Three weeks ago, I slightly modified the comment system on this blog for an experiment. This blog is a standard WordPress installation. Comments are normally directed to the wp-comments-post.php script by the HTML form. What I did is:
- Create a comments-post.php wrapper script that just includes wp-comments-post.php (this allows things to still work properly after WordPress upgrades),
- Make the HTML form direct to the comments-post.php script,
- Add a usedForm=1 parameter to the HTML form action, such that comments-post.php is supposed to always be called with it,
- Add a simple JavaScript that adds a hasJS=1 parameter to the HTML form action when the page is loaded, and a Submit=1 parameter when the form is submitted.

During the past three weeks, on this blog, there were 7170 comments, 8 of which were actual comments. 7162 were spam (~99.9%).
- 3165 spams (~44.1%) were sent to the original WordPress comment handler (wp-comments-post.php) from 1589 unique IP addresses.
- 0 spams were sent to the new comment handler without a query string (comments-post.php), but 1 was sent with an empty query string (comments-post.php?).
- 18 spams were sent to the new comment handler with a lowercased query string (comments-post.php?usedform=1) from 6 unique IP addresses.
- 3971 spams (~55.4%) were sent to the new comment handler with the form query string (comments-post.php?usedForm=1) from 1153 unique IP addresses.
- 7 spams (~0.1%) were sent to the new comment handler with the full query string, including what is added through JavaScript (comments-post.php?usedForm=1&hasJS=1&Submit=1) from 5 unique IP addresses.

This means a large portion of spammers didn’t bother to check the actual comment form and posted straight to the standard WordPress URL, and another large portion doesn’t run JavaScript on its bots, although a very few do.
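
A breakdown like the one above can be computed from the web server's access log. The following Python sketch is an added example, not the script used for this post: it assumes combined-format log lines (the sample lines and the bucket labels are constructed for illustration) and counts every comment POST, spam or not, since only moderation separates the two.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample access-log lines (combined format, documentation IPs).
SAMPLE_LOG = '''\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /comments-post.php? HTTP/1.1" 302 0
198.51.100.8 - - [01/Jan/2024:10:02:00 +0000] "POST /comments-post.php?usedform=1 HTTP/1.1" 302 0
192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "POST /comments-post.php?usedForm=1 HTTP/1.1" 302 0
192.0.2.20 - - [01/Jan/2024:10:05:00 +0000] "POST /comments-post.php?usedForm=1&hasJS=1&Submit=1 HTTP/1.1" 302 0
192.0.2.20 - - [01/Jan/2024:10:05:30 +0000] "GET /index.php HTTP/1.1" 200 512
'''
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "POST (\S+) HTTP/[\d.]+"')

def classify(target):
    """Map a POST target to a bucket; parameter names are case-sensitive."""
    path, sep, query = target.partition("?")
    name = path.rsplit("/", 1)[-1]
    if name == "wp-comments-post.php":
        return "original handler"
    if name != "comments-post.php":
        return None  # not a comment submission
    if not sep:
        return "wrapper, no query string"
    if not query:
        return "wrapper, empty query string"
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("usedForm") != "1":
        lowered = any(k.lower() == "usedform" for k in params)
        return "wrapper, lowercased parameter" if lowered else "wrapper, other query"
    if params.get("hasJS") == "1" and params.get("Submit") == "1":
        return "wrapper, form + JavaScript parameters"
    return "wrapper, form parameter only"

def tally(log_text):
    """Return {bucket: (request count, unique client IPs)} for comment POSTs."""
    hits, ips = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        bucket = classify(m.group(2)) if m else None
        if bucket:
            hits[bucket] += 1
            ips[bucket].add(m.group(1))
    return {b: (hits[b], len(ips[b])) for b in hits}

if __name__ == "__main__":
    print(tally(SAMPLE_LOG))
```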