WordPress Comment Spam Attack

This blog has been targeted for the last two days by a comment spam bot that issued about 120 spammy comments. The comments never went live because they landed in the moderation queue: I had set up a moderation rule during a previous ‘benign’ attack by the same kind of bot, and that rule caught them all. If you receive a similar flood of comments, look through them for a common pattern and block that pattern at Options | Discussion. This particular bot can be blocked by adding a rule against “mail.com”. You can also use the tips from Google guy Matt Cutts to increase the security of your WordPress install (they are good for other CMSs too).

This bot I was talking about wasn’t acting in a subtle way at all. For backlinks, getting one spam comment through is mostly enough, and one is more likely to go unnoticed than hundreds. The URLs were just random, so it could seem like unskilled or pointless spam. Reading here and there, though, I’ve heard that the bot actually seems to “bomb” the anti-spam plugins so that they can no longer filter the bad comments. I don’t use spam killers since this isn’t a popular blog; I just changed some code to make it look and work differently from a vanilla WordPress install. A good idea, if you don’t mind repeating it with each update, is to hack comments.php and wp-comments-post.php so the form fields have different names, and also to rename the latter file to avoid it being hit directly; you can even leave a hidden fake comment form with the default field names as chaff for the simplest bots.

I’d also suggest filling in the moderated keywords box. I’m not posting my whole list here, since some words would be the last thing I’d like to be indexed for, but to stop praiser-bots you shouldn’t forget to include “impressive”, “information”, “informative” or “webpage!” Readers use those words very rarely (or maybe it’s just my blog that isn’t very impressive at all).
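Added example (not from the original post; the sample comments are constructed): one way to do the pattern hunt and the keyword selection described above, ranking candidate moderation keys by how much of the flood they catch and how many known-good comments they would also hold. It assumes keys match as case-insensitive substrings across all comment fields, which is why a bare “mail.com” also hits a gmail.com address while “@mail.com” does not.

```python
import re
from collections import Counter

# Constructed sample data (not from the post): (author, email, url, body).
FLOOD = [
    ("Kira", "kira81@mail.com", "http://xqzt.example/a", "Impressive webpage! Very informative."),
    ("Tomas", "t.b@mail.com", "http://plmk.example/b", "Great information, impressive work."),
    ("Lena", "lena@mail.com", "http://wrty.example/c", "Informative post, thanks for the information."),
    ("Omar", "omar77@mail.com", "http://zzkd.example/d", "Impressive! I bookmarked this webpage!"),
]
KNOWN_GOOD = [
    ("Ana", "reader.one@gmail.com", "", "I tried renaming the form fields and it worked."),
    ("Joe", "joe@example.org", "http://joe.example", "Does this survive an upgrade?"),
]

def candidates(comment):
    """Candidate keys from one comment: email domain plus body words of 5+ letters."""
    _author, email, _url, body = comment
    keys = {email.rsplit("@", 1)[-1].lower()}
    keys.update(re.findall(r"[a-z]{5,}", body.lower()))
    return keys

def score(key, flood=FLOOD, good=KNOWN_GOOD):
    """(flood_hits, good_hits) under the assumed matching rule:
    case-insensitive substring search over every field of the comment."""
    def hit(c):
        return key.lower() in " ".join(c).lower()
    return sum(map(hit, flood)), sum(map(hit, good))

def rank_keys(flood=FLOOD, good=KNOWN_GOOD, min_cover=0.5):
    """Keys seen in at least min_cover of the flood, fewest false positives first."""
    seen = Counter()
    for c in flood:
        seen.update(candidates(c))
    rows = [(k, *score(k, flood, good)) for k, n in seen.items()
            if n / len(flood) >= min_cover]
    return sorted(rows, key=lambda r: (r[2], -r[1], r[0]))

if __name__ == "__main__":
    for key, flood_hits, good_hits in rank_keys():
        print(f"{key:12} flood={flood_hits}/{len(FLOOD)} false_positives={good_hits}")
    # Anchoring the domain with '@' keeps the coverage and drops the gmail.com hit.
    print("@mail.com", score("@mail.com"))
```

Feed it an export of your own moderation queue and a handful of genuine comments before adding any key to the list.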

These tips are very, very far from being a bullet-proof way to stop spam. Any human specifically willing to spam you is going to spam you. But bots are rarely designed to hit uncommon installs, and they get lower returns from hitting pages that show signs of actively fighting spam, because anything that gets through is likely to be manually deleted. A bot that is too clever could even annoy the real net gurus out there… I don’t think spammers would be very happy to discover that a feral bot had made some net honchos take a personal interest in tracking them.

In case you wonder, I’m not into that kind of techy knowledge (my PHP is even clumsy), but I learned about bot strategies and code evolution from artificial life simulations. You can only wonder at how often natural diversity can beat intelligent design. If you make your CMS install unique in its own way, it’s very likely to be skipped by most regular bots.
