Recently WordPress sites have been getting hammered with random-string comment spam. The attackers are clever, using random text strings for every vector except the payload, which usually is the URL used for the comment’s Name link. But for these weird comment spams, the apparent payload is the email address. It’s the only part of the comment that’s not made up of random gibberish.
Block the aggressive random-string spammer with a few clicks.
- What’s happening
- How to block ’em:
- Outro + Updates
A high volume of these random-character spams has been hitting my sites, in fairly relentless attacks that arrive in periodic bursts. I needed a solid, lightweight solution ASAP. I’m sure any strong anti-spam plugin would block these annoying random comments without trouble, but I try to avoid installing extra plugins whenever possible, so I don’t use any anti-spam plugins to stop comment spam.
So I went to work. As shown in the example spams below, every aspect of these comments is randomized. The comment name, comment URL/link, and the comment text itself all consist of randomized strings of characters. The comment email address is the only non-random text included with the spams, and even those are all random addresses like:
With everything randomized, there isn’t much to key on in order to block the requests, except for the IP address. That is ideal, because IP addresses are specific and trivial to block. So I monitored and recorded every IP address and made a list :)
Going in, I had no idea how many different IP addresses would be involved. Fortunately, this particular attack is coming from a network of bots (botnet) and/or VPN that’s relatively limited in size. Some botnets comprise hundreds or thousands of addresses. So far, this one is limited to around 100. Let’s look at some examples.
Update: After drafting this post, I continued mapping any IP addresses that were sending random comment spam. At first, I didn’t realize the large size of the network. After further study, it turns out this network is considerable in size, comprising many hundreds of IP addresses. Subsequent WHOIS lookups show all addresses located in the Russian Federation [RU], literally all of them.
Here are some examples of the annoying random-string comment spams:
IP Address: 18.104.22.168
IP Address: 22.214.171.124
IP Address: 126.96.36.199
IP Address: 188.8.131.52
IP Address: 184.108.40.206
I have a complete record of these spam requests, if anyone is interested let me know.
How to block ’em
Here are three ways to block the botnet that’s spamming everyone with their cheesy random-string spams. As explained, the key here is to block each of the offending IP addresses. To make things easier, we take advantage of pattern-matching to optimize blocking with minimal false positives.
Block via WordPress Discussion settings
Fortunately, WordPress makes it super easy to block unwanted comments. To implement, follow these simple steps:
- Download the IP address list (Version 1.0, 1.99 KB TXT)
- Copy the list of IP addresses
- Visit WordPress Discussion settings
- Add the list to “Disallowed Comment Keys” (aka “Comment Blacklist”)
- Save changes and done.
After following the above steps, the random-string comment spam should stop immediately. Unless they hit you from an IP address that’s not yet on the list. So if any fresh random-string spams make it through, simply add its IP address to your Discussion settings, and/or feel free to report it here as well.
For example, the partial address 46.8.15. will match (and block) any/all 255 IP addresses located in that block. WordPress applies each Disallowed Comment Key as a plain substring match against the commenter’s IP address, so the trailing dot matters (it keeps 46.8.15. from matching 46.8.150.x), and a key this short can also match addresses such as 146.8.15.x, so check a new key against your logs before relying on it. It’s a bit complicated, check out this guide for all the gory details.
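To illustrate the list-building and pattern-matching steps above, here is an added Python example (not code from the post): it pulls the source address of every comment POST out of constructed sample log lines, collapses any block with several posting hosts into a partial key such as 46.8.15., and mimics how WordPress applies Disallowed Comment Keys to the commenter IP as an unanchored substring match, which is why a key like 46.8.15. also matches 146.8.15.x. The log lines and the 198.51.100.x and 203.0.113.x addresses are constructed placeholders, not entries from the post’s list.

```python
import re

# Constructed sample access-log lines in Apache combined format; these
# addresses are placeholders, not entries from the post's own IP list.
SAMPLE_LOG = """\
46.8.15.21 - - [10/Mar/2023:10:01:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
46.8.15.77 - - [10/Mar/2023:10:01:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
46.8.15.130 - - [10/Mar/2023:10:01:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2023:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2023:10:03:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Source IP at the start of the line, then the quoted request line (method and path).
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*?"(?P<method>[A-Z]+) (?P<path>\S+)')


def comment_posts(log_text):
    """Yield the source IP of every POST to the WordPress comment handler."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").endswith("/wp-comments-post.php"):
            yield m.group("ip")


def build_disallow_keys(log_text, min_hosts=2):
    """Build Disallowed Comment Keys from the log: when at least min_hosts
    distinct addresses in one /24 block posted comments, emit the partial
    key for the whole block (e.g. '46.8.15.'); otherwise emit the exact IP."""
    hosts_by_block = {}
    for ip in comment_posts(log_text):
        block = ip.rsplit(".", 1)[0] + "."
        hosts_by_block.setdefault(block, set()).add(ip)
    keys = []
    for block, hosts in sorted(hosts_by_block.items()):
        keys.extend([block] if len(hosts) >= min_hosts else sorted(hosts))
    return keys


def wp_disallowed_match(keys, user_ip):
    """Mimic how WordPress applies Disallowed Comment Keys to the commenter
    IP: each key is an unanchored, case-insensitive substring match, so a
    key like '46.8.15.' also catches '146.8.15.x'. Check candidate keys
    against real traffic before relying on them."""
    return any(re.search(re.escape(key), user_ip, re.IGNORECASE) for key in keys)


if __name__ == "__main__":
    for key in build_disallow_keys(SAMPLE_LOG):
        print(key)
```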
Block via Apache/.htaccess
A better, faster way of blocking the random string spammers is to block them at the server level using Apache/.htaccess. To do it, add the following slice of .htaccess to your site’s root/public .htaccess file (or add via server config).
I’ve been using this list on my own sites and now enjoy nearly zero random spams.
Note: Adding the above Apache/.htaccess rules will block all access from the spamming IP addresses. If you would like to allow access to everything except posting comments, it would be possible to reconfigure the .htaccess using a conditional POST technique. Alternatively, you can just go the WP settings route as explained above.
Block via WordPress plugin
As mentioned, I don’t use any anti-spam type plugins for comments. But there are some great ones like Antispam Bee that should have no problems detecting and blocking the random-string comment spam.
It’s also possible to block IP addresses using a firewall plugin such as BBQ Pro. The free version can also do it but requires more work. I’m sure other security plugins enable wildcard IP-address matching, but BBQ is my baby and I can vouch for its effectiveness. BBQ is a 100% focused firewall with no frills or bloat. Just super lightweight and fast, with minimal impact on server resources.
Bottom line: use whatever plugin or technique you prefer to stop the random-string comment spam from wasting your site’s bandwidth and resources.
Outro + Updates
As mentioned, I’ve been using this technique on my sites for a week now and the number of shady random comment spams is near zero. So far, blocking their entire network seems very effective lol.
I am keeping a close eye on this. If they add more IP addresses to their network, I will add them to the list and make a note of the update here in this section. Check back for the latest or grab the feed :)