Stop Spammer Registrations Plugin

The Stop Spammer Registrations Plugin checks against StopForumSpam.com, Project Honeypot and BotScout to prevent spammers from registering or making comments.

The Stop Spammer Registrations Plugin works by checking the IP address, email and user id of anyone who tries to register, login, or leave a comment. This effectively blocks spammers who try to register on blogs or leave spam. It checks a user’s credentials against up to three databases: Stop Forum Spam, Project Honeypot, and BotScout. In order to use the Project HoneyPot or BotScout spam databases you will need to register at those sites and get a free API key. Stop Forum Spam does not require a key, so this plugin will work immediately without getting a key. The API key for Stop Forum Spam is only used for reporting spam.

In addition to checking the top forum spam databases, the plugin will optionally check against several email spam DNSBL sites such as spamhaus, dsbl, sorbs, spamcop, ordb, and njabl. In testing, this sometimes caught spam that the comment spam databases missed.

Optionally, a webmaster can specify that disposable emails be denied. These disposable emails are frequently used by spammers to hide their identity. They have a certain legitimate use in that they can provide anonymity to users. Legitimate commenters will probably not feel the need to remain anonymous, though. The plugin detects about 500 disposable email domains, but there are probably many more.

This plugin keeps track of a number of spammer emails and IP addresses in a cache to avoid pinging databases more often than necessary. The results of the most recent checks are saved and displayed under settings. The size of the history and bad user lists can be set from 10 to 100. This information is stored in an array in the WP options table. The size of the array can raise the resource requirements of WordPress, which is already pushing the resource limits of some hosts, so keep the cache small.

In case a user results in a false positive on one of the spam databases, there is a white list where email addresses or IP addresses can be entered. This will allow such users to register, login and comment on the blog.

Requirements: The plugin uses the WP_Http class to query the spam databases. Normally, if WordPress is working, then this class can access the databases. If, however, the system administrator has turned off the ability to open a url, then the plugin will not work. Sometimes placing a php.ini file in the blog’s root directory with the line “allow_url_fopen=On” will solve this.

The plugin is ON when it is installed and enabled. To turn it off, just disable the plugin from the plugin menu.

The plugin keeps a count of the spammers that it has blocked and displays this on the WordPress dashboard.

The plugin will also reject registrations, comments and pings where the HTTP_ACCEPT header is missing. This header is present in all browsers and its absence indicates that a program, not a human, is attempting to leave spam.
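The checks described so far (white list, missing HTTP_ACCEPT header, cache, then the remote databases) can be arranged as one gate. This is an added example, not the plugin's code: the function name, the order of the checks, the cache limit and the stub lookup are assumptions, and the sample requests are constructed.

```php
<?php
// Added illustration, not the plugin's source. All names here are hypothetical.

const CACHE_TTL = 86400; // changelog 1.7: cached data expires after 24 hours
const CACHE_MAX = 25;    // the page allows 10 to 100 entries; keep it small

/**
 * Decide whether a registration or comment attempt may proceed.
 * $req:    ['ip' => ..., 'email' => ..., 'accept' => HTTP_ACCEPT value or null]
 * $lookup: callable(string $ip, string $email): bool, true when a spam
 *          database lists the IP or email (stands in for the remote queries).
 * Returns [bool $allowed, string $reason].
 */
function ssr_decide(array $req, array $whitelist, array &$cache, callable $lookup, int $now): array
{
    $ip    = trim($req['ip']);
    $email = strtolower(trim($req['email']));

    // 1. White list wins, so a false positive or the owner's own address
    //    is never locked out by the later checks.
    $wl = array_map('strtolower', $whitelist);
    if (in_array($ip, $wl, true) || ($email !== '' && in_array($email, $wl, true))) {
        return [true, 'whitelisted'];
    }

    // 2. Browsers send an Accept header; a missing or empty one means a script.
    if (!isset($req['accept']) || trim($req['accept']) === '') {
        return [false, 'missing HTTP_ACCEPT'];
    }

    // 3. Drop expired cache entries, then answer from cache without a remote call.
    $cache = array_filter($cache, fn($seen) => $now - $seen < CACHE_TTL);
    foreach ([$ip, $email] as $key) {
        if ($key !== '' && isset($cache[$key])) {
            return [false, 'cached: ' . $key];
        }
    }

    // 4. Ask the databases; remember hits, bounded so the options row stays small.
    if ($lookup($ip, $email)) {
        foreach ([$ip, $email] as $key) {
            if ($key !== '') {
                $cache[$key] = $now;
            }
        }
        asort($cache); // oldest first, so the slice keeps the newest entries
        $cache = array_slice($cache, -CACHE_MAX, null, true);
        return [false, 'listed'];
    }
    return [true, 'clean'];
}

// Constructed demo: the stub "database" lists one documentation-range IP.
$calls  = 0;
$lookup = function (string $ip, string $email) use (&$calls): bool {
    $calls++;
    return $ip === '203.0.113.7';
};
$cache = [];
$white = ['owner@example.org'];
$now   = 1300000000;
$tries = [
    ['ip' => '203.0.113.7',  'email' => 'bot@example.com',    'accept' => 'text/html'],
    ['ip' => '203.0.113.7',  'email' => 'bot@example.com',    'accept' => 'text/html'],
    ['ip' => '198.51.100.9', 'email' => 'x@example.net',      'accept' => null],
    ['ip' => '203.0.113.7',  'email' => 'owner@example.org',  'accept' => 'text/html'],
    ['ip' => '192.0.2.44',   'email' => 'reader@example.net', 'accept' => 'text/html'],
];
foreach ($tries as $t) {
    [$ok, $why] = ssr_decide($t, $white, $cache, $lookup, $now);
    printf("%-13s %-19s %s (%s)\n", $t['ip'], $t['email'], $ok ? 'allow' : 'block', $why);
}
echo "remote lookups: $calls\n";
```

Because a hit caches both the IP and the email, a spammer who submits the site owner's address puts that address in the cache, which is why the white list is checked first.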

If you are running a networked WPMU system of blogs, you can optionally control this plugin from the control panel of the main blog. By checking the “Networked ON” radio button, the individual blogs will not see the options page. The API keys will only have to be entered in one place and the history will only appear in one place, making the plugin easier to use for administrating many blogs. The comments, however, still must be maintained from each blog. The Network buttons only appear if you have a Networked installation.

The plugin adds links to the Comment Moderation page to check a comment’s credentials against the spam databases. If you have entered the Stop Forum Spam API key you can also report the spammer to the SFS database. Please make sure that the comment is actually spam and not from some clueless commenter who likes to salt his comments with spammy links. (I find that comments that do not specifically reference the post are always spam. “Nice Blog” comments I tend to report immediately.)

The Stop Forum Spam site requires an email and an API key to report spam. If the commenter did not leave an email address (as in a pingback) then the link to report the spam will not be visible.

Problems: In systems with constraints on memory and many other plugins, this plugin will sometimes fail trying to retrieve its options. This results in resetting the configuration. The plugin uses two or three thousand bytes to store the history, cache, and settings. This is not very much, but some plugins use much more memory, and they will cause this plugin to fail. The solution is to remove or disable some of the plugins that are hogging all the memory.

StopForumSpam.com limits checks to 10,000 per day for each IP so the plugin may stop validating on very busy sites. I have not seen this happen, yet. Results are cached in order to thwart repeated attempts.

You may see your own email in the cache as spammers try to use it to leave comments. You may have to white list your own email if that is the case, to keep the plugin from locking you out.

Watch the YouTube spam trap video! The video shows one of my plugins that anti-spam cops use. They run honey pots or sites that do nothing but attract spammers. These sites report as many as 500 spammers per hour to the same database that this plugin checks.

Download

Latest version: Download Stop Spammer Registrations Plugin v2.20 [zip]

Installation

  1. Download the plugin.
  2. Upload the plugin to your wp-content/plugins directory.
  3. Activate the plugin.
  4. Under the settings, add the appropriate API keys (optional). Update the white list. Set any of the optional items and limits.

FAQ

Changelog

1.0

  • initial release

1.2

  • renumber releases due to typo

1.3

  • Check the ip address whenever email is checked.

1.4

  • Checks the user name. Cache failed attempts with option to clear cache. Cleans up after itself when uninstalled.

1.5

  • fixed a bug where the admin user was cached in error.

1.6

  • Improved caching to help stop false rejections.

1.7

  • Included signup form, that I forgot to add before. Cached data is automatically expired after 24 hours.

1.8

  • fixed the cache cleanup (again). Changed the name in the titles and menus of the plugin to reflect that it does more than stop registrations.

1.9

  • Added link to report spam to StopForumSpam.com database.

1.10

  • Improved the access to StopForumSpam.com database. Fixed white space at end of plugin.

1.11

  • Stored the StopForumSpam API Key. Fixed a possible security hole on the settings page.

1.12

  • Fixed typo error.

1.13

  • Changed Evidence field to spam url or content

1.14

  • Changes suggested by Paul at StopForumSpam. Fix bug in zero history data. There has been much interest in the plugin so there has been lots of feedback. I am sorry for all the updates, but they are all good stuff.

1.15

1.16

1.17

2.0

2.10

2.20


105 Responses to “Stop Spammer Registrations Plugin”

  1. Hi Keith,

    If I mark an account in WP as being that of a spammer, will this plugin then make a call to StopForumSpam.com and report that user?

    I ask because I registered at StopForumSpam.com and got an API key but I don’t see anywhere on your plugin to use it.

    Thanks,
    Martin

  2. Keith says:

    I did not go the extra step to handle reporting the spam. I expect to be able to do this in the next release of the program or in a standalone spam program.

    For now it just relies on others to do the reporting.

  3. groobs says:

    Installed the plug-in, great, no more spam registrations.

    Unfortunately it has stopped people being unable to comment on posts.

    I have comments set to publish only on admin authorisation, and also use WP Spam Free to weed out the spammers who use the comment field.

    tested the comments system and nothing worked, deactivated the Stop Spammer Registrations plug-in and the comments are working again.

    If you need further info please let me know.

    thanks

  4. Keith says:

    You passed through the plugin to leave this message, so it works here and at my other sites where I am getting comments.

    The thing to do is to check in the cached bad emails and IPs and click the link for the rejected emails. You can then see what is in the StopForumSpam db. If they show up clean, then the plugin is failing in some way. Typically you will see the email or IP fail. If the email passes and the IP fails it means that the commenter is coming from a bad neighborhood. In the next version I will have a “white list” in order to allow comments from banned emails or IPs to leave comments.

    If the plugin is failing on your site, I would like to create a special version that records some debug information so we can review why it fails.

    Keith

  5. groobs says:

    Sorry I should have given more details.

    The comments are never submitted, they don’t get that far, after filling in the form like this one, clicking the ‘submit’ button just takes you to a blank page “/wp-comments-post.php” page, and the script doesn’t move you back to the original location.

    I suspect there’s a clash between this plug-in and the WP Spam Free one.

    Happy to try a test plug-in for you. I don’t get too many comments on the site I run, but right now about 10 rogue registrations a day :-(

  6. groobs says:

    Update!

    I deactivated the WP Spam Free plug-in, and filled in a comments page:

    “Fatal error: Call to undefined function: curl_init() in /*** server path to wordpress ***/wp-content/plugins/stop-spammer-registrations-plugin/stop-spammer-registrations.php on line 361”

    Hope this helps

    thanks

  7. Having a Nice Day says:

    Version 1.9.

    Activation succeeded, but with this error message:
    The plugin generated 2 characters of unexpected output during activation. If you notice “headers already sent” messages, problems with syndication feeds or other issues, try deactivating or removing this plugin.

    After which, I get these warning messages on every page loaded:
    Warning: Cannot modify header information – headers already sent by (output started at /srv//public/htdocs/wp-content/plugins/stop-spammer-registrations-plugin/stop-spammer-registrations.php:713) in /srv//public/htdocs/wp-includes/functions.php on line 830

    Warning: Cannot modify header information – headers already sent by (output started at /srv//public/htdocs/wp-content/plugins/stop-spammer-registrations-plugin/stop-spammer-registrations.php:713) in /srv//public/htdocs/wp-includes/functions.php on line 831

    I had to deactivate.

    Solution:
    Edit stop-spammer-registrations.php to remove the end-of-file line break.

    Cheers :-)

  8. Awesome plugin. The only problem I see with it is the fact that the query string in the comment link for reporting spammers doesn’t work on the first try. I haven’t investigated it because I’m sure a change to the query string in the plugin would be required.

  9. Keith says:

    Next version I will make it so you can enter your api key and do a direct update. Right now, you have to fail once, but the site then loads the api key for you if you are logged in.

  10. infokurs says:

    error after update to v1.11

    In “Passed Emails”:

    Fatal error: Call to undefined function escape_url() in /home/[...]/domains/[...]/public_html/wp-content/plugins/stop-spammer-registrations-plugin/stop-spammer-registrations.php on line 347

    screen: http://img818.imageshack.us/img818/4884/errc.jpg

  11. infokurs says:

    error after update to ver 1.11

    On “Passed Emails”

    Fatal error: Call to undefined function escape_url() in /home/[...]/domains/[...]/public_html/wp-content/plugins/stop-spammer-registrations-plugin/stop-spammer-registrations.php on line 347

  12. Keith says:

    I made a stupid stupid mistake in 1.11 and when I tested it, I did it on a site with low traffic so I didn’t see the mistake.

    Fixed in 1.12.

    Next release will be 2.0 where I add the bad behavior db. 2.0 will also have the option to hide the panel in MU blogs.

    Keith

  13. Rod says:

    Just installed and was testing version 1.12 and noticed that when you hit Report to SFS it submits spammers info but it also submits the address of the submitting site into SFS evidence.

  14. Keith says:

    Yes, it does. The evidence is the site where the spammer hit. StopForumSpam is recording this along with the identity of the person submitting the spam (api key).

    Keith

  15. Rod says:

    Hey Keith…
    Let me try to explain your mistake.
    When I hit Report to SFS what should be sent is the spammer’s name, email, IP and this is the important part, COMMENT! The first part you have working very well.
    But… the comment is NOT getting submitted into SFS evidence. Instead… MY blog’s URL is being submitted… which is SOOOOOOO NOT good!!
    My blog’s URL is already tied to my API key and should NEVER be submitted into evidence. That is used for proof of what the spammer spammed. And will later be used by other anti-spam sites!!
    Please contact Paul at SFS and verify what I’m telling you.

  16. Keith says:

    I have asked the question at the Stop Forum Spam site.

  17. Keith says:

    Stop Forum Spam ignores the field. You can put anything you want in it. I’ve changed the code to put the comment_author_url and if that’s blank, the content.

    Download 1.13 version and check, please. It should be up in an hour or so after I check on a couple of sites. It looks like none of my sites have spam to test this with. Between Akismet, my plugin and another plugin that I wrote that denies unregistered users who include a url, I don’t get much spam anymore.

  18. Rod says:

    Or nothing at all, it’s not a required field, but it is an appreciated one.
    SFS doesn’t ignore it but the one submitting can. I’ve worked with Paul to tweak his code so it will auto submit every link a spammer posts on a forum. ;)

    I have the spammers, so as soon as you post your code I’ll give it a test run. :)

  19. David says:

    I do not see a ‘Report to SFS’ anywhere in the admin backend. Help?

    All you’ve said in any documentation is “click the link”… only on the comments here do I see an allusion to ‘Report to SFS’ button/link, but can not seem to locate it.

  20. Keith says:

    The report link is available when you moderate comments. Go to comments and underneath each comment you will see the link to “report”.

    Keith

  21. David says:

    Thank you Keith! Is there a way to report spam registrations? Will you make this possible in the near future?

  22. Keith says:

    I have a place in comments to report the spammer. I need to make a place in the MU registrations to do the same thing. They need a Userid, email, IP and evidence to do that. I need to confirm that I have all that from the user record under MU.

    I made lots of changes to the plugin over the last week. I have to wait a few weeks before I annoy everyone again with a new update. There are several changes that I am working on, including using the bad behavior db and akismet db to check the new registrations.

    Keith

  23. David says:

    That sounds incredible Keith. Keep up the outstanding work. I genuinely like it ;)

  24. RT Cunningham says:

    Awesome plugin, but that whitelist is sorely needed since removals are manual at stopforumspam.

  25. Keith says:

    It is coming. I was testing the code, but had to fix a bug in the code and ripped it all out. I saved the code and the next release will have the white list.

  26. Tia says:

    Hello!

    I’ve noticed that when this plugin is active on my blog, many people are not able to leave comments (including me) due to an error that says “Please enter a valid email address.”

    This only occurs when this plugin is active. However, I LOVE this plugin because it’s reduced the number of spam registrations on my blog drastically. But I can’t use it if people can’t comment. Any suggestions?

  27. Keith says:

    You left a comment here and the plugin let you through just fine.

    Try uninstalling the plugin and reinstalling the latest version (again). There was an error that scrambled the cache at one point. Reinstall will fix that, I hope.

    The user name TIA was used by a spammer quite recently, and that might have something to do with it.

    Keith

  28. I love this plugin, but I think having a few tables in a local WP database may be a better solution than SFS queries. There is other functionality that could be incorporated to make it even better (and more accurate). I wish I knew how to do it myself, but I don’t.

  29. Sven says:

    Thanks for a useful plugin. I have two questions/suggestions:

    1.

    What happens when a comment is left by an IP registered in the SFS database? Is it transferred to “moderate”, “trashed” or just rejected (cold)?

    I prefer that all comments, even spam, are moved to “moderate” for an admin to have a look at it.

    2.

    The SFS database is huge, some data are old and some IPs are only marked once.

    Does your plugin check if the SFS data are old (like more than 90 days old) and are all IP/emails blocked even if they have only been marked as spam once in the SFS database?

  30. Keith says:

    Thanks,

    When an email IP is found on SFS, the form generates an “invalid email” error. This is mainly designed to stop user registrations, so there is no provision to make comments as spam. Since the same email check is used in comments, it also rejects anyone who tries to leave a comment who has a bad email or IP in the SFS db. (The next version that I will release tomorrow lets you ignore emails and just check the IP).

    The SFS db has lots of false positives, but a user who finds themselves in the DB can easily have their email and IP address removed. I do not check age.

    I have several moderately popular blogs and they get 500 times more spam attempts than legitimate comments. I have never had a complaint from anyone about not being able to comment.

    In the new version, you can alternatively check the project honeypot HTTP:bl database and that does a check for age and threat level. There is also a white list in case anyone has problems.

    Keith

  31. Sven says:

    Thanks Keith

    Maybe there should be a “real” error telling rejected comment/registrations that they should search SFS and that they can ask to be removed at the SFS site?

    To me it would be better if I knew that all suspect comments are passed for moderation.

    How hard is it to make your plugin to check “lastseen” and “frequency” in the SFS listing? It really would make me feel better (safer), especially when the comment/registration is auto-rejected.

  32. Keith says:

    I am adding some testing code to check the lastseen and frequency, although I wanted to release the latest version tomorrow. The code won’t make it into the release. Adding options takes longer, so it will be a few weeks before it appears in the next release.

  33. Keith says:

    I just added the lastseen and frequency to the history list so that I can monitor the values returned from SFS db.
    Next release I will make selection on these so you can limit to recent hits or high frequency hits.

  34. Sven says:

    Great, thanks a lot Keith.

    It will make SFS-lookups more like PHP (Project Honey Pot), where these settings can be tweaked.

    I will install the new version tomorrow.

  35. Rod says:

    Wow! You have been busy!
    I gave it a quick stress test 298 spammers blocked and ZERO made it through! Awesome!!!

    Two suggestions for some later release.
    1: can the “spammers stopped” number be kept when clearing the cache? Kinda like “total spam blocked to date xxx” (not important, but is nice to know)

    2: add a check to BotScout. Out of 14 anti-spam databases SFS and BotScout will show positives before all the rest.

    In case anyone hasn’t heard, SFS now has a known spam domain blacklist. Which means when checking emails, if the email “domain” matches the black list SFS will return a positive and be blocked from our sites. :)

  36. Keith says:

    The total for all time count is something I’ve wanted to add as well. It is such a little thing that I never got to it because the harder things got all my attention.

    I will add it to the next release.

    I’ll check out BotScout. If it is not too difficult, I’ll add it.

    Keith

  37. Sven says:

    Thanks for the updates, great work :)

    Here are some small suggestions:

    The screen space in the admin panel is limited, make the text shorter in line 579, 580 and 615 (like: “Check SFS”) and add a description in the a href title tag (like: title=”Check Stop Forum Spam (SFS)”).

    Also there is small typo in line 579 (StopFurumSpam).

    I stopped using BotScout when I found that their db is more or less identical to Stop Forum Spam.

    I am already looking forward to the next version of your plugin, to be able to set age and frequency on the filter data (will not block email and IPs with less than 3 reported violations and that are older than 90 days).

    Thanks again Keith
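The age and frequency limits discussed in the comments above, as an added example that is not part of the plugin or of any comment: it filters a Stop Forum Spam style reply so that an old record with few reports does not block. The function name, the fail-open choice and the JSON field layout (lastseen, frequency, appears) are assumptions, and the sample replies are constructed.

```php
<?php
// Added illustration, not the plugin's code. Name and defaults are hypothetical.

/**
 * Apply age and frequency limits to one lookup reply.
 * A record counts as a hit when it is recent OR frequently reported;
 * an old record with only a few reports is let through.
 * Returns the fields ('ip', 'email') that justify a block.
 */
function sfs_hits(string $json, int $now, int $maxAgeDays = 90, int $minFreq = 3): array
{
    $data = json_decode($json, true);
    if (!is_array($data) || empty($data['success'])) {
        return []; // fail open: a broken reply must not lock every visitor out
    }
    $hits = [];
    foreach (['ip', 'email'] as $field) {
        $rec = $data[$field] ?? null;
        if (!is_array($rec) || empty($rec['appears'])) {
            continue; // not listed at all
        }
        $freq = (int) ($rec['frequency'] ?? 0);
        $seen = isset($rec['lastseen']) ? strtotime($rec['lastseen'] . ' UTC') : false;
        // A missing or unparseable date is treated as recent (the cautious side).
        $ageDays = $seen === false ? 0 : intdiv(max(0, $now - $seen), 86400);
        if ($freq >= $minFreq || $ageDays <= $maxAgeDays) {
            $hits[] = $field;
        }
    }
    return $hits;
}

// Constructed replies, evaluated as of 1 March 2011.
$now = strtotime('2011-03-01 00:00:00 UTC');
$samples = [
    'old, reported once' =>
        '{"success":1,"ip":{"lastseen":"2010-01-05 08:00:00","frequency":1,"appears":1},'
        . '"email":{"frequency":0,"appears":0}}',
    'old, reported often' =>
        '{"success":1,"ip":{"lastseen":"2009-06-01 12:00:00","frequency":40,"appears":1},'
        . '"email":{"frequency":0,"appears":0}}',
    'recent, reported once' =>
        '{"success":1,"ip":{"frequency":0,"appears":0},'
        . '"email":{"lastseen":"2011-02-20 09:30:00","frequency":1,"appears":1}}',
    'unreadable reply' => 'not json',
];
foreach ($samples as $label => $json) {
    $hits = sfs_hits($json, $now);
    printf("%-22s %s\n", $label, $hits ? 'block on ' . implode('+', $hits) : 'allow');
}
```

With the defaults of 90 days and 3 reports, only the first sample and the unreadable reply are allowed through.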

  38. Keith says:

    I am making the changes now. I will release another version in a few weeks. I don’t like annoying people with lots of versions. I feel bad that I had to release 1.16 before it was ready, but there was a problem with 1.15.

    I have heard that BotScout is as good or better than SFS, and it was easy to implement. Leave the API Key blank and it won’t bother. It is 6th in the order of things so if a spammer gets by the first 5 then it is unlikely it will be detected at BotScout. I get about 800 spam hits a day on 9 blogs (one gets about 500 hits) and so far BotScout has not found one. (mainly because they were already found).

  39. Mike says:

    “I have heard that BotScout is as good or better than SFS, and it was easy to implement.”

    Hi, this is Mike from BotScout. I’m glad you found the API easy to implement, that was one of our main goals.

    You can indeed leave the API key blank if you like. Getting an API Key (it’s free) will allow you to do more queries per day so we recommend it for sites with lots of bot activity.

    We have a pretty good “catch” rate, and it’s getting better as we deploy more and more bot traps in our honeypot network. We may be adding a separate check to the API for domain-specific queries (it’s under consideration right now), and we think that may prove useful.

    If you have any questions on implementing the API or anything else, please feel free to contact us- we’ll be glad to help however we can.

    Mike
    BotScout.com

  40. Rod says:

    Hey Keith,
    Just noticed that when a spammer is blocked hitting the wp-signup.php their user id shows as “none” in the “Recent History”
    This is on a MU site if that makes any difference.

  41. Keith says:

    I was pulling the user id off the form post. I just checked and the wp-signup.php uses a different field name. I am making changes as you read this.

  42. Rod says:

    “I am making changes as you read this.”

    LOL! Knowing you, the changes were made faster than I could read it!

  43. Red says:

    Great Plugin, just switched from Bad Behavior. It missed lots, yours does not and its log was hard to read, yours is not.

    I see you are working on things…so two quick comments.

    1). Right after install I was looking for the
    “clear cache” and concerned about the lack of info…..until a comment hit and it all appeared. Maybe a “dummy” entry on install would make it clear where things will be.

    2). Comments about blocking good bots had me checking the BB log all the time (after first install)….yours works different and has better data. Would love to see some stats in the dashboard (even the “right now” widget). I have looked and the API is there…since you are working on things I don’t want to add it myself.

    Thanks again!

  44. Keith says:

    I am working on it today. I fixed some problems. I have to update the text to keep up with all the changes that I’ve made, so I’ll try to remember that the clear button won’t appear until after there is data. I will look into putting the stats on the dashboard. I don’t want to clutter the already too cluttered dashboard, though. I could make it optional.

    Keith

  45. Red says:

    Great…I was thinking a tab in the dashboard sub panel..e.g. akismet stats.

    cheers

  46. Red says:

    Very nice update (V2.0)….I like the info in the dashboard for days like today when I had a flood of spam and tracked it down to the new wordpress update having opened something back up.

    It also worked out of the box (your changes) so I did not have to edit for my non-standard comment post page.

    Now what to do with my time (not scanning bad posts in moderation) oh yea…write new posts.

    Thanks for your work!

  47. Keith says:

    Thanks Red,

    Keith

  48. Red says:

    Rut Row…..

    can’t seem to report to SFS on new comments with v2

  49. Keith says:

    It does not report when there is no email or username. If email is invalid then I don’t try to report. Pingbacks, for instance, don’t have email addresses.

  50. Rod says:

    Just a side note..
    SFS has upped the API queries per day from 10K to 20K.

    oh, version 2 has stopped 1189 so far, with none getting through. And it’s the only anti-spam protection my blog is using.
    Yep, think ya got a winner there Keith! :)
