Originally I was going to make this Serendipity (s9y) specific, and portions of this might slant that way, but the concepts and programs mentioned here are typically blog-software agnostic. Any specific examples are going to center around Apache, PHP, and s9y. I am also assuming you have the ability to install extra software on your web host account.
#1: Akismet - First on the list, especially if you allow anonymous blog comments, is obtaining an Akismet API key and enabling your blog software to use it. S9y has built-in support for Akismet through a recent version of the Spamblock module. Enabling Akismet typically blocks around 95%+ of the spam attempts by itself. Most blog programs have Akismet support these days.
#2: Bad Behavior - Although the documentation is a bit sparse, Bad Behavior does a good job of detecting spammers by use of heuristics. To install and use it with s9y, for now, you will want to unzip the package into a separate directory of your website and add
require_once( '/yoursite/bb-directory/bad-behavior-generic.php');
near the beginning of s9y's serendipity_config.inc.php file.
#3: Project Honeypot - By itself, this won't prevent comment spam, but it does an excellent job of collecting the IP addresses of spambots that are looking for e-mail addresses. Every website that joins the collective helps with the cause. Once you have joined, you can also take advantage of Project Honeypot's http:BL, which will help reduce comment spam.
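To make the http:BL part concrete, here is an added Python example of how a blog could consult the list before accepting a comment. It is my own illustration, not code from the original post or from Project Honeypot. The query name and answer layout follow the published http:BL format (key, reversed octets, dnsbl.httpbl.org; answers of the form 127.days.threat.type); the access key is a placeholder, the resolver is injectable so the script runs offline, and the hold-for-moderation thresholds are my assumptions.

```python
import ipaddress
import socket

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor-type bits carried in the last octet of an http:BL answer.
TYPE_SUSPICIOUS = 1
TYPE_HARVESTER = 2
TYPE_COMMENT_SPAMMER = 4


def httpbl_query_name(access_key, ip):
    """Build the name to resolve: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_httpbl_answer(answer):
    """Decode a 127.a.b.c answer; None (NXDOMAIN) means the address is not listed."""
    if answer is None:
        return None
    first, second, threat, visitor_type = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected http:BL answer {answer!r}")
    if visitor_type == 0:
        # Search engine: the second octet identifies the engine, not an age.
        return {"search_engine": second, "threat": 0, "types": []}
    types = [name for bit, name in ((TYPE_SUSPICIOUS, "suspicious"),
                                    (TYPE_HARVESTER, "harvester"),
                                    (TYPE_COMMENT_SPAMMER, "comment_spammer"))
             if visitor_type & bit]
    return {"days_since_last_activity": second, "threat": threat, "types": types}


def _resolve_a_record(name):
    """Live DNS lookup; NXDOMAIN is reported as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup_httpbl(access_key, ip, resolve=None):
    """Look an IP up in http:BL and return the decoded fields, or None if unlisted."""
    resolve = resolve or _resolve_a_record
    return decode_httpbl_answer(resolve(httpbl_query_name(access_key, ip)))


def should_hold_comment(info, max_days=30, min_threat=25):
    """Assumed policy: hold for moderation when the IP was recently seen spamming
    or harvesting with a threat score at or above min_threat."""
    if info is None or "search_engine" in info:
        return False
    return (info["days_since_last_activity"] <= max_days
            and info["threat"] >= min_threat
            and ("comment_spammer" in info["types"] or "harvester" in info["types"]))


# Constructed answers for an offline demonstration (placeholder key, RFC 5737 addresses).
ACCESS_KEY = "abcdefghijkl"  # placeholder: your real 12-letter http:BL key goes here
FAKE_ANSWERS = {
    httpbl_query_name(ACCESS_KEY, "203.0.113.5"): "127.3.40.6",    # recent harvester + comment spammer
    httpbl_query_name(ACCESS_KEY, "198.51.100.9"): "127.120.10.4",  # old, low-score comment spammer
    httpbl_query_name(ACCESS_KEY, "192.0.2.1"): "127.1.0.0",        # search engine
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name)  # unknown names behave like NXDOMAIN


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9", "192.0.2.1", "192.0.2.200"):
        info = lookup_httpbl(ACCESS_KEY, ip, resolve=fake_resolve)
        print(ip, info, "-> hold" if should_hold_comment(info) else "-> accept")
```

In production you would drop the fake resolver and let `lookup_httpbl` query DNS; an unlisted address simply resolves to nothing, so treat None as "no information" rather than as a pass.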
#4: mod_security - I recommend installing mod_security, which is an installable module for Apache, and has a nice community of rule writers behind it. You could almost think of it as a Snort module for web servers. Some of the more clever rules will protect sites from unknown and unpatched exploits through SQL injection detection and other 'script kiddie' countermeasures.
Serendipity-specific spam zombie network workaround involving comments.php:
Many years ago, around the 0.7 revision level of s9y, there was a bug in comments.php that script kiddies latched on to. Version 0.7-rc1 patched this bug, and any newer version cannot be exploited this way.
With that said, my site typically receives about ten exploit attempts per minute from IPs around the world. To help lighten the load on your web server and SQL server, your best bet is to make use of a custom .htaccess entry in your blog directory.
Assuming you are running Apache with mod_setenvif enabled, add these lines to the bottom of your .htaccess. The first tags any request with an empty User-Agent header with the commentexploit environment variable, and the second denies every request that carries it:
SetEnvIf user-agent ^$ commentexploit
Deny From env=commentexploit
If your site had been pegging the CPU from all the invalid requests before, it should handle the load much better now.
You will most likely see entries in your HTTP error log like this:
[Sat Sep 29 20:59:38 2007] [error] [client x.x.x.x] client denied by server configuration: /yoursite/comment.php
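To confirm the rule is actually taking the load, it helps to count those denials. The following Python script is an added example (my own, not from the original post): it parses Apache 2.2-style error_log lines of the shape shown above and tallies "client denied by server configuration" entries per client IP and per requested path. The sample lines are constructed with RFC 5737 documentation addresses, not real traffic.

```python
import re
from collections import Counter

# One Apache 2.2-style error_log line: [timestamp] [level] [client IP] message
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] \[client (?P<ip>[^\]]+)\] "
    r"(?P<msg>.*)$"
)
DENIED_PREFIX = "client denied by server configuration: "


def parse_error_line(line):
    """Return the fields of one error_log line as a dict, or None if it does not match."""
    m = ERROR_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def denied_requests(lines):
    """Yield (ip, path) for every entry produced by a Deny rule."""
    for line in lines:
        rec = parse_error_line(line)
        if rec is None or not rec["msg"].startswith(DENIED_PREFIX):
            continue
        yield rec["ip"], rec["msg"][len(DENIED_PREFIX):]


def summarize_denials(lines):
    """Count denials per client IP and per requested path."""
    by_ip, by_path = Counter(), Counter()
    for ip, path in denied_requests(lines):
        by_ip[ip] += 1
        by_path[path] += 1
    return by_ip, by_path


# Constructed sample log (documentation IP ranges); the favicon line shows that
# unrelated errors are ignored by the filter.
SAMPLE_LOG = """\
[Sat Sep 29 20:59:38 2007] [error] [client 198.51.100.7] client denied by server configuration: /yoursite/comment.php
[Sat Sep 29 20:59:41 2007] [error] [client 203.0.113.9] client denied by server configuration: /yoursite/comment.php
[Sat Sep 29 20:59:45 2007] [error] [client 198.51.100.7] client denied by server configuration: /yoursite/comment.php
[Sat Sep 29 21:00:02 2007] [error] [client 203.0.113.9] File does not exist: /yoursite/favicon.ico
[Sat Sep 29 21:00:10 2007] [error] [client 198.51.100.7] client denied by server configuration: /yoursite/index.php
""".splitlines()


if __name__ == "__main__":
    by_ip, by_path = summarize_denials(SAMPLE_LOG)
    print("denials per IP:", by_ip.most_common())
    print("denials per path:", by_path.most_common())
```

Run it against your real error_log (for example by passing `open("/path/to/error_log")` to `summarize_denials`) and compare the per-path counts before and after adding the rule; a top-heavy list pointing at comment.php is the bot traffic the rule is now turning away before PHP or the database ever sees it.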
With all of these countermeasures in place, about one spam comment per month sneaks through my blockade, and most of the time, it will get marked for moderation so I can delete it before anyone sees it. Overall, I am currently winning the battle against the spammers, but their tactics are always changing.