WordPress spam
December 20, 2012 4:44 AM

How do WordPress spammers work?

I get loads of spam on my WordPress blog. This is not an issue because Akismet picks them up and I just have to click on the Empty Spam button and they are gone. My question is how do they do it? With email, obviously, they harvest email addresses, write their silly message and send out the message with numerous cc or bcc addresses. But can the blog spammers automate and, if so, how? How do they do to link to a specific post of mine (which they seem to do), unless they do it manually?

I have been tracking both my email and WordPress spam recently and they are radically different, so it would seem that the email spammers and the WordPress spammers are not the same people. The WP spammers seem to write poor English (e.g. this internet site is my intake , rattling wonderful design and style and perfect subject material) and rely on embedded links to sell their snowsuits and luxury goods.

Related to this, how did they find me? I have my own url, not a WP one, and not all that many readers beyond the many, many spammers.
posted by TheRaven to Computers & Internet (8 answers total) 1 user marked this as a favorite
 
They do it with automated software that is programmed to find WordPress installations (e.g. it could be as simple as doing a Google search for "Powered by WordPress" and then trying every URL that it finds) and then to automatically post comments.
posted by EndsOfInvention at 4:55 AM on December 20, 2012


ooh I love this question. I think about it often, on my WP and also Drupal sites. I think it's both automated and human powered. I've done some (well, a little) research on my own and found it almost always starts from a google search result of some kind. That's probably automated. They search for "powered by wordpress" or other common things found on WordPress (or Drupal sites) to find targets. Some comments are clearly just bots, and I can see the same IP hitting a bunch of sites (I have a web hosting biz with a bunch of WP sites) at the same time, or in sequence.
BUT, there are also clearly people writing spam comments as well. I've gone so far as to modify the comments they leave with a note like "Blake has edited this comment rather than deleting it, if you're the person doing this can you contact me? I have questions about how you work". I've never got a reply, but I'm still hoping. I'm assuming there are people paid a penny (or something) for every comment they leave.
They clearly don't care if you have 1 reader or 1,000,000 readers, they're either bots or people just trying to make a penny.
posted by Blake at 7:42 AM on December 20, 2012 [1 favorite]


They also use the comments as backdoor SEO. I've seen comments where there were no discernible links - but there was an ellipsis in the comment where each dot was a link. Or the period at the end of each sentence was a link.
posted by Benny Andajetz at 8:47 AM on December 20, 2012 [1 favorite]


Response by poster: So is there any (easy) way to get rid of that "Powered by Wordpress" thing at the bottom?
posted by TheRaven at 10:31 AM on December 20, 2012


Response by poster: Answered my own question. Whacked it in the footer.php.
posted by TheRaven at 10:43 AM on December 20, 2012


You don't need to fill in a form in a browser to actually post comments. It's easy to write a script to post fake comments on a website if there is no captcha. All you need is the name of the fields and the destination to post the information to. Spidering your site to harvest links is easy.
posted by missmagenta at 10:50 AM on December 20, 2012


While removing the "powered by WordPress" might cut down a bit on spam, I kind of doubt it. There are a lot of things that are unique about a WordPress site that make it easily detectable. Examples are: existence of a "/wp-feed.php" file or a "/wp-admin/" or "/wp-content/" folder. (Google gives 2 billion+ results for that last one.)

They start by collecting target web addresses by doing searches for simple keywords, not necessarily WordPress installs. They have a script that goes through these pages and looks for forms to fill out. They don't have to be comment forms, pretty much anything that lets you enter text. If it finds one it runs another script which generates semi-random names and content, fills it in, hits "submit" and goes off in search of another target. Once given some basic starting information, mostly about what kind of information to spread, it can run all day and all night on as many computers as you can find. A human just needs to tell it to start, and maybe contribute some sample content for it to work with.

Advanced spam programs don't even let a CAPTCHA get in the way. They'll take the confused text, show it to a human somewhere (either a person solving these things for $0.05 an hour, or on a fake porn site where they promise the sucker that they'll get free porn if they enter the CAPTCHA).

When I was rolling my own blog, the best way I found of defeating spam was to have a form field called "username". This was hidden on the page so human users wouldn't see it or put anything in it. Scripts would see it since they look at the source code, not the rendered page, and put a name in it. So if there was a name in it I knew the comment was spam.
posted by Ookseer at 3:07 PM on December 20, 2012 [1 favorite]
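The hidden "username" field Ookseer describes, written up as a small WordPress plugin (an added example, not code from the thread or from WordPress itself; the field name `username` follows the answer, and `hp_is_spam_submission` is a hypothetical helper name). It uses the real `comment_form_after_fields` action and `preprocess_comment` filter; the field is hidden with CSS rather than `type="hidden"` so a bot reading the HTML source still sees an ordinary text input to fill:

```php
<?php
/*
Plugin Name: Honeypot Comment Field (added example)
Description: Rejects comments whose hidden "username" field has been filled in.
*/

// Field name taken from the answer above: it has to look like a real field
// so that form-filling bots populate it, while humans never see it.
define( 'HP_FIELD', 'username' );

// Print the decoy input after the normal comment fields (this action fires for
// logged-out visitors, which is where practically all comment spam arrives).
add_action( 'comment_form_after_fields', function () {
    echo '<p style="position:absolute;left:-9999px;" aria-hidden="true">'
       . '<label for="' . HP_FIELD . '">Leave this field empty</label>'
       . '<input type="text" name="' . HP_FIELD . '" id="' . HP_FIELD . '"'
       . ' value="" tabindex="-1" autocomplete="off">'
       . '</p>';
} );

// Hypothetical helper: true when the submitted form data carries any text in
// the decoy field. Real browsers submit it empty, so non-empty means a script.
function hp_is_spam_submission( array $post ) {
    return isset( $post[ HP_FIELD ] ) && trim( (string) $post[ HP_FIELD ] ) !== '';
}

// Check the submission before WordPress stores the comment at all, so the spam
// never reaches Akismet or the comments admin page.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( hp_is_spam_submission( $_POST ) ) {
        wp_die( 'Your comment could not be submitted.', 'Comment rejected',
                array( 'response' => 403 ) );
    }
    return $commentdata;
} );
```

Dropping this file into `wp-content/plugins/` and activating it is enough; the `autocomplete="off"` attribute matters because some browsers would otherwise autofill a field named "username" for a real visitor and cause a false positive.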


If Akismet is the only anti-spam plugin that's installed on your site, I recommend also installing Bad Behavior (here's its plugin page at wordpress.org). Akismet is good for analyzing comments and trackbacks after they're submitted, but Bad Behavior takes a different route: it screens the http requests and blocks spambots / potential spambots from accessing the site at all.

So yeah, keep Akismet installed, but if you don't have Bad Behavior installed already, definitely give it a try and add it to the mix...it should cut down the spam you see on your comments admin page.
posted by rangefinder 1.4 at 11:28 PM on December 20, 2012 [1 favorite]

