Blocking Wordpress comment spammers by User-Agent
I have been plagued with automated comment spam lately. It is still at a level where it's manageable manually, but... I am lazy.
The comment message itself is nearly always along the lines of:
Excellent! I enjoyed reading your material. think that will make relief: http://www.av.com ,
<a href="http://www.adobe.com" rel="nofollow">substances that cure you</a> ,
<a href="http://www.apple.com" rel="nofollow">my parents didnt told me about it</a>
It would appear to be more of a test message; blogs that accept the comment will probably be hammered with real spam at a later date.
I use ModSecurity on my server and wondered if there was an easy way to filter out these requests before they even reach Wordpress. I dug out my access_logs looking for the offending requests. The programs being used to post the comment spam appear to be quite simplistic, posting directly to "wp-comments-post.php":
blog.lobstertechnology.com 209.200.xxx.xxx - - [16/Oct/2005:04:36:20 +0100]
"POST /wp-comments-post.php HTTP/1.1" 302 5
"http://blog.lobstertechnology.com/wp-comments-post.php"
"Jakarta Commons-HttpClient/3.0-rc3"
blog.lobstertechnology.com 207.195.xxx.xxx - - [12/Nov/2005:09:57:15 +0000]
"POST /wp-comments-post.php HTTP/1.1" 302 5
"-"
"Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"
Others are a little more sophisticated and at least bother to change the default User-Agent:
blog.lobstertechnology.com 209.200.xxx.xxx - - [09/Nov/2005:12:24:23 +0000]
"POST /wp-comments-post.php HTTP/1.1" 302 5
"http://blog.lobstertechnology.com/wp-comments-post.php"
"Mozilla/4.0"
I crafted a very simple ModSecurity filter to catch these. Although it is a little crude, it will only trigger when the listed User-Agents send a request to "/wp-comments-post.php". Adjust as required:
<IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On
    ...
    # Proof-of-concept Wordpress User-Agent filter.
    # Scoped to the comment handler, so requests to other URLs are unaffected.
    <Location /wp-comments-post.php>
        # Each rule is evaluated on its own; a match on any one of them triggers.
        SecFilterSelective HTTP_USER_AGENT "HttpClient"
        SecFilterSelective HTTP_USER_AGENT "Java"
        SecFilterSelective HTTP_USER_AGENT "TuringOS"
    </Location>
</IfModule>
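An added example, not part of the original post: a Python script that replays access-log lines in the format shown above against the three filter patterns and reports which comment POSTs the filter would match and which would pass through. The sample log lines, host name and addresses are constructed, and case-insensitive matching is an assumption about the filter engine.

```python
import re
from collections import Counter

# Fields: vhost client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BLOCK_PATTERNS = ["HttpClient", "Java", "TuringOS"]  # patterns from the filter above
TARGET = "/wp-comments-post.php"

# Constructed sample data: documentation host name and addresses, User-Agents from the post
# plus one ordinary browser.
_P = 'blog.example.org %s - - [%s] "%s HTTP/1.1" %s "%s" "%s"'
_FF = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
_SELF = "http://blog.example.org/wp-comments-post.php"
SAMPLE_LOG = [
    _P % ("192.0.2.10", "16/Oct/2005:04:36:20 +0100", "POST " + TARGET, "302 5",
          _SELF, "Jakarta Commons-HttpClient/3.0-rc3"),
    _P % ("192.0.2.11", "12/Nov/2005:09:57:15 +0000", "POST " + TARGET, "302 5",
          "-", "Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"),
    _P % ("192.0.2.10", "09/Nov/2005:12:24:23 +0000", "POST " + TARGET, "302 5",
          _SELF, "Mozilla/4.0"),
    _P % ("198.51.100.7", "10/Nov/2005:07:59:00 +0000", "GET /?p=12", "200 5120", "-", _FF),
    _P % ("198.51.100.7", "10/Nov/2005:08:00:00 +0000", "POST " + TARGET, "302 5",
          "http://blog.example.org/?p=12", _FF),
]

def audit(lines, patterns=BLOCK_PATTERNS):
    """Return (blocked, allowed) Counters of User-Agents that POSTed to TARGET."""
    # Assumption: the engine matches case-insensitively; drop the flag if yours does not.
    regexes = [re.compile(p, re.IGNORECASE) for p in patterns]
    blocked, allowed = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected log format
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != TARGET:
            continue  # the filter is scoped to comment POSTs only
        bucket = blocked if any(r.search(m["ua"]) for r in regexes) else allowed
        bucket[m["ua"]] += 1
    return blocked, allowed

if __name__ == "__main__":
    blocked, allowed = audit(SAMPLE_LOG)
    for label, counts in (("would match filter", blocked), ("would pass", allowed)):
        for ua, n in counts.most_common():
            print(f"{label:>18}: {n:3d}  {ua}")
```

Run against a real log, the "would pass" list shows which posting User-Agents the current patterns do not cover, such as the bare "Mozilla/4.0" from the third log entry above.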
Related Links
ModSecurity - http://www.modsecurity.org/
About this entry
You’re currently reading “Blocking Wordpress comment spammers by User-Agent,” an entry on Weblog of Michael Cutler
- Published: 15th November 2005 / 12:11am