Blocking Wordpress comment spammers by User-Agent

posted by Michael Cutler on November 15, 2005 @ 00:39

Categories: Spam, Wordpress

I have been plagued with automated comment spam lately, it is still at a level where its managable manually but..... I am lazy.

The comment message itself is nearly always along the lines of:

PLAIN TEXT
XML:
  1. Excellent! I enjoyed reading your material. think that will make relief: http://www.av.com ,
  2. <a href="http://www.adobe.com" rel="nofollow">substances that cure you</a> ,
  3. <a href="http://www.apple.com" rel="nofollow">my parents didnt told me about it</a>

It would appear to be more of a test message, blogs that accept the comment will probably be hammered with real spam at a later date.

I use ModSecurity on my server and wondered if there was an easy way to filter out these requests before they even reach Wordpress. I dug out my access_logs looking for the offending requests. The programs being used to post the comment spam appear to be quiet simplistic, posting directly to "wp-comments-post.php"

PLAIN TEXT
CODE:
  1. blog.lobstertechnology.com 209.200.xxx.xxx - - [16/Oct/2005:04:36:20 +0100]
  2.    "POST /wp-comments-post.php HTTP/1.1" 302 5
  3.    "http://blog.lobstertechnology.com/wp-comments-post.php"
  4.    "Jakarta Commons-HttpClient/3.0-rc3"
  5.  
  6. blog.lobstertechnology.com 207.195.xxx.xxx - - [12/Nov/2005:09:57:15 +0000]
  7.    "POST /wp-comments-post.php HTTP/1.1" 302 5
  8.    "-"
  9.    "Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"

Others are a little more sophisitcated and at least bother to change the default User-Agent:

PLAIN TEXT
CODE:
  1. blog.lobstertechnology.com 209.200.xxx.xxx - - [09/Nov/2005:12:24:23 +0000]
  2.    "POST /wp-comments-post.php HTTP/1.1" 302 5
  3.    "http://blog.lobstertechnology.com/wp-comments-post.php"
  4.    "Mozilla/4.0"

I crafted a very simple ModSecurity filter to catch these, although it is a little crude, it will only trigger when the listed User-Agents send a request to "/wp-comments-post.php". Adjust as required:

PLAIN TEXT
XML:
  1. <ifmodule mod_security.c>
  2.  
  3.    # Turn the filtering engine On or Off
  4.    SecFilterEngine On
  5.  
  6.    ...
  7.  
  8.    # proof of concept Wordpress User-Agent filter
  9.    <location /wp-comments-post.php>
  10.       SecFilterSelective HTTP_USER_AGENT "HttpClient"
  11.       SecFilterSelective HTTP_USER_AGENT "Java"
  12.       SecFilterSelective HTTP_USER_AGENT "TuringOS"
  13.    </location>
  14.  
  15. </ifmodule>

Related Links
ModSecurity - http://www.modsecurity.org/

| 1 Comment | Post A Comment

1 Comment so far
Leave a comment

More thoughts on Comment Spam

After my previous post on the subject of comment spam, I decided to use the might of Google to see how many sites have fallen prey to comment spamming bots.
Given that the phrases “my parents didnt told me about it” and “think that will make re…

By lobstertechnology.com on 11.22.05 04:22

RSS feed for comments on this post. TrackBack URI


Leave a comment
Line and paragraph breaks automatic, e-mail address never displayed, HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

(required)

(required, but not displayed publically)