Comment spam
My site is getting slammed with comment spam. I had emails turned on (now off) so I received roughly 200 spam messages, forwarded from my site. How can I prevent this from occurring? Thanks
Help me
I just received 145 more emails from the comments form like this:
Please check out some helpful info dedicated to phentermine http://phentermine.waylandenterprises.co.uk/ phentermine diet pills http://diet-pills.honeymoon-destination-a.us/ diet pills casino http://casino.blackjack-123.com/ casino blackjack http://www.blackjack-123.com/ blackjack - Tons of interesdting stuff!!!
How do I turn off comments? Are there any security options to prevent this or at least slow it down, like REQUIRING all the fields to be filled out?
Also got slammed down to the knees...
We also got spammed with comments and twice the server went down under the load.
After increasing swap we have been surviving for a while but a more permanent solution is required.
You can clean the comments from the entries by deleting them directly. We use
Code: Select all
delete from serendipity_comments where author='online casino';
delete from serendipity_comments where author='order phentermine';
delete from serendipity_comments where author='diet pills';
delete from serendipity_comments where author='phentermine';
delete from serendipity_comments where author='dietpills';
delete from serendipity_comments where author='casino';
This does not update the serendipity_entries table, so it is not perfect. (The count of comments under an entry is not updated.) I'll work on it and post another sql-snippet if there is an order for it.
You can choose not to allow comments on an entry when you post it or you can do some sql afterwards. If I guess right you could say:
Code: Select all
update serendipity_comments set allow_comment=false;
To deny commenting to existing entries.
After asking a related resource limitation question on the Fedora list I got a proposal from mandreiana at dslink.ro:
I have not looked in comment.php, if any of this is valid.
Improve your PHP scripts:
* Use POST method for html forms, not GET
* perform a check:
Code: Select all
$referrer = parse_url( $_SERVER[ "HTTP_REFERER" ] );
if ( $referrer[ "host" ] != $_SERVER["HTTP_HOST"] ) {
    echo "Don't post from another server!";
    exit();
}
* set register_globals=off
and so on
Last edited by daFool on Thu Sep 02, 2004 8:53 am, edited 1 time in total.
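The referer check forwarded above, as an added example that is not from the thread or from Serendipity: a version that also insists on POST, tolerates a missing or malformed Referer instead of emitting notices, and compares hosts without the port and case-insensitively. The function name comment_request_is_local and the sample requests are my own construction. The Referer header is supplied by the client, so this stops only bots that never pass through the blog's own form; it is a cheap first filter in front of moderation or a rate limit, not authentication.

```php
<?php
// Added example (not code from the thread): a hardened version of the
// proposed Referer check. Function and parameter names are my own.

declare(strict_types=1);

/**
 * Return true when the request plausibly originated from our own form:
 * the method is POST and the Referer host matches our Host header.
 * $server is an array shaped like $_SERVER so the check can be tested
 * without a web server.
 */
function comment_request_is_local(array $server): bool
{
    // Comment forms should be submitted with POST; posting via GET is
    // what the same proposal advises against.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }

    // parse_url() on an empty or malformed Referer returns false or an
    // array without 'host'; treat both as "not from our form".
    $referer = $server['HTTP_REFERER'] ?? '';
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }

    // HTTP_HOST may carry a port (blog.example:8080); compare the host
    // part only, case-insensitively, since DNS names are case-insensitive.
    $ownHost = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
    return $ownHost !== '' && strtolower($parts['host']) === $ownHost;
}

// Constructed sample requests for a quick self-check.
$samples = [
    'legit post'     => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'blog.example',
                         'HTTP_REFERER' => 'http://blog.example/index.php?/archives/1-entry.html'],
    'legit w/ port'  => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'blog.example:8080',
                         'HTTP_REFERER' => 'http://blog.example:8080/index.php'],
    'no referer'     => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'blog.example'],
    'other site'     => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'blog.example',
                         'HTTP_REFERER' => 'http://other.example/bot'],
    'GET submission' => ['REQUEST_METHOD' => 'GET',  'HTTP_HOST' => 'blog.example',
                         'HTTP_REFERER' => 'http://blog.example/'],
];

foreach ($samples as $label => $server) {
    printf("%-15s -> %s\n", $label, comment_request_is_local($server) ? 'accept' : 'reject');
}
```

Run it with `php referer_check.php`; only the two "legit" samples are accepted. The check returns a boolean rather than calling exit() so the caller decides what to do with a rejected submission (log it, hold it for moderation, or drop it).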
Oops, what I meant to propose was
Code: Select all
update serendipity_entries set allow_comments=false
Not serendipity_comments.
Thanks for the reply. I have implemented a quick and dirty solution just by changing permissions for the comment.php file, making it impossible for anyone to access. I have hired a programmer to work on some security features.
If I get a good fix, I'll post it. This situation is definitely intolerable.
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Hi Ned!
You may want to look at the new comment moderation feature (since 0.6.8 or so) and/or at the serendipity_event_spamblock plugin (since 0.6.12) for some hooks to insert code.
You could easily include some blacklist/IP/wordlist filtering into the plugin mentioned above...
Regards,
Garvin.
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
I got hit by this today too, nearly 20 comments posted already!
http://boonedocks.net/mike/index.php?/a ... iracy.html
Right now I'm blocking IPs in Apache, but they keep inventing new ones.
Casino junkie is easy, as it always uses the same authors. You just delete them and be done with him. Today I got hit with a spammer that invented a new author for every comment, about 145 of them. It would have been easy as it had the same origin ip-address; unfortunately the serendipity_comments ip-field was null in every case. This ip-address is of course now blocked at .htaccess level.
pixeldown wrote:I've experienced the same problem, also. Using phpmyadmin I removed the offending comments - but the problem came back an hour later. Also - there was a new top referrer that appeared, too.
I've experienced up to 3 comments per entry! Same pill-pushing casino junkie.
I would gladly upgrade serendipity if I just knew which version would work. I have tried several snapshots. A few of them won't install and some install but are broken in creative ways, either they spew postgres-errors or just plainly throw error pages at you. The best installation after 0.6pl3 I have had installed ok but did not upgrade ok and using the rss-feed to pull entries from the 0.6pl3 installation broke "ä" and "ö".
I am very eagerly waiting for an official release.
Latest CVS works and has improved spam protection (as a plugin and in form of comment moderation), as well as IP logging. It can prevent spamfloods, make it easier to clean up after one and even lock down your blog if it is under attack.
I encourage you to upgrade to the very latest snapshot from http://s9y.org/12.html as it is currently the most stable. Of course a database and file backup never hurts. If you have any problems, you can post them on the forum and we will look into them.
Tom Sommer (Serendipity Core Developer)
http://blog.dreamcoder.dk
Sql
Can anyone enlighten me as to SQL syntax for deleting multiple records by range of ID #s. I only know how to do it one at a time and I have hundreds of spam records to delete. Thanks.
DELETE FROM serendipity_comments WHERE id > [minID] AND id < [maxID], remember to backup first
Tom Sommer (Serendipity Core Developer)
http://blog.dreamcoder.dk
Security features
To all,
I have added security features to the 'comments' portion of my site at http://JeffBlogworthy.com. I know that some will not appreciate the political nature of my blog, so be forewarned. Don't beat up on me too badly.
I hired a programmer to do this because I do not know php. It was prepared for my site, but can probably be finished as a fully compatible plugin by someone who knows what they are doing. I am happy to provide any files to anyone who may wish to pursue finishing it up. It is not a 'foolproof' system but it should certainly be able to slow down most spammers.
The security features consist of 2 parts:
1) A randomly generated security code image which must be entered into a text field before the form will be accepted.
2) A limitation of 3 comments per hour from the same IP address. This post/time ratio was randomly chosen by me.
Here is the documentation that I have from the author if anyone wants to tackle a final implementation. Suggestions for finishing are at the end of the file.
------------------------------------------------------------------------------------
Module specifications:
- the module is separated into two parts, image and per-hour IP blocking
- the image part works from two pieces; one is a separate script:
http://www.jeffblogworthy.com/spam_bloc ... _image.php
This script shows a random image (letters and numbers). The image with the code in it is created directly from TrueType files located in:
/spam_blocker_fonts/*.ttf
Each new image is created by choosing a random TTF file, so you can add new files, but be careful: if it is not a TrueType file the system will hang when that file is chosen for drawing the string. You can delete all files and leave one if you want. A PHP site that uses this plug-in needs to have the GD and FreeType libraries installed (--with-gd --with-freetype).
The PHP script above, when it is called, also saves the visitor IP to:
http://www.jeffblogworthy.com/spam_bloc ... og.csv.txt
This file contains unique IPs; the same IP is replaced instead of adding a new row, and with the IP the string code written on the image is saved. This file should be hidden; one of the ways is to rename it to some unused extension and restrict browsers from viewing this file. Possible hack is [deleted].
Anyway, if this hack succeeds the attacker will be stopped at the second filter (3 comments per hour).
The second filter is a comment limit of 3 per hour. It has the same log file format:
http://www.jeffblogworthy.com/spam_bloc ... og.csv.txt
with IP, log time and log time human readable (for test). The system first checks whether the comment is valid, then checks how many comments were submitted in the last hour and stops if there are > 3. If the comment is valid it adds a new IP row with the current time to this file. Before saving the file all times that are older than one hour are deleted, so this file contains only comments in the last hour.
Both filters can be separately allowed or disallowed from administration. Because old Serendipity has an event for the comment form, the process of adding the image security code is automated; the problem is that old Serendipity does not have an event for the "when form is submitted" check. So I have used a code addition to the existing Serendipity "comment.php". This means if you upgrade the system again you will lose these two filter checks at runtime. The code I have added can be easily found in comment.php:
Code: Select all
//
// Start of SPAM BLOCKER INSERTION CODE
//
$imageSecurityCodeIsNotOk = false;
if (class_exists("serendipity_event_spam_blocker") &&
    isset($serendipity_event_spam_blocker_ClassInstance) &&
    $serendipity_event_spam_blocker_ClassInstance != null) {
    $tempClass = $serendipity_event_spam_blocker_ClassInstance;
    $SUBMIT_FORM_VARS = array_merge($HTTP_POST_VARS, $HTTP_GET_VARS);
    // IMAGE CODE SECURITY CHECK
    $tempClass->checkAfterFormSubmitImageSecurityCode($html_header, $SUBMIT_FORM_VARS);
    // MAX COMMENTS PER HOUR IP CHECK
    $tempClass->checkAfterFormSubmitMaxCommentsPerHourReached($html_header, $SUBMIT_FORM_VARS);
    // submit will be ok, register as success comment
    if (!empty($comment['comment'])) {
        if ($tempClass->isAllowedmaxCommentsPerHourCheck()) {
            $ipBlockerClass = new IpBlocker();
            $ipBlockerClass->addCommentIp(getenv("REMOTE_ADDR"));
        }
    }
}
//
// End of SPAM BLOCKER INSERTION CODE
//
I have found on your site that new Serendipity has support for an "on comment submit" event. It is still untested.
Project files are:
[./]
Serendipity file --> comment.php
spam_blocker_security_comments_per_hour.log.csv.txt
spam_blocker_security_image.log.csv.txt
spam_blocker_show_security_image.php
[./plugins/serendipity_event_spam_blocker/]
serendipity_event_spam_blocker.php
[./spam_blocker_fonts/]
arial.ttf
comic.ttf
gothic.ttf
tahoma.ttf
times.ttf
trebuc.ttf
verdana.ttf
So the current system works, but if you want to share it with another blog site I need to do additional tasks (max 4 hours/$20 hr.):
- add English and German language support strings
- test for new events and implement them
- add administration option (combo 1..n comments per hour)
- add admin-defined log file names
- add "send me mail" when the comment max per hour is reached
- make README and INSTALL documentation
- prepare complete ZIP with plug-in
- fix found bugs, if any
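A file-backed version of the second filter described in the specification above (N comments per hour per IP, with entries older than the window pruned on every write), as an added example: it is not the contractor's code, and the class name CommentRateLimiter, the CSV column layout and the use of flock() are my own choices. The lock closes a gap the described read-then-write design leaves open: two submissions arriving at the same moment could both read "2 comments" before either appends, and both be accepted. Assumes PHP 8.0 or later. The thread's own observation applies as a caveat: when the request IP is not recorded (the null ip-field daFool reports) or many visitors share one address, a per-IP counter is either blind or over-blocks, so it should back moderation rather than replace it.

```php
<?php
// Added example (not the contractor's code): per-IP sliding-window comment
// limiter backed by a CSV log, pruned on every write and guarded by flock().

declare(strict_types=1);

final class CommentRateLimiter
{
    public function __construct(
        private string $logFile,
        private int $maxPerWindow = 3,
        private int $windowSeconds = 3600,
    ) {}

    /**
     * Record a comment from $ip at time $now and return whether it is within
     * the allowed rate. Rows older than the window are dropped on every call,
     * so the file only ever holds the last hour, as in the described design.
     * The whole read-prune-append cycle runs under an exclusive lock.
     */
    public function registerAndCheck(string $ip, ?int $now = null): bool
    {
        $now ??= time();
        // 'c+' opens read/write, creates the file if missing, never truncates.
        $fh = fopen($this->logFile, 'c+');
        if ($fh === false) {
            throw new RuntimeException("cannot open {$this->logFile}");
        }
        try {
            if (!flock($fh, LOCK_EX)) {
                throw new RuntimeException('cannot lock rate-limit log');
            }
            $cutoff = $now - $this->windowSeconds;
            $rows = array_values(array_filter(
                $this->readRows($fh),
                fn(array $r): bool => $r[1] > $cutoff
            ));
            $recent  = count(array_filter($rows, fn(array $r): bool => $r[0] === $ip));
            $allowed = $recent < $this->maxPerWindow;
            if ($allowed) {
                // Columns: ip, unix time, human-readable time (for inspection only).
                $rows[] = [$ip, $now, gmdate('Y-m-d H:i:s', $now)];
            }
            $this->writeRows($fh, $rows);
            return $allowed;
        } finally {
            flock($fh, LOCK_UN);
            fclose($fh);
        }
    }

    /** @return array<int, array{0:string,1:int,2:string}> */
    private function readRows($fh): array
    {
        rewind($fh);
        $rows = [];
        while (($fields = fgetcsv($fh, null, ',', '"', '')) !== false) {
            if (count($fields) >= 2 && $fields[0] !== null) {
                $rows[] = [(string)$fields[0], (int)$fields[1], (string)($fields[2] ?? '')];
            }
        }
        return $rows;
    }

    private function writeRows($fh, array $rows): void
    {
        ftruncate($fh, 0);
        rewind($fh);
        foreach ($rows as $row) {
            fputcsv($fh, $row, ',', '"', '');
        }
        fflush($fh);
    }
}

// Self-check with a constructed sequence of submissions and a fixed clock.
$log     = tempnam(sys_get_temp_dir(), 'rl_');
$limiter = new CommentRateLimiter($log, maxPerWindow: 3, windowSeconds: 3600);
$t0      = 1_094_100_000; // arbitrary fixed timestamp so the run is reproducible

$scenario = [
    ['192.0.2.10', $t0],         // first comment from this address
    ['192.0.2.10', $t0 + 60],    // second, a minute later
    ['192.0.2.10', $t0 + 120],   // third, within the hour
    ['192.0.2.10', $t0 + 180],   // fourth, still within the hour
    ['192.0.2.99', $t0 + 180],   // a different address at the same moment
    ['192.0.2.10', $t0 + 3601],  // first address again, after its oldest row aged out
];
foreach ($scenario as [$ip, $t]) {
    printf("%-12s @ +%5ds -> %s\n", $ip, $t - $t0,
        $limiter->registerAndCheck($ip, $t) ? 'allow' : 'block');
}
unlink($log);
```

Only accepted comments are written, matching the specification's "if comment is valid it adds a new row"; rejected attempts therefore do not extend the block, which keeps a flood from locking a shared address out indefinitely. For a busy site the same logic moves naturally into a database table keyed on (ip, time), where the prune becomes a DELETE on the timestamp column.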