Recently, I’ve encountered some very aggressive WordPress spam bots. These bots post a new spam comment almost every minute for hours on end. Needless to say my spam queue is a mess. I wrote the following plugin to solve this problem.
What is Spam Log?
Spam Log is a simple WordPress plugin that logs a message every time a comment is marked as spam. Each log message includes the IP address of the poster and the comment’s ID. The log can easily be processed by fail2ban. fail2ban is a daemon that scans log files for misbehaving clients and bans them by IP address. Here is sample output generated by Spam Log:
2009-04-20 04:15:03 comment id=527 from host=83.233.30.32 marked as spam
2009-04-20 04:18:15 comment id=528 from host=83.233.30.32 marked as spam
2009-04-20 04:20:36 comment id=529 from host=83.233.30.32 marked as spam
2009-04-20 04:21:46 comment id=530 from host=83.233.30.32 marked as spam
2009-04-20 04:22:49 comment id=531 from host=83.233.30.32 marked as spam
Why use Spam Log and fail2ban if Akismet/wp-recaptcha/etc. is already catching all the spam?
- Many spammers post 50+ comments a day from a single IP address. Even if every comment is correctly marked as spam, the volume alone means that you can’t easily monitor the spam queue for false positives. Spam Log and fail2ban should considerably reduce the total amount of spam.
- Even if spam comments never appear on your blog, they still waste valuable resources on your server. Low-memory virtual servers need all available resources for serving legitimate users. Banning spammers at the firewall before they ever connect to your web server is very efficient.
Installation
Spam Log
- Upload the spam-log folder to the wp-content/plugins directory.
- Activate the plugin through the WordPress Admin menu.
- Set the location of the spam log through Spam Log’s Options page in the WordPress Admin menu. By default, the location is set to wp-content/spam.log. The file or containing directory needs to be writeable by the user that the web server runs as. On Debian or Ubuntu systems, you can do the following:
$ sudo touch /path/to/spam.log
$ sudo chown www-data:www-data /path/to/spam.log
fail2ban Configuration
Create /etc/fail2ban/filter.d/spam-log.conf with the following contents:
[Definition]
failregex = ^\s*comment id=\d+ from host=<HOST> marked as spam$
ignoreregex =
Add the following lines to /etc/fail2ban/jail.local:
[spam-log]
enabled = true
port = http,https
filter = spam-log
logpath = /path/to/spam.log
maxretry = 5
findtime = 3600
bantime = 86400
Change logpath to the path you set on Spam Log’s Options page. This configuration will ban an IP address for a day if it’s used to post 5 comments within an hour that are marked as spam.
Warning: Some captcha plugins mark comments as spam when a user fails a captcha. Be careful decreasing maxretry if you’re using such a plugin as there’s a risk that you will ban legitimate users.
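To check how maxretry and findtime interact before enabling the jail, the following added example (not part of Spam Log or fail2ban) replays the sample log through the filter's failregex and reports which hosts would be banned and when. It assumes a simplified IPv4-only stand-in for <HOST>, and the 203.0.113.7 line is constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample lines from the post, plus one constructed line (203.0.113.7).
SAMPLE_LOG = """\
2009-04-20 04:15:03 comment id=527 from host=83.233.30.32 marked as spam
2009-04-20 04:18:15 comment id=528 from host=83.233.30.32 marked as spam
2009-04-20 04:19:00 comment id=900 from host=203.0.113.7 marked as spam
2009-04-20 04:20:36 comment id=529 from host=83.233.30.32 marked as spam
2009-04-20 04:21:46 comment id=530 from host=83.233.30.32 marked as spam
2009-04-20 04:22:49 comment id=531 from host=83.233.30.32 marked as spam
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s?")
# failregex from the post; <HOST> is replaced by a simplified IPv4 group
# (assumption: fail2ban's real <HOST> pattern also covers hostnames/IPv6).
FAILREGEX = r"^\s*comment id=\d+ from host=<HOST> marked as spam$"
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))


def find_bans(log_text, maxretry=5, findtime=3600):
    """Return {ip: ban time} for hosts with maxretry matches inside findtime seconds."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        # The failregex is applied to the line with the timestamp removed.
        m = HOST_RE.match(line[ts.end():])
        if not m or m.group("host") in bans:
            continue
        q = hits[m.group("host")]
        q.append(when)
        # Forget matches that fell out of the findtime window.
        while when - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            bans[m.group("host")] = when
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when} for 86400s")
```

Calling find_bans with maxretry=1 also bans the host that was marked as spam only once, which is the false-positive risk the warning above describes for captcha plugins.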