How spammers spam your blog comments

As a blogger, I receive hundreds of spam comments every day. I was curious about how spammers can send so many automated comments to thousands of blogs. Here's an example that demonstrates how blogs get spammed using PHP and cURL.

This article is for educational purposes only. It was written to help bloggers understand one of the techniques spammers use against their blogs, not to encourage spam of any sort.
Blog spamming is useless anyway: most blogs run the Akismet anti-spam plugin and moderate comments manually.

Part 1: Getting info

The first thing the spammer has to know is how your comment form works. Most WordPress comment forms work in exactly the same way, which is probably why spammers can hit so many blogs so easily.
Here's a "basic" WordPress comment form:

<form action="wp-comments-post.php" method="post" id="commentform">
    <input type="text" name="author" id="author" value="" size="30" tabindex="1" />
    <label>Name <span class="required">(required)</span></label>
    <input type="text" name="email" id="email" value="" size="30" tabindex="2" />
    <label>Email <span class="required">(required)</span></label>
    <input type="text" name="url" id="url" value="" size="30" tabindex="3" />

    <textarea name="comment" id="comment" cols="100%" rows="10"></textarea>
    <input type="image" src="submit.png" />
    <input type="hidden" name="comment_post_ID" value="524" />
    <input type="hidden" id="_wp_unfiltered_html_comment" name="_wp_unfiltered_html_comment" value="0d870b294b" />
</form>

To submit a comment through that form, we must fill in the following fields:

  • Name (author)
  • Email (email)
  • Website (url)
  • Comment (comment)

There are also two hidden fields:

  • comment_post_ID
  • _wp_unfiltered_html_comment

Part 2: Creating the script

Now that we have the required info, we can start coding the spam script, using PHP and cURL. We define an array ($postfields) containing the values we want to pass to the page.

<?php
// Form fields, named exactly as in the WordPress comment form above
$postfields = array();
$postfields["action"] = "submit";
$postfields["author"] = "Spammer";
$postfields["email"] = "";
$postfields["url"] = "";
$postfields["comment"] = "I am a stupid spammer.";
$postfields["comment_post_ID"] = "123";
$postfields["_wp_unfiltered_html_comment"] = "0d870b294b";
// URL of the form submission (the form's action)
$url = "";
$useragent = "Mozilla/5.0";
$referer = $url;

// Initialize the cURL session
$ch = curl_init($url);
// cURL options
// Send the request as a POST
curl_setopt($ch, CURLOPT_POST, 1);
// Post the $postfields data
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
// Set a user agent (Mozilla/5.0)
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
// Set a referer ($url)
curl_setopt($ch, CURLOPT_REFERER, $referer);
// Return the result page as a string instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Execute the request and capture the response
$result = curl_exec($ch);
// Close the cURL session
curl_close($ch);

// Finally, display the result
echo $result;

All right. Now the spammer just has to call the script, and it will automatically post the message.
Of course, a real spammer will not type the blog post URL into the script by hand, but loop through a CSV file or even Google results. I'm not going to say much about that, since this code is only an example and definitely not a functional spam bot.
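From the blog owner's side, the request this script produces has a recognisable shape: a Referer pointing at the submission URL rather than the post, the bare "Mozilla/5.0" user agent, and an "action" field the stock form never sends. Below is an added, defensive example that is not part of the original article or of WordPress: a server-side check a theme or plugin could run against the submission. It assumes PHP 8, a CSS-hidden honeypot text field named "website2" added to the form (an assumption, not a stock WordPress field), and the real WordPress hooks preprocess_comment, home_url() and wp_die().

```php
<?php
// Added defensive example (not from the original article). Assumes PHP 8 and a
// CSS-hidden honeypot field named "website2" added to the comment form.

// Return the reasons a comment request looks automated; an empty array means
// nothing suspicious was found. $post is $_POST, $server is $_SERVER.
function comment_spam_signals(array $post, array $server, string $siteHost): array
{
    $signals = [];

    // 1. Honeypot: a browser leaves the CSS-hidden field empty; a script that
    //    blindly fills every text input does not.
    if (!empty($post['website2'])) {
        $signals[] = 'honeypot-filled';
    }

    // 2. Referer: a browser posts the form from the post's own page on this
    //    host. The script above sets it to wp-comments-post.php itself.
    $referer = $server['HTTP_REFERER'] ?? '';
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost) || strcasecmp($refHost, $siteHost) !== 0
        || str_ends_with($referer, 'wp-comments-post.php')) {
        $signals[] = 'referer-mismatch';
    }

    // 3. User-Agent: no real browser sends exactly "Mozilla/5.0" and nothing else.
    $ua = trim($server['HTTP_USER_AGENT'] ?? '');
    if ($ua === '' || $ua === 'Mozilla/5.0') {
        $signals[] = 'generic-user-agent';
    }

    // 4. Stray fields: the stock form has no "action" field, but the script sends one.
    if (isset($post['action'])) {
        $signals[] = 'unexpected-field';
    }

    return $signals;
}

// Hook into WordPress when this file is loaded from a theme or plugin.
if (function_exists('add_filter')) {
    add_filter('preprocess_comment', function (array $commentdata): array {
        $host = (string) parse_url(home_url(), PHP_URL_HOST);
        $signals = comment_spam_signals($_POST, $_SERVER, $host);
        if ($signals !== []) {
            error_log('comment rejected: ' . implode(',', $signals)); // keep for moderation review
            wp_die('Your comment could not be accepted.', '', ['response' => 403]);
        }
        return $commentdata;
    });
}
```

Any one signal on its own is weak (some privacy tools strip the Referer), so in practice log them and let Akismet or manual moderation make the final call rather than rejecting outright on a single hit.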

This tutorial was inspired by this excellent article from French website