogging platform.

First, find the section of your layout that deals with the comment forms. Find the section that says “<form action=”<?php echo get_option(’siteurl’); ?>/wp-comments-post.php” method=”post” id=”commentform”>.” In that section, edit the wp-comments-post.php line to something slightly different, such as getting rid of a dash. Be certain to leave the “.php” alone. As soon as you have done that, find that file on your server and make the exact same changes to its name. Once you have done that, simply post a test comment, and if you see it, viola, you’ve just blocked almost all of the spammers who visit your site without affecting a single legitimate user.

Also, since this isn’t one of my larger posts (it was written in about an hour), I don’t have a conclusion to give, or a ‘brought to you by’ line either. You should have noticed that this was one of my smaller posts because I started on topic. Shame on you for expecting my regular humor.

12-10-2006, 05:37 PM	#1 (permalink)
Adam Senior Member Join Date: Nov 2006 Location: Logan, UT Posts: 357	Stop WordPress Spam NOTE: This was written for my blog, so when you see an idiosyncrasy, keep in mind that I wrote this with my blog's audience in mind... It should be safe to ignore the very last paragraph because of that. I'm sharing it here, because I want other people to post their hacks for getting rid of spam. For those who are hoping for some help with email spam, I’m sorry, but this article doesn’t apply. This is for bloggers who are tired of seeing spam in their comment moderation queue, especially for those who are using WordPress like I am. For the impatient, you can just skip down to the bottom for instructions on how to stop the spam. It will start at a section heading labeled, appropriately, “Stop the Spam.” For those who aren’t so impatient, though, I really recommend learning how a spam-bot works. For the curious, read on. How the Spammers Work Pretend for a moment that your job is to present unwanted, useless information to people in the hopes that they will buy something from you. Now, if you can resist the urge to quit or commit suicide, you’ll realize that the only effective way to get sales is to send that information to as many people as possible. Humans are very bad at sending out information in bulk, since we are very slow and can’t store thousands of addresses in our minds at one time. That’s where the bots come in. Bots are programs that pretend to be human. In a chat room, a bot might greet you, and if it is sufficiently sophisticated, it might even ban you for bad language, upgrade your account when you send it a password, or otherwise serve some (hopefully) useful function. Google and other search engine companies use bots to find pages that would be useful to people using their search engines. Illicit advertisers use bots to send email and stuff up the forms of bloggers in the hopes that their messages will be read. With a bot, a spammer can spend one minute bringing up a program, then let the bot work for another minute and send out thousands of messages. Imagine sending out an advertisement to thousands of people with the investment of just two minutes… If you didn’t have a bot, then you would be able to send these advertisements to about one person every two minutes. Truly, a spammer who doesn’t use a bot doesn’t get fed. The Problem with Bots Besides being annoying, bots are also limited to the imagination of their programmers. If a programmer can’t think of a better way to get paid than by sending out spam, then he really doesn’t have any imagination at all. Bots are not flexible. They expect things to be a certain way, and do not know how to deal with any differences at all. Bots that target WordPress blogs target one thing, the file wp-comments-post.php file. The reason why they target this file is because people do not feel comfortable with editing the default programs behind their blog, at most, they’ll edit the layout a little bit. (Obviously, I don’t worry much about the layout, but I have no fear of ruining something in the processing side, since I can always re-install.) Almost every bot absolutely depends on certain things remaining default. This is the key to the method that I’m going to share in a little bit, so remember it. Other Spam-Blocking Methods Now, I’m not going to say that the other methods are flawed in any way. In fact, they work wonderfully well against spam bots that the spam blockers have seen before. With bots that people haven’t seen, though, there could be a problem. Spam blocking plugins and programs have two jobs to do; block the spammers and allow the normal humans to use the site normally. There are several ways to do this, each with their strengths and weaknesses. One way is to watch the messages that are being sent to the server for key words, such as poker, viagra, etc. This works great against a small group of spammers who are selling that one product, but it also works against normal users who might happen to mention those items as well. Also, not every spammer is selling viagra or advertising gambling websites, so pretty soon, you get a large list of words to block, and a large number of legitimate users who are blocked as well, simply because they used a word that a spammer used before. Another way is to block the IP address of the spammers… Sorry, folks, but the spammers are way ahead of you there. They use all different IP addresses, and many of the addresses are also used by people who have legitimate business. There are also some advanced methods for looking at other information that a spammer has, such as their user agent, whether they can process Javascript or not, and a myriad of other clues, but these all also have the problem that legitimate users might not see your pages as well. Stop the Spam Here’s the method that I’m using to stop spammers. Remember that this is WordPress specific, but the principle should work with any blogging platform. First, find the section of your layout that deals with the comment forms. Find the section that says “<form action=”<?php echo get_option(’siteurl’); ?>/wp-comments-post.php” method=”post” id=”commentform”>.” In that section, edit the wp-comments-post.php line to something slightly different, such as getting rid of a dash. Be certain to leave the “.php” alone. As soon as you have done that, find that file on your server and make the exact same changes to its name. Once you have done that, simply post a test comment, and if you see it, viola, you’ve just blocked almost all of the spammers who visit your site without affecting a single legitimate user. Also, since this isn’t one of my larger posts (it was written in about an hour), I don’t have a conclusion to give, or a ‘brought to you by’ line either. You should have noticed that this was one of my smaller posts because I started on topic. Shame on you for expecting my regular humor.