Win a trip to Disneyland

I’ve got good news, and I’ve got great news! The good news is for spammers. The great news is for you.

The good news is that in 3 simple steps you too could win a trip to Disneyland:

  • Visit one of those sites that lists this blog as a dofollow blog (BTW – it doesn’t dofollow anymore)
  • Click on a link to my blog.
  • Have a great time in Disneyland!

The great news is that you can send those spammers to Disneyland too! Just take a look at the code in disney.txt and copy it into your wp-config.php (Put it right at the top of the file!) or into an auto_prepend file.

The $bad_referrers array is a simple list of offending sites that send you the most spammers. Add them in and when the spammer comes visiting they’ll be whisked off to Disneyland for a magical tour of the castle. (Hopefully they’ll meet an ogre who’ll take a fancy to them and lock them in the tower or something!)

I use my Comment Referrers WordPress plugin to tell me where comment authors come from but sometimes if they’ve browsed around my site (and the referrer is gone then), I search my logs for their IP address.

Yes, the above could be done with .htaccess mod_rewrite rules but this is more portable and I redirect to a Pretty Link shortcut so I can easily count the hits. No matter what I did I couldn’t get it to exclude the hit to the shortcut and it would redirect continuously.

Update! I added rewrite rules to send the spammers off. I’m sure these rules can be improved so leave a comment if you have any tips.

# Dots and question marks are escaped so they match literally;
# the patterns are unanchored, so no leading or trailing .* is needed.
RewriteCond %{HTTP_REFERER} theseomizer\.com [NC,OR]
RewriteCond %{HTTP_REFERER} seomizeme\.com [NC,OR]
RewriteCond %{HTTP_REFERER} revolutioners\.com [NC,OR]
RewriteCond %{HTTP_REFERER} rishabhsood\.net [NC,OR]
RewriteCond %{HTTP_REFERER} 011831068587400451950 [NC,OR]
RewriteCond %{HTTP_REFERER} backlinkmagic\.com [NC,OR]
RewriteCond %{HTTP_REFERER} www\.online-utility\.org/webmaster/backlink_domain_analyzer\.jsp [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1011238 [NC,OR]
RewriteCond %{HTTP_REFERER} courtneytuttle\.com/blogs-that-follow/ [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1006727 [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1003675 [NC,OR]
RewriteCond %{HTTP_REFERER} rasimcoskun\.com [NC,OR]
RewriteCond %{HTTP_REFERER} smartpagerank\.com [NC]
RewriteRule ^(.*) http://disney.com/ [R,L]
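A referrer list kept by hand goes wrong when a `.` or `?` copied from a URL is left to act as a regex operator. As an added example (not the author's code), this Python helper builds the conditions from plain referrer strings and checks them against a sample Referer; the function names and the three-entry list are illustrative.

```python
import re

# Constructed sample blocklist: plain strings as they appear in a Referer header.
BAD_REFERRERS = [
    "theseomizer.com",
    "forums.digitalpoint.com/showthread.php?t=1011238",
    "courtneytuttle.com/blogs-that-follow/",
]

_META = re.compile(r"([.^$*+?()\[\]{}|\\])")


def escape_for_rewrite(literal):
    """Escape regex metacharacters so the string matches only itself."""
    if re.search(r"\s", literal):
        raise ValueError("whitespace would split the RewriteCond argument: %r" % literal)
    return _META.sub(r"\\\1", literal)


def build_rules(referrers, target="http://disney.com/"):
    """One RewriteCond per referrer, OR-chained, followed by the redirect rule."""
    if not referrers:
        # A RewriteRule with no conditions would redirect every visitor.
        raise ValueError("refusing to emit a rule with no conditions")
    lines = []
    for i, ref in enumerate(referrers):
        # Every condition except the last carries OR; the last must not.
        flags = "[NC,OR]" if i < len(referrers) - 1 else "[NC]"
        lines.append("RewriteCond %%{HTTP_REFERER} %s %s" % (escape_for_rewrite(ref), flags))
    lines.append("RewriteRule ^ %s [R,L]" % target)
    return lines


def matches(pattern, referer):
    """Approximate mod_rewrite's unanchored, case-insensitive ([NC]) match."""
    return re.search(pattern, referer, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("\n".join(build_rules(BAD_REFERRERS)))
    url = "http://forums.digitalpoint.com/showthread.php?t=1011238"
    raw = BAD_REFERRERS[1]
    # Unescaped, "php?t" means "ph, an optional p, then t", so the real URL is missed.
    print("unescaped matches:", matches(raw, url))
    print("escaped matches:  ", matches(escape_for_rewrite(raw), url))
```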

And in other news, Stephen Cronin created the comment warning plugin to warn visitors who come from predefined urls like the dofollow lists above. Nice!

John, my personal spammer!

With apologies to anyone named John. Spammers are getting more clever at spreading their links. Now legitimate website owners are using software tools that allow them to enter keywords of their choice to create a list of related blogs with comment forms. Many of these applications list blogs that pass Google Rank to the websites of visitors. That’s why I stopped doing the “dofollow” thing several months ago. Since then the number of spam comments has gone down slightly. Cookie for Comments stops the spam bots dead but the human spammer scum still get through.

Next time Akismet marks a legitimate looking comment as spam (or you get a comment from someone who was supposedly christened Austin Texas Photographer by his parents), check your logs. Look up the IP address of the visitor. You may find something like this. Note the lack of a referrer, an old Firefox user agent and then “bsalsa.com” is in the UA of the next request for a post. Bsalsa make a Windows toolkit that this software obviously uses. They’re fans of Borland Delphi apparently!

"GET /2006/11/04/cork-cinema-listings/ HTTP/1.0" 200 43366 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12"

"GET /feed/ HTTP/1.0" 302 84 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

"GET /2006/11/04/cork-cinema-listings/ HTTP/1.1" 200 12089 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) (Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11); .NET CLR 2.0.50727)"

When my blogs were dofollowing, I’d get loads of spam comments every day. The tools used fire off a request to the blog to examine the links on that page. They highlight dofollow links so the user knows their spam comment will generate Google Juice for their site.

I was getting so sick and tired of them I contacted several spammers. Lindsay who commented on inphotos.org replied:

Hi Lindsay,

As a photographer, I’m always looking for other blogs to comment on but it’s hard to find interesting photoblogs that post anything other than photos. How did you find my blog? I didn’t see a Google search in my logs. Is it a special program?

Thanks,
Donncha

She was really helpful, even replying twice when I didn’t reply again:

I actually have a program called G-force fast blog finder. Basically, I put in some keywords and it searches ALL blogs with those keywords. THEN it tells me if those blogs do or do not have the “uComment iFollow” addon. Blogs that allow the “follow” tag are good for search engines if I post a comment with a link to my site.. SO basically, I get to look at photography blogs and comment on them while I help my website obtain some more links.

Basically, search engines rank your page based on a few things, one of them is link backs. Basically, a link from a site to my site is like a vote for my site saying it is good. So the more other websites link to my site, the better.. HOWEVER, some blogs and websites have the NOFOLLOW tag in them which does not let the search engines see it. Your site does allow the uComment iFollow.

We also created a link exchange program on our website. If you’re interested, it helps you to also have links for your site on other people’s sites. If you go to my site here:
http://__________.com/catalog/links.php
You can submit your link and even a small picture to be displayed.
Let me know if you have any other questions

Lindsay

Yea. I downloaded a program called fast blogger. They have a free trial and basically you add in a search term and it searches all blogs for that term. It gives you lists of links to them and tells you if they are no follow or Ufollow IComment blogs. Basically, by finding blogs related to my website and blog and posting comments, it helps my website with the search engines when I post a link. It’s a win win situation. You get blog views and comments and the post gets a link back to third site.

If you are interested, I also have a blog. It’s at http://_____________.com/blog

Feel free to comment away and leave a link back to your blog.

We also have a link exchange. Basically you go to Http://____________.com/catalog/links.php

Click submit link and then we will add another link to our website. All we ask is you link back to us in return.

It’s basically everyone helping each other in order to get good page ranking for their keywords

If you have any questions, I’d be happy to answer.

Lindsay

Very helpful wasn’t she? Unfortunately it was the final straw. All links in comments are nofollowed again. Bloody spammers.

The spam comments continue but recently I’ve taken to changing the name of the person to “John”, removing their email and url and then allowing through the comment.

john the spammer


Thanks John!

More ways to stop spammers and unwanted traffic

Comment spammers, trackback spam, stupid bots and AVG linkscanner eating into your bandwidth and server resources? Here’s how to put a dent in their activities with a few mod_rewrite rules.

I hate those blogs that send me fake trackbacks and pingbacks. Unfortunately it’s impossible to stop but this morning I figured out a way of stopping some of them.

Look through the log files of your web server for the string ‘ "-" "-"’. Lots of requests there aren’t there? I found 914 requests yesterday. Those are requests without a USER_AGENT or HTTP_REFERER and almost all of them are suspicious because they weren’t followed by requests for images, stylesheets, or Javascript files. Unfortunately the WordPress cron server also falls into this category so you need to filter out requests from your own server’s IP address.

This morning I checked up on a spam trackback that came in. This one came from 85.177.33.196:

URL: /xmlrpc.php
HTTP_RAW_POST_DATA: <?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://7wins. eu/cbprod/detail_10347/cure+your+tight+foreskin.html</string></value>
</param>
<param>
<value><string>http://ocaoimh.ie/2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/</string></value>
</param>
</params>
</methodCall>

I looked through my log files for that IP address and discovered the following:

85.177.33.196 - - [03/Jul/2008:06:40:01 +0000] "GET /2005/02/18/10-more-ways-to-make-money-with-your-digital-cameras/ HTTP/1.0" 200 36151 "-" "-"
85.177.33.196 - - [03/Jul/2008:07:04:18 +0000] "GET /2007/06/07/im-not-the-only-one-to-love-the-alfa-147/ HTTP/1.0" 200 44967 "-" "-"
85.177.33.196 - - [03/Jul/2008:08:09:40 +0000] "GET /2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/ HTTP/1.0" 200 410423 "-" "-"
85.177.33.196 - - [03/Jul/2008:08:09:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 249 "-" "XML-RPC for PHP 2.2.1"
85.177.33.196 - - [03/Jul/2008:09:00:09 +0000] "GET /2007/10/28/what-time-is-it-wordpress/ HTTP/1.0" 200 63332 "-" "-"

So, the spammer grabs “/2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/” at 8:09am and 4 seconds later sends a trackback spam to the same blog post. Annoying isn’t it?
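The two checks described above, run over log lines, as an added example that is not the author's code: it lists requests with no referrer and no user agent (skipping the server's own address) and pairs each POST to /xmlrpc.php with a blank GET from the same IP shortly before it. It assumes Apache combined log format; the 30-second window and the function names are choices made for this example.

```python
import re
from datetime import datetime, timedelta

OWN_IP = "64.22.71.36"  # the server's own address, as used in the rule on this page

# First three lines come from the log excerpt on this page; the last two are constructed.
SAMPLE = """\
85.177.33.196 - - [03/Jul/2008:07:04:18 +0000] "GET /2007/06/07/im-not-the-only-one-to-love-the-alfa-147/ HTTP/1.0" 200 44967 "-" "-"
85.177.33.196 - - [03/Jul/2008:08:09:40 +0000] "GET /2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/ HTTP/1.0" 200 410423 "-" "-"
85.177.33.196 - - [03/Jul/2008:08:09:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 249 "-" "XML-RPC for PHP 2.2.1"
64.22.71.36 - - [03/Jul/2008:08:10:00 +0000] "GET /wp-cron.php HTTP/1.0" 200 0 "-" "-"
192.0.2.10 - - [03/Jul/2008:08:11:00 +0000] "GET /feed/ HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def load(text):
    """Parse combined-format lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            records.append(rec)
    return records


def is_blank(rec):
    """True when both Referer and User-Agent are missing (logged as "-")."""
    return rec["referer"] in ("", "-") and rec["ua"] in ("", "-")


def blank_requests(records, own_ip):
    """Blank requests, excluding the server's own wp-cron calls."""
    return [r for r in records if is_blank(r) and r["ip"] != own_ip]


def scrape_then_ping(records, window=timedelta(seconds=30)):
    """Return (ip, scraped path, delay in seconds) for each blank GET followed by an XML-RPC POST."""
    hits, last_blank_get = [], {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["method"] == "GET" and is_blank(r):
            last_blank_get[r["ip"]] = r
        elif r["method"] == "POST" and r["path"] == "/xmlrpc.php":
            prev = last_blank_get.get(r["ip"])
            if prev and r["ts"] - prev["ts"] <= window:
                hits.append((r["ip"], prev["path"], int((r["ts"] - prev["ts"]).total_seconds())))
    return hits


if __name__ == "__main__":
    recs = load(SAMPLE)
    for r in blank_requests(recs, OWN_IP):
        print("blank request:", r["ip"], r["path"])
    for hit in scrape_then_ping(recs):
        print("scrape then ping:", hit)
```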

The following mod_rewrite rules will kill those fake GET requests dead.

# stop requests with no UA or referrer
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteCond %{REMOTE_ADDR} !^64\.22\.71\.36$
RewriteRule ^(.*) - [F]

Replace “64\.22\.71\.36” with the IP address of your own server. If you don’t know what it is, look through your logs for requests for wp-cron.php, run ifconfig from the command line, or check with your hosting company.

Here are a few of the requests already stopped this morning:

72.21.40.122 - - [03/Jul/2008:09:59:59 +0000] "GET /2005/04/02/photo-matt-a-response-to-the-noise/ HTTP/1.1" 403 248 "-" "-"
216.32.81.66 - - [03/Jul/2008:10:00:11 +0000] "GET /2006/12/14/bupa-to-leave-irish-market/ HTTP/1.1" 403 240 "-" "-"
66.228.208.166 - - [03/Jul/2008:10:03:18 +0000] "GET /2008/05/23/youre-looking-so-silly-wii-fit HTTP/1.1" 403 212 "-" "-"
216.32.81.74 - - [03/Jul/2008:10:04:52 +0000] "GET /1998/03/22/for-the-next-month-o/ HTTP/1.1" 403 234 "-" "-"
69.46.20.87 - - [03/Jul/2008:10:06:06 +0000] "GET /2006/10/01/killing-off-php/ HTTP/1.1" 403 229 "-" "-"
72.21.58.74 - - [03/Jul/2008:10:07:54 +0000] "GET /2005/08/12/thunderbird-feeds-and-messages-duplicates/ HTTP/1.1" 403 255 "-" "-"

Some spam bots are stupid. They don’t know where your wp-comments-post.php is. That’s the file your comment form feeds when a comment is made. If your blog is installed in the root, “/”, of your domain you can add this one line to stop the 404 requests generated:

RewriteRule ^(.*)/wp-comments-post\.php - [F,L]

Trackbacks and pingbacks almost always come from sane looking user agents. They usually have the blog or forum software name to identify them. Look for “/trackback/” POSTs in your logs. Notice how 99% of them have browser names in them? Here’s how to stop them, and this has been documented for a long time:

RewriteCond %{HTTP_USER_AGENT} ^.*(Opera|Mozilla|MSIE).*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteRule ^(.*)/trackback/ - [F,L]

I’ve been using that chunk of code for ages. It works exceptionally well. This was prompted by a deluge of 40,000 spam trackbacks this site received in one day a few months ago.

If you use my Cookies for Comments plugin, check your browser for the cookie it leaves and use the following code to block almost all of your comment spam:

RewriteCond %{HTTP_COOKIE} !^.*put_cookie_value_here.*$
RewriteRule ^wp-comments-post\.php - [F,L]

That will block the spammers even before they hit any PHP script. Your server will breeze through the worst spam attempts. It blocked 2308 comment spam attempts yesterday. Unfortunately it also stops the occasional human visitor leaving a comment but I think it’s worth it.

Do something different. That’s what you have to do. Place a hurdle before the spammers and they’ll fall. On that note, I shouldn’t really be blogging all this, but almost all these ideas can be found elsewhere already and the spammers still haven’t adapted.

Unwanted traffic? What’s that? Surely all visitors are good? Nope, unfortunately not. Robert alerted me to the fact that AVG anti-virus now includes an AJAX powered browser plugin called “Linkscanner” that scans all the links on search engine result pages for viruses and malicious code. Unfortunately that generates a huge number of requests for pages that are never even seen by the visitor. I counted over 7,000 hits yesterday.

Thankfully Padraig Brady has a solution. I hope he doesn’t mind if I reprint his mod_rewrite rules here (unfortunately WordPress changes the " character, so if you copy rules from a WordPress page make sure the quotes are plain " characters, or grab the code from Padraig’s page.)

#Here we assume certain MSIE 6.0 agents are from linkscanner
#redirect these requests back to avg in the hope they’ll see their silliness
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$"
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]

Slow down trackback spam with Simple Trackback Validation

I used the Simple Trackback Validation plugin for a while until I noticed these errors showing up in php_errors.

PHP Fatal error: Cannot instantiate non-existent class: snoopy in /home/www/wp-content/plugins/simple-trackback-validation/simple-trackback-validation.php on line 158

This morning I decided to fix it as the spammers have been going crazy. I spotted dozens of POST requests to trackbacks as I tailed my log files.

How to fix the plugin:

  1. Open simple-trackback-validation.php in a text editor and go to line 158. It should be this line:

    $stbvSnoopy = new Snoopy;

  2. Above that line, add the following line:

    include_once( ABSPATH . 'wp-includes/class-snoopy.php' );

  3. Save the file and upload to your host again.

It’s no substitute for Akismet but along with Cookies for comments it should help keep your blog spam free!

Or, as I’ve just done because this blog is being inundated with trackback spam right now (over 17,000 in the last 9 hours), I blocked off access completely with this rewrite rule. Any WordPress blog will send a pingback anyway and MT even supports pingback now!

RewriteRule ^(.*)/trackback/ - [F]

How to successfully spam blogs (and how to fight back)

What you’re about to learn isn’t anything new. It’s not particularly earth shattering either, but a lot of people don’t know it.

NOFOLLOW DOES NOT WORK (properly)

You may have noticed legitimate looking comments on your blog from people with suspect names. Usually the name will be a brand name, service or literally anything that sells. The commenter’s website is obviously related to that business. Why do they bother using special keywords when Google is supposed to not follow those links? Do they know something you don’t? Yup. They know that keywords, even on nofollowed links, matter. I’d provide reference links to SEO blogs explaining this but then they’d know I’m reading and they might shut up.

So, how do you go about spamming blogs? (And how do you defend against those spammers?) Here are two examples:

How to spam a niche blog

George, who runs 858graphics obviously makes signs in San Diego. I’m sorry that his store was egged last year, but he’s obviously trying to manipulate Google. Unfortunately, he succeeded. He is #2 in Google for “San Diego Signs”. Strangely enough there are no links to his website.

How to spam a niche blog

This second guy isn’t quite so successful, and to think he’s spamming my poor Shih Tzu, Oscar. The spammer’s domain is near the bottom of the first page of a Google search for Shih Tzu Checks. That’s still pretty good considering he doesn’t have any links to that page either.

How did these guys find my blog? The first guy searched for WordPress blog posts with comments. The second looked for a page saying, “leave a reply”, an open invitation to spam if ever there was one!

Out of curiosity I followed the Google search a recent spammer used. On the blogs surrounding my blog in that search I found traces of him everywhere. He left legit looking comments but the link was always full of keywords for his business.

Stuffing keywords in nofollowed links certainly helps rank for keywords.

So, you want to know how to fight back? It’s very simple if you’re using WordPress:

  1. Install my Comment Referrers plugin. That will add a line at the end of the moderation emails with the referrer of the visitor. Some referrers should ring alarm bells!
  2. Install Delink Comment Author. This plugin removes the link the comment author left as their URL. I modified my install so it removes the email too as I moderate comments from new users.
  3. I was planning on coding this next plugin, but I found Lucia’s Link Love first and that saved me the trouble. I modified mine so it doesn’t hyper link the name of a comment author who has left less than a certain number of comments. See this comment as an example. That “Landscape Artist” never came back to my blog again so his “name” isn’t linked to his site.

So, chances are a few more people are going to try this technique now that I’ve blogged about it. I bet many more blog owners will be more vigilant of it now though. It’s your blog. If you don’t want to be a pawn to a spammer then fight back!

Edit: Here is my version of Lucia’s Linky Love. Just rename this file to .php and drop into your plugins folder. If you’re not logged in or have a comment cookie in your browser you should see some comment authors’ names won’t be linked.

Idiot spammers

This comment was posted automatically using Blog Comment Poster. Check out its site to learn more and start building backlinks to your websites today.

This post was written manually using Donncha’s fingers. Check out the Akismet anti comment-spam plugin to stop the idiot spammer at 75.126.132.23 using “Blog Comment Poster”.

Caching WordPress with WP-Cache in a spam filled world

WP-Cache and spam. Who’d have thought they were related? Unfortunately they are because when your blog is spammed WP-Cache doesn’t check if the comment is legitimate or not and deletes cached files related to the spammed post.

I noticed this happened a lot on In Photos.org after I added thumbnails to the top of the page. The thumbnails change when the page is regenerated but I noticed that they would change much more frequently than expected. After some debugging I realised that comment spam was invalidating the WP-Cache cache.

How do you fix this? Here’s a small patch that can be applied to wp-cache-phase2.php, version 2.0.19 (and probably lower) that checks if the submitted comment was moderated or not. You’ll also find wp-cache-phase2.txt below. Just rename that to .php and copy it into your plugins/wp-cache/ folder for it to work.

Remember to update WP-Cache too. Despite last year’s date on the above post, it was updated as recently as last month!

Download

  1. wp-cache-phase2.diff
  2. wp-cache-phase2.txt

Patch will be on its way to gallir in a few moments but if you’re using WP-Cache this could be a big help to your site. (and if you use Ultimate Tag Warrior I hope you’re using my patch?)