Blocking bad commentators – how to get IPs you should block.

This is an update about securing the WordPress admin and blocking spam bots from writing comments. Although I use Akismet, spam bots might still use up your Apache child connections or make it harder to find false positives among spam messages. The main problem I faced was how to select the IPs of commentators I want to block from the comment form. There are several ways to build such lists for your blog.

Firstly, you can safely block many countries from your blog's wp-comments-post.php. For my English-speaking sites I can safely block visitors from China and Korea. Not that I don't value their input, but almost none of them comment anything useful. A good list of Asian and post-Soviet IPs is found here and here. I do not block countries in full myself, though.

Secondly, there are several bigger spam-hosting providers. As far as my sites are concerned, the leader is PegTech, which should be blocked. At the time of writing, I block 3 IP ranges there:

deny from 192.74.224.0/19
deny from 198.2.192.0/18
deny from 137.175.1.0/17

Thirdly, there are some other ways to get a list of spam IPs. As an example, one might run:

SELECT comment_author_IP, COUNT(comment_author_IP) AS c
FROM `wp_comments`
WHERE comment_approved = 'spam'
GROUP BY comment_author_IP
ORDER BY c DESC;

This would show the most popular spamming IPs:

[Screenshot: mysql1]

However, one could do even better at researching bad commenter IPs. We can see that the same subnetwork repeats itself:

SELECT IP, COUNT(IP) AS c
FROM (
  SELECT SUBSTR(comment_author_IP FROM 1 FOR LOCATE('.', comment_author_IP, LOCATE('.', comment_author_IP) + 1)) AS IP
  FROM `wp_comments`
  WHERE comment_approved = 'spam'
) AS t
GROUP BY IP
ORDER BY c DESC;

Here, I get “subnetworks” that spam the most.

[Screenshot: mysql2]

The next step is to research which network this is and whether I should block it whole or not. The IPs from 60.168 might belong to several entities, so this step is required to prevent accidentally blocking good visitors. So, we pick some IPs from the first log and enter them in the MaxMind GeoIP demo. In our case, these are Chinese IPs again, which would be blocked by the rule deny 60.160.0.0/11. If you need to calculate which IPs would be blocked by a particular rule, you could use one of several netmask calculators, like this one: http://jodies.de/ipcalc.
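
The same check can be scripted before a rule goes live. The following is an added example, not part of the original post: it groups spam IPs by /16 like the second query above and reports the address range a candidate rule covers, along with any approved commenters that fall inside it. The sample IP lists are constructed and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the original post): IPs as they would come
# from wp_comments.comment_author_IP, split by comment_approved value.
SPAM_IPS = ["60.168.12.5", "60.168.77.10", "60.169.3.44", "60.173.200.1",
            "192.74.230.9", "192.74.231.17", "198.2.200.3", "203.0.113.7"]
APPROVED_IPS = ["198.51.100.20", "60.190.4.4", "203.0.113.99"]


def top_prefixes(ips, prefix_len=16):
    """Count addresses per enclosing network, like the SQL "subnetwork" query."""
    nets = Counter()
    for ip in ips:
        # strict=False masks off the host bits of the address
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        nets[str(net)] += 1
    return nets.most_common()


def rule_impact(cidr, spam_ips, approved_ips):
    """Report what a 'deny from <cidr>' rule would cover."""
    # strict=False normalises a rule whose host bits are set,
    # e.g. 137.175.1.0/17 is evaluated as 137.175.0.0/17
    net = ipaddress.ip_network(cidr, strict=False)

    def inside(ips):
        return [ip for ip in ips if ipaddress.ip_address(ip) in net]

    return {
        "network": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "addresses": net.num_addresses,
        "spam_blocked": inside(spam_ips),
        "approved_blocked": inside(approved_ips),  # collateral damage
    }


if __name__ == "__main__":
    for net, count in top_prefixes(SPAM_IPS):
        print(f"{count:3d}  {net}")
    for rule in ["60.160.0.0/11", "192.74.224.0/19", "198.2.192.0/18"]:
        r = rule_impact(rule, SPAM_IPS, APPROVED_IPS)
        print(f"{r['network']}: {r['first']} - {r['last']} "
              f"({r['addresses']} addresses), spam hits {len(r['spam_blocked'])}, "
              f"approved commenters blocked {r['approved_blocked']}")
```

A non-empty "approved commenters blocked" list is the signal to narrow the rule before deploying it.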

 


