WordPress Spam

July 13th, 2006 · Posted by Skuds in Technology · 2 Comments

Tygernet was moaning about this the other day. Actually moaning is not the right word: he was quite belligerent about it really.

Anyway, I have been wondering about this for a while, because I really am not very expert in the inner workings of MySQL/PHP. I know the reason why a spammer would want to have a useless comment attached to a blog post – because it would contain a link to his piece of crap website selling timeshares or porn or pharmaceuticals or online gambling or whatever, and the more links the better page ranking he would get on Google whenever someone searched for timeshares or porn or pharmaceuticals or online gambling or whatever.

What I don’t understand is how they actually do it. It’s not an automated script which calls up a page and then adds a comment, because surely that would show up as a hit – and some days my filters catch more spam comments than the total hits for the day. The way WordPress works is that each post, page and comment is an entry in a database (I think) so what the spammers are doing is creating records in my database, bypassing the normal entry method (the comment form).

Even when they are trapped by a filter, as most are, they are still occupying space in my database until I moderate or clear out the Akismet stuff. It just seems so much more intrusive than the spam I used to get on Blogger. In theory, if enough spam arrived quickly enough it could use up all my disk space, although it’s unlikely.

I would be really interested to know how the bastards do it. To my simple mind it seems that blocking that method of inserting comments would be more effective than the current one, which analyses the content.

Also I would be interested to know why they still persist. Are there enough blogs out there with no sort of moderation or filter that the spammers still manage to achieve their objectives?

2 Comments so far ↓

  • Andrew

    I *think* that the spammers directly talk to the wp-comments-post.php script, which is called whenever a comment is submitted. They formulate the request so it looks like it comes from a real page, but doesn’t show up as a hit on the site. That’s based on something I vaguely remember reading, though, so could be completely wrong.

  • Skuds

    That sounds about right. It’s bloody annoying though. I would have thought that trying to prevent that script being called by anything other than a proper page would be the way to tackle it – but you just know that the spammers would then find some new way round it.

    Not that they are that clever – I’m sure they are just script-kiddies using someone else’s code, but the ones who write that code are always up for a challenge.
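
The behaviour Andrew describes in the comments, comments submitted straight to wp-comments-post.php without the post page ever being loaded, can be checked from the site owner's side in the web server access log. The following is an added example, not part of the original post or of WordPress: the log lines are constructed (Apache combined format, documentation IP ranges) and the function name `direct_comment_posts` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jul/2006:10:00:01 +0100] "GET /2006/07/wordpress-spam/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Jul/2006:10:02:30 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2006/07/wordpress-spam/" "Mozilla/5.0"
198.51.100.7 - - [13/Jul/2006:10:03:00 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2006/07/wordpress-spam/" "Mozilla/4.0"
198.51.100.7 - - [13/Jul/2006:10:03:01 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2006/07/other-post/" "Mozilla/4.0"
203.0.113.5 - - [13/Jul/2006:10:04:00 +0100] "GET /feed/ HTTP/1.1" 200 900 "-" "FeedReader"
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
COMMENT_ENDPOINT = "/wp-comments-post.php"


def direct_comment_posts(log_text):
    """Return {ip: count} of comment POSTs made by clients that had not
    fetched anything with GET earlier in the same log."""
    seen_get = set()
    flagged = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if method == "GET":
            seen_get.add(ip)
        elif method == "POST" and path == COMMENT_ENDPOINT and ip not in seen_get:
            # The Referer header names a post, but this client never loaded one.
            flagged[ip] += 1
    return dict(flagged)


if __name__ == "__main__":
    for ip, n in direct_comment_posts(SAMPLE_LOG).items():
        print(f"{ip}: {n} comment POST(s) with no prior page view")
```

A reader who loaded the page before the log was rotated would also be flagged, so the output is a lead for moderation rather than a verdict.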