KB Plugins blog

The best Wordpress plugins are free

WP SpamFree: A nice idea, but it won’t last

Recently, Scott Allen released WP SpamFree, claiming that it “virtually eliminates automated comment spam from bots.” It does so by using JavaScript to set a cookie in the commenter’s browser and then checking for that cookie when the comment is submitted. Since most bots ignore JavaScript, Scott reasons, this should eliminate automated comment spam.

There’s only one problem: The plugin is way, way, waaay too easy to defeat.

Now, I’m no spammer. But I do know how to program bots; I use them to do routine maintenance on my wiki. When I saw these claims, I thought to myself, “Lots of people are going to download this plugin thinking they’re safe from spam, but it won’t last long.”

The first half of that prediction was right: Over 2000 people have downloaded the plugin since it was released a month and a half ago.

I expect the second half of my prediction to be right soon. Here’s why: All that a spammer needs to do to defeat this plugin is add one line of code to their bots. Here comes the technical explanation:

Proof of Concept

When you criticize code, it’s standard to give a proof of concept. Well, here’s mine. I spent a few minutes this morning seeing whether I could post an automated comment to my test blog that was running Scott’s plugin. An experienced spammer would be able to defeat the plugin in only a few minutes.

I program my wiki’s bots in PHP using the Snoopy class to send and receive cookies and form variables. So the code starts by including the Snoopy class. Then I use Snoopy to fetch a blog post’s contents. A regular expression finds the comment posting URL, and another finds the ID of the post I want to comment on. I define an array of variables that I want to post. Now, if the blog didn’t run WP SpamFree, I’d be done at this point. But to defeat the plugin, all I do is add the one line near the bottom. Take a look:

<?php

// include the Snoopy HTTP client class (Snoopy.class.php, as distributed)
require_once 'Snoopy.class.php';

// use Snoopy to send and receive cookies and form variables
$snoopy = new Snoopy();

// the WP post we want to comment on automatically.
$url = 'http://blog.example.com/2008/01/some-blog-post/';

// scrape the URL; Snoopy returns false (and sets $snoopy->error) on failure
if ( ! $snoopy->fetch( $url ) ) {
    die( 'fetch failed: ' . $snoopy->error . "\n" );
}

// find the URL we need to post to (the comment form's action)
if ( ! preg_match( '~ (redacted) ~Usi', $snoopy->results, $matches ) ) {
    die( "comment form not found\n" );
}
$submitUri = $matches[1];

// Define an array of vars we want to post. Start with the standard WP post vars:
$post = array();
$post['author'] = 'Proof of Concept';
$post['email']  = 'proof_of_concept@example.com';
$post['url']    = '';
$post['submit'] = 'Add Your Comment';

// Now find the post's ID (the hidden comment_post_ID field in the form)
if ( ! preg_match( '~ (redacted) ~i', $snoopy->results, $matches ) ) {
    die( "comment_post_ID not found\n" );
}
$post['comment_post_ID'] = $matches[1];

// write your comment
$post['comment'] = 'This is the comment that I will post automatically.';

// Everything up to now is what I would need if I were automatically posting on an unprotected blog.
// So what do I need to do to defeat the SpamFree plugin?

/////////////////
// To defeat the WP SpamFree plugin, only this ONE LINE is necessary:
// set the cookie its JavaScript would have set, so the server sees a "browser" that ran the script.
$snoopy->cookies[ (redacted) ] = ' (redacted) ';
////////////////

// submit the comment; Snoopy sends the cookie set above along with the POST
$snoopy->submit( $submitUri, $post );

?>

Note that only one extra line of code was necessary to defeat the plugin. If they haven’t already, spammers will soon start adding that line as a standard feature of their bots.

Even if Scott made the plugin harder to beat (by, for example, changing that cookie’s value instead of keeping it the same all the time), it would take only one regular expression for me to find the value in the page’s JavaScript and send it back with Snoopy. Enjoy it while it lasts, folks, but if this plugin enters widespread usage, expect the spammers to compensate.
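What that one regular expression looks like, as an added example that is not part of the original post or of the plugin: it pulls every `document.cookie = "..."` assignment out of a fetched page and turns it into the name/value pairs Snoopy needs, so the bot never has to hard-code a value. The sample HTML, the cookie names and the values are constructed for the example.

```php
<?php
// Added example, not code from the post or the plugin: read every cookie a
// page sets from inline JavaScript so a bot can replay it without running
// any JavaScript. Assumes the check is a literal
// document.cookie = "name=value; ..." assignment, which is what a regex can see.

function extract_js_cookies( $html ) {
    $cookies = array();
    // Group 1 is the opening quote (the same quote must close the string),
    // group 2 is the string body. /s lets the body span lines, /i ignores case.
    if ( preg_match_all( '~document\.cookie\s*=\s*([\'"])(.*?)\1~si', $html, $m ) ) {
        foreach ( $m[2] as $assignment ) {
            // "name=value; path=/; expires=..." : the first pair is the cookie,
            // the rest are attributes the browser never sends back anyway.
            $attrs = explode( ';', $assignment );
            $pair  = explode( '=', trim( $attrs[0] ), 2 );
            if ( count( $pair ) === 2 && trim( $pair[0] ) !== '' ) {
                $cookies[ trim( $pair[0] ) ] = trim( $pair[1] );
            }
        }
    }
    return $cookies;
}

// Constructed sample page: cookie names and values are made up, and the
// second script shows that the regex copes with single quotes and odd spacing.
$html = <<<'HTML'
<html><body>
<script type="text/javascript">
document.cookie = "example_key=7f3a9c; path=/";
</script>
<form action="http://blog.example.com/wp-comments-post.php" method="post">
<input type="hidden" name="comment_post_ID" value="42" />
</form>
<script>document.cookie='second_key = abc' ;</script>
</body></html>
HTML;

$found = extract_js_cookies( $html );
print_r( $found );

// With Snoopy (the class used in the proof of concept above), the replay is
// one loop in place of the hard-coded line, whatever value the page chose:
// foreach ( $found as $name => $value ) { $snoopy->cookies[ $name ] = $value; }
```

If the value is assembled in JavaScript rather than written as one literal (document.cookie = name + '=' + value), the regex needs a second capture or the bot needs a JavaScript engine; either is still a few minutes’ work, which is the point of the paragraph above.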

What is to be done?

Plugins like Akismet, Spam Karma, and Bad Behavior have proved relatively robust. The easiest defense against spam is to use one or more of them. If you want better defenses, add something unique to your blog: Scott’s technique would work great if his blog were the only one using it, but when thousands of blogs use the same check, the spammers only have to adjust their tactics once.
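One way to give a blog “something unique”, as an added example that is neither the plugin’s code nor a proposal from the post: the token the page hands out is keyed with a secret that only this site knows, and it goes a step beyond a per-site value by also binding the token to the post being commented on and to a short time window. The secret, the window length, the cookie name and the function names are assumptions; hash_hmac, hash_equals (PHP 5.6 or later) and json_encode are standard PHP.

```php
<?php
// Added example, not from the post or the plugin: a per-site comment token
// keyed with a secret this blog alone knows, bound to the post ID and to a
// time window. Secret, window, cookie name and function names are assumptions.

define( 'SITE_SECRET', 'replace-with-a-long-random-per-site-secret' ); // assumed per-site secret
define( 'TOKEN_WINDOW', 600 );                                          // assumed validity, seconds

// Issue the token to embed with the comment form (in a hidden field or, as the
// plugin does it, set as a cookie from JavaScript).
function issue_token( $post_id, $now, $secret = SITE_SECRET ) {
    $issued = (int) $now;
    $mac    = hash_hmac( 'sha256', (int) $post_id . '|' . $issued, $secret );
    return $issued . ':' . $mac;
}

// Check a submitted token. Returns true when it is good, otherwise a short
// reason the caller can log (but should not echo back to the client).
function verify_token( $token, $post_id, $now, $secret = SITE_SECRET ) {
    $parts = explode( ':', (string) $token, 2 );
    if ( count( $parts ) !== 2 || $parts[0] === '' || ! ctype_digit( $parts[0] ) ) {
        return 'malformed';
    }
    $issued = (int) $parts[0];
    $mac    = $parts[1];
    if ( $issued > $now || $now - $issued > TOKEN_WINDOW ) {
        return 'expired';
    }
    $expected = hash_hmac( 'sha256', (int) $post_id . '|' . $issued, $secret );
    // Constant-time comparison: a plain == would let timing leak the MAC byte by byte.
    if ( ! hash_equals( $expected, $mac ) ) {
        return 'bad signature';
    }
    return true;
}

// Script to emit with the comment form; json_encode keeps the token safe inside JS.
function cookie_script( $token, $cookie_name = 'example_token' ) {
    return '<script type="text/javascript">document.cookie = '
         . json_encode( $cookie_name . '=' . $token . '; path=/' )
         . ';</script>';
}

// Walk through the cases the post discusses.
$now   = time();
$token = issue_token( 42, $now );
echo cookie_script( $token ), "\n";

// 1. Real browser, submitted a minute later on the same post: accepted.
var_dump( verify_token( $token, 42, $now + 60 ) );
// 2. A value hard-coded in the bot (the one line above): rejected as malformed.
var_dump( verify_token( 'fixed-value-from-a-bot', 42, $now ) );
// 3. Token issued by another blog running the same code with its own secret: rejected.
var_dump( verify_token( issue_token( 42, $now, 'some-other-blog-secret' ), 42, $now ) );
// 4. Token scraped from this blog but reused on a different post: rejected.
var_dump( verify_token( $token, 43, $now ) );
// 5. Token scraped earlier and replayed after the window: rejected.
var_dump( verify_token( $token, 42, $now + TOKEN_WINDOW + 1 ) );
```

A value copied from another blog, or hard-coded once as in the one line above, fails the signature check, and a value scraped from this blog stops working on other posts and after the window. It does not stop a bot that fetches each page fresh before posting, which is exactly the adjustment the post predicts, so it raises the per-comment cost rather than replacing Akismet or Bad Behavior.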

9 Comments

  1. Posted February 4, 2008 at 3:12 pm | Permalink

    Hey Adam,

    I like a challenge. I’m glad you tested out the plugin. :)

    Don’t worry, I’m already quite aware bots like this are out there. They are extremely rare though….for now. However, I think we all know that spam protection needs to evolve or every single spam plugin will become out of date in a year or two. Akismet is a pretty great plugin, but it is a huge problem that it commonly flags false positives…this pisses off a lot of readers who post legitimate comments and it wastes a lot of time for bloggers who have to sort through the queue. I’ve got some evolutions in the works for future versions that your bots are going to have a tough time beating.

    I would definitely like to chat though. Maybe I could see the full code for your bot, or perhaps you can send your bots against the new features and see how they hold up. :)

  2. Posted February 4, 2008 at 3:18 pm | Permalink

    Oop, I already replied to you over at WP.org. It’s good that you posted here too, though, so I have your email address. I’ll be in touch later this week.

  3. Posted February 4, 2008 at 3:29 pm | Permalink

    Great writeup. I can hardly wait to see how it turns out. However, anyone proficient in PHP can change the plugin themselves to make a unique cookie, no? That would get us back to: “Scott’s technique would work great if his blog were the only one using it.”

  4. Posted February 4, 2008 at 3:30 pm | Permalink

    Very true, Jonathan, but the typical WP user won’t bother, and more to the point, won’t know that it’s worth bothering.

  5. Posted February 5, 2008 at 12:20 am | Permalink

    @Adam: Excellent. Looking forward to it!

    @Jonathan: That’s actually one of the features I’ve already been working on adding, and will appear in the next version. The cookies will be randomly generated, along with 2 (or more) other types of randomly generated keys, and several other features that I won’t disclose here. No one will have to do any editing. :)

  6. Posted February 26, 2008 at 9:44 pm | Permalink

    Enter version 1.5: (link)

    :)

  7. Posted March 21, 2008 at 11:53 pm | Permalink

    Only coders say a “proof of concept” is required to criticize code. It stops most criticism.

    However, since you posted this “proof”; are you not supposed to have the “proof” in your proof? Yes, I know what you’re doing, however if I was not a coder I would just say you didn’t like the plugin developer.

    I have been testing Defensio, lately and it is working nicely. Much better interface, and seems equal and in many cases better than Akismet.

  8. Posted March 25, 2008 at 2:12 pm | Permalink

    Mark, I’m not sure which part of the proof you don’t find persuasive. It’s a bit moot now, though, since Scott has updated his plugin.

  9. Posted June 24, 2010 at 7:23 am | Permalink

    It appears to be defeated now. I am getting a dozen or more comment spams a day using the latest version of SpamFree with the extra checks enabled as well. Worked great for quite a few years, though.

    I’ll have to look at the code and mess with that value and see if the spam bots are using a fixed value instead of a regular expression.