
Not your normal type of spam - please help (45 posts)

  1. Microdot
    Member
    Posted 16 years ago #

    Hi, I've got a major spam problem on my MU blog, but it's not your typical form of spam: this sort doesn't have the usual address (mysite.com/theirspamblog); it links to external sites but looks like a normal blog title.

    See http://www.rinf.com/blogs/ for yourself. You will have to scroll a bit, but hover over the "buy abilify cheap buy acetaminophen cheap buy aciphex cheap buy acomplia cheap buy actonel cheap buy actos" bit and you'll see it links somewhere else.

    How do I remove this? Because the spam doesn't link to any blogs I'm hosting, I cannot find a way to remove it.

    Many thanks for your help,

  2. SteveAtty
    Member
    Posted 16 years ago #

    Have a close look at the source for your page.

    Normally a blog title link looks like:
    <br><a href='http://rinf.com/blogs/malambukasivarasa'>malambukasivarasa title</a> <br>
    If you look at the spammer's it looks like:
    <br><a href='http://rinf.com/blogs/hehenomy'></a><a href='http://spammersurls/abilify/'>...

    So they have created a blog (hehenomy) and its title is the huge long run of HTML which starts with a closing tag.

    Which is odd, as I would have thought WPMU wouldn't allow href tags in titles.

  3. Microdot
    Member
    Posted 16 years ago #

    Great stuff, that's brilliant help, thank you very much

    These spammers are getting pretty clever

  4. redbox
    Member
    Posted 16 years ago #

    I'm having this problem, too. Is there any way to prevent it?

  5. drmiketemp
    Member
    Posted 16 years ago #

    Best bet would be for someone to open up a trac ticket and raise the issue with Donncha.

    Really shouldn't have to write that folks.

  6. Bike
    Member
    Posted 16 years ago #

    I see the trac ticket is opened. Maybe we can assist in handing over some code.
    I know from experience that my logical skills are better than my coding ones, so maybe somebody else can translate the following into PHP?

    I think it is of very little use to just strip out the HTML tags; you still have a splog and an account that can spam any time they want. So maybe the following will help fight this new title spam:

    - When signing up, check for "<a href" in the title and description. If found, then the signup program dies without sending activation emails and without creating the actual blog. And actually without notifying them that they are stupid spammers either, so it might be nice to let them think it worked.
    I am pretty sure that 0% of real sign-ups would think of using HTML in the title.

    Is this possible and does anybody have an idea how to add this in wp-signup.php?

    Cheers, Bike
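
An added example in the spirit of Bike's proposal above (this is not WPMU code and not anything Bike posted). The field names mirror the wp-signup.php form (blog_title, blog_description, user_email); the callables, the log line, the "pretend it worked" response and the sample signups are this example's own assumptions. It also covers the description/tagline field, which drmike raises later in the thread, and it uses a tag test closer to what a browser does than a literal search for "<a href":

```php
<?php
// Added example in the spirit of Bike's proposal above; it is not WPMU code.
// The field names mirror wp-signup.php's form (blog_title, blog_description,
// user_email). The callables, the log line and the "pretend it worked"
// response are this example's own assumptions.

/**
 * True when $value contains something a browser would tokenise as a tag:
 * "<" followed by a letter, "/", "!" or "?". A literal search for "<a href"
 * misses "<A HREF", "<a\nhref" and every other tag, while a bare "<" as in
 * "A < B" or "I <3 cats" is not a tag and should not cost anyone a signup.
 */
function signup_field_has_markup(string $value): bool
{
    return (bool) preg_match('/<[a-z\/!?]/i', $value);
}

/**
 * Process one signup attempt. If either text field carries markup, create
 * nothing, send nothing, log it for the site admin and return the same
 * response a real signup gets, so the spammer sees no error to adapt to.
 */
function handle_signup(array $fields, callable $create_blog, callable $send_activation): array
{
    $response = ['message' => 'Check your email for the activation link.'];
    foreach (['blog_title', 'blog_description'] as $field) {
        if (signup_field_has_markup($fields[$field] ?? '')) {
            error_log(sprintf('signup dropped: markup in %s from %s',
                $field, $fields['user_email'] ?? 'unknown'));
            return $response + ['created' => false];
        }
    }
    $create_blog($fields);
    $send_activation($fields['user_email'] ?? '');
    return $response + ['created' => true];
}

// Constructed inputs: a title shaped like the splog in SteveAtty's post, a
// tagline carrying the same trick in upper case, and an honest title with a
// bare "<".
if (PHP_SAPI === 'cli') {
    $created = [];
    $create  = function (array $f) use (&$created) { $created[] = $f['blog_title']; };
    $mail    = function (string $to) { echo "activation mail -> $to\n"; };

    $attempts = [
        ['blog_title'       => "</a><a href='http://spammersurls/abilify/'>buy abilify cheap",
         'blog_description' => 'Just another WordPress MU weblog',
         'user_email'       => 'hehenomy@example.test'],
        ['blog_title'       => 'Our test blog',
         'blog_description' => "Just another <A HREF='http://spammersurls/'>weblog",
         'user_email'       => 'tagline-spam@example.test'],
        ['blog_title'       => 'I <3 maths',
         'blog_description' => 'Numbers, mostly',
         'user_email'       => 'redbox@example.test'],
    ];
    foreach ($attempts as $a) {
        $r = handle_signup($a, $create, $mail);
        printf("%-26s created=%s\n", $a['user_email'], $r['created'] ? 'yes' : 'no');
    }
    // $created now holds only "I <3 maths"; the other two got a success
    // message and nothing else.
}
```

Rejecting at signup, as Bike suggests, leaves no account or blog behind, whereas stripping the tags keeps both. The cost is that any stored title still has to be escaped wherever it is printed, because this check only guards one entry point (the signup form), not the options page or anything a plugin writes into the option.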

  7. drmiketemp
    Member
    Posted 16 years ago #

    Actually there's a filter already built into wpmu called 'strip_tags' that should work.

    Let me go look....

  8. drmiketemp
    Member
    Posted 16 years ago #

    Maybe add the following to the wp-includes/default-filters.php file:

    add_filter('signup_another_blog_init', 'strip_tags');
    add_filter('signup_blog_init', 'strip_tags');

    That looks like it should do it. I have no way of testing, though.

    That should remove the HTML tags, although it will just remove them and not tell the visitor that there was a problem. Guess it wouldn't matter if only spammers are going to do that.

  9. Bike
    Member
    Posted 16 years ago #

    Yes, I noticed the filters, but what I would prefer is some kind of IF statement that simply stops the registration process behind the scenes, the moment HTML is discovered.

    So that when the title is examined and HTML is found, no blog is being created at all, and no emails are being sent and spamboy has been sent to a deadend road off a cliff..

  10. drmiketemp
    Member
    Posted 16 years ago #

    Actually, I just realized that we're also going to need those filters in place when an end user changes the title of their blog after the blog has been created.

    edit: Also Subtitle (tag title, whatever) as well.

    reedit: I updated the ticket.

  11. JeremyVisser
    Member
    Posted 16 years ago #

    Do you reckon it would be more reliable to filter it with KSES?

    add_filter('signup_another_blog_init', 'wp_filter_nohtml_kses');
    add_filter('signup_blog_init', 'wp_filter_nohtml_kses');

  12. donncha
    Key Master
    Posted 16 years ago #

    I fixed this in http://trac.mu.wordpress.org/changeset/1045 using the sanitize* functions.

    Never mind the above. Grab this one instead: http://trac.mu.wordpress.org/browser/trunk/wp-includes/wpmu-functions.php?rev=1053 and read about it here: http://ocaoimh.ie/2007/09/10/wordpress-mu-125/

  13. af3
    Member
    Posted 16 years ago #

    I'm having the same problem of spammers attaching HTML in the blog titles, which then ended up flooding my "Last updated blogs" with hundreds of links.

    Used changeset 1045 from donncha, but no success: the blog title can still be changed to include HTML tags, and multiple HTML links set in the blog title will appear as multiple blogs on the latest updated blogs list.

    Adding the filters caused the blog to show a blank page (%$#*)

    Here is the code I used for last updated blogs:

    <!-- begin updated_blogs -->
    <div>

    <?php

    $blogs = get_last_updated();
    if ( is_array( $blogs ) ) {
        ?>
        <h3>RECENTLY UPDATED BLOGS</h3>
        <ul>
        <?php foreach ( $blogs as $details ) {
            // The stored 'blogname' option is echoed as-is, so any HTML in it
            // (such as the spammers' closing/opening <a> tags) is rendered.
            ?><li><a href="http://<?php echo $details['domain'] . $details['path']; ?>"><?php echo get_blog_option( $details['blog_id'], 'blogname' ); ?></a></li><?php
        }
        ?>
        </ul>
        <?php
    }
    ?>
    </div>

    <!-- end updated_blogs -->

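An added example, not af3's code and not WPMU's. It is the output-side fix for the listing above: the original echoes the stored 'blogname' option raw, so a title that is itself HTML (as in SteveAtty's post) injects its own links into the page and one splog shows up as several entries. Escaping on output gives exactly one link per blog whatever the title holds. get_last_updated() and get_blog_option() are replaced by plain arrays so the snippet runs offline, and the sample rows are constructed. It also shows what the strip_tags() approach recommended later in the thread does to a title with a legitimate "<":

```php
<?php
// Added example, not af3's or WPMU's code: the "recently updated" listing
// with the blog name and URL escaped on output. get_last_updated() and
// get_blog_option() are stood in for by the arrays below (constructed data).

function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * $blogs:     rows shaped like get_last_updated() output (blog_id, domain, path)
 * $blognames: blog_id => stored 'blogname' option, as get_blog_option() returns it
 */
function render_updated_blogs(array $blogs, array $blognames): string
{
    if ($blogs === []) {
        return '';
    }
    $html = "<h3>RECENTLY UPDATED BLOGS</h3>\n<ul>\n";
    foreach ($blogs as $details) {
        $url  = 'http://' . $details['domain'] . $details['path'];
        $name = $blognames[$details['blog_id']] ?? $details['domain'];
        // Both the attribute and the link text are escaped: the stored title
        // can no longer close this <a> or open another one.
        $html .= '<li><a href="' . html_escape($url) . '">'
               . html_escape($name) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

/** Number of <a> tags a browser will see in the rendered fragment. */
function count_links(string $html): int
{
    return preg_match_all('/<a\s/i', $html);
}

// Constructed sample: two honest blogs and a splog whose title is built the
// way SteveAtty described (closing tag first, then spam links).
$blogs = [
    ['blog_id' => 1, 'domain' => 'rinf.com', 'path' => '/blogs/malambukasivarasa/'],
    ['blog_id' => 2, 'domain' => 'rinf.com', 'path' => '/blogs/hehenomy/'],
    ['blog_id' => 3, 'domain' => 'rinf.com', 'path' => '/blogs/maths/'],
];
$blognames = [
    1 => 'malambukasivarasa title',
    2 => "</a><a href='http://spammersurls/abilify/'>buy abilify cheap</a>"
       . "<a href='http://spammersurls/actos/'>buy actos cheap",
    3 => 'I <3 maths',   // legitimate title with a bare "<"
];

if (PHP_SAPI === 'cli') {
    $out = render_updated_blogs($blogs, $blognames);
    echo $out;
    printf("links rendered: %d (one per blog)\n", count_links($out));
    // strip_tags() also neutralises the splog title, but it treats "<3 maths"
    // as an unterminated tag and drops it, leaving just "I ".
    printf("strip_tags() on blog 3: [%s]\n", strip_tags($blognames[3]));
}
```

Escaping at the point of output is the fix that holds regardless of how the title got into the database (signup form, options page, direct SQL), so it belongs in the template even once signup is filtered. strip_tags() on output works against this particular spam but silently eats text after any stray "<"; htmlspecialchars() keeps the title readable.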
  14. drmiketemp
    Member
    Posted 16 years ago #

    Donncha, what about when an end user updates their blog's title after blog creation? The check should probably be there as well.

  15. donncha
    Key Master
    Posted 16 years ago #

    Ah, I had a filter on "the_title" but it disappeared somehow. I've added that one back in 1047.

  16. byjournal
    Member
    Posted 16 years ago #

    Today I have got 4 such blogs...
    user-agent: Yahoo! Slurp
    The IP is from YAHOO, see here: http://whois.domaintools.com/74.6.23.22

    Is YAHOO a spammer?

    Host: 74.6.23.22

    /\\'http://www.casfs.org/public_html/?lincocin/\\'
    Http Code: 302 Date: Sep 10 15:17:27 Http Version: HTTP/1.0 Size in Bytes: 0
    Referer: -
    Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

    /wp-signup.php?new=\\\\\\'http%3A
    Http Code: 200 Date: Sep 10 15:17:28 Http Version: HTTP/1.0 Size in Bytes: 9903
    Referer: -
    Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
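
An added example, not from byjournal's post or from WPMU: a small detector for records in the shape byjournal pasted above (a "Host:" line naming the client, then per request a path line, an "Http Code:" line, a "Referer:" line and an "Agent:" line, records separated by blank lines). The three sample records are constructed to look like that log, and the rule that a search-engine crawler user-agent never submits wp-signup.php is this example's own assumption rather than any WPMU check:

```php
<?php
// Added example, not from the thread: flag wp-signup.php requests whose
// prefilled "new=" value carries quotes, backslashes, angle brackets or a
// URL scheme, and signups arriving with a crawler user-agent. The log layout
// copies byjournal's post; the records below are constructed.

const SAMPLE_LOG = <<<'LOG'
Host: 74.6.23.22

/\'http://www.casfs.org/public_html/?lincocin/\'
Http Code: 302 Date: Sep 10 15:17:27 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

/wp-signup.php?new=\'http%3A%2F%2Fspammersurls%2Fabilify%2F
Http Code: 200 Date: Sep 10 15:17:28 Http Version: HTTP/1.0 Size in Bytes: 9903
Referer: -
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

/wp-signup.php?new=ourtestblog
Http Code: 200 Date: Sep 10 15:20:01 Http Version: HTTP/1.1 Size in Bytes: 9810
Referer: http://example.test/
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0
LOG;

/** Split the log into records: host, path, status code, referer, agent. */
function parse_records(string $log): array
{
    $records = [];
    $host = '?';
    foreach (preg_split('/\n[ \t]*\n/', trim($log)) as $block) {
        $lines = explode("\n", trim($block));
        if (preg_match('/^Host:\s*(\S+)/', $lines[0], $m)) {
            $host = $m[1];          // applies to the records that follow
            continue;
        }
        $rec = ['host' => $host, 'path' => $lines[0], 'code' => 0, 'referer' => '', 'agent' => ''];
        foreach (array_slice($lines, 1) as $line) {
            if (preg_match('/^Http Code:\s*(\d+)/', $line, $m)) {
                $rec['code'] = (int) $m[1];
            } elseif (preg_match('/^Referer:\s*(.*)$/', $line, $m)) {
                $rec['referer'] = $m[1];
            } elseif (preg_match('/^Agent:\s*(.*)$/', $line, $m)) {
                $rec['agent'] = $m[1];
            }
        }
        $records[] = $rec;
    }
    return $records;
}

/** Reasons a signup request looks like title spam; empty for anything else. */
function suspicious_signup_reasons(array $rec): array
{
    $reasons = [];
    $path = $rec['path'];
    if (strpos($path, '/wp-signup.php') !== 0) {
        return $reasons;
    }
    $q = strpos($path, '?');
    parse_str($q === false ? '' : substr($path, $q + 1), $params);   // decodes %xx
    $new = (string) ($params['new'] ?? '');
    // A prefilled blog name should be a plain slug. Quotes, backslashes,
    // angle brackets or "http:" mean someone is pushing markup or links in.
    if (preg_match('/[\'"<>\\\\]|https?:/i', $new)) {
        $reasons[] = 'markup or URL in new= parameter';
    }
    // Assumption of this example: real crawlers index pages, they do not
    // drive the signup form, so a crawler UA here is almost certainly forged.
    if (preg_match('/Slurp|Googlebot|msnbot/i', $rec['agent'])) {
        $reasons[] = 'search-crawler user-agent submitting the signup form';
    }
    return $reasons;
}

function flag_signups(string $log): array
{
    $flagged = [];
    foreach (parse_records($log) as $rec) {
        $why = suspicious_signup_reasons($rec);
        if ($why !== []) {
            $flagged[] = ['host' => $rec['host'], 'path' => $rec['path'], 'reasons' => $why];
        }
    }
    return $flagged;
}

if (PHP_SAPI === 'cli') {
    foreach (flag_signups(SAMPLE_LOG) as $f) {
        printf("%s %s\n  - %s\n", $f['host'], $f['path'], implode("\n  - ", $f['reasons']));
    }
}
```

Run against the sample it flags only the second record, on both counts; the honest "ourtestblog" signup from a browser passes. The user-agent string is whatever the client sends, so the address (here a Yahoo-owned 74.6.23.22) needs checking separately before concluding anything about who is behind it.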

  17. donncha
    Key Master
    Posted 16 years ago #

    The "the_title" check I had in messed with post_titles, not blog titles. It's since been removed, but if you're printing a list of blogs, pass the blog title through strip_tags().

  18. drmiketemp
    Member
    Posted 16 years ago #

    @Donncha, if that's directed to me, no, I mean when a Blog Admin goes to Dashboard -> Options -> General and changes the title of the blog there.

    I haven't tried it though so it may already be covered. Too late in the day to roll out an update.

  19. af3
    Member
    Posted 16 years ago #

    This is what I did: strip_tags and limit to 35 chars.

    $blog_title = strip_tags($blog_title);
    $blog_title = substr($blog_title, 0, 35);

    This, however, does not stop the user from editing the title and changing it to HTML.

  20. donncha
    Key Master
    Posted 16 years ago #

    drmike - good idea. next time around. It was after 11pm here and we'd been up since 6am with the baby. Head was a little fried! :)

  21. MazZziKa
    Member
    Posted 16 years ago #

    So is there any way to kill this spam?

  22. drmiketemp
    Member
    Posted 16 years ago #

    Um, Dashboard -> Site Admin -> Blogs -> Delete?

    Donncha's worked it out so that it won't occur any more. That I believe is the point of this thread. :)

  23. redbox
    Member
    Posted 16 years ago #

    I added the fix from the trac above (changeset 1045) and it's adding dashes between the words in the title.

    For example, I created a blog called "our test blog". It renamed it our-test-blog. I was able to go in afterwards and edit the title correctly.

  24. donncha
    Key Master
    Posted 16 years ago #

    redbox - ignore that one, I changed those sanitize commands in 1047 because of that problem. It's fixed in 1.2.5a but you should use strip_tags() if displaying lists of blog titles.

  25. donncha
    Key Master
    Posted 16 years ago #

    I think the only way that html got into the blog title was through the signup form. I tried several times to insert a html link in the blog title and tagline using options-general.php and each time the html got stripped out.

  26. enseignement
    Member
    Posted 16 years ago #

    How can I avoid the registration of those kinds of splogs?
    Even with 1.2.5a, they can successfully register... :(
    It should be blocked at registration.

  27. Farms
    Member
    Posted 16 years ago #

  28. Bike
    Member
    Posted 16 years ago #

    Hey Farms, is there a way to make that work together with the Captcha from bloggles.info? When trying, no fields are generated and registration is practically blocked, as there is no place to give the right answer :)

    Also, it might be nice to have an admin function, where you can change the question/answer.

    Cheers, Bike

  29. lunabyte
    Member
    Posted 16 years ago #

    Easiest, quickest way:

    at the top of wp-signup.php:

    if ( !empty($_POST['blog_title']) ) {
         $_POST['blog_title'] = strip_tags($_POST['blog_title']);
    }

    It's a temporary fix, but thus far has worked.

  30. Bloggproffs
    Member
    Posted 16 years ago #

    Farms, I'm sorry to say that my spammers get past the signup security question.

    Gonna try lunabyte's fix.

    Cheers!
