WordPress Comment Spam Methods


We all hate comment spam. They post, we delete, and I actively ban; still, they come back for more. It must be economically worthwhile for these people to keep at it, because there is no end in sight as to when they will stop. Comment spam is here to stay. Innovations are bound to happen, so I’ve logged what I have learned.

You will need your raw access log to see these techniques in action.

Your typical comment spam

Typically this starts with a GET followed by a POST, and the same IP address is used for both. The spammer reads the page, then posts a comment to the same page, then fetches the page again to confirm the comment landed. To rid yourself of this, simply ban their IP address, or the whole /24 block (set the fourth octet to 0).

46.246.34.17 [26/Oct/2016:05:24:52 GET /prettybuttoner/2010/04/pokemon/ HTTP/1.1 200 33122 http://dontai.com/prettybuttoner/2010/04/pokemon/ Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
46.246.34.17 [26/Oct/2016:05:24:53 POST /prettybuttoner/wp-comments-post.php HTTP/1.1 302 – http://dontai.com/prettybuttoner/2010/04/pokemon/ Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
46.246.34.17 [26/Oct/2016:05:24:54 GET /prettybuttoner/2010/04/pokemon/comment-page-1/ HTTP/1.1 200 33204 http://dontai.com/prettybuttoner/2010/04/pokemon/comment-page-1/#comment-7687

Dual IP Comment Spammer

The dual IP method uses different IP addresses for the GET and the POST. If you ban the POST IP address you’ve banned the wrong one: the spammer will come back with the GET IP and spam you again. You need to ban the GET IP address to be effective.

24.240.119.116 [13/Oct/2016:03:24:59 GET /wp/2009/10/10/ruby-chinese-restaurant-the-good-and-the-bad/ HTTP/1.1 200 36594 http://dontai.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50
216.151.184.120 [13/Oct/2016:03:25:02 POST /wp/wp-comments-post.php HTTP/1.1 302 – http://dontai.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50
173.199.65.64 [13/Oct/2016:03:25:03 GET /wp/2009/10/10/ruby-chinese-restaurant-the-good-and-the-bad/comment-page-1/ HTTP/1.1 403 636 http://dontai.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50

Just a POST without the GET

Interestingly, a spammer from Pakistan, on Pakistan Tel, has started comment spamming me with just the POST. He must have scraped my site earlier and stored the URL, then came back at a later date and POSTed to it.

Note that there is no UA. The IP is also not used to GET anything from my site that day, nor is the POSTed URL used by anyone else. I do note that the URL is a trackback, whereas the other comment spam is not.

In these two cases I have banned the one and only IP, but it is too early to tell if this is effective.

Here are other examples:

39.41.93.143 [25/Oct/2016:14:29:35 POST /wp/2009/11/24/independent-ttc-ticket-resellers-refuse-to-sell-adult-tickets/trackback/ HTTP/1.1 200 78 http://dontai.com/wp/2009/11/24/independent-ttc-ticket-resellers-refuse-to-sell-adult-tickets/ –

39.41.202.183 [28/Oct/2016:12:05:56 POST /prettybuttoner/2010/09/dc-logo/trackback/ HTTP/1.1 200 78 http://dontai.com/prettybuttoner/2010/09/dc-logo/ –

45.61.46.26 [04/Nov/2016:14:37:20 POST /wp/2016/10/28/boulevard-repaving-in-toronto-canada/trackback/ HTTP/1.1 200 78 http://dontai.com/wp/2016/10/28/boulevard-repaving-in-toronto-canada/trackback/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

This trackback method has returned again, with a different IP, from OVH, and a different UA on each of the 3 requests.

188.165.89.96 [06/Jan/2017:18:11:21 POST /wp/2011/09/14/imperial-sewing-machine-model-535-user-manual/trackback HTTP/1.1 200 78 http://dontai.com/wp/2011/09/14/imperial-sewing-machine-model-535-user-manual/ Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)
188.165.89.96 [06/Jan/2017:21:43:50 GET /wp/2011/09/14/imperial-sewing-machine-model-535-user-manual/ HTTP/1.1 404 – – Mozilla/4.0 (compatible; ICS)
188.165.89.96 [07/Jan/2017:07:41:27 POST /wp/2011/09/14/imperial-sewing-machine-model-535-user-manual/trackback HTTP/1.1 200 78 http://dontai.com/wp/2011/09/14/imperial-sewing-machine-model-535-user-manual/ Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
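The three patterns above (same IP for GET and POST, different IPs for GET and POST, and a POST with no preceding GET) can be told apart automatically from the raw access log. The script below is an added example, not the author's tooling. It assumes the line layout printed on this page (IP, [timestamp, method, path, protocol, status, bytes, referrer, user agent); the sample log lines are constructed with RFC 5737 documentation addresses and are not real traffic. It pairs each comment or trackback POST with a GET from the previous minute, preferring a GET from the same IP and otherwise accepting one that shares the UA or fetched the page named in the referrer, then applies the ban rule from the text: ban the GET side for dual-IP spam, the only IP otherwise.

```python
"""Classify WordPress comment-spam patterns from access-log lines (added example)."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

# Layout as printed on the page: IP [timestamp METHOD path HTTP/x.y status bytes referrer UA
LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>\S+) (?P<method>GET|POST) (?P<path>\S+) HTTP/\d\.\d "
    r"(?P<status>\d{3}) (?P<bytes>\S+) (?P<ref>\S+)(?: (?P<ua>.*))?$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"
DASHES = {"-", "–", ""}  # how an absent referrer or UA shows up in the log


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], TS_FMT)
    ua = (req["ua"] or "").strip()
    req["ua"] = "" if ua in DASHES else ua
    req["ref"] = "" if req["ref"] in DASHES else req["ref"]
    return req


def is_comment_post(req):
    """A comment lands on wp-comments-post.php; a trackback lands on .../trackback/."""
    p = req["path"].rstrip("/")
    return req["method"] == "POST" and (p.endswith("wp-comments-post.php") or p.endswith("/trackback"))


def network_24(ip):
    """The /24 block the page suggests banning instead of a single address."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def classify(lines, window_seconds=60):
    """Pair each comment POST with the GET that preceded it and name the pattern."""
    reqs = [r for r in map(parse_line, lines) if r]
    gets = [r for r in reqs if r["method"] == "GET" and r["status"] == "200"]
    findings = []
    for post in filter(is_comment_post, reqs):
        ref_path = urlparse(post["ref"]).path.rstrip("/") if post["ref"] else ""
        recent = [g for g in gets
                  if 0 <= (post["ts"] - g["ts"]).total_seconds() <= window_seconds]
        same_ip = [g for g in recent if g["ip"] == post["ip"]]
        # A GET from another IP counts as linked if it shares the UA string
        # or fetched the page the POST names as its referrer.
        linked = [g for g in recent
                  if g["ip"] != post["ip"]
                  and ((post["ua"] and g["ua"] == post["ua"])
                       or (ref_path and g["path"].rstrip("/") == ref_path))]
        if same_ip:
            pattern, get_ip = "single-ip", same_ip[-1]["ip"]
        elif linked:
            pattern, get_ip = "dual-ip", linked[-1]["ip"]
        else:
            pattern, get_ip = "post-only", None
        findings.append({
            "pattern": pattern,
            "post_ip": post["ip"],
            "get_ip": get_ip,
            "ban": get_ip if pattern == "dual-ip" else post["ip"],
            "ua_missing": post["ua"] == "",
            "trackback": post["path"].rstrip("/").endswith("/trackback"),
        })
    return findings


# Constructed sample log (documentation addresses), one block per pattern on the page.
SAMPLE_LOG = [
    "192.0.2.10 [26/Oct/2016:05:24:52 GET /blog/2010/04/post-a/ HTTP/1.1 200 33122 http://example.com/blog/2010/04/post-a/ Mozilla/5.0 (Windows NT 6.1) Chrome/47.0",
    "192.0.2.10 [26/Oct/2016:05:24:53 POST /blog/wp-comments-post.php HTTP/1.1 302 - http://example.com/blog/2010/04/post-a/ Mozilla/5.0 (Windows NT 6.1) Chrome/47.0",
    "192.0.2.10 [26/Oct/2016:05:24:54 GET /blog/2010/04/post-a/comment-page-1/ HTTP/1.1 200 33204 http://example.com/blog/2010/04/post-a/comment-page-1/#comment-1",
    "198.51.100.5 [13/Oct/2016:03:24:59 GET /blog/2009/10/post-b/ HTTP/1.1 200 36594 http://example.com Mozilla/4.0 (compatible; MSIE 6.0) Opera 8.50",
    "203.0.113.7 [13/Oct/2016:03:25:02 POST /blog/wp-comments-post.php HTTP/1.1 302 - http://example.com Mozilla/4.0 (compatible; MSIE 6.0) Opera 8.50",
    "203.0.113.42 [13/Oct/2016:03:25:03 GET /blog/2009/10/post-b/comment-page-1/ HTTP/1.1 403 636 http://example.com Mozilla/4.0 (compatible; MSIE 6.0) Opera 8.50",
    "203.0.113.99 [25/Oct/2016:14:29:35 POST /blog/2009/11/post-c/trackback/ HTTP/1.1 200 78 http://example.com/blog/2009/11/post-c/ -",
]

if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f['pattern']:10} POST from {f['post_ip']:14} -> ban {f['ban']} ({network_24(f['ban'])})"
              + (" no UA" if f["ua_missing"] else "") + (" trackback" if f["trackback"] else ""))
```

Run against a real log, the same classifier reads lines from the file instead of SAMPLE_LOG; the one-minute window and the UA/referrer linking rule are the assumptions to tune, since a spammer that waits longer between the GET and the POST will show up as post-only rather than dual-IP.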
