Slowing down spamming! Hashcash challenge in com_akocomment
So I have just finished and tested the integration of a hashcash challenge (MD5) into the com_akocomment component… using the code from this page http://dev.wp-plugins.org/browser/wp-hashcash/trunk/ (only an extract, but all credit to the original authors):
- C.S. – www.cimmanon.org
- Gene Shepherd – www.imporium.org
- John F – www.stonegauge.com
- Magenson – http://blog.magenson.de/
- Matt Mullenweg – photomatt.net
- Matt Warden – www.mattwarden.com
- Paul Andrew Johnston – pajhome.org.uk
and to Arthur Konze, the author of com_akocomment.
I must also pack everything into a new version of the component, or better said, refactor the code a little bit, because it is still full of debug statements…
Robots that want to submit spam comments must pay the price (using CPU time, approx. 100 hashcash max. each minute on a high-end computer) and compute a Hashcash (www.Hashcash.org) manually (this cannot be automated by submitting directly to the form).
Extract from the documentation of wp-hashcash:
This plugin used to be called "Spam Stopgap Extreme." Now it's been moved to the WP plugins repository under the new name "Wordpress Hashcash." All future development will take place through the plugins repository.
- Log and emailing of spam, for your records
- Client-side hash required.
- The "Key" is hashed once before output to the html form, so spammers can't make sense of it, and then hashed on the client side, again.
- The "Key" is now a time-dependent, visitor dependent hash, for more variability. You can't just compute the right md5 once, because it's always changing.
- Failure to compute the md5 hash results in a 1 minute timeout penalty.
Expect a release before the weekend… But I must also inform Arthur Konze first for feedback.
Then I will add the same code to the login page (because I am generalizing the code), in order to avoid password brute forcing on the admin login page… and to the guestbook (because I was spammed many times last week).
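The scheme described in the wp-hashcash extract above (key hashed once on the server, hashed again on the client, bound to the visitor and the time, with a 1 minute penalty on failure), as an added example that is not code from wp-hashcash or com_akocomment. The function names, the secret, the key derivation and the 10 minute window are assumptions made for the illustration; MD5 is used only because the page's scheme uses it.

```javascript
// Added illustration; names, secret and window size are assumptions, not wp-hashcash code.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';   // assumed per-site secret, kept server-side
const WINDOW_MS = 10 * 60 * 1000;           // assumed lifetime of a key window
const PENALTY_MS = 60 * 1000;               // 1 minute timeout after a failed hash
const penalties = new Map();                // visitor -> time the penalty ends

const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

// Raw key: depends on the visitor and the current time window.
const rawKey = (visitor, slot) => md5(`${SECRET}|${visitor}|${slot}`);

// Server: value written into the HTML form (raw key hashed once).
function issueFormKey(visitor, now) {
  return md5(rawKey(visitor, Math.floor(now / WINDOW_MS)));
}

// Client (browser script): hash the form value again before submitting.
function clientAnswer(formKey) {
  return md5(formKey);
}

// Server: recompute the expected answer; nothing is stored per form.
function verify(visitor, answer, now) {
  if ((penalties.get(visitor) || 0) > now) return 'penalized';
  const slot = Math.floor(now / WINDOW_MS);
  // Accept the current and previous window so a form loaded just before rollover still works.
  const ok = [slot, slot - 1].some((s) => {
    const expected = Buffer.from(md5(md5(rawKey(visitor, s))));
    const given = Buffer.from(String(answer));
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
  if (!ok) penalties.set(visitor, now + PENALTY_MS);
  return ok ? 'accepted' : 'rejected';
}
```

A client that executes the form's script still passes; the check only rejects direct posts and keys that are stale or were issued to another visitor.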