Dec 25, 2006

Comment Spam, Shutting Down Comments, and All the Gory Details

Okay, as promised, I'm giving you the gory details on my battle with comment spam on Needcoffee. I wouldn't exactly call what has happened a surrender–I have had to close down all comments on Needcoffee just to keep the server from crashing–I prefer to think of it as a scorched earth policy.

Basically, here's what's been happening. And here's why nothing I tried has worked.

There's a file in WordPress that is pinged/called up when you want to post a comment. It's called wp-comments-post.php by default. What the spammers have been doing is hitting that file in order to post their spam on my site.

Do they succeed? No, not in the least. For the first part, I have…well, had…all comments moderated. Nothing was ever posted to Needcoffee as a comment without going through me, unless you were a member of the staff and logged into the site.

Why do they want to post spam? People ask me this all the time. Basically, there are lots of blogs that have no protection up whatsoever. As a result, these spam bits have links to the spam sites. Sites get PageRank from Google depending on how many sites link to them, propping up their PageRank score. That's a simple way of putting it, but that's the gist. So they hammer you with spam in the hopes of improving their standing in Google search findings.

Now. This wouldn't succeed even if they did manage to post something, since a rel="nofollow" attribute on the link will negate PageRank boostage from happening. But these spammers and their spammer zombie whateverbots don't care. They will persist regardless of whether or not any comments actually succeed in getting posted. Why? Because they can, that's why.

The first thing people say is Akismet. Use Akismet. Well, Akismet is bogus for two reasons. First, just because the comment gets auto-moderated and left off the roll call, that doesn't mean it hasn't taken up space in your WordPress database. I found this out the hard way after the first 21,000 spam comments rolled through, got caught, and now I have to clean out my database because they're taking up gobs of space. Second, just because the comment gets auto-moderated and left off the roll call, that doesn't mean the spambot hasn't hit your wp-comments-post.php file anyway. It has. And when you've got them coming in like a spam tsunami, sure Akismet keeps them from being posted or even from you having to moderate, but your site will 503 nonetheless.

The second thing people say is Bad Behavior. Use Bad Behavior. Bad Behavior helps, but it can be overwhelmed. I can't tell you how BB works, but I literally saw dozens and dozens of bot smacks against wp-comments-post.php a minute coming in. If this is BB when it's in full-on strict mode, then without it, gah. So BB doesn't help.

Then, I renamed and eventually deleted wp-comments-post.php. Fuck it, says I, if you can't get to the file at all, you can't mess with me, right? Wrong! They're trying to hit the file, there or not, which means the server takes a hit, which means…503.

Then, I had DreamHost alter my .htaccess file to block hits to the wp-comments-post.php file unless the referrer site is needcoffee. So you can't hit the site from anywhere else. Should help, right? Wrong! They can spoof shit so it looks like it's coming from my site.

So I started going in and trying to add bits to the .htaccess file to weed out casino and poker spams along with certain IP addresses. The spam detail file I pulled down from BB was so large, I couldn't even process it. I finally deleted everything but the last seven hours, and even that was about 10,000 lines in the CSV file I used to pull it down so I could try and manipulate it.
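The two defensive steps above, the Referer-based .htaccess rule and sifting a huge hit log for the addresses worth blocking, are what the following script automates. It is an added example, not code from this post or from WordPress, Bad Behavior or DreamHost. It parses Apache combined-format log lines (a constructed sample is embedded; the addresses and the site host "needcoffee.example" are placeholders), flags any IP whose POSTs to wp-comments-post.php hit a hypothetical rate threshold inside a short window, shows which of those flooders also sent a site-looking Referer (i.e. would have sailed past the referrer check), and renders an Apache 2.2-style deny block for the flagged addresses. The thresholds and the log regex are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, simplified (assumption: no spaces inside the request line's path).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET = "/wp-comments-post.php"
SITE_HOST = "needcoffee.example"  # placeholder host, not the real site's domain

# Constructed sample traffic (not real log data): 10.0.0.9 hammers the endpoint with no Referer,
# 10.0.0.23 hammers it with a spoofed site Referer, 192.0.2.77 looks like one human comment.
SAMPLE_LOG = """\
10.0.0.9 - - [25/Dec/2006:02:10:01 -0500] "POST /wp-comments-post.php HTTP/1.0" 403 212 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Dec/2006:02:10:02 -0500] "POST /wp-comments-post.php HTTP/1.0" 403 212 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Dec/2006:02:10:02 -0500] "POST /wp-comments-post.php HTTP/1.0" 403 212 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Dec/2006:02:10:03 -0500] "POST /wp-comments-post.php HTTP/1.0" 403 212 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Dec/2006:02:10:04 -0500] "POST /wp-comments-post.php HTTP/1.0" 403 212 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Dec/2006:02:10:05 -0500] "POST /wp-comments-post.php HTTP/1.0" 403 212 "-" "Mozilla/4.0"
10.0.0.23 - - [25/Dec/2006:02:10:06 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://needcoffee.example/?p=1" "Mozilla/4.0"
10.0.0.23 - - [25/Dec/2006:02:10:06 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://needcoffee.example/?p=2" "Mozilla/4.0"
10.0.0.23 - - [25/Dec/2006:02:10:07 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://needcoffee.example/?p=3" "Mozilla/4.0"
10.0.0.23 - - [25/Dec/2006:02:10:07 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://needcoffee.example/?p=4" "Mozilla/4.0"
10.0.0.23 - - [25/Dec/2006:02:10:08 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://needcoffee.example/?p=5" "Mozilla/4.0"
10.0.0.23 - - [25/Dec/2006:02:10:08 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://needcoffee.example/?p=6" "Mozilla/4.0"
192.0.2.77 - - [25/Dec/2006:02:11:30 -0500] "GET /?p=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 Firefox/2.0"
192.0.2.77 - - [25/Dec/2006:02:12:40 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://needcoffee.example/?p=1" "Mozilla/5.0 Firefox/2.0"
"""


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def comment_posts(log_text):
    """Yield parsed records for POST requests to the comment endpoint only."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == TARGET:
            yield rec


def comment_post_floods(log_text, threshold=5, window_seconds=10):
    """Return {ip: peak_hits} for IPs that POST to wp-comments-post.php at least
    `threshold` times within any `window_seconds` span (sliding window per IP)."""
    stamps_by_ip = defaultdict(list)
    for rec in comment_posts(log_text):
        stamps_by_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def referer_looks_local(referer, site_host):
    """The check the Referer-based .htaccess rule makes. The header is client-supplied,
    so passing it proves nothing; the post's spoofing complaint is exactly this."""
    return referer.startswith(("http://" + site_host + "/", "http://www." + site_host + "/"))


def spoofed_referer_ips(log_text, site_host, **flood_kwargs):
    """Flooding IPs that also sent a site-looking Referer on their comment POSTs."""
    flooders = comment_post_floods(log_text, **flood_kwargs)
    return {rec["ip"] for rec in comment_posts(log_text)
            if rec["ip"] in flooders and referer_looks_local(rec["referer"], site_host)}


def render_htaccess(flagged):
    """Apache 2.2-style block that denies the flagged IPs for the comment endpoint at the
    web server, so PHP never runs for them. (Apache 2.4 uses mod_authz_core's Require syntax.)"""
    lines = ['<Files "wp-comments-post.php">', "    Order Allow,Deny", "    Allow from all"]
    lines += ["    Deny from %s" % ip for ip in sorted(flagged)]
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flooders = comment_post_floods(SAMPLE_LOG)
    print("flooding IPs (peak hits in window):", flooders)
    print("flooders that passed the Referer check anyway:", spoofed_referer_ips(SAMPLE_LOG, SITE_HOST))
    print(render_htaccess(flooders))
```

Two points the sample is built to show. First, 10.0.0.23 passes the Referer test on every request and is still caught, because the rate is what gives a bot away, not the header it chooses to send. Second, a deny from `<Files>` is answered by Apache alone, which is cheaper than the alternatives tried in the post: with WordPress's default rewrite rules, a request for a file that no longer exists is routed to index.php, so deleting wp-comments-post.php still boots WordPress on every hit.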

Nothing worked. 503 errors on IE constantly, although strangely Firefox was slow but it could get through. No telling.

So finally, boom. Comments go bye-bye. Now at least you can get to the site. If anybody has any ideas on how to effectively stop not the comment spam itself, but the server strain from what amounts to a spam DDoS attack, let me know. Otherwise, I'm spent. Night.

Written by Widge in: General BS
