For about a month or so now I have a domain I host under serious attack from what I think are spammers. It's a wordpress site, and they are getting big numbers of POST requests to the WordPress comments file, e.g.
POST /wp-comments-post.php HTTP/1.1
It's a well distributed attack, and I'm doing well with some scripts I wrote to block the requests to the wp-comments-post.php file. The real comment file has long since been moved, so any POST to the file gets firewalled. It's several thousand IPs from all over the place.
I don't believe it's a malicious attempt to bring the site down, but I'm guessing it's a blog comment spammer that has something set wrong and he's pounding this site to death by accident. I could be wrong on that though.
So I'm just curious if anyone else is seeing this. Anyone have any good defense scripts to share?
We've seen a couple variations on this; one always uses the same referer, so it was fairly easy to turn off comments for that post, then do a <Limit POST> in their stanza in httpd.conf. Another sends no referer; our general guideline for blogs is no referer + POST = instant 403.
Some spammers work with ridiculously outdated target lists, for lack of a better term; we've one customer who used to have a blog, but for a year or more has only had a photo gallery up; they're *still* getting forty to fifty hits a day to the old mt-comments URL. On the plus side, it's only something like 1KB per hit, but, still...
There are so many comment spammers out there, on so many compromised IPs, the only real thing you can do is make sure the comments don't actually get posted (yay SpamKarma), and suck it up. (If you've got the CPU cycles, mod_security and POST filtering could work, too; you could probably block 99% of spam comments with 99 keywords or phrases...) We've had to set our keepalives really low on a couple machines, to avoid having 200 processes open at once...
redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS
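A small log-triage script for the "no referer + POST to the comment handler" rule described in the reply, and for the original poster's request for defense scripts. This is an added example, not a script from either poster; the log lines are constructed and the block threshold is an assumption.

```python
import re
from collections import Counter

# Apache "combined" log format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2012:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 212 "-" "Mozilla/4.0"
203.0.113.10 - - [12/Mar/2012:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 212 "-" "Mozilla/4.0"
203.0.113.10 - - [12/Mar/2012:10:00:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 212 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2012:10:00:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 212 "-" "curl/7.21"
192.0.2.55 - - [12/Mar/2012:10:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.org/2012/03/hello-world/" "Mozilla/5.0"
192.0.2.56 - - [12/Mar/2012:10:00:06 +0000] "GET /wp-comments-post.php HTTP/1.1" 404 169 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspect(entry, target="/wp-comments-post.php"):
    """POST to the comment handler with no Referer header (logged as "-")."""
    return (entry["method"] == "POST"
            and entry["path"].split("?", 1)[0] == target
            and entry["referer"] in ("", "-"))

def count_suspects(log_text):
    """Count suspect hits per client IP; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspect(entry):
            counts[entry["ip"]] += 1
    return counts

def block_candidates(log_text, threshold=2):
    """IPs with at least `threshold` suspect hits, most active first (threshold is an assumption)."""
    counts = count_suspects(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG):
        print(ip)
```

Feed it a real access log and pipe the result into whatever firewall rule you already use for the moved comment file; the referer-carrying POST and the GET in the sample are deliberately left alone.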