Pain in the butt, no doubt, is this spammer. He’s been spamming my blog for the last 6 months and whatever I did in my ban manager, it would not ban. I got mad enough to track him down, figure out how he does it, and hopefully ban him. Take a look at the audit trail he left me in my WordPress Akismet anti-spam filter. I am very thankful that Akismet stopped him from wrecking my blog, and I’ll be more careful and vigilant from now on.
Of course I tried to ban the sites and IP addresses, but this did not work and spam keeps coming. The ip addresses constantly change. The email addresses are fake. I used my raw access log and correlated it with the Akismet spam listing. For some reason the log time in Akismet is one hour ahead of my raw access log.
Here is what the guy does. he does a GET with one IP address, then he uses a different IP address, displayed in the Akismet spam log, to post. Therefore if you ban the second IP address, which changes frequently, spam will still go through. Here’s what he is doing with my site. He uses 220.127.116.11 to GET, then uses a couple of other IPs to post. The solution I’m trying is to ban his GET ip address.
Block the complete last IP range 195.154.250. or 18.104.22.168/24. IP range owned by Iliad Entreprises, Paris 22.214.171.124 – 126.96.36.199
If you are browsing your raw access log, search for “POST /wp/wp-comments-post.php”. This will be the spam entry into your blog. Look a couple of columns to the right to see the corresponding web page for this post. Search just earlier for the corresponding GET for this post. A successful write will yield a server code of 302, the column just to the right. This is the ip address you need to ban. With this method you should be able to track down the spammers using double ip addresses.
These spammers are getting smarter. Try looking more closely at your raw access log and correlating your spam input with your log. Find the GET and POST ip addresses. If they are the same, ban the ip address. If they are different, then ban the GET ip address. Tell me if this works.