Update

We have tentatively turned on comments for the past month’s posts, and those posts only. We hope that this will limit the spam and keep the database running. We’re keeping a close eye on the server. If it gets unstable, though, we will close comments again. (So if you’re posting a 32-paragraph novel in comments, make sure to save it as a Word doc first.) We’re looking into other possible technical solutions, and welcome feedback and suggestions.

11 comments for “Update”

  1. It would be way cool if you guys could implement kitten auth. It is a captcha, I’ll admit, but it’s so neat! You can try it out here (the new version is a little buggy, hit submit a few times if no pictures show up)

    Either way, good luck with the spam.

  2. I’m worried that Akismet is allowing such a deluge of spam to get past it … the spammers must have figured something out. Is it typical spam or trackback spam? I saw something about a trackback plugin that could help to prevent trackback spam.

  3. danithew,

    It does not get through. It sits in our comment database but is not displayed. Thus we still have great front-end protection, but on the back end it causes database problems as it piles up so fast without being deleted.

  4. It sounds like WordPress needs to be changed to queue such messages in a file, rather than index them in a database table. A couple of orders of magnitude lower overhead, and hence much greater ability to sustain attacks.

  5. Just had a great lunch with John Fowles and a random john. Good times!

    (I’m still in SLC until June 8).

  6. If you’ve got root access to the machine, and if your machine is running Linux, you can simply block the offending IP addresses at a system level–no user space application will even see traffic from them.

    Mark Butler, if WordPress were to store the files in text files, and were then to try to handle and track the content of the text files in anything like a sophisticated manner, WordPress would have to devise a scheme to store them, retrieve them, order them, resolve collisions, maintain concurrency–in short, it would have to develop its own, text-driven database. Why re-invent the wheel? There are probably better ways to handle denial-of-service attacks.

    I’m sorry you guys are getting attacked, and I don’t think that internet abuse is any laughing matter. That said, I do think it would be kind of funny (in an epic, restoration gospel kind of way) if Lou Midgely stormed in uninvited to Utah Lighthouse Ministries to interrupt the Tanners in the middle of their denial-of-service attack on T&S.

  7. DKL, I think you read too much into my statement – the only messages I am talking about are postings deemed to be suspicious, which would go in a linear queue. I am not talking about replacing the use of a database completely.

    I know enough about the internals of transaction management systems that it has been one of my long-time aspirations to do a database right, and put Oracle and DB2 to shame. Unfortunately that is perhaps a ten-year, 100-million-dollar project to do properly. Even replacing something trivial like MySQL for a single application is not something to be undertaken lightly.

  8. DKL,

    > If you’ve got root access to the machine, and if your machine is running Linux, you can simply block the offending
    > IP addresses at a system level–no user space application will even see traffic from them.

    I did that for a while. I have a list of over 3000 IP addresses that I’ve blocked at the root level for comment spam, trackback spam, or referrer spam. And yet the comment spam kept pouring in. I was adding dozens of IP addresses a day before I finally gave up and tried a different approach.

Comments are closed.