Spammers getting past

15 views
Skip to first unread message

Kitsufox

unread,
Nov 30, 2007, 11:20:33 AM11/30/07
to reCAPTCHA
Some days ago, Recaptcha broke on my wordpress site. On logging in to
recaptcha, I noticed the keys displayed for the domain were different
than the ones that were entered on my side. I re-entered the keys and
recaptcha once again appeared and is required to post comments, again.

...only I'm getting spam, now, and I can't figure out how they're
doing it. There doesn't appear to be any way for me to enter a
comment without the captcha verifying I'm human, but someone is
managing to do it. Has anyone else had this issue?

reCAPTCHA Support

unread,
Nov 30, 2007, 11:43:01 AM11/30/07
to reca...@googlegroups.com
Please see our FAQ:

HELP, I'm still seeing comment spam

There are two common issues that make reCAPTCHA appear to be broken, but are actually not problems.

  • Moderation emails: reCAPTCHA marks comments as spam, so if you get moderation emails when spam comments are sent, you will get moderation emails for all spam comments with reCAPTCHA. We highly recommend turning off moderation emails with reCAPTCHA.
  • Trackbacks and Pingbacks: reCAPTCHA can't do anything about pingbacks and trackbacks. You can disable pingbacks and trackbacks in Options | Discussion | Allow link notifications from other Weblogs (pingbacks and trackbacks).
--
reCAPTCHA: stop spam, read books
http://recaptcha.net

Kitsufox

unread,
Nov 30, 2007, 12:40:07 PM11/30/07
to reCAPTCHA
Well, they're not trackbacks or pingbacks, and comments do end up in
the moderation queue, but they're not marked as spam. I'll have to
recheck my configuration. For months recaptcha prevented spam from
even reaching the moderation queue and waiting to be trashed, now it
fills up with hundreds each day, again.

On Nov 30, 11:43 am, "reCAPTCHA Support" <supp...@recaptcha.net>
wrote:
> Please see our FAQ:
>
> HELP, I'm still seeing comment spam
>
> There are two common issues that make reCAPTCHA appear to be broken, but are
> actually not problems.
>
> - *Moderation emails*: reCAPTCHA marks comments as spam, so if you get
> moderation emails when spam comments are sent, you will get moderation
> emails for all spam comments with reCAPTCHA. We highly recommend turning off
> moderation emails with reCAPTCHA.
> - *Trackbacks and Pingbacks*: reCAPTCHA can't do anything about
> pingbacks and trackbacks. You can disable pingbacks and trackbacks in
> Options | Discussion | Allow link notifications from other Weblogs
> (pingbacks and trackbacks).
>

reCAPTCHA Support

unread,
Nov 30, 2007, 12:44:39 PM11/30/07
to reca...@googlegroups.com
Do you have any other plugins (such as Defensio) installed? Do the comments show up if you log out of Wordpress and then go to the comments page for the blog entry?

On 11/30/07, Kitsufox <kits...@gmail.com> wrote:

Kitsufox

unread,
Nov 30, 2007, 1:05:17 PM11/30/07
to reCAPTCHA
The only other plugin I have active is ShiftThis, which is a pages
organizer.

I have wordpress set to "author must have a previously approved
comment", so no comments show up unless I approve them. For a long
time, recaptcha prevented anything except for legit comments from
showing up in the moderation queue, but now it fills up with junk and
the comments don't go away unless I manually moderate them as spam as
I had to do before I installed recaptcha.

A note: When recaptcha broke (with an error about domain scope), the
spam flooded into the moderation queue because recaptcha wasn't
running. I modded all the comments as spam and fixed the recaptcha
keyset (which only broke for my one site and I haven't been able to
figure out why), but it seems they're able to post comments by getting
around it. I checked and both domain.com as well as www.domain.com
seems to be protected at the moment. I'll have to check server logs
to see if I can figure out what is being accessed to allow bot
comments.

Thanks for all the help!

On Nov 30, 12:44 pm, "reCAPTCHA Support" <supp...@recaptcha.net>
wrote:
> Do you have any other plugins (such as Defensio) installed? Do the comments
> show up if you log out of Wordpress and then go to the comments page for the
> blog entry?
>

reCAPTCHA Support

unread,
Nov 30, 2007, 2:12:11 PM11/30/07
to reca...@googlegroups.com
Hi,

The comments showing up in the moderation queue is an artifact of how the bot in question works. When a user fails a CAPTCHA we save the comment but mark it as spam. Then we send them a redirect back to the comment entry page with a reference to the spam comment. When they follow the redirect, we pre-fill the comment field with their comment then delete the record.

Sadly, due to WordPress's design, having any sort of comment moderation while using reCAPTCHA is annoying due to the large number of spam comments. We're working on a way to fix this.

On 11/30/07, Kitsufox <kits...@gmail.com> wrote:

Kitsufox

unread,
Nov 30, 2007, 4:43:45 PM11/30/07
to reCAPTCHA
Okay -- that helps correct my understanding. I thought that any
comment submission that failed the captcha never actually got
submitted. The problem is that none of the comments coming in are
getting marked as "spam" anymore -- they come in as "defer until
later". It sounds like something in wordpress might have gotten
broken, or perhaps I need to remove and reinstall reCAPTCHA again.

On Nov 30, 2:12 pm, "reCAPTCHA Support" <supp...@recaptcha.net> wrote:
> Hi,
>
> The comments showing up in the moderation queue is an artifact of how the
> bot in question works. When a user fails a CAPTCHA we save the comment but
> mark it as spam. Then we send them a redirect back to the comment entry page
> with a reference to the spam comment. When they follow the redirect, we
> pre-fill the comment field with their comment then delete the record.
>
> Sadly, due to WordPress's design, having any sort of comment moderation
> while using reCAPTCHA is annoying due to the large number of spam comments.
> We're working on a way to fix this.
>

reCAPTCHA Support

unread,
Nov 30, 2007, 7:38:51 PM11/30/07
to reca...@googlegroups.com
Can you try removing the "only allow people who have had one comment moderated" thing and see if the spam actually gets through to your blog? It'd also help to know what the domain is.

On 11/30/07, Kitsufox <kits...@gmail.com> wrote:
Reply all
Reply to author
Forward
0 new messages