I was doing three blogs. (I’m not going to say which ones, because the work was done under a non-disclosure contract.) The tide of spam started almost immediately. There were literally endless repeat spams from some selling Chanel bags, Louis Vuitton and others.
The comments section gave me a lot of information about the sources, but of course that information is somewhat redundant. False names, the same people with multiple IPs, all pretty typical botnet stuff.
Hardly any of the comments were related to the subject of the blogs. Some were illiterate, some were actually so far off topic they were funny. I think out of the hundreds of comments I got about two actual comments.
One of them cracked me up. The subject was something like pretzels, and the comment said, “Great writing, keep up the good work”… from a carpet cleaning company somewhere in LA which was also a serial offender in terms of spam. What literate carpets they must have in Los Angeles.
One was funny in another way. This is the one that was too thoughtful:
“Great blog. What sort of anti-spam plug ins do you use against hackers?”
Meaning “Tell me what you’re using so I can get around it.” This is called “social engineering”, simply asking for security or ID-related information. It usually works, too, about 7 times out of 10.
Meanwhile, the spam piled up.
WordPress spam basics
This stuff is dangerous. Every single one of them came with a link. Even opening these things can be risky, never mind hitting the link.
1. The usual format is “Hi……… (compliment) I’ll tell all my friends about your blog….(link)”
2. The other basic format is “…….(text that’s nothing to do with anything)… (link)”
3. The occasional written comment, again with a link.
Literacy varies. The ones that can spell are probably more dangerous, but they’re basically the same thing.
From the various worms and viruses my security caught, you can also assume that the malware is pretty much up to the minute. If you’ve got a blog, get good security software with a full library of malware definitions.
What you can do about it
The process of spam prevention is pretty easy, but there’s a bit of work involved:
1. Require registration for comments. That stops the botnets. You can use CAPTCHA or not; the spam botnets don’t usually bother trying.
2. Don’t approve anything at all until you’ve checked it out. If you’re wrong, your blog users will get the malware too.
3. Consider all links suspicious. That includes misspelt/odd looking links for legitimate known sites, etc.
4. Some spam reacts to keywords. I got quite a few of those, obviously spam, but they were related to tags on the blogs. Be very suspicious of anything that looks like it’s directly related to the subject tags.
5. If you get malware, open in Safe mode and scan. Delete restore points to get rid of Trojan generics, which hide in the restore points and breed like rabbits.
6. Get rid of backups from the time of the infection. These things can hide there.
7. Bulk delete anything suspected of being spam. 99% of them will be obvious, but a few won’t.
8. Trust nothing.
9. Check your computer’s firewall. If it keeps turning off, hit “restore defaults”, because the default setting is on.
10. Block emails from your blog and manage the comments on the comments board instead. This prevents the malware getting into your email system. It also prevents your email getting buried in spam comment emails.
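
Points 2 to 4 of the list can be partly automated as a triage pass over the held comments, so a reviewer sees why each one looks suspicious before opening anything. The sketch below is an added example, not code from the original post or from WordPress. The phrase list, the known-site list and the `.example` domains are constructed assumptions, and the function only annotates comments for a human to review.

```python
import re
from urllib.parse import urlparse

# Constructed sample values (assumptions): replace with your own lists.
KNOWN_SITES = {"bakery.example", "news.example"}
GENERIC_PRAISE = ("great blog", "great writing", "keep up the good work",
                  "tell all my friends")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of known hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_hosts(text):
    """Host names of every http(s) link in the comment, without 'www.'."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts


def triage(comment, post_tags):
    """Return the reasons a held comment deserves extra suspicion."""
    reasons = []
    text = comment.lower()
    hosts = link_hosts(comment)
    words = set(re.findall(r"[a-z']+", URL_RE.sub(" ", text)))
    if hosts:  # point 3: every link is suspicious
        reasons.append("contains-link")
    for host in hosts:  # point 3: misspelt versions of known sites
        if any(0 < edit_distance(host, site) <= 2 for site in KNOWN_SITES):
            reasons.append("lookalike-domain:" + host)
    if any(phrase in text for phrase in GENERIC_PRAISE):  # format 1
        reasons.append("generic-compliment")
    if hosts and words & set(post_tags):  # point 4: keyword-reactive spam
        reasons.append("tag-echo-with-link")
    return reasons
```

An empty list does not mean a comment is safe to approve; it only means none of these particular patterns matched.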
The bottom line here is that if you want your WordPress blogs to be anything other than a massive security liability, learn how to keep them secure. You may delete one or two legitimate comments, but most people will/should understand.
I got slightly under 1000 of these things in a week. The fun of it was I was working 18 hour days while all this was happening. That made deleting things a lot more fun, but it was more work, as well.
I hope that helps those battling the tides of spam.