WordPress MU

I am getting massive comment spam the past 24 hours from IP: 81.95.146.227, I've noticed this same person is hitting my regular wordpress blogs too, so I tried to do an htaccess block on his IP to keep him from accessing the site, but maybe it is not set up properly?

I modded the htaccess to look like this:
----------------------------------
RewriteEngine On
RewriteBase /

# Rewrite http://www.domain.com to domain.com
RewriteCond %{HTTP_HOST} ^www\.(.*)
RewriteRule ^(.*) http://%1/$1 [R,L]

#uploaded files
RewriteRule ^(.*)?/?files/(.*) wp-content/blogs.php?file=$2 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

order allow,deny
deny from 81.95.146.227
allow from all
----------------------

Is this the wrong way?
Any help would be appreciated!

Have you enabled the overides in your apache config for the blog directory:

AllowOverride Limit

SteveAtty you are talking a bit over my head. I have a dedicated server, but this sounds like something I would have to write my host support about. Would this code go into .htaccess?

The AllowOveride goes into the server configuration file and it controls what overides the user is able to use in the .htaccess file.

If Limit is not specified in the configuration directive for the directory then you cannot limit it.

If you have no access to the main apache server configuration file then you will need to talk to your host provider.

We're talking about this guy on wp.com as well.

If the spam comments are for t e e n p 0 r n (don't want the SEs picling up on the phrase here) I'm getting hit hard as well on my regular blogs. I even use wp on a couple non-blogs as a cms and have comment forms & trackbacks disabled and am still getting the notifications.

167 comments on one of these sites in a couple hours. I banned the IP plus deleted the comment forms and wp-trackback.php

I know it's not a very elegant option, deleting or renaming files, but some of these spammers are so persistent sometimes there's no other way.

Paul

I've been meaning to start dumping all of the ip address that hit me into a single table so I can keep track of who's getting hit. Some may have noted the spam count on my front page. That's as far as I've gotten on the coding.

I <3 APF. :D

Mmmmm mmmm b**ch!
-- Dave Chappelle

Doc/all, check this site out. it seems to be a site which collects and lists spam by IP. i found like 10 of my splogs on this list. i combined this with the Wordpress Ban WPMU Edition

its got an odd visualization feature, too. i was devastated to find so many of my bloggers on this list. then when i went thru their archives, i saw it was true. they were all gmail registered users too. as per my norm, i'll use it for a week and get back to ya'll.

be careful not to ban your proper users, though!

be careful not to ban your proper users, though

That's why you can't use those lists. :)

demonicume: That's my list :) to defend the IP-banning practice a little, generally spam attacks come from <i>servers</i> rather than individuals. Since there's not much reason for a server to be accessing the blog (other than trackbacks, which are far too abused to leave enabled anymore) I figure the chance of banning someone legitimate is acceptably small. Banned IP's get presented with a form they can use to plead their case, but generally that gets spammed too.

Gotta admit that that's the one case I wouldn't mind seeing a captcha form on. They're already under assumption of being a spammer for a reason. They're already guilty IMO.

I have disabled comments and pings on the posts associated with this constant spam. And yet even after disallowing comments and pings, and mass deleting all spam in the moderation que, I still get more comments being added to the moderation que with spam comments on the posts that I just selected to not have comments or trackbacks.. this is wierd. I guess I need to see if I am running a current MU.

Is this from that IP address or have you blocked it?

Why not just see about firewalling the class c to say the heck with them?

djsteve, Gadgetizer: why aren't you guys using Spam Karma2? I use it together with Bad Behavior and since I turned them on months ago, my blog hasn't displayed a spam comment/trackback/pingback since.

SK2 has caught thousands of spams which I can look at in case of false-positives but otherwise I let the plugin delete them automatically after 7 days.

Bad Behavior makes SK2's life easier by blocking bots even earlier. They're not perfect, but right now my biggest problem are site scrapers which I've been banning via htaccess after their first pass even though I know there must be a plugin that can do better. I'm going to give WPMU-Ban a shot

Site scrapers suck.

That for tips folks, I emaialed my server peeps and they said that the overides is turned on. Not sure if they just turned it on or if it had been, but the spam from that guy has stopped. Not sure if it is being blocked or if the spammer just put it on pause since there were a couple of other ips that were hitting that one blog hard, and those have stopped (or paused) for now.

I really want to add the things that lunabyte is using and some of the other spam blockers mentioned here to make it less work. Luna can we make a step by step tutorial on your mods for the spam blocking? Any chance of seeing those options in the next Mu release?

Dr mike is the htaccess method the way you are talking about firewalling?

thanks again for the support folks I was freaking out!

Um, what exactly about my set-up are you referring to?

Inside MU, I have spam protection layered. Some call it overkill, but I think it's fine.

I have Bad Behavior as my first level of "protection", then I use a custom captcha combined with SK2.

For sign-ups, BB is active, and my captcha, but since it's not a comment SK2 isn't activated.

On the box level, I use Brute Force and APF.

APF being a firewall, which I've had great success with, and Brute Force keeps tabs on incoming connections. In a nutshell, if a connection hits the box like that particular spammer was with you, then it feeds the ip into APF to set a block/ban.

Where is this bad behavior thing? I check wpmudev and did not see it there.

Luna thank you for posting your layers, more to consider! I was actually referring to the other things you added regarding the "no pinging" and such.

I just got on one of my mu blogs with 1194 comments, and they appear to be from various ip addresses, so I guess the APF wouldn't have helped with that, but I may look into that anyhow.

The comments were so many that it crashed the browser when I went into mass edit mode. Of course none of them are approved so the spammer is just pissing me off and not really getting anywhere with this.

Is there a plugin that will allow for deleting ALL comments in the que without loading them into the browser first? Or a plugin that will go through all the Mu blogs and remove all comments that have a URL that we could put in?

Google Bad Behavior plugin, and you'll find it.

My ping solutons and such are for outgoing, not incoming, to combat splogs.

For incoming, BB cleans out a good chunk and then SK2 cleans up the left overs.

The captcha on my comment forms is mainly just to assist in keeping comments from being posted directly.

To be honest, I have more problems with aholes lifting and putting my feed on their damn google ad sites more than anything.

Even with a copyright disclaimer at the top, that usually is enough to fill an excerpt, they still try. The funny ones though... are the idiots that forget to turn pings/trackbacks off, and so they basically rat themselves out.

Granted, I probably spend 8 hours a month on the phone with other hosts getting these bastards shut down. :(

I'm thinking about that "delete the akismet queue site wide" as well. Simply because of the size of our database.

I think I might prefer to roll with Akismet, but to be honest I'm still too nervous about my key being shut off.

For SK2, I have it purging every 6 hours, which it keeping it pretty light.

Could just go ahead and ask. Worse they will do is just say no.

We modded sk2 a bit and added some of our own backend bells n' whistles to kep it light.

Yeah, I know Doc. Fear of rejection I guess. lol