Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

Block Random String Comment Spam

Recently WordPress sites have been getting hammered with random-string comment spam. The attackers are clever, using random text strings for every vector except the payload, which usually is the URL used for the comment’s Name link. But for these weird comment spams, the apparent payload is the email address. It’s the only part of the comment that’s not made up of random gibberish.

Block the aggressive random-string spammer with a few clicks.

Contents

What’s happening..

High volume of these random character spams hitting my sites. Fairly relentless spam attacks happening in periodic bursts. I needed a solid, lightweight solution ASAP. I’m sure any strong anti-spam plugin would block these annoying random comments no problem. But I try to avoid installing extra plugins whenever possible, so not using any anti-spam plugins to stop comment spam.

So I went to work. As shown in the example spams below, every aspect of the comments are randomized in these attacks. The comment name, comment URL/link, and the comment itself all consist of randomized strings of characters. The comment email address is the only actual non-random text included with the spams. But even those are all random addresses like:

badlands3@live.com
MEX750@HOTMAIL.COM
barbara.matzuzi@virgilio.it
SAMUELSCHULTZ@ME.COM
pennyzieg@aol.com
connerwillert33@gmail.com
.
.

With everything randomized, there isn’t much to key on in order to block the requests. Except for the IP address. Which is ideal because IP addresses are specific and trivial to block. So I monitored and recorded every IP address and made a list :)

Going in, I had no idea how many different IP addresses would be involved. Fortunately, this particular attack is coming from a network of bots (botnet) and/or VPN that’s relatively limited in size. Some botnets comprise hundreds or thousands of addresses. So far, this one is limited to around 100. Let’s look at some examples..

Update: After drafting this post, I continued mapping any IP addresses that were sending random comment spam. At first, I didn’t realize the large size of the network. After further study, turns out this network is considerable in size, comprising many hundreds of IP addresses. Subsequent WHOIS lookups shows all addresses located in the Russian Federation [RU], literally all of them.

Example spams

Here are some examples of the annoying random-string comment spams:

Comment:    yqRqUSzuhkzLKwY6DMqs6ha4vZJlI5CO5B3PP254u
Name:       RFvRDRMGh2TaBQ
URL:        CGuzv5wt.com
Email:      6107639292@txt.att.net
IP Address: 46.8.15.18

Comment:    qxXA0F1ZAjsGzAVPXUTUTBMoHN1M4xvIy8CfvXzRBjo7N8oFXG4bqMdhU23s1FTeQeP1FtsW2FU
Name:       YPWxIeLyak
URL:        bPq09X.com
Email:      aishan90@hotmail.com
IP Address: 193.58.168.91

Comment:    Gmr6i7fPLH86YF4K66LeUsEamoTLGSMNEuvJR0St8i0fd0gQziIQPTVveRRC1CLKyWDN73CdpENX1kPwI8ZEGK79iM1wLHK7dcZYmsm
Name:       g75pe7NMJYooaZipU
URL:        SJPPLOu8iBP43EA.com
Email:      lodhiya15@gmail.com
IP Address: 109.248.143.79

Comment:    Pj3hYYl36svwZ87dNEplastXYHQBYAPiQVUneR4c8NrFpKa0yPz4D1hD3r0slwJf
Name:       phPMyF98LHCaXv0n
URL:        ccs0xK4xuNJ.com
Email:      dblrwendy@gmail.com
IP Address: 109.248.205.123

Comment:    tv7v46XY2DC8rZDZok8iWsIxLdxUrbUAwvirzZFPhxagmn8VjMR2ksP
Name:       9IDy7l4PvvCg4
URL:        OXpxF1.com
Email:      KELLY90008@YAHOO.COM
IP Address: 109.248.54.218

I have a complete record of these spam requests, if anyone is interested let me know.

Note: These comment spams seem to be directed primarily at WordPress sites, but the same randomized technique could be used to spam just about anything.

How to block ’em

Here are three ways to block the botnet that’s spamming everyone with their cheesy random-string spams. As explained, the key here is to block each of the offending IP addresses. To make things easier, we take advantage of pattern-matching to optimize blocking with minimal false positives.

Important: As explained previously, blocking based on IP address works best as a temporary solution for dealing with specific and/or ongoing threats. IP-based blocking should be removed after the threat is gone.

Block via WordPress Discussion settings

Fortunately, WordPress makes it super easy to block unwanted comments. To implement, follow these simple steps:

  1. Download IP address listVersion 1.0 ( 1.99 KB TXT )
  2. Copy the list of IP addresses
  3. Visit WordPress Discussion settings
  4. Add the list to “Disallowed Comment Keys” (aka “Comment Blacklist”)
  5. Save changes and done.

After following the above steps, the random-string comment spam should stop immediately. Unless they hit you from an IP address that’s not yet on the list. So if any fresh random-string spams make it through, simply add its IP address to your Discussion settings, and/or feel free to report it here as well.

Note: Each of the (partial) IP addresses in the list represents a block of IPs. For example, 46.8.15. will match (and block) any/all 255 IP addresses located in the block. It’s a bit complicated, check out this guide for all the gory details.

Block via Apache/.htaccess

A better, faster way of blocking the random string spammers is to block them at the server level using Apache/.htaccess. To do it, add the following slice of .htaccess to your site’s root/public .htaccess file (or add via server config).

I’ve been using this list on my own sites and now enjoy nearly zero random spams.

Note: Adding the above Apache/.htaccess rules will block all access from the spamming IP addresses. If you would like to allow access to everything except post comments, it would be possible to reconfigure the .htaccess using a conditional POST technique. Alternately you can just go the WP settings route as explained above.

Block via WordPress plugin

As mentioned, I don’t use any anti-spam type plugins for comments. But there are some great ones like Antispam Bee that should have no problems detecting and blocking the random-string comment spam.

It’s also possible to block IP addresses using a firewall plugin such as BBQ Pro. The free version also can do it but requires more work. I’m sure other security plugins enable wildcard IP-address matching, but BBQ is my baby and I can vouch for its effectiveness. BBQ is 100% focused firewall with no frills or bloat. Just super lightweight and fast, with minimal impact on server resources.

Bottom line: use whatever plugin or technique you prefer to stop the random-string comment spam from wasting your site’s bandwidth and resources.

Outro + Updates

As mentioned, I’ve been using this technique on my sites for a week now and the number of shady random comment spam is near zero. So far, blocking their entire network seems very effective lol.

I am keeping a close eye on this. If they add more IP addresses to their network, I will add them to the list and make a note of the update here in this section. Check back for the latest or grab the feed :)

About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
SAC Pro: Unlimited chats.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
GA Pro: Add Google Analytics to WordPress like a pro.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.