This is a follow-up to the post I made a couple days ago about upgrading to WordPress 3.0 and looking for a new spam protection plugin that asked to solve a math problem. The one I chose was Block-Spam-By-Math because it seemed to work out of the box. Well, since then, I’ve learned that the plugin, as is, is not all it’s cracked up to be. I was still receiving numerous spam comments (which Akismet did catch). Due to the content of the comments, I could tell that these were automated or done by bots most likely and not humans. I, of course, understand that no plugin like this is going to stop an actual human hired to or set upon spamming blogs and galleries.
After examining how this plugin worked, it became rather obvious that it was pretty much useless. The plugin always performs addition and the two numbers to be added are there in the form with very recognizable field names and, well, it does have “X + Y” within the form text. A bot that knows how this plugin works and the field names it uses could easily parse the form’s contents to get the two numbers, add them together, and then supply the answer using an obviously known POST variable name. In fact, because the plugin adds the numbers that are submitted to it by the form, the bots can simply supply their own arguments for the plugin to use. All it has to do is use the correct POST field names. Since this is an established plugin on the WordPress site, I’m sure the blog spammers have learned to expect this plugin to be in use on WordPress blogs and have written their code to effectively get around it.
The solution that I wanted to use, which I do with my guest book on my main website, is to store the answer and/or the arguments on the server, such as in a session variable because these values are only known to the scripts running on the server; however, the way the plugin is written (or WordPress itself), the function that sets up the form is some how executed more than once when viewing a post thereby causing the values to change from what is presented on the form itself. Maybe it’s related to this theme’s possibility of having nested comments. This may explain why they perform the math on the values sent in by the form itself. So, what I did was to simply change the field names that it used to some random things I thought of to throw the bot’s parsing or string searching and posting functions off.
This has appeared to do the trick as I can now see spam attacks in my latest visitors log at my webhost resulting in 403 errors that this plugin generates on a failed response. This also proves that these attacks are coming from bots and not humans putting in the answers.
To make this change yourself, edit the /wp-content/plugins/block-spam-by-math/block-spam-by-math.php file and look for function add_hidden_fields() and function check_hidden_fields() and simply change the corresponding name and $_POST[] variables it uses:
$mathvalue0 = rand(2, 15);
$mathvalue1 = rand(2, 15);
echo '<div><b>IMPORTANT!</b> To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-) ';
echo "What is $mathvalue0 + $mathvalue1 ?";
echo '<input type="text" name="changeme2" value="" />';
echo '</div>';
echo '<div style="display:none">Please leave these two fields as-is: ';
echo "<input type='text' name='changeme0' value='$mathvalue0' />";
echo "<input type='text' name='changeme1' value='$mathvalue1' />";
echo '</div>';
}
// Check for hidden fields and wp_die() in case of error
function check_hidden_fields() {
// Get values from POST data
$val0 = '';
$val1 = '';
$val2 = '';
if ( isset( $_POST['changeme0'] ) ) {
$val0 = $_POST['changeme0'];
}
if ( isset( $_POST['changeme1'] ) ) {
$val1 = $_POST['changeme1'];
}
if ( isset( $_POST['changeme2'] ) ) {
$val2 = $_POST['changeme2'];
}
// Check values
if ( ( $val0 == '' ) || ( $val1 == '' ) || ( intval($val2) != (intval($val0) + ntval($val1)) ) ) {
// Die and return error 403 Forbidden
wp_die( 'Bye Bye, SPAMBOT!', '403 Forbidden', array( 'response' => 403 ) );
}
}
In the code above you want to change the changemeX items. The original code and my new code has something other than what is shown here. To be even sneakier you could change them once a week or however often and there’s no need for them to be the same thing with 0, 1, and 2 after them. They just have to match each other in the functions. As I’m sitting here typing this, I just had another idea to try. 😉 Anyway, hopefully this well help cut down some of the automated comment spam attacks.