Observation on splog registration (fake spam blog signups) (19 posts)

  1. nonegiven
    Member
    Posted 14 years ago #

    Just a quick observation on splog registrations (that is, fake spam blog signups for MU Wordpress).

    A few months ago, I put up a demo multi-user blog for a client.

    It went live and, of course, was immediately hammered by fake spam blog signups.

    Sorry, but if I compare this to my experience with other software, MU Wordpress stock provision really, really is embarrassingly abysmal.

    Looking at the logs though, I can see that the filth is targeting all the old domains that existed in the demo site 6 months ago but that I deleted, e.g.

    Referrer: http://example.com/wp-signup.php?new=example_blog
    Referrer: http://example.com/wp-signup.php?new=example_blog_2
    Referrer: http://example.com/wp-signup.php?new=example_blog_3

    They obviously grabbed a copy of them all, or DNS records of Wordpress installs, and saved them somewhere. They do not exist on my server.

    I just flag it up in case it helps someone more intelligent than I work out how these guys work.

    Could simple steps during the installation, such as forced renaming of wp-signup.php, and changing table names from wp_ during the installation process not help in such a case?

    It took me several days of cleaning out and experimenting before I could work out basic protection to stop them. Thank you for the open source product ... but I cannot believe the software is sent out as is.

  2. andrea_r
    Moderator
    Posted 14 years ago #

    Changing tables won't help. The readme.txt has a paragraph with info on splog protection. Given it's a known issue, plenty of preventative steps are included.

    If they used names from six months ago, likely something crawled the site way back when (like Google) and the spammers used a search engine cache.

    And one of the drawbacks of it being open source is that the spammers can see the code too - so they can figure out how to get around it.

  3. nonegiven
    Member
    Posted 14 years ago #

    I can only suspect that they were logged once and then are being passed around by spammers/sploggers on disk/digital file as per spam email lists.

    Has anyone managed to identify the splogging ring masters and methodology, as per the professional email spammers?

    Are they working from networks of zombified PCs? (i.e. does IP blocking work and is it worth investing time in building up?)

    Yes, I understand changing tables won't help in this case but I do think it helps in other cases and could be customised as a matter of form, surely?

    Thanks.

  4. tdjcbe
    Member
    Posted 14 years ago #

    > I can only suspect that they were logged once and then are being passed around by spammers/sploggers on disk/digital file as per spam email lists.

    Actually the text within that page and the url pattern is the same. You can find quite a few of them via a simple Google search. Many of us change the wording of the wp-signup.php page to prevent that.

    > Has anyone managed to identify the splogging ring masters and methodology, as per the professional email spammers?

    We always check the IP address in the registration log database table. We've noticed that 80% of the splogs created come from a small number of IP addresses. A simple htaccess block will stop these folks until they notice they aren't getting anywhere and move on to their next server. We also post popular IP addresses in our own support forums (We host over a hundred mu installs.) and keep a running list.

    Have you searched the forums for 'splogs' by the way? I mean no disrespect and I'm sorry you've spent days dealing with your concern but this topic has been beat to death many times which is one of the reasons why those links were added to the readme file. Tricks like renaming the wp-signup.php file, checking for the IP address, rewriting the wp-signup.php text, blocking the wp-signup.php url with robots.txt and others have all been discussed before.

    edit: Have to admit I don't see why changing the database table prefix would have any effect on preventing splogs as they're not visible to the end users or visitors. You're not thinking the 'wp-' in the file names are related to the 'wp_' found in the database, are you?
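
The registration-log check described in the post above, as an added example (not code from any poster or from WordPress MU). The sample rows, the function names and the `min_signups` floor are assumptions; the 0.8 share mirrors the "80%" figure in the post.

```python
import ipaddress
from collections import Counter

# Constructed sample standing in for rows of the registration log table
# (IP, e-mail); addresses come from the RFC 5737 documentation ranges.
SAMPLE_ROWS = (
    [("203.0.113.7", f"user{i}@mail.example") for i in range(5)]
    + [("198.51.100.23", f"name{i}@mail.example") for i in range(3)]
    + [("192.0.2.10", "person@site.example"), ("192.0.2.44", "other@site.example")]
    + [("not-an-ip", "broken@row.example")]
)

def signups_per_ip(rows):
    """Count signups per source IP, skipping rows whose IP does not parse."""
    counts = Counter()
    for ip, _email in rows:
        try:
            counts[str(ipaddress.ip_address(ip.strip()))] += 1
        except ValueError:
            continue
    return counts

def concentrated_ips(rows, share=0.8, min_signups=3):
    """Busiest IPs that together cover `share` of all signups. IPs below
    `min_signups` are never listed, so one-off registrations are not blocked."""
    counts = signups_per_ip(rows)
    total = sum(counts.values())
    picked, covered = [], 0
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if covered >= share * total or n < min_signups:
            break
        picked.append((ip, n))
        covered += n
    return picked, (covered / total if total else 0.0)

def htaccess_block(picked):
    """Render Apache 2.2-style deny rules (assumed syntax); comments on own lines."""
    out = ["Order Allow,Deny", "Allow from all"]
    for ip, n in picked:
        out += [f"# {n} signups in sample", f"Deny from {ip}"]
    return "\n".join(out)

if __name__ == "__main__":
    ips, frac = concentrated_ips(SAMPLE_ROWS)
    print(f"{len(ips)} IPs account for {frac:.0%} of signups")
    print(htaccess_block(ips))
```

On Apache 2.4 without `mod_access_compat`, the equivalent rules use `Require not ip` inside a `<RequireAll>` block.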

  5. andrea_r
    Moderator
    Posted 14 years ago #

    "Has anyone managed to identify the splogging ring masters and methodology, as per the professional email spammers? "

    Yes. They have an automated program that bypasses visiting the signup page and auto-fills out the web forms.

    That's why renaming the signup page works. They don't need to share username/passwords, when they can just use a bot to signup hundreds of splogs at once, or over a span of time.

  6. nonegiven
    Member
    Posted 14 years ago #

    > Have you searched the forums for 'splogs' by the way?

    Hi, thanks, yes. I should have said, "hours over a period of days".

    Working from a virgin install, I checked, tried out plugins, went back, cleaned out registration logs, made lists of IPs and email domains, wrote htaccess files, tried more stuff, until eventually it all came together, e.g. Banned Email Domains just doesn't work in 2.8.4, and RewriteRuled them to fbi.gov. Hmmn.

    I think it would help to have a default of registering of all users by IP address and I would suggest "change signup.php to ..." is a mandatory choice during the install procedure.

    The readme.txt lists:

    http://ocaoimh.ie/cookies-for-comments/
    http://wordpress-plugins.feifei.us/hashcash/
    http://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/

    I have been playing around mainly with Monty Spam, Anti-Captcha, Bad Behavior and ImHuman to work out the least level of defence possible.

  7. nonegiven
    Member
    Posted 14 years ago #

    To change the name of wp-signup, I make it around 13 occurrences in 9 files (depending on your theme).

  8. andrea_r
    Moderator
    Posted 14 years ago #

    Should only be one file (wp-signup.php) and around 4-6 occurrences.

    If you have them in your theme, are you using buddypress? (one assumes you'll be switching from the default theme included in MU - most themes do not have a link to wp-signup)

    And if you're using buddypress, that creates its own registration, so you need slightly different tactics.

    "The readme.txt lists:"

    Did you try them?

  9. tdjcbe
    Member
    Posted 14 years ago #

    > RewriteRuled them to fbi.gov.

    That's usually not a good idea:

    Reference:

    http://serverfault.com/questions/51743/reroute-ddos-to-fbi-illegal

    http://www.wickedfire.com/shooting-shit/25354-eli-working-white-house.html#post270612 (NSFW - Language)

    There's case law as well but damn if I can't find it this morning. Rather strange that the wording of a DDoS attack is nearly the same as kiss ass and "We hired someone new" press releases from the FBI.

  10. nonegiven
    Member
    Posted 14 years ago #

    Point taken, thanks ... let me remind myself not to believe or follow everything I read on the internet!

    Re: wp-signup.php, I make it;

      footer.php
      sidebar.php
      home.php
      wpmu-functions.php
      wp-login.php
      wp-signup.php
      wpmu-settings.php

    I suppose you want to block folks from being able to read those files in order to find out what you have called it then?

    If this post is revealing too much, then please delete or ask me to edit it off.

    I am watching the logs on Bad Behavior right now and signed up to the Honeypot BL ... it is not pretty. I may be wearing two condoms at once but I am also trying out Montyspam. Splog registrations have stopped although the bots are still looking for the old sub-domains.

    This matter seriously needs more attention written into the core of WP, please, and updated regularly as per the wonderful Akismet.

  11. andrea_r
    Moderator
    Posted 14 years ago #

    "although the bots are still looking for the old sub-domains."

    I used to use MovableType and had spam issues. So, I switched. 3 years later, bots were still looking for my MT files.

    Dumb bots. :P

  12. tmcandle
    Member
    Posted 14 years ago #

    I would like to find a solution to this also. I tried Montespam and as it does not prohibit the sign ups I ended up with tons of splogs sitting and waiting for a post that would trigger it - so it is gone. I am using Buddypress so I deleted wp-signup and the register for bbpress. I have 40+ IPs in the deny from list (which is increasing daily) and I have no idea how to stop these guys (my batch are mostly IPs from Houston).

    I have spent a lot of hours on this and still can not get them to stop. I am even considering moving away from Wordpress MU as this is burning up valuable time. It must be the same for everyone so with a combined effort an answer must be out there.

  13. techjockey
    Member
    Posted 14 years ago #

    I had enabled reCAPTCHA on my blogs in the registration process and the spam blogs are no longer getting registered.

  14. tdjcbe
    Member
    Posted 14 years ago #

    And neither are the users for which reCaptcha doesn't work for them, is blocked, or they for whatever reason are unable to bypass.

  15. tmcandle
    Member
    Posted 14 years ago #

    I am using SI CAPTCHA since reCAPTCHA has not been upgraded to support the new Buddypress. But it apparently does not help with automated splogs. All the "users" registering have the same <name>DDDD naming convention such as joesmith1988. I am not sure how they are getting in or if it is an issue with buddypress. All I know is it is 1/2 hour a day I certainly could be using for other purposes.

  16. tmcandle
    Member
    Posted 14 years ago #

    A dozen splogs today and my deny from list is near 70. I need to get this resolved or move to something else. I am wondering what other people are doing about this issue since I can not seem to find a way to stop it.

  17. andrea_r
    Moderator
    Posted 14 years ago #

    The registration process is different for buddypress. You'll need some different techniques.

    Have you asked over on the BP forums?

  18. tmcandle
    Member
    Posted 14 years ago #

    Yes, I am trying to follow up there also. But they can not be using the mu register page as it is disabled; they also registered on an IP that was in my Deny from list in htaccess, which is perplexing, but that might have been too soon after I set it in htaccess.

    This is very distressing.

  19. arxpoetica
    Member
    Posted 14 years ago #

    I've been having much the same problem with spammers signing up, most of them with some fake usernameXXXX (X = a number). I asked over at the BuddyPress forums and in the chat room. It appears that several people have been having this trouble of late.

    When I asked about it, we were told to come ask over here, ha, so maybe there's a bit of ping pong going on in the answers.

    Just the same, I've implemented some of the advice in the readme.txt file, and we'll see how it goes. I'm starting to become convinced, however, that the spam prevention front for wordpress/mu/buddypress is very weak, and I haven't seen any really solid solutions yet.

    Of course, I'm a lot of talk and no code, but I would like to see better solutions implemented. The prevailing sensibility seems to be there aren't effective solutions, but I'd like to believe different.

About this Topic

  • Started 14 years ago by nonegiven
  • Latest reply from arxpoetica