WordPress MU

I don't think I've seen this mentioned so I figured I would ask. I was getting numerous splogs a day for a few months. I moderated new signups so it wasn't ever an issue just a pita. Then they stopped for a couple months while I slowed down developing the site. I disabled the "moderate new blogs" a few days ago then today got busy making a few dozen new blogs I wanted. Halfway through creating them the splogs show up again. So what is it about creating the new blogs that the spammers picked up on? Where did they find it? I search a whole bunch and can't come up with anything from today on the goog from my new blogs that would point them to my install.

Anyway, thanks.

My understanding is via the text on your wp-signup.php page or the url of the page itself.

Rather surprised you didn;t find anything as this has been discussed many times over. Andrea's big on renaming the wp-signup.php file and changing all of the links to it.

For example:
http://mu.wordpress.org/forums/topic/14537
http://mu.wordpress.org/forums/topic/12344

The premium site has a paid solution if you;re interested:

http://premium.wpmudev.org/project/anti-splog

Hope this helps

How do they find your MU? It really depends.

They have software they use. There's a few different programs, and they signup in different ways. There's also the manual guys.

They look for your signup page, they look for default test in your install like "powered by wordpress mu", and yes, some of them share lists of installs they have found.

And by look, I mean "search google".

If you get slack and leave a couple splogs in your system, they will create more. they'll invite friends to the party. Oh, they have many ways of getting in, depending on what you have & haven't done

"I disabled the "moderate new blogs" a few days ago then today got busy making a few dozen new blogs I wanted. "

Were you creating them from the backend? Just wondering, as a moderation plugin shouldn't stop the admin from creating blogs that way.

Thanks for the links.
I was not creating blogs via the backend as I have an extra step that I have only implimented on the front end.

I had read up a bit about splogs and spammers but what got me was how immediate it was that they showed up. Not really a peep from them in weeks and as soon as I create some new blogs they are on top of it. I had googled quite a few of the key phrases that I thought they might be using like the one Andrea mentions but couldn't find anything about my site. So I was curious if it something else. However it is easy to find other wpmu intalls that google says were updated just minutes ago so perhaps that is how they found me but just with some search term I haven't yet figured out.

Thanks for your help.

If it;s been quiet for some time, I have a feeling that it was just a single spammer going after you and testing the waters. There are scripts out there designed to create splogs on wpmu installs that one can either use or install themselves. Chances are someone was doing this and may have been reported to their host. (I've gone after a few of them myself.)

May want to skip through the database's wp_blogs table looking for the ip address of the splogs in question just to see if they were all coming from the same IP address.

Was this on one of the mu sites that you mentioned in the "Your WordPress MU" section on the forums here?

If I was a splogger or wanted to find sites to hack, that would be the first place I'd check.

The sploggers mostly google a few choices phrases that are in default installs.

Also, they have lists they share between themselves that they all add to.

Also, they have lists they share between themselves that they all add to.

Having seen some of the lists, most of them are out of date installs where the site admin pays little attention to the site. A good reason to keep active and up to date on your site.

As to reporting them, find the IP address that was used to create the splog (I use these folks to look up IP addresses: http://whois.domaintools.com/) and send an email to their abuse address. You'll need to include the potion of your server logs that include when the IP address accessed your server.

You'll quickly learn that some hosts don't follow up on these types of complaints. (ev1/theplanet comes to mind. Many ISPs out of Germany as well.) We just get to the point that we block them at the routers and bitch and moan about their conduct on a number of system admin mailing lists we monitor. You can block those IP addresses via adding a deny in your .htaccess file.

Well over the last few weeks I've had great luck after totally removing the default language of my signup page as well as renaming it. Also installed wp hashcash. Thanks for the help. Hope it sticks.