Spam attack and blocking

It’s strange. We’ve been operating one blog for more than a decade with no problems, now all of a sudden it’s being spammed with hundreds of the same comment every day.

Muchas gracias. ?Como puedo iniciar sesion?

We have no idea why this ridiculous spambot has chosen us but it’s apparently been out there for years, regularly appearing to harass random sites.

I know there are methods to automatically remove these comments but at the frequency they’re arriving this is obviously impacting our resources and it would be preferable to simply prevent this bot from accessing the site entirely.

WordPress really needs a direct match blocking mechanism built in and it’s amazing to me that they haven’t done this yet, especially with how bloated and complex it’s becoming in the back end with other stuff no one really asks for out of the box.

We’ve just blocked Russia on the server side, perhaps that will help.
We’ll likely go in and block China in the next few days if it doesn’t stop, possibly followed by Ukraine.
These three are generally the worst culprits for spam and malicious attacks for us.

Anyone have any other useful tips to prevent them from getting to the site to begin with?

Do you need to have comments? Do you get a lot of real comments? If not, then just stop everyone from making comments.

Personally I’d ban the IP addresses involved for a month. You probably have a firewall on your server. Ask your host to let you write out a file that gets ingested for block rules. Then just query MySQL to get the IPs.

Yes, it’s the only blog we have with an active community of return visitors and we often get as many as 50 genuine comments a day. We’ve turned off comments on most of our other blogs but for this one it’s a necessity.

I usually block the IPs of the worst offenders when it’s the usual spam of 5 or 10 a day, but in those instances it’s often just a repeat offender on the same IP. This bot uses a new IP for every comment and it’s hundreds a day.

It’s a pretty simple SQL query to get all the IPs being used…

-- IPs behind the repeated spam comment over the last 14 days
SELECT `comment_author_ip`
FROM `wp_comments`
WHERE `comment_content` LIKE '%Muchas gracias. ?Como puedo iniciar sesion?%'
AND `comment_date` > DATE_SUB(CURDATE(), INTERVAL 14 DAY);

The table name (wp_comments) might be slightly different depending on your setup. You can then block them from your site completely using your firewall (best option since they’re up to no good) or you can just automatically mark them as spam in WordPress with something like this…

-- Mark every matching comment that is not already flagged as spam
UPDATE `wp_comments`
SET `comment_approved` = 'spam'
WHERE `comment_content` LIKE '%Muchas gracias. ?Como puedo iniciar sesion?%'
AND `comment_approved` <> 'spam';
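The workflow suggested in the replies above (export the spammer IPs from MySQL, then hand the firewall a file to ingest), as an added example that is not part of any post in this thread: it validates and deduplicates the exported values and refuses to block internal or allowlisted addresses. The sample rows, the allowlist and the one-address-per-line output format are assumptions; use whatever format your host's firewall actually imports.

```python
import ipaddress

# Constructed sample rows, as exported from the comment_author_ip query.
# Public entries use documentation ranges (RFC 5737, RFC 3849).
SAMPLE_ROWS = ["203.0.113.7", "203.0.113.7", " 198.51.100.23 ", "192.168.1.10",
               "2001:db8::1", "not-an-ip", "", "192.0.2.55", "127.0.0.1"]

# Hypothetical allowlist: networks that must never be blocked
# (office, monitoring, CDN or reverse proxy in front of the blog).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

# Non-routable ranges. Seeing these in wp_comments usually means WordPress
# logged a proxy or load balancer, so blocking them would hit every visitor.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def build_blocklist(rows, allowlist=ALLOWLIST):
    """Return (addresses, rejected) from raw comment_author_ip values."""
    keep, rejected = set(), []
    for raw in rows:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if any(addr in net for net in INTERNAL):
            rejected.append((raw, "internal address"))
        elif any(addr in net for net in allowlist):
            rejected.append((raw, "allowlisted"))
        else:
            keep.add(addr)  # the set removes duplicates
    # Sort IPv4 before IPv6, then numerically, for stable diffs of the file.
    ordered = sorted(keep, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered], rejected


def write_blocklist(path, addresses):
    """Write one address per line (assumed format for the firewall import)."""
    with open(path, "w", encoding="ascii") as fh:
        fh.writelines(a + "\n" for a in addresses)


if __name__ == "__main__":
    blocked, skipped = build_blocklist(SAMPLE_ROWS)
    print("\n".join(blocked))
    for raw, reason in skipped:
        print(f"skipped {raw!r}: {reason}")
```

Review the rejected list before each import: a run of internal addresses there means the blog is logging its proxy rather than the real client, and IP blocking will not work until that is fixed.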