After upgrading from 1.6.9 to 2.4.latest yesterday, I neglected to re-install the accessible captcha extension I was running in EE1.
That meant I was running standard EE captchas and with an hour of the upgrade, my oversight was exposed - I woke up today to about 150 spam comments which were clearly automated. I am usually only bothered by persistent manual spammers that number 1-2 a week. I don’t allow any links and parse out HTML the EE creates from BB code (be great to see that as a config option) so they don’t usually try more than once in one go.
That’s fine however - it was my oversight and I’ve now installed the EE2 version of the accessible catpcha and hope that does the trick.
The issue is that I was not email notified for any of them. When I woke up, I saw a single manual spam notification, logged in to remove it and saw all the automated ones. So somehow in addition to bypassing the standard captcha, they are also preventing email notification somehow. Notification is working as it always has done as evidenced by the one received for the manual spam, just not for these messages.
For the record, this is not (or doesn’t appear to be) related to the issue linked from my signature, because the spammer email addresses for each comment are not the notification emails for the weblog. Though for the record I’d love to see some form of communication from EE on that bug I linked to. Greg Aker has left, yet the bug is still assigned to him and it’s been a while….
I have extracted some logs that deal with the particular spammer and one of the pages affected to verify they were added on the front end rather than something nastier. I have masked the IP with “AT.TA.CK.ER”.
You can see the page is requested a few times using GET, including the captcha image (but not any other page assets), then a couple of POST’s which is presumably the posting of a comment, then a couple of regular GETs.
log:23062: AT.TA.CK.ER - - [16/Apr/2012:20:01:23 -0400] "GET /path/to/entry/ HTTP/1.1" 200 17347 "http://www.domain.com/path/to/entry/" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
log:23062: AT.TA.CK.ER - - [16/Apr/2012:20:01:23 -0400] "GET /path/to/entry/ HTTP/1.1" 200 17347 "http://www.domain.com/path/to/entry/" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
log:23064: AT.TA.CK.ER - - [16/Apr/2012:20:01:24 -0400] "GET /images/captchas/1334620883.47.jpg HTTP/1.1" 200 2589 "http://www.domain.com/path/to/entry/" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
log:23067: AT.TA.CK.ER - - [16/Apr/2012:20:01:24 -0400] "POST /path/to/entry HTTP/1.1" 302 782 "http://www.domain.com/path/to/entry/" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
log:23067: AT.TA.CK.ER - - [16/Apr/2012:20:01:24 -0400] "POST /path/to/entry HTTP/1.1" 302 782 "http://www.domain.com/path/to/entry/" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
log:23078: AT.TA.CK.ER - - [16/Apr/2012:20:01:25 -0400] "GET /path/to/entry HTTP/1.1" 200 18209 "http://www.domain.com/path/to/entry" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
log:23078: AT.TA.CK.ER - - [16/Apr/2012:20:01:25 -0400] "GET /path/to/entry HTTP/1.1" 200 18209 "http://www.domain.com/path/to/entry" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
log:23082: AT.TA.CK.ER - - [16/Apr/2012:20:01:25 -0400] "GET /path/to/entry HTTP/1.1" 200 18206 "http://www.domain.com/path/to/entry" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
log:23082: AT.TA.CK.ER - - [16/Apr/2012:20:01:25 -0400] "GET /path/to/entry HTTP/1.1" 200 18206 "http://www.domain.com/path/to/entry" "Mozilla/4.76 [en] (Windows NT 5.0; U)"
How might this spammer have suppressed notification?
I have secure forms turned on etc.
Also, when I click “Recent Comments” from the CP homepage, I get a list of sorted comments. However they are presented in ascending date order, despite the toggle being on descending. It means to see the most recent comment I have to scroll to the bottom, Switching the toggle presents comments from when the site started years ago…