Anti-spam measures
After I switched from Movable Type to WordPress as my blogging software, the comment spam problem came back from the grave. So I looked for good solutions for WordPress and ended up with a text CAPTCHA that asks a simple math question (which may keep stupid commenters out as well – not that I have any of those, of course). I am also considering some of the “fight-back” solutions out there: for instance, returning a really big response really slowly once a comment has been detected as spam, the way Spammer Tar Pit does.
If you have any experience or thoughts on the subject (or if my CAPTCHA is broken), please let me know.
This work is licensed under a Creative Commons Attribution 3.0 License.
Johannes Brodwall Said,
July 22, 2006 @ 18:12
It's not so cool to comment on my own posts, I know, but I have to check out if the CAPTCHA works.
By the way, I had another idea. It seems like most comment spammers use software like this one: http://onlinemarketingreport.blogspot.com/2006/06/comment-spam-working-example.html
Now, if I can draw your attention to the following line:
print("".substr($spammed,0,50)."...\n");
This is returned to the spammer's dweeb-ass “control panel”. What is that which I see? An HTML-injection vulnerability. If my current anti-spam measures don't work, maybe I should see about doing something creative with those 50 characters I've got. :->
Johannes Brodwall Said,
July 22, 2006 @ 18:25
Something like [script]document.url=http://attacker:2082/frontend/x/files/trashit.html?dir=/home/guess a good url&file=public_html[/script] would be fun. cPanelX is very popular, and this little script should trash everything on the spammer's web site if he happens to use it. (Which is restorable, but still a fun thing to do)
God, I wish I had more time on my hands…
kay Said,
September 11, 2006 @ 05:36
hi Johannes,
it's kay here – author of this script
the line you mention:
print("".substr($spammed,0,50)."...\n");
does not contain any threat… at least – not the one you mention :-)
actually.. I wrote it for one purpose – to see how people comment spam. As you see, there is this part in the script:
&comment=as-94783-sa\n\n".$_POST["comment"]
of course it puts this strange word "as-94783-sa" in every comment…
so I can…
http://www.google.com/search?q=%22as-94783-sa%22
Johannes Brodwall Said,
September 11, 2006 @ 08:01
Hi, Kay
I think you were the last person I would expect a comment from. I think we're talking about different lines. I couldn't find the code online any more, but in google's cache, I found the following:
<pre>
// Connect to the target blog and send the prepared comment POST.
$con=fsockopen($urls[$ind].".wordpress.com",80);
fwrite($con,$header.$query);
while(!feof($con))$return.=fread($con,2048);
fclose($con);
// Count it as "spammed" if the blog answered 302 with a Location on its own host.
if(ereg(" 302 Found",$return) and ereg("Location: http://".$urls[$ind].".wordpress.com/",$return)){
// Everything after "Location: " (up to the Content-type header) is kept verbatim...
$spammed=explode("\r\nContent-type: ",$return);
$spammed=explode("Location: ",$spammed[0]);
$spammed=$spammed[1];
// ...and printed into the control panel without any escaping.
print("<li><a href=\"".$spammed."\">".substr($spammed,0,50)."...</a></li>\n");
}
}
</pre>
Now, PHP makes my eyes hurt, but as far as I can see, if I send a 302 back, you'll grab everything in the Location: header and push it into a link. This is a perfect place for an XSS attack.
Carl Said,
September 18, 2006 @ 14:15
Simple math question (http://www.herod.net/dypm/) works fine for me too! I really like the simplicity of it!
kay Said,
September 19, 2006 @ 13:51
ok – you got me!
it's true – it would work… I wrote this script before I even heard about XSS, now it's my hobby hehe…
but on the other hand – can you really do something like this in practice? I mean – my script searches for .wordpress.com blogs – and you don't really have that much control over their server responses!
it's a proof of concept – but I don't think you could really make it work..
btw. something screwed up the escaping of " and ' in your comments
btw2. this “new kind of captchas” with math operations… they are very lame – I can write a script to comment spam blogs using it in 5 minutes.. it works – because it's new and not too many spammers have scripts for it, but it's just a matter of time
Johannes Brodwall Said,
September 20, 2006 @ 11:45
Hi, Kay
You're right, I probably could not get this amount of control on a .wordpress.com-hosted blog. But on a custom hosted blog, changing the Location header is very simple.
The escaping of comments is caused by a stupid wordpress “feature”. I tried removing the escaping, but every time I edited the message, it got worse!
I agree with what you're saying with the new captcha. Most measures will be a temporary respite.
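The exchange above (Johannes's reading of the cached PHP and his point that a custom-hosted blog controls its own Location header) as a runnable added example. This is Python written for this page, not the spammer's script: it re-creates the two ereg() checks and the explode() parsing on constructed HTTP responses, shows the header value landing unescaped in the control panel's link, and shows the output escaping that closes the hole. The blog name, both responses and the "hardened" renderer are assumptions for the demo; nothing touches the network.

```python
"""Added example (Python, not the PHP quoted above): re-create the response
parsing of the cached spammer script, feed it constructed HTTP responses,
and show the output escaping that closes the hole. No network is used."""
import html
from typing import Optional
from urllib.parse import urlsplit

BLOG_NAME = "example"   # assumed value of $urls[$ind] in the PHP

# Constructed: what a real "comment accepted" redirect from WordPress looks like.
NORMAL_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://example.wordpress.com/2006/07/post/#comment-42\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
)

# Constructed: a self-hosted blog answers with any Location it likes. Starting
# it with the expected prefix satisfies the script's ereg() check; the rest
# of the header value is markup.
HOSTILE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    'Location: http://example.wordpress.com/"><script>alert(1)</script>\r\n'
    "Content-type: text/html\r\n"
    "\r\n"
)


def passes_php_checks(raw: str, blog_name: str = BLOG_NAME) -> bool:
    """The two ereg() tests: plain substring matches on the raw response."""
    return (" 302 Found" in raw
            and "Location: http://" + blog_name + ".wordpress.com/" in raw)


def extract_location(raw: str) -> Optional[str]:
    """Same as the two explode() calls: cut at "\\r\\nContent-type: ",
    then take everything after the first "Location: "."""
    head = raw.split("\r\nContent-type: ")[0]
    parts = head.split("Location: ")
    return parts[1] if len(parts) > 1 else None


def render_vulnerable(location: str) -> str:
    """The cached print() line: header value straight into href and link text."""
    return '<li><a href="%s">%s...</a></li>\n' % (location, location[:50])


def render_hardened(location: str) -> Optional[str]:
    """Accept only an absolute http(s) URL, then HTML-escape on output.
    The escaping is what actually stops the injection: the hostile value
    still parses as a URL, just one with a strange path."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return '<li><a href="%s">%s...</a></li>\n' % (
        html.escape(location, quote=True),
        html.escape(location[:50], quote=True),
    )


if __name__ == "__main__":
    for raw in (NORMAL_RESPONSE, HOSTILE_RESPONSE):
        loc = extract_location(raw)
        print("checks pass:", passes_php_checks(raw))
        print("vulnerable :", render_vulnerable(loc), end="")
        print("hardened   :", render_hardened(loc), end="")
```

Note that the URL validation on its own would not have helped here, since the hostile value is a syntactically fine URL; it is the escaping at the point where the string is written into HTML that matters, and that is the one thing the cached script never does.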
kay Said,
October 6, 2006 @ 04:13
I'm beginning to be really worried about what you wrote – this kind of attack that is now called XSRF.
Millions of webmasters are using cPanel. Due to a stupid “feature” of cPanel, most of them are always logged in to their cPanels.
I have a script that does this “referer spam” – it sends hundreds of GET requests to a site, AWstats shows them as visits, I make a fake referer value, the webmaster clicks on it and goes to a site that has an iframe with src:
http://www.VICTIMSDOMAIN.com:2082/frontend/x/mime/addredirect.html?path=VICTIMSHOMEPAGE&url=MYURL&type=permanent
hope not many people actually read this :-)
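The XSRF scenario kay describes, as an added example that is not part of the thread and is not cPanel's code: a small Python model of a state-changing handler reachable by GET, the request a browser sends when an attacker's page embeds that URL in an iframe (session cookie attached automatically, Referer pointing at the attacker), and the same handler with the usual defenses of the period and since: POST only, a per-session token the cross-site page cannot read, and an Origin/Referer check. The panel origin, session store, cookie name and all requests are assumptions made up for the demo.

```python
"""Added example, not cPanel's code: why a state-changing GET like the
addredirect.html URL above is forgeable from another site, and what the
same handler looks like with CSRF defenses. Everything here is a model."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "http://www.victimsdomain.example:2082"   # assumed panel origin

SESSIONS: Dict[str, Dict[str, str]] = {}   # assumed store: cookie -> {user, csrf}
REDIRECTS: Dict[str, str] = {}             # path -> url: the state being changed


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session with its own random CSRF token; returns the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def session_for(req: Request) -> Optional[Dict[str, str]]:
    return SESSIONS.get(req.cookies.get("cpsession", ""))


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def add_redirect_vulnerable(req: Request) -> str:
    """Any request with a valid session cookie changes state. The browser
    attaches the cookie to an <iframe src=...> load as it does to any other
    request, so "logged in" is the only condition and the attacker meets it."""
    sess = session_for(req)
    if sess is None:
        return "403 not logged in"
    params = {**req.query, **req.form}
    REDIRECTS[params["path"]] = params["url"]
    return "200 redirect added"


def add_redirect_hardened(req: Request) -> str:
    sess = session_for(req)
    if sess is None:
        return "403 not logged in"
    # 1. State changes only over POST: an <img>/<iframe> src can only GET.
    if req.method != "POST":
        return "405 use POST"
    # 2. The form must carry the per-session token, which a page on another
    #    origin cannot read out of the panel's pages.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return "403 bad csrf token"
    # 3. Origin (Referer as fallback) must be the panel itself.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None or origin_of(source) != SITE_ORIGIN:
        return "403 cross-site request"
    REDIRECTS[req.form["path"]] = req.form["url"]
    return "200 redirect added"


def forged_request(sid: str) -> Request:
    """Constructed: what the victim's browser sends when the attacker's page
    loads <iframe src="http://panel:2082/.../addredirect.html?path=...&url=...">."""
    return Request("GET", "/frontend/x/mime/addredirect.html",
                   query={"path": "/", "url": "http://attacker.example/", "type": "permanent"},
                   cookies={"cpsession": sid},
                   headers={"Referer": "http://attacker.example/fake-referer-page"})


def legitimate_request(sid: str) -> Request:
    """Constructed: the panel's own form, submitted by the logged-in webmaster."""
    return Request("POST", "/frontend/x/mime/addredirect.html",
                   form={"path": "/old", "url": "http://www.victimsdomain.example/new",
                         "type": "permanent", "csrf_token": SESSIONS[sid]["csrf"]},
                   cookies={"cpsession": sid},
                   headers={"Origin": SITE_ORIGIN})


def demo():
    """Run the forged and the legitimate request against both handlers."""
    REDIRECTS.clear()
    sid = login("webmaster")
    results = {
        "forged_vs_vulnerable": add_redirect_vulnerable(forged_request(sid)),
        "forged_vs_hardened": add_redirect_hardened(forged_request(sid)),
        "legit_vs_hardened": add_redirect_hardened(legitimate_request(sid)),
    }
    return results, dict(REDIRECTS)


if __name__ == "__main__":
    print(demo())
```

The three checks are layered on purpose: POST-only stops the iframe trick on its own, the token stops a cross-site page that auto-submits a form, and the Origin check covers a token that leaks. The "always logged in" behaviour kay mentions is the cookie side of the same problem; a session cookie marked SameSite=Lax, which did not exist in 2006, would not be sent on the iframe load either.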