Three Strikes TarPit
I was hit by a wave of spam today. On Raena’s recommendation, I had Kitten’s Spam Words running, so the spam wasn’t visible on the blog, but I still had to log in and delete it all from the moderation queue.
Pain in the arse.
So I went looking for other solutions, and two struck me as good ideas. Three Strikes because it’s a smart way to detect spam comments, and Spammer TarPit, because it’s a nice way of slowing down the spammers. But you can’t run both simultaneously, so I decided to mash the two plugins together.
I’m using Three Strikes to detect spam, TarPit to slow spammers down, and I’ve added an explanation for legitimate commenters who are blocked.
- Download the plugin file: threestrikestarpit.txt (phps)
- Open it in your text editor, and change the options if you like:
  - A lower $SpamThreshold will block comments more aggressively.
  - $tarpit determines how many seconds the commenter should have to wait (I keep it fairly low as a courtesy to any false positives).
  - Set $send_email to false if you don’t want a notification when comments are blocked.
- Change the file extension. It should be threestrikestarpit.php.
- Upload it to your wp-content/plugins/ folder.
- Activate it from within your Wordpress plugin control panel.
It should be that simple. Works for me (which is surprising, since I have no idea how PHP works…).
Update: Raena’s got some great ideas which are forcing me hard against the learning curve… so this plugin is likely to change over the next couple of days.
Update: Actually, the more I think about it the more I think what’s posted here is a complete waste of time. Hmm.
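An added sketch of the strikes-plus-tarpit idea the post describes, not the plugin's own code: the strike rules, weights, word list and function names are invented for illustration, and only the option names $SpamThreshold and $tarpit come from the post. It matches spam words on word boundaries and escapes the comment before showing it back to a blocked commenter.

```php
<?php
// Added illustration, not the plugin's code. Rules, weights and word list are constructed.
$SpamThreshold = 3; // assumed meaning: block at this many strikes (lower = more aggressive)
$tarpit = 2;        // seconds a blocked submission is made to wait

/** Score a comment; returns [strike count, reasons]. */
function count_strikes(string $comment, string $url, array $spamWords): array
{
    $strikes = 0;
    $reasons = [];
    // Hypothetical rule: one strike per link beyond the first two.
    $links = preg_match_all('~https?://~i', $comment);
    if ($links > 2) {
        $strikes += $links - 2;
        $reasons[] = "links: $links";
    }
    foreach ($spamWords as $word) {
        // \b anchors keep "cialis" from matching inside "socialist".
        $pattern = '/\b' . preg_quote($word, '/') . '\b/i';
        if (preg_match($pattern, $comment . ' ' . $url)) {
            $strikes++;
            $reasons[] = "word: $word";
        }
    }
    return [$strikes, $reasons];
}

/** Accept the comment, or stall and return an explanation the commenter can act on. */
function handle_comment(string $comment, string $url, array $spamWords, int $threshold, int $tarpit): string
{
    [$strikes, $reasons] = count_strikes($comment, $url, $spamWords);
    if ($strikes < $threshold) {
        return 'accepted';
    }
    sleep($tarpit); // the tarpit: hold the connection open before answering
    // Escape the text before echoing it back so the rejection page cannot reflect markup.
    return "Comment blocked ($strikes strikes: " . implode(', ', $reasons) . ").\n"
        . "Your text, to copy and edit:\n" . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
}

$words = ['cialis', 'casino']; // constructed sample list
echo handle_comment('And this is a test: socialist.', '', $words, $SpamThreshold, $tarpit), "\n";
$spam = 'cheap cialis http://a.example http://b.example http://c.example http://d.example';
echo handle_comment($spam, 'http://casino.example', $words, $SpamThreshold, $tarpit), "\n";
```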

how weird .. david’s been getting spam too for the last couple of weeks. I hope it doesn’t move over to me.
Does this mean we can’t use the word “socialist” anymore? Another blog of my acquaintance has a spam filter that blocks that word, because it happens to contain the name of an anti-impotence drug (the six letters starting from C).
Hee, great minds. I was screwing about with tarpit goodness on the Three Strikes plugin just this evening. It works sort of the same, but it redirects to a genuine page.
One other thing that may help is renaming your wp-comments-post.php file to something else. If you do that, you’ll need to change the reference to the file in wp-comments.php, at the beginning of the form.
And finally, I’ve been trading spam words with others and have a fairly sizable list. Let me know on the quiet if you want some more spam ammo. :)
Raena, decorating the rejected page was next on my list. I’m trying to teach myself PHP and this seems like as good a way as any to do it. And renaming the comments page is a good idea, too. I did that on one of my old MT blogs, I don’t know why I didn’t think of it for WP!
And this is a test: socialist.
Bah. I’m taking that word off my naughty list. Not enough to trigger the tarpit, but enough to sit in the moderation queue.
Raena, the only problem I’ve got with redirecting to another page, like you’ve done, is that there’s no way to give people a chance to copy their comment so they can modify it and have another go.
Socialist.
There, it works now.
I tell ya, this blog spam thing is obviously a right-wing plot to prevent people discussing socialism.
Ahh, that explains a few things.
Well, a nicely decorated page is as easy as retaining the code from the original threestrikes plugin and using it to direct to a page on your own server. The tarpit is just a sleep() function anyway, and that can go at the end of the original three strikes code just before die().
I also edited my version to generate a SpamAssassin-type report on which items triggered which spam traps. Fun!
Robert, I downloaded an excellent plugin for Wordpress called Blacklist that will delete comments with known URL, e-mail, words, or IP addresses that you can enter. There’s no bothering with moderating comments for deletion, it’ll just remove all new and old comments. It also links to a database that contains the most frequent spam out there. It works incredibly well on my site, after some playing around, and I was going to suggest it last night. Give it a shot, might be what you’re after.
http://weblogtoolscollection.com/archives/2004/10/05/wpblacklist-25-released/
Hmm, trying again… I’d have thought hitting the back button would be enough.
Dave, that’s a Wordpress version of the anti-spam tool I used on Movable Type. I don’t want to use it, for a couple of reasons:
1. I’m trying to learn PHP, and hacking around like this is a fun way of learning.
2. The Three Strikes model gives fewer false positives than Blacklist. For example, as Vaara pointed out, the common spam term “cialis” blocks words that people are quite likely to use on this blog, like “socialist”. Blacklist would never even let me see those comments. The built-in moderation system is a convenient fall-back in those circumstances.
3. I can chuck most of the Blacklist terms into Wordpress (minus the regex terms) anyway.
But thanks all the same!
The three strikes plugin already uses the Tarpit code, so addition of it is unnecessary.
Mark, I know it uses the IP address code as one of the strikes, but it’s actually the sleep() and the error message in the Tarpit that I liked. I didn’t notice them in the Three Strikes plugin.
Just use the verification code. It stops spammers cold.
I don’t like the verification code because apart from breaching accessibility standards, it discourages participation. I reckon for every four comments I consider leaving on your blog, I only follow through with one. It’s a pain in the arse.