WordPress User Registration Spam

I’ve had quite a few search enquiries and hits for komatoz.net on my sites recently, so there are obviously a lot of people out there suffering from spam and registration problems that I’ve “currently” ;-) got under control. (We all know this is a continuous battle against spammers, as their approaches and techniques keep changing!)

This post is really a revisit and clarification of an earlier one here and shows some of the things I do to keep the spammy bastards at bay as there is no “one fix for everything” solution.

You could call them my Top Three!

Use of SABRE

What I’ve found, when using the excellent Sabre WordPress plugin, is that there are a heap of “usual suspects” that circle round and round a few IP addresses. Usually I’ll get supposedly real e-mail addresses from places like:

komatoz.net
gawab.com
yandex.ru
mail.ru
inbox.ru

…and previously I had them locked out by name – but that doesn’t work, as the addresses are spoofed.
Sabre is useful because it lets you spot repeat hits from certain IP addresses, which you can then block with an .htaccess file.

Use of the .htaccess File

I’ve also made use of the .htaccess file in the website roots to block these names and a wodge of IP addresses. It became obvious that the differences between the SABRE logs of each website were down to differences between the .htaccess settings (I’d missed off a couple of IPs between files), so now the blocked list is as follows:

#BEGIN_ADDS
Options -Indexes

order allow,deny

deny from 24.1.39.117
deny from 38.99.101.151
deny from 58.65.237.113
deny from 58.65.239.146
deny from 61.152.95.162
deny from 64.233.179.101
deny from 64.86.69.6
deny from 64.94.4.196

deny from 66.235.180.189
deny from 72.249.100.188
deny from 75.126.3.177
deny from 78.110.160.130
deny from 85.225.117.179
deny from 87.118.112.50
deny from 88.255.69.10
deny from 89.149.227.193
deny from 89.149.241.229
deny from 89.207.216.211

deny from 160.114.38.82
deny from 190.2.0.2
deny from 192.116.79.226

deny from 195.2.114.31
deny from 195.2.114.32
deny from 195.245.119.76
deny from 195.225.178.15

deny from 203.162.2.137
deny from 205.158.160.76
deny from 208.187.80.135

deny from 210.14.128.112
deny from 210.14.128.172
deny from 210.22.158.132
deny from 212.175.13.169

deny from 216.240.152.9
deny from 217.20.115.118
deny from 218.61.16.8

allow from all

#END_ADDS

This has been applied to all my sites so there should be some consistency between the residual IP addresses getting past the file.

If you don’t know how to do this, ask me or look it up on the net like I did. I’ve also left some links at the bottom. If you are using WordPress, they advise you to set one up to manage the permalink structure. All you need to do is open .htaccess and paste the list after the WordPress additions. The # hash marks a comment line (remming it out).

The .htaccess file is an immensely powerful tool. It’s an Apache feature with a huge scope. What I’m doing above is twofold: Options -Indexes switches off Apache’s automatic directory listing, so nobody can trawl through a folder that doesn’t have an index file; and then I block any requests from the list of IP addresses. The list is empirically derived from my own logs, so if you know people with Russian email addresses you’ll have to modify it – it’s set up for my blockings only!

The Apache server always does three swipes through the file, hence the specific terms:
order allow,deny

First it allows everything matching an “allow from” line (here, everyone) and second it denies any IPs on the “deny from” list. The third sweep does nothing in this file.

The use of .htaccess in this way takes the load away from WordPress so that it never even gets to do any filtering!
I also use .htaccess to allow only pictures (say) into an images folder and block active script files explicitly. So it’s a file type filter as well… As I said, it’s very powerful.

Make sure that you block write access to the file afterwards! Same goes for your robots.txt file and various folders….

Use of Akismet

As well as this lot, I also use Akismet, which most folk use anyway as it’s part of the default WordPress install. Anything that consistently gets through can be added to the .htaccess file, along with the odd spurious SABRE detection.
I do a few more things as well, mostly for normal comments and trackbacks, but in truth, the three-pronged approach I’ve detailed here traps most bad guys.

I started all this when I was hacked (or more correctly cracked – I hate the way the usage has been hi-jacked on this..) by some Turkish activists. I learnt the hard way! :-( See my earlier post here.

.htaccess usage links

Comprehensive guide to .htaccess

.htaccess

Apache HTTP Server Version 1.3

Hope this helps someone! Let me know if it has.

7 responses

  1. Strangely says:

    Since this post I’ve been twiddling with htaccess again using stuff mainly from Josiah Cole which is very useful.
    As a test, I’ve also removed all the deny IP addresses just to see which ones are actually hitting me now….

    Watch this space :-)

  2. Strangely says:

    Following on from the above, I’ve only got 11 IP addresses blocked now and this has blocked all user registration spam for SABRE for the past week or so. I think the bad guys move about a bit!
    One thing new has started and I’ve alluded to it elsewhere… I’m getting weird hits from a Latvian outfit that seems to be a hosting company, eclub.lv See …permalink-structure-change

    So they’ve been completely blocked with htaccess because they’re mucking up my stats. Sod them.

  3. Strangely says:

    I removed all blocked IP addresses from the .htaccess file about a month ago. Since then, I’ve not been troubled.
    I think the newer incarnation, plus Akismet, plus Tan Tan Noodles mops up everything and I still allow people to freely comment!
    This is my current recommendation to block the various spam types from my WordPress blogs.

  4. blog4booty says:

    Just wondering… You have the list as allow,deny and then list the IP addresses to ban. Everything looks good but then you give the allow from all directive AFTER listing the banned IPs… Shouldn't you have

    order allow,deny

    allow from all

    deny from 24.1.39.117

    deny from 38.99.101.151 and so on…

    You quoted that the Apache server does 3 swipes at the file but that seems inefficient… I figured allow,deny would tell it to allow all but deny the following, or reversed it would see order block and deny everybody but then allow the specifically mentioned… In the case you've shown I would have assumed that since allow from all is listed after the deny list, you would be inadvertently allowing all of those in which you previously denied…

    • Strangely says:

      @blog4booty
      I hardly use this aspect of .htaccess anymore. I only use it when someone is persistently pinging! I’ll block them for a few weeks and then take the entries out to keep the file size down. The 3 swipes thing is from the manual.

      For the order, the only thing that matters is the “order allow,deny” – how they appear in the list is irrelevant.

      What happens is that it sees “order”, then sees “allow”.
      Then it scootles down the file and will allow everything it sees on a line beginning with “allow from …”
      When it reaches the bottom, it flies back to the top and THEN does each line as it scootles down that starts with “deny from…”, denying each IP/domain you’ve included.

      The order that the various IP addresses or domains is, is not important. JUST the way the “order allow,deny” is at the top. For instance, this is valid:

      order allow,deny
      deny from bad1.com
      allow from good1.com
      deny from bad2.com

      This will only allow good1.com. Everything else is redundant. This is why you use “from all” to ensure that you get access, otherwise you’ve blocked yourself!
      So:

      order allow,deny
      deny from bad1.com
      allow from all
      deny from bad2.com

      ..is better. First it enacts all the “allows” – which is “from all”. Then it does all the “deny”‘s. It blocks two domains.
      Now compare to the one below….

      order deny,allow
      deny from bad1.com
      allow from all
      deny from bad2.com

      First it “deny”‘s the two bad domains and then it undoes these two deny actions by “allow”-ing “from all”!!! This means that the floodgates are now open!

      The only reason to separate the “deny from..” and “allow from..” entries is for ease of reading!

      The normal usage of this part of .htaccess for a webmaster is to block dodgy sites. It can be used to just allow a few IP addresses through – say if you have an almost completely locked down intranet and you want to allow a few homeworkers access. In this case, you “deny from all” THEN “allow from..” the various IP addresses external to your network.

      The Apache help file is extensive, but IMHO, extremely hard to wade through. Most of my info is pulled straight from other websites that just examine a few aspects of the usage of .htaccess. Links are in the posting.

      Hope this helps!
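The “order allow,deny” behaviour described in the post and spelled out in the reply above can be checked rather than argued about. The following is an added example, not code from the post or from Apache: it models Apache 2.2 mod_access semantics for `order`, `allow from` and `deny from`, runs it over the post’s own pattern and over the reversed “deny,allow” fragment from the thread, and matches hostnames by plain string comparison (a simplification; real Apache resolves them via reverse DNS). The fragments and client addresses are constructed.

```python
"""Added example (not from the post): a model of how Apache 2.2 mod_access
evaluates `order`, `allow from` and `deny from`, so an .htaccess fragment can
be checked before you trust it. Hostnames compare as strings (simplification)."""
import ipaddress

def parse_access_rules(text):
    """Return (order, allow_patterns, deny_patterns), skipping comments,
    blank lines and unrelated directives such as `Options -Indexes`."""
    order, allows, denies = "deny,allow", [], []  # Apache's default Order
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
    return order, allows, denies

def host_matches(pattern, client):
    """`all` matches anyone; IPs and CIDR blocks compare numerically."""
    if pattern.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == client.lower()

def is_allowed(fragment, client):
    """allow,deny: allows first, then denies; a matching deny wins, default deny.
    deny,allow: denies first, then allows; a matching allow wins, default allow."""
    order, allows, denies = parse_access_rules(fragment)
    allowed = any(host_matches(p, client) for p in allows)
    denied = any(host_matches(p, client) for p in denies)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unsupported order: {order}")

# Constructed fragments: the post's pattern, and the same lines with the Order
# reversed, which lets `allow from all` cancel every deny (the floodgates case).
BLOCKLIST = """#BEGIN_ADDS
Options -Indexes
order allow,deny
deny from 24.1.39.117
allow from all
deny from 38.99.101.151"""
FLOODGATES = BLOCKLIST.replace("order allow,deny", "order deny,allow")
```

Line order inside the file never changes the result; only the `order` directive does, which is exactly the point made in the reply above.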

  5. John says:

    Cartpauj Register Captcha has worked well for me: http://wordpress.org/extend/plugins/cartpauj-register-captcha/

    • Strangely says:

      Thanks John.
      I’m currently happy with my current set of spam and bot blockers, but I’ll bear it in mind if things change in future. It’s a world of always moving goalposts, isn’t it…


© 2007-2014 Strangely Perfect All Rights Reserved