I have been plagued with automated comment spam lately, it is still at a level where its managable manually but..... I am lazy.
The comment message itself is nearly always along the lines of:
-
Excellent! I enjoyed reading your material. think that will make relief: http://www.av.com ,
-
<a href="http://www.adobe.com" rel="nofollow">substances that cure you</a> ,
-
<a href="http://www.apple.com" rel="nofollow">my parents didnt told me about it</a>
It would appear to be more of a test message, blogs that accept the comment will probably be hammered with real spam at a later date.
I use ModSecurity on my server and wondered if there was an easy way to filter out these requests before they even reach Wordpress. I dug out my access_logs looking for the offending requests. The programs being used to post the comment spam appear to be quiet simplistic, posting directly to "wp-comments-post.php"
-
blog.lobstertechnology.com 209.200.xxx.xxx - - [16/Oct/2005:04:36:20 +0100]
-
"POST /wp-comments-post.php HTTP/1.1" 302 5
-
"http://blog.lobstertechnology.com/wp-comments-post.php"
-
"Jakarta Commons-HttpClient/3.0-rc3"
-
-
blog.lobstertechnology.com 207.195.xxx.xxx - - [12/Nov/2005:09:57:15 +0000]
-
"POST /wp-comments-post.php HTTP/1.1" 302 5
-
"-"
-
"Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"
Others are a little more sophisitcated and at least bother to change the default User-Agent:
-
blog.lobstertechnology.com 209.200.xxx.xxx - - [09/Nov/2005:12:24:23 +0000]
-
"POST /wp-comments-post.php HTTP/1.1" 302 5
-
"http://blog.lobstertechnology.com/wp-comments-post.php"
-
"Mozilla/4.0"
I crafted a very simple ModSecurity filter to catch these, although it is a little crude, it will only trigger when the listed User-Agents send a request to "/wp-comments-post.php". Adjust as required:
-
<ifmodule mod_security.c>
-
-
# Turn the filtering engine On or Off
-
SecFilterEngine On
-
-
...
-
-
# proof of concept Wordpress User-Agent filter
-
<location /wp-comments-post.php>
-
SecFilterSelective HTTP_USER_AGENT "HttpClient"
-
SecFilterSelective HTTP_USER_AGENT "Java"
-
SecFilterSelective HTTP_USER_AGENT "TuringOS"
-
</location>
-
-
</ifmodule>
Related Links
ModSecurity - http://www.modsecurity.org/
