SpindleyQ:

So about an hour ago a spambot replaced the contents of my MIKE TYSON'S JUNGLE BEAT blog post with some garbage text and links. This naturally made me freak out, because I was pretty sure that random users couldn't just go around editing other users' blog posts.

After doing some research, I discovered that the reason that the spambot was able to do that was because I had made my blog post into a wiki page, so that I could link to it nicely, I guess. This is the first time that a spambot has edited our wiki.

We get a fair amount of comment spam right now that is caught by the automated spam filter, but that's happening much too late for my tastes. We must have hundreds of spambots who signed up and haven't posted anything (defeated by my email that doesn't contain a login link, perhaps), and whose accounts remain active.

Here's some stuff I'd like to do in the near future:

  1. Set up a captcha for the user registration form.
  2. Set up Project Honeypot -- I googled the IP address of this particular spammer and discovered that Project Honeypot already knew about him.
  3. Regular database backups! I'm ashamed this isn't already happening.
  4. Our wiki does not currently have a proper edit history; I have never managed to make it work. Make that work! If spammers start editing our wiki, I don't want to have to resort to the Google cache to fix it.
  5. Investigate how difficult an upgrade to the latest version of Drupal 5 would be, so that I can keep up with the latest security updates. If it had been an SQL injection attack, I'd have been more or less helpless to stop it without simply taking the whole site down.

GoreCore:

I've seen this doughhead, testbot2 was his name?

SpindleyQ:

Nah, the testbots are all my personal accounts, to test how the site looks to non-administrators. In this case I was trying to see what happened when I tried to edit the page as some random user.

SpindleyQ:

OK, I've implemented all of these things except the Drupal upgrade, which I'm going to do soon. Please please please let me know via email if you encounter any trouble, like suddenly finding yourself blacklisted from posting comments or something. My email is jeremy at rhinoceros catastrophes dot com. (I'm kidding to fool spambots, it's glorioustrainwrecks of course, but actually that would be a fucking great domain name.)

Danni:

So Apache now IP bans all spammers known to Project Honeypot? If so, then that's pretty gnarly.

SpindleyQ:

It's actually a Drupal plugin, but yeah. It's kind of hard to test, though. If Project Honeypot has some doubts as to your spamminess, it's supposed to give you a link to apply for whitelisting.

SpindleyQ:

I'm pretty much ready to throw in the towel on using Project Honeypot as a basis for disallowing comments. Since I installed the plugin, it has blocked no spammers (and two spammers have been allowed to post), while GoreCore has had five comments blocked and jan_strach one. This might be OK, if whitelisting worked in a reasonable way, but it doesn't -- the default comment filtering does not supply the user with a link to add themselves to the whitelist, and when I added one in, it didn't appear to work. As well, the plugin whitelists by IP, rather than user, and none of the whitelisting functionality is exposed to administrators -- so there's no button I can push to say, no, it's cool, GoreCore isn't going to spam me, please stop eating his posts.

These problems are with the plugin, rather than Project Honeypot, but unfortunately I don't have the time or inclination right now to fix it up. I've disabled the IP filtering part of the plugin, but kept on the bit that adds an invisible link to every page for email address harvesters to wander into and get stuck harvesting fake addresses.

Think I might try Akismet next. Anyone had any experience with that service?

My user signup CAPTCHA, on the other hand, seems to be doing a decent job at keeping the site from having to send user registration emails to stupid bots. So that's encouraging.