How spammers spam your blog comments
Posted by Jean-Baptiste Jung on Sep 9, 2008 in Web development • 31 comments
As a blogger, I receive hundreds of spam comments every day. I was curious about how spammers manage to send so many automated comments to thousands of blogs. Here's an example that demonstrates how to spam blogs using PHP and cURL.
This article is for educational purposes only. It was written to help bloggers understand one of the techniques spammers use against their blogs, not to encourage spam of any sort.
Blog spamming is mostly useless anyway: most blogs run the Akismet antispam plugin and moderate comments manually.
Part 1: getting info
The first thing the spammer has to know is how your comment form works. Most WordPress comment forms work in exactly the same way, which is probably why spammers can spam so many blogs so easily.
Here's a "basic" WordPress comment form:
<form action="wp-comments-post.php" method="post" id="commentform">
<p>
<input type="text" name="author" id="author" value="" size="30" tabindex="1" />
<label>Name <span class="required">(required)</span></label>
</p>
<p>
<input type="text" name="email" id="email" value="" size="30" tabindex="2" />
<label>Email <span class="required">(required)</span></label>
</p>
<p>
<input type="text" name="url" id="url" value="" size="30" tabindex="3" />
<label>Website</label>
</p>
<p>
<textarea name="comment" id="comment" cols="100%" rows="10"></textarea>
</p>
<p>
<input type="image" src="submit.png" />
<input type="hidden" name="comment_post_ID" value="524" />
<input type="hidden" id="_wp_unfiltered_html_comment" name="_wp_unfiltered_html_comment" value="0d870b294b" />
</p>
</form>
To submit a comment through that form, we must fill in the following fields:
- Name (author)
- Email (email)
- Website (url)
- Comment (comment)
Only Name and Email are marked as required, but a spammer will always supply a Website, since the link is the whole point of the exercise.
There are also two hidden fields:
- comment_post_ID: the numeric ID of the post being commented on (524 here). It differs for every post, so a bot has to read it out of each page it targets.
- _wp_unfiltered_html_comment: a nonce that WordPress only emits, and only checks, for logged-in users who are allowed to post unfiltered HTML (the value above was captured from a logged-in session). An anonymous submission that omits it, or replays a stale value, is still accepted, so it does nothing to stop bots.
Part 2: Creating the script
Now that we have the required info, we can start coding our spam script using PHP and cURL. We define an array ($postfields) containing the values we want to pass to the page, named exactly as the form fields above.
<?php
// Form fields, named exactly as in the comment form from Part 1
$postfields = array();
$postfields["author"] = "Spammer";
$postfields["email"] = "spammer@spam.com";
$postfields["url"] = "http://www.iamaspammer.com/";
$postfields["comment"] = "I am a stupid spammer.";
$postfields["comment_post_ID"] = "123"; // read from the targeted page
$postfields["_wp_unfiltered_html_comment"] = "0d870b294b"; // copied from the targeted page

// URL the form submits to: the form's action attribute, resolved against the page URL
$url = "http://www.ablogthatdoesntexist.com/blog/wp-comments-post.php";
$useragent = "Mozilla/5.0";
$referer = $url;

// Initialize the cURL session
$ch = curl_init($url);

// cURL options
curl_setopt($ch, CURLOPT_POST, 1);                 // send a POST request
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields); // with $postfields as the body
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);   // pretend to be a browser (Mozilla/5.0)
curl_setopt($ch, CURLOPT_REFERER, $referer);       // send a Referer header ($url)
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);       // return the response page as a string

// Run the request and close the session
$result = curl_exec($ch);
curl_close($ch);

// Finally, display the result
echo $result;
?>
All right. Now the spammer just has to run the script, and it will automatically post the message.
Of course, a real spammer will not type the blog post URL into his script by hand, but loop through a CSV file of targets, or even Google results, fetching each page first to read its form action and comment_post_ID. I'm not going to say much more about that, since this code is only an example and definitely not a functional spam bot.
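The two steps above (read the form, then replay it) in one place, as an added example that is not part of the original post or of the seoblackout article it credits: a Python script using only the standard library that parses a comment form like the one in Part 1, pulls out the action URL, the visible fields and the hidden fields, and assembles the POST body and headers the PHP script sends. It never sends anything; the form HTML and the page URL below are constructed for the example.

```python
"""Harvest a WordPress-style comment form and build the POST a comment bot would send.

Added example, not code from the original post. Standard library only, no network access:
SAMPLE_FORM and the page URL used below are constructed to match the form shown in Part 1.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed sample: the fields of the form from Part 1, without the labels.
SAMPLE_FORM = """
<form action="wp-comments-post.php" method="post" id="commentform">
<input type="text" name="author" id="author" value="" size="30" />
<input type="text" name="email" id="email" value="" size="30" />
<input type="text" name="url" id="url" value="" size="30" />
<textarea name="comment" id="comment" cols="100%" rows="10"></textarea>
<input type="image" src="submit.png" />
<input type="hidden" name="comment_post_ID" value="524" />
<input type="hidden" name="_wp_unfiltered_html_comment" value="0d870b294b" />
</form>
"""


class CommentFormParser(HTMLParser):
    """Collects the action, the visible field names and the hidden name=value pairs
    of the form with id="commentform"; everything outside that form is ignored."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.visible = []   # text inputs and textareas the bot has to fill in
        self.hidden = {}    # hidden inputs the bot copies verbatim (comment_post_ID, nonce)
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("id") == "commentform":
            self._in_form = True
            self.action = a.get("action", "")
        elif self._in_form and tag == "input" and "name" in a:
            if a.get("type") == "hidden":
                self.hidden[a["name"]] = a.get("value", "")
            elif a.get("type", "text") == "text":
                self.visible.append(a["name"])
        elif self._in_form and tag == "textarea" and "name" in a:
            self.visible.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def harvest(html, page_url):
    """Part 1: return (absolute action URL, visible field names, hidden fields)."""
    parser = CommentFormParser()
    parser.feed(html)
    if parser.action is None:
        raise ValueError("no form with id='commentform' in page")
    return urljoin(page_url, parser.action), parser.visible, parser.hidden


def build_post(html, page_url, payload):
    """Part 2: return (target URL, headers, urlencoded body) for the request the PHP script sends.
    payload maps visible field names to the bot's values; hidden fields are replayed as found."""
    target, visible, hidden = harvest(html, page_url)
    fields = dict(hidden)
    for name in visible:
        fields[name] = payload.get(name, "")  # naive bot: fills every field it can find
    headers = {"User-Agent": "Mozilla/5.0", "Referer": page_url}
    return target, headers, urlencode(fields)


if __name__ == "__main__":
    page = "http://www.ablogthatdoesntexist.com/blog/?p=524"  # constructed, does not exist
    spam = {"author": "Spammer", "email": "spammer@spam.com",
            "url": "http://www.iamaspammer.com/", "comment": "I am a stupid spammer."}
    target, headers, body = build_post(SAMPLE_FORM, page, spam)
    print("POST", target)
    print(headers)
    print(body)
```

Note that the Referer is set to the post page rather than to the handler, which is what a real browser would send; WordPress does not check it either way, which is one reason the request is so easy to forge.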
This tutorial was inspired by this excellent article from the French website www.seoblackout.com.
That is really interesting. I get hundreds of pieces of spam every day and it is driving me crazy. Is there any way in which you can easily stop spam from ever reaching your filter?
Captcha stops spam efficiently, but I hate solving captchas so I’m not going to do that on my own blogs. Personally, I use Akismet (Which works great) and manual moderation.
I heard about a hack to stop 90 percent of spam without a captcha, I should talk about it in a future article!
Great post! I never knew how it was done (not that I want to do it myself, but it's interesting nonetheless...)
Akismet is great, but one that I'm using on my WordPress MU installation is Monty Spam, which is proving to be fantastic. It's only for MU at the moment, but I believe it's going to be coming to the single install of WP
Thank you Jamie. Indeed, spamming is not a good thing and no-one can have real benefits from it.
Nice info about Monty Spam, I'll forward to it!
“There’s also 3 hidden fields:” Umm…didn’t you mean ‘There’s also 2 hidden fields’. From looking at the html that’s what I found. Also, it seems that only the ‘Name’ and the ‘Email’ fields are required from looking at the html.
@Ton: You’re right about hidden fields, there’s only two. Thanks for correcting my mistake.
Yes, only name and email are required, but in the case of spamming, you have to provide a URL.
Based on this post, here are some ideas. These are specific to Wordpress but could be adapted to work with other blogging engines.
1 - Rename wp-comments-post.php to something that is specific to the site. This would force potential spammers to do more work to figure out the name of the program to invoke.
2 - Similar to #1, rename some of the input fields in the form.
3 - Emit a random “magic cookie” value inside of a hidden form field. Then refuse to post the comment unless this value is present.
@Jeff Barr:
Good ideas here. Another antispam trick I created for another blog was to add a new hidden field, and then verify that this field is empty.
As robots tend to fill all fields they can find, if the field is filled, you can say it's spam.
That worked quite well on a small blog, but some spam managed to bypass it.
On my blog the name of the form fields are randomised, stored in a session variable, and regenerated within a specific timeframe, so grabbing the form and using the form variables only works if you are accessing it within the same session and within a set period of time.
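Jeff Barr's random "magic cookie" (idea 3 above), the empty-by-design hidden field jbj describes, and Andrew's per-session randomised field names with a time limit, combined on the server side as an added example. This is not code from WordPress, from Andrew's plugin or from any commenter: the session store is a plain dict, the form lifetime FORM_TTL is an assumed value, and the clock is passed in explicitly so the checks run offline.

```python
"""Server-side comment-form checks: per-session token, randomised field names with a
time limit, and a honeypot field that must stay empty.

Added example, not code from WordPress or from any plugin mentioned in the thread.
Assumptions: `session` is the visitor's server-side session (a dict here), the form
template renders the names returned by issue_form(), and FORM_TTL is an assumed lifetime.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

REAL_FIELDS = ("author", "email", "url", "comment")
REQUIRED = ("author", "email", "comment")
FORM_TTL = 15 * 60  # assumed: seconds a rendered form stays valid


def issue_form(session, now=None):
    """Render-time side. Stores in the session a random token (the 'magic cookie'), a random
    name for every real field, and the name of an extra honeypot field that the template hides
    with CSS. Returns what the template needs to render the form."""
    now = time.time() if now is None else now
    session["token"] = secrets.token_hex(16)
    session["names"] = {field: "f_" + secrets.token_hex(4) for field in REAL_FIELDS}
    session["honeypot"] = "website_" + secrets.token_hex(3)
    session["issued"] = now
    return {"token": session["token"], "names": dict(session["names"]),
            "honeypot": session["honeypot"]}


def encode_submission(fields):
    """The POST body a browser (or a bot) sends for a dict of field values."""
    return urlencode(fields)


def check_submission(session, body, now=None):
    """Submit-time side. Returns (accepted, reason, fields keyed by their real names).
    Anything not accepted is treated as spam."""
    now = time.time() if now is None else now
    post = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "token" not in session:
        return False, "no form issued in this session", {}
    if now - session["issued"] > FORM_TTL:
        return False, "form expired", {}
    # Constant-time compare, so the token cannot be guessed byte by byte from timing.
    if not hmac.compare_digest(post.get("_token", "").encode(), session["token"].encode()):
        return False, "bad token", {}
    # A bot that fills every input it finds (like the script in the post) fills this one too.
    if post.get(session["honeypot"], ""):
        return False, "honeypot filled", {}
    fields = {real: post.get(rnd, "") for real, rnd in session["names"].items()}
    missing = [f for f in REQUIRED if not fields[f].strip()]
    if missing:
        return False, "missing required field(s): " + ", ".join(missing), {}
    # One rendered form, one submission: drop the token so the same body cannot be replayed.
    session.pop("token")
    return True, "ok", fields


if __name__ == "__main__":
    session = {}
    form = issue_form(session, now=1000.0)
    # The fixed-name script from the post: no token, so it never reaches the honeypot check.
    print(check_submission(session, "author=Spammer&email=spammer%40spam.com&comment=spam", now=1001.0))
    names = form["names"]
    human = {"_token": form["token"], names["author"]: "Alice", names["email"]: "alice@example.com",
             names["url"]: "", names["comment"]: "Nice post", form["honeypot"]: ""}
    print(check_submission(session, encode_submission(human), now=1002.0))
```

The three checks are layered on purpose: the fixed field names and missing token defeat a script that replays a form captured once, the honeypot catches a bot that re-harvests the form on every visit and fills everything it finds, and the time limit bounds how long a harvested form is worth keeping.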
@Andrew: Really nice idea. You should develop a WP plugin, I’m pretty sure many people will enjoy it!
Funny you should mention that: http://www.wp-fun.co.uk/fun-with-random-comment-forms/
Andrew: great idea! I'm going to give your plugin a shot
I’m relatively new to blogging (WP) and already the target of too much spam, some of which I’ve been able to combat with IP blocking (but I know that’s a losing battle).
I like the sound of adding an additional hidden field and verifying it’s empty. Would anyone care to share how it’s implemented?
@Web designer: The idea of adding a hidden field sounds great, but to apply it you have to modify the WordPress core, which isn't recommended. Why not try Andrew's plugin first? It sounds very promising!
Good point jbj - checking out Andrew’s plug now. Thanks.
It would be nice if you could turn things around on spammers. I get so annoyed, but Akismet catches and stops about 98% of the spam I get, maybe more. I do have one site where I get two spam comments that get through every day. Which is better than having the hundreds that get stopped from coming through.
I "had" a blog that at some point received so much spam, no matter the filter I was using, that I went crazy and deleted it. What was even worse is that I would receive the exact same comment from the exact same person hundreds of times per day!!! You know those moments when you do idiotic things.
Anyway, it is good to know how they do it
I don't have a blog right now, don't have time with all the work I have at this website, but eventually I will start a new one.
http://www.chico-chihuahua.com
I wish a curse on spammers; they really pollute the blogosphere and kill the reputation of some real commenters, and it's really good to know how they start spamming and nuke a website.
Aha! So that's how they do it, those little rats.
I really hate automatic comment spam; that was a very great idea.
I used to always wonder how they should waste time and effort on spam…now I know better. They have automated the whole thing…No wonder they are so persistent and irritating.
I get so many of these always about jewellery, and I’ve always wondered how they can do this, and how many other sites they do it to.
interesting. i keep on hearing about automated spam posts, but i never really had an idea of how they go about it.
Yeah, we get spammed every day, all day. A pox on their house I say!
Man there are just so many ways and forms to spam. I’m starting to get text spams on my cell too.
I use primarily TypePad for blogging — they handle most of the spam for me, but I still need to manually delete the odd comment
@ Andrew (#11)
Thanks for mentioning that plugin. It's pretty much EXACTLY what I've been looking for
And, of course, thanks to jbj for the original post
Thanks, now I'm gonna go out and spam the world! Nah, I really don't like spammers so much. I was wondering how in the world they did manage to do that, so thanks for the insight. And thank god for Akismet!
There are also automated programs that blog spam such as Blog Slammer
BlogSlammer does not spam blogs... I am the owner of this and want to reiterate that it does not spam other people's blogs.
It just allows you to post content across multiple blogs and automates this process. The blogs it posts to are blogs the user owns.