Dee vs. the Sploggers // VOID-STAR.NET

Wow, okay.

Some of you may be aware that a while ago I decided it would be fun to register a domain called Azeroth .ME. It’s a WPMU site, specifically created to host my own WarGirl blog so I could write long, tedious posts about World of Warcraft without it upsetting some of my friends who have some (understandable) issues with the game and really don’t want to hear about it.

Plus, I just like the idea of MU.

Anyway, about two or three days ago I started to get my first splog signups. This is not unexpected; they hit MU installs pretty hard, and I know this from past experience. No fear, says I, and I went off to implement the usual round of things I do when things start getting spammy.

That was about 9:30am this morning, after a few days of manually deleting the blogs got old.

Noon rolls around and I’m still trying to stop the flood. Nothing is working, and I mean nothing. Step one, Project Honeypot. No dice, which, okay, maybe the IPs just aren’t in their database yet.

All the signups are coming from .info domains, and after some Googling, I find out that theoretically you should be able to block those by adding /.*.info/ into the Banned Email Domains list. Still no luck. I’m starting to get a bit… concerned.

I went through no less than two different CAPTCHA plug-ins, with no luck. Grr. Dee angry!

Step back, try and think laterally.

It’s time to do the nasty, and start messing about in MU’s code. I don’t like doing this in WordPress — since all my hard work will get blown away on the next update — but I’m kinda desperate here, so…

I locate is_email_address_unsafe() in wpmu-functions.php; this is the place the Banned Email Domains list is actually implemented, and I throw in the simplest, nastiest, anti-.info domain hack I can think of:

// Crude: rejects any address that contains ".info" anywhere.
if ( stripos( $user_email, '.info' ) !== false )
    return true;

Yuck. But, I test it out and lo and behold, it does actually prevent me from registering at the site with a fake .info email address. Oh. Kay. Good work, I think.
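For comparison, here is the substring hack next to a check that looks only at the end of the domain part. This is an added example, not code from the original post or from WPMU; the function names `substring_hack` and `has_banned_tld` and all sample addresses are constructed for illustration.

```php
<?php
// Added example, not WPMU code. Function names and addresses are constructed.

// The substring hack from the post: true if ".info" appears anywhere.
function substring_hack(string $email): bool {
    return stripos($email, '.info') !== false;
}

// Suffix check: compare only the end of the domain part against banned TLDs.
function has_banned_tld(string $email, array $banned_tlds): bool {
    $at = strrpos($email, '@');
    if ($at === false) {
        return true; // no domain part at all: treat as unsafe
    }
    // Normalise: lower-case, drop whitespace and a trailing root dot.
    $domain = rtrim(strtolower(trim(substr($email, $at + 1))), '.');
    if ($domain === '') {
        return true;
    }
    foreach ($banned_tlds as $tld) {
        $suffix = '.' . ltrim(strtolower($tld), '.');
        if (substr($domain, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample addresses covering the interesting cases.
$samples = [
    'bot@cheap-pills.info',          // plain .info domain
    'bot@CHEAP-PILLS.INFO.',         // upper case with trailing root dot
    'jane.information@example.org',  // ".info" only in the local part
    'info@example.org',              // "info" mailbox on another TLD
    'bot@pills.info.example.org',    // ".info" as an inner label
];
foreach ($samples as $email) {
    printf("%-32s hack=%-5s suffix=%s\n", $email,
        var_export(substring_hack($email), true),
        var_export(has_banned_tld($email, ['info']), true));
}
```

Either version only helps on registration paths that actually call it.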

Go off to brush my teeth, come back.

More splogs.

And here’s where I start to get a bit… distressed (well, more so). Because Something Isn’t Right Here. This is a function I know is being called and it’s still failing to stop these registrations. That’s… not good. Not good at all.

So I poke around in the code a bit more, and add my anti-.info snippet in a whole bunch of other locations, just to see. And, for good measure, I rename wp-signup.php.

That was a while ago, and so far, so good. I’ve received two new user notifications but they haven’t had any information included and no actual new users or blogs have appeared, which is good, and I can still register manually myself, so that’s good too. My non-existent wp-signup.php page is getting hammered, so the sploggers are still trying, but for the moment it looks like they’re beaten.

But it was way, way, way too hard. The CAPTCHA and the regexp on the email validation should’ve caught them. The fact that neither did… Jesus, it kinda indicates that there’s some back-door user registration process and that’s a real worry. The last MU update was supposed to be a security patch, but it looks like whatever they tried, it didn’t work.

Hrm.


And, in related news, lol.

747 words posted 664 days ago at 1:16 pm.

2 Comments

  1. 664 days ago
    199 comments

    chelle

    lol, I love how that reviewer just can’t get over that header of yours.

    I had one a long time ago who did that with my really long blog entries. She docked me on the design because she got bored of looking at it. She docked me on content because my life’s so incredibly uninteresting. I think she even found a way to worm how many words I write into the “methods of contact” section. It was great. Too bad she cried that I flamed her when I pointed it out in my next long-assed entry.

    AND NOW FOR MY LIFE STORY.
