
Textpattern CMS support forum


#16 2005-12-22 16:20:45

Daragh
Member
From: Toronto Canada
Registered: 2004-05-26
Posts: 60
Website

Re: Textile formatted comment spam

I’ve been getting the same thing, every few hours in batches of 10 or so from different IPs. Would upgrading to 4.0.2 help at all?

Offline

#17 2005-12-23 00:16:50

goncourt
Member
From: Dortmund/Germany
Registered: 2005-03-27
Posts: 24
Website

Re: Textile formatted comment spam

I am at 4.0.2 and I’ve got the same problem (I posted it in the German forum). In a period of more or less four hours I got over 200 spam comments, even 20 of them in two minutes — with different IPs.

I made the following observation:
since I stopped the comment possibility, the attack is still going on. Strangely enough, the referrers don’t start from where the comments would start – from the articles. Nor do they start from the weblog’s root, but from my site root (goncourt.net instead of goncourt.net/Blog). Either they use some JavaScript function to reset the history variables (I don’t know if that is possible) or they use URL manipulations to jump via the “goncourt.net/Blog” link at the homepage (which is only the link to enter the main page of the blog) into deeper links.

for e.g.:
date host url referrer
12/23 1:35 am ip68-10-101-26.hr.hr.cox.net Blog/article/820/nixon-you-dress-pretty-wild-dont-you goncourt.net
12/23 1:35 am 12-208-204-210.client.insightBB.com Blog/article/777/ein-sonntagskind-formerly-known-a…s-prinz goncourt.net
12/23 1:35 am ip70-177-33-3.br.br.cox.net Blog/article/741/i-said-i-didnt-believe-in-nature goncourt.net

(etc.)

Last edited by goncourt (2005-12-23 00:19:06)

Offline

#18 2005-12-23 07:47:20

davidm
Member
From: Paris, France
Registered: 2004-04-27
Posts: 719

Re: Textile formatted comment spam

It would seem someone has taken some time to circumvent the “preview” security feature in Textpattern. Too bad, since not having comment spam was a strong suit of Textpattern compared to other systems…

The spam I got was focused on one article only, I see yours was on multiple articles…

One thing comes to mind: maybe there is a plugin I missed, but the spam I get could easily be prevented with a word filter / censoring. Maybe we’ll need something like this in the near future :(


.: Retired :.

Offline

#19 2005-12-23 09:31:50

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803
Website

Re: Textile formatted comment spam

Well, I’ve mentioned it in another thread, but it may have gotten lost. We are aware of the problem and are taking steps to improve on the situation. And while it is possible to write/port spam plugins from other systems already, we are looking at ways to make writing anti-spam plugins easier as well.

Offline

#20 2005-12-23 10:30:05

RenJonsin
Member
From: Tarpon Springs, FL USA
Registered: 2005-02-06
Posts: 103
Website

Re: Textile formatted comment spam

I set up a friend’s blog to use Textpattern and it is receiving tons of referrer spam from the host ns1.imagehop.com. It previously used WordPress to post the articles. My site, Frontstretch.com, never gets any comment or referrer spam. Both sites are served from the same machine, so that’s about the only difference.

Just thinking that maybe the problem is that they know the site was able to show spam prior and are still attempting to use that resource while not attacking areas that didn’t have the capability to accept spam in the past.

She doesn’t have anything new enough to accept comments, so I went ahead and threw a PR report on there just now to see if anything would show up. Her site is www.cawsnjaws.com.

Offline

#21 2005-12-23 15:04:10

reid
Member
From: Atlanta, Ga.
Registered: 2004-04-04
Posts: 224
Website

Re: Textile formatted comment spam

I got more spam on my site yesterday than I have the entire calendar year. Looking over the logs, it seems clear someone has attempted to automate spam posting on Txp sites. The hits come fast and from multiple IPs, give a false referrer of my home page on pages that are no longer linked from there, and keep hitting pages until it finds one where comments are still open.

Once it posts successfully (even if you immediately delete it), it comes back to that URL once an hour, every hour, and tries to post another one.

Somehow, the drug terms in this spam were skipping by server level protection at TextDrive, but can be blocked in my local .htaccess. Between that and going to comment moderation, I’ve at least been able to keep it off my site since late yesterday afternoon.

Looking forward to version 4.0.3…


TextPattern user since 04/04/04

Offline
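The pattern reid and goncourt describe above (article requests from many different hosts in the same minute, all claiming the site root as referrer) can be picked out of a visitor log mechanically. This is an added example, not part of any post in this thread and not Textpattern code; the log layout follows goncourt's table, while the host names, site root, year and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the column layout goncourt posted:
# date, time, am/pm, host, url, referrer. Hosts and site are made up.
SAMPLE_LOG = """\
12/23 1:35 am host-a.isp1.example Blog/article/820/some-title site.example
12/23 1:35 am host-b.isp2.example Blog/article/777/another-title site.example
12/23 1:35 am host-c.isp1.example Blog/article/741/third-title site.example
12/23 1:35 am host-d.isp3.example Blog/article/820/some-title site.example
12/23 1:41 am reader.isp4.example Blog/article/820/some-title site.example/Blog
12/23 1:41 am reader.isp4.example Blog/article/777/another-title site.example/Blog/article/820/some-title
"""

SITE_ROOT = "site.example"  # assumption: the root page does not link to articles
MIN_HOSTS = 3               # assumption: distinct hosts per minute worth flagging
LOG_YEAR = 2005             # assumption: the log omits the year


def parse(line):
    """Split one log line into (minute, host, url, referrer)."""
    date, clock, ampm, host, url, referrer = line.split()
    minute = datetime.strptime(f"{LOG_YEAR}/{date} {clock} {ampm}",
                               "%Y/%m/%d %I:%M %p")
    return minute, host, url, referrer


def suspicious_minutes(log_text, site_root=SITE_ROOT, min_hosts=MIN_HOSTS):
    """Return {minute: sorted hosts} for minutes in which at least min_hosts
    distinct hosts requested article pages with the site root as referrer."""
    hosts_by_minute = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        minute, host, url, referrer = parse(line)
        deep_link = "/article/" in url
        root_referrer = referrer.rstrip("/") == site_root
        if deep_link and root_referrer:
            hosts_by_minute[minute].add(host)
    return {m: sorted(h) for m, h in hosts_by_minute.items()
            if len(h) >= min_hosts}


if __name__ == "__main__":
    for minute, hosts in suspicious_minutes(SAMPLE_LOG).items():
        print(minute.strftime("%m/%d %H:%M"), len(hosts), "hosts:",
              ", ".join(hosts))
```

The ordinary reader at 1:41 is not flagged because the referrers are pages that actually link to the articles; only the 1:35 burst matches.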

#22 2005-12-23 15:52:21

kriskhaira
Member
From: Malaysia
Registered: 2005-02-22
Posts: 16
Website

Re: Textile formatted comment spam

I’ve been having the same problem at http://kriskhaira.com/blog/. I’m on 4.0.2. Over 30 comment spams today!

Looking forward to a better security feature. :)

Offline

#23 2005-12-23 16:00:40

sewm
New Member
From: Toronto, Canada
Registered: 2004-05-08
Posts: 9
Website

Re: Textile formatted comment spam

You guys seem to be on top of things so I won’t post my logs just yet. I seem to get multiple comments at the same time from different IPs. I would ban them except they don’t seem to use the same one twice so there doesn’t seem to be much point.

None of the comment spam that I have received yet has Textile formatted text, just BBCode or plain URIs.

Offline

#24 2005-12-23 16:13:27

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803
Website

Re: Textile formatted comment spam

As I said, one of the interesting things will be an API for people to write spam-plugins.

If there are developers that want to write and/or port over (from other publishing software) anti-spam-plugins, please subscribe to the txp-dev or txp-plugins list:
http://lists.textpattern.com/mailman/listinfo

Offline

#25 2005-12-23 16:16:59

studiozoe
New Member
From: Göteborg, Sweden
Registered: 2004-11-14
Posts: 8

Re: Textile formatted comment spam

I’ve already deleted the spam, but I’ll post the logs just in case it helps someone determine a fix or whatever…

Date banned ip Name used Banned for

2005-12-23 adsl-68-248-197-42.dsl.milwwi.ameritech.net virtual casino 1977
2005-12-23 d150-124-81.home.cgocable.net nextel ringtones 1978
2005-12-23 pcp08334418pcs.puntag01.fl.comcast.net flexeril 1975
2005-12-23 49.86.171.66.subscriber.vzavenue.net VasaMom 1972
2005-12-23 ool-182d6ea7.dyn.optonline.net lipitor 1973
2005-12-23 adsl-70-233-182-4.dsl.okcyok.sbcglobal.net lotto 1974

Offline

#26 2005-12-23 18:28:20

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803
Website

Re: Textile formatted comment spam

Here’s a preliminary plugin that should help for a while. Install and activate.


Last edited by wet (2008-07-28 08:40:41)

Offline

#27 2005-12-24 03:19:32

zem
Developer Emeritus
From: Melbourne, Australia
Registered: 2004-04-08
Posts: 2,579

Re: Textile formatted comment spam

Can someone who’s being hit by spam please test a current copy from http://svn.textpattern.com/development/4.0/, and see if it stops the bot (without using Sencer’s plugin).


Alex

Offline

#28 2005-12-24 03:49:34

dubh
Member
From: Wellington, New Zealand
Registered: 2004-02-27
Posts: 20
Website

Re: Textile formatted comment spam

> Sencer wrote:
> Here’s a preliminary plugin that should help for a while. Install and activate.

Cool! So far so good.

thanks

Alan


Alan Macdougall — http://halfpie.net/

Offline

#29 2005-12-24 09:25:54

Astarte
Member
Registered: 2005-04-04
Posts: 11
Website

Re: Textile formatted comment spam

Okay, I have the SVN version up, and I’ve turned off the blacklist. I was hit hard yesterday and today. What was the change?

Offline

#30 2005-12-24 20:36:18

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: Textile formatted comment spam

I installed the plugin and turned logging back on:

12/24 8:44 am ool-4352e7ef.dyn.optonline.net generic/205/scriptaculous#comment
12/24 8:44 am 24-183-41-57.dhcp.mdsn.wi.charter.com #stopdude-blocked-comment-on-205
12/24 8:44 am ool-182ed855.dyn.optonline.net generic/205/scriptaculous#comment#cpreview
12/24 8:44 am 12-221-121-109.client.insightBB.com generic/205/scriptaculous#comment

12/24 12:57 pm 68-65-74-141.lmdaca.adelphia.net generic/205/scriptaculous#comment
12/24 12:57 pm ip68-3-170-229.ph.ph.cox.net #stopdude-blocked-comment-on-205
12/24 12:57 pm cpe-68-173-27-170.nyc.res.rr.com generic/205/scriptaculous#comment#cpreview
12/24 12:56 pm spc1-burn2-3-0-cust130.bagu.broadband.nt…l.com generic/205/scriptaculous#comment

It definitely appears to be working.

Offline
