A number of folk have started to see more spam comments, posted by bots, appearing in their logged-out comments section.

I’ve already written an Akismet plugin, which has helped with some of it, and Known core has also been extended with some countermeasures. However, I wanted to see if I could do more.

When I was wearing one of my other hats the other day, I had the opportunity to play with the new Recaptcha 3 code, and I thought I’d bring it to Known.

Recaptcha 3 takes a new approach to detecting bots. Rather than showing a popup and getting you to click on pictures (which is very, very annoying, and hard for those with accessibility issues), Recaptcha 3 does some arcane magicks behind the scenes to work out who is a bot and who is not, and then gives you a score indicating the likelihood that you’re dealing with a human: 1.0 for a high likelihood of a meat sack, 0.0 for a bot, and any value in between.

Much as with spam detectors such as SpamAssassin, you can then set your own threshold values, and do so on a page-by-page basis.

Crucially, you’re never going to get a popup. Thank the Gods.

Anyway, I’ve built this out as a plugin. Out of the box, you’ll get protection for login, registration, and public comments, but you can extend it to protect your own custom forms without too much trouble.
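The score-plus-threshold decision described above, worked through as an added example (this is not code from the Known Recaptcha plugin). It assumes the documented JSON shape of Google's siteverify response (success, score, action, hostname, error-codes); the HTTP call to siteverify is not made here, the function takes the response body so the decision logic runs offline. The per-form thresholds and the sample responses are constructed for the example.

```python
"""Server-side handling of a reCAPTCHA v3 verdict with per-form thresholds.

Added example for this post; not code from the Known plugin. Assumes the
documented siteverify response fields (success, score, action, hostname,
error-codes). The call to siteverify itself is left out: evaluate() takes
the response body, so the logic runs offline.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Per-form thresholds (constructed values). A comment form can afford to be
# stricter than login, where a false positive locks a real user out.
THRESHOLDS = {"login": 0.3, "register": 0.5, "comment": 0.7}
DEFAULT_THRESHOLD = 0.5


@dataclass
class Verdict:
    allowed: bool
    reason: str
    score: Optional[float] = None


def evaluate(siteverify_body: str, expected_action: str, expected_hostname: str) -> Verdict:
    """Decide whether a submission passes, given the raw siteverify JSON.

    Beyond the score, the action and hostname are checked: a token minted for
    one form (or for another site) must not be accepted by a different form.
    """
    data = json.loads(siteverify_body)
    if not data.get("success"):
        errors = ",".join(data.get("error-codes", [])) or "unknown"
        return Verdict(False, f"token rejected ({errors})")
    if data.get("action") != expected_action:
        return Verdict(False, f"action mismatch: got {data.get('action')!r}")
    if data.get("hostname") != expected_hostname:
        return Verdict(False, f"hostname mismatch: got {data.get('hostname')!r}")
    score = float(data.get("score", 0.0))
    threshold = THRESHOLDS.get(expected_action, DEFAULT_THRESHOLD)
    if score < threshold:
        return Verdict(False, f"score {score:.2f} below threshold {threshold:.2f} "
                              f"for {expected_action}", score)
    return Verdict(True, "ok", score)


# Constructed responses in the siteverify format; not captured from Google.
HUMAN_COMMENT = json.dumps({"success": True, "score": 0.9, "action": "comment",
                            "challenge_ts": "2019-01-01T00:00:00Z", "hostname": "blog.example"})
LIKELY_BOT = json.dumps({"success": True, "score": 0.1, "action": "comment",
                         "challenge_ts": "2019-01-01T00:00:00Z", "hostname": "blog.example"})
WRONG_FORM = json.dumps({"success": True, "score": 0.9, "action": "login",
                         "challenge_ts": "2019-01-01T00:00:00Z", "hostname": "blog.example"})
BAD_TOKEN = json.dumps({"success": False, "error-codes": ["invalid-input-response"]})

if __name__ == "__main__":
    for name, body in [("human", HUMAN_COMMENT), ("bot", LIKELY_BOT),
                       ("wrong form", WRONG_FORM), ("bad token", BAD_TOKEN)]:
        v = evaluate(body, "comment", "blog.example")
        print(f"{name:10} allowed={v.allowed} reason={v.reason}")
```

The action and hostname checks are the part people tend to skip: the score alone says nothing about which form the token was issued for, and the threshold table is what lets a login page be lenient while the public comment form is strict.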

Have a play!

» Visit the project on Github...

The other week The Register wrote an article, which talked about the Indieweb, and Webmentions in particular.

The article covered a bunch of things, but highlighted the potential spam issue with webmention, which I’ve been meaning to do something about in Known for a while. Since Known was mentioned right at the end of the article, I figured I should probably pull my finger out.

So, while the community builds a better way of handling spammy comments and webmentions (e.g. Vouch, or a similar graph-based filter), I put together a very quick Akismet plugin. Obviously this is centralisation / a single point of failure, but it’s a quick fix that’ll hopefully stop the worst of the problems while we build something better.

Usage

Install in the normal way, and activate with your WordPress API key.

Now, all new annotations (including comments and webmentions) will be passed through Akismet before being posted. Note that this requires you to be running a version of Known with the annotation/save event hook added by this pull request.

Enjoy.

» Visit the project on Github...

Spam comes in many forms.

I had been noticing some odd traffic appearing in my referrer logs from “buttons-for-website.com”, and a few other places. Odd, I thought, but I wasn’t too concerned.

A client recently asked me about it, since similar traffic was starting to appear in their analytics for a brand new site. I did a little bit of research, and it turns out that this is actually a spam attack.

Basically, the spammer hits your site and sets a Referer header containing a URL and their spam message (usually keywords plus another URL). Since a small percentage of sites make their referrer logs public (either deliberately or through misconfiguration), when those logs are indexed they can be used to game search-engine rankings for the site the spammer is trying to boost.

Stopping the spam with mod_security

I don’t like spammers, and it was starting to make my logs (and those of my client) a little noisy, so I decided to do something about it. Using mod_security, I added a couple of simple rules that drop any request whose referrer contains certain keywords.

Simple, but effective:

# ModSecurity 2.7 and later require every rule to carry a unique id; the ids
# below are placeholders, so pick values not used elsewhere in your config.
SecRule REQUEST_HEADERS:Referer "^https?://(www\.)?buttons\-for\-website\.com/?" \
        "id:1001,phase:1,log,deny,status:503,msg:'Referer spam'"

SecRule REQUEST_HEADERS:Referer "^https?://(www\.)?simple\-share\-buttons\.com/?" \
        "id:1002,phase:1,log,deny,status:503,msg:'Referer spam'"

... etc...

This seemed to put an end to the worst of it.

I also noticed that a few spammers were posting with obvious spam keywords in the referrer header, so I added a similar rule to block those for good measure:

SecRule REQUEST_HEADERS:Referer "(viagra|phentermine|cialis)" \
        "id:1003,phase:1,log,deny,status:503,msg:'Referer spam'"

SecRule REQUEST_HEADERS:Referer "(poker|casino|holdem)" \
        "id:1004,phase:1,log,deny,status:503,msg:'Referer spam'"

Testing

To test your rules, use curl to hit your site (replace https://your-site.example/ with your own address) and send a triggering referrer; a 503 status means the rule fired, e.g.

curl -s -o /dev/null -w '%{http_code}\n' --referer https://buttons-for-website.com/ https://your-site.example/

Or

curl -s -o /dev/null -w '%{http_code}\n' --referer https://example.com/poker https://your-site.example/

Hope that helps!