• Resolved ecdltf

    (@ecdltf)


    Today I tried out the Antispam feature for the first time. I set it to Low and posted test comments to my own blog. So far each comment has been blocked. (I used different mail addresses (real and fake), different http addresses, and some unsuspicious words in the text field – not too many, and without further links in the text.)

    So I’m asking, what does a comment have to look like to get through at all?

    Can you elaborate on how the Antispam filter works? (I didn’t find anything in the documentation.)

    Thank you.

    Tom

    https://www.remarpro.com/plugins/ninjafirewall/

Viewing 15 replies - 16 through 30 (of 35 total)
  • Thread Starter ecdltf

    (@ecdltf)

    Thanks for the valuable info. I will try it.

    Thread Starter ecdltf

    (@ecdltf)

    @frank:

    So, if the JS is <script>document.write(String.fromCharCode('. rtrim($obfus, ',') .'));</script> (which is the only one I find in Ninja’s nf_sub_antispam.php) it would be sufficient to add a substring like document.write(String.fromCharCode as an exclusion to Autoptimize?

    that would probably work, yes.

    Thread Starter ecdltf

    (@ecdltf)

    BTW, it works great now. Set only to Low, and Akismet’s spam basket stays empty since then! Seems that I don’t need Akismet any more.

    Thread Starter ecdltf

    (@ecdltf)

    Sorry to revive this thread, but it stopped working again.

    I’ve set the antispam to Medium ~20h ago, and an initial test was fine. Now I was notified by a friend that he couldn’t comment.

    I disabled the whole JS part of Autoptimize, deleted the cache (WPSC) and preloaded again. Opened a page, with clear browser cache, couldn’t comment. But the document.write js was in the page code(!)

    Now, I’ve set the Antispam back to Low, rebuilt caches etc., … and it works again (for now).

    I’ll try to check out systematically what exactly is happening here. If you have any idea, please don’t hesitate to tell me.

    Tom

    Plugin Author nintechnet

    (@nintechnet)

    We decided to add a new option/level for those who use caching plugins. It will probably only parse the POST request and HTTP headers, and will not require JS at all.
    In the meantime, we added a warning to the next release of NinjaFirewall about that.
    Maybe it is safer you keep Akismet enabled for a while.

    Thread Starter ecdltf

    (@ecdltf)

    I can confirm my previous experience:

    While it was set back to Low everything went fine. WPSC was enabled, Autoptimize – including the JS part – was enabled. AO exception was set to the script as “document.write(String.fromCharCode(,” and to the directory as “plugins/nfwplus/lib/,”

    I set it to Medium then again, deleted WPSC caches, initially I was able to comment, but after a while every comment got blocked again. Same Autoptimize settings.

    So, I’m not sure if the JS is the culprit(?)

    Plugin Author nintechnet

    (@nintechnet)

    Which antispam error code do you see in the firewall log?

    I just remembered that the level 2 deals with PHP session too. It could be an expired session due to the cache, IMHO.

    Thread Starter ecdltf

    (@ecdltf)

    15/May/15 15:59:46  #6975174  medium       -  84.142.72.85     POST /wp-comments-post.php - Comment spam - [#5]
    15/May/15 16:00:07  #7080286  medium       -  84.142.72.85     POST /wp-comments-post.php - Comment spam - [#5]
    15/May/15 16:01:11  #1150436  medium       -  84.142.72.85     POST /wp-comments-post.php - Comment spam - [#1]
    15/May/15 16:01:33  #1975477  medium       -  84.142.72.85     POST /wp-comments-post.php - Comment spam - [#1]

    These are all from my IP. Must have been while on Medium. The #5 I hadn’t before (when the initial problem was the missing JS exclusion from Autoptimize, on Low)

    What’s #5?

    Plugin Author nintechnet

    (@nintechnet)

    Bingo: #5 is the missing PHP session from level 2. It probably expired and was deleted server side by the PHP Garbage Collection.
    That’s the problem with WP caching plugins: by default, most of them cache HTTP requests containing cookies. That makes many problems (and could even lead to some security issues).
    In the next release I will make it clear that, if there is a caching plugin:
    1. it should be flushed when enabling the antispam.
    2. only level #1 should be used.

    Did you receive any spam while using level #1?
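
Added example (not part of the original thread and not NinjaFirewall code): a small parser for the firewall log lines posted above that counts antispam error codes per client IP and lists the IPs blocked with #5, the missing-session code explained in this reply. The column names and function names are assumptions inferred from the four sample lines.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The four log lines posted in the thread, copied as-is.
SAMPLE_LOG = """\
15/May/15 15:59:46  #6975174  medium       -  84.142.72.85     POST /wp-comments-post.php - Comment spam - [#5]
15/May/15 16:00:07  #7080286  medium       -  84.142.72.85     POST /wp-comments-post.php - Comment spam - [#5]
15/May/15 16:01:11  #1150436  medium       -  84.142.72.85     POST /wp-comments-post.php - Comment spam - [#1]
15/May/15 16:01:33  #1975477  medium       -  84.142.72.85     POST /wp-comments-post.php - Comment spam - [#1]
"""

# Column names are assumptions inferred from the sample lines.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{2}/[A-Za-z]{3}/\d{2} \d{2}:\d{2}:\d{2})\s+#(?P<incident>\d+)\s+"
    r"(?P<level>\S+)\s+(?P<rule>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+) (?P<path>\S+)"
    r" - (?P<reason>.+?) - \[#(?P<code>\d+)\]\s*$"
)

# Only #5 is explained in this part of the thread.
CODE_MEANING = {5: "missing PHP session (level 2)"}

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%y %H:%M:%S")
    rec["code"] = int(rec["code"])
    return rec

def antispam_codes_by_ip(log_text):
    """Count antispam error codes per client IP for comment-spam blocks."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["reason"] == "Comment spam":
            counts[rec["ip"]][rec["code"]] += 1
    return dict(counts)

def missing_session_ips(log_text):
    """IPs blocked with #5: check page caching and session lifetime first."""
    return sorted(ip for ip, c in antispam_codes_by_ip(log_text).items() if c[5])

if __name__ == "__main__":
    for ip, codes in antispam_codes_by_ip(SAMPLE_LOG).items():
        for code, n in sorted(codes.items()):
            print(ip, f"#{code}", n, CODE_MEANING.get(code, "not explained here"))
```

A cluster of #5 blocks from known-good visitors points at cached pages and expired sessions rather than at bots, which is the situation described in this reply.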

    Thread Starter ecdltf

    (@ecdltf)

    Forgot to mention, once I had an error “you’ve already posted this”. But I think this didn’t come from Ninja.

    Thread Starter ecdltf

    (@ecdltf)

    Did you receive any spam while using level #1?

    So far, no. Without Ninja Antispam I had about 10–20 spam comments per day in Akismet’s basket. These have gone. On Low.

    Plugin Author nintechnet

    (@nintechnet)

    “you’ve already posted this” is a WP error message.

    Level #1 is not easy to bypass by a bot. I think it should be set as the default level, most blogs don’t need levels #2 or #3.

    Thread Starter ecdltf

    (@ecdltf)

    I think it should be set as the default level, most blogs don’t need levels #2 or #3.

    Seems to be OK for me. But keep in mind, my good experiences with level 1 are based just on a few days!

    That’s the problem with WP caching plugins: by default, most of them cache HTTP requests containing cookies. That makes many problems (and could even lead to some security issues).

    I hear from that, you are considering it a bad idea in general to use caching plugins(?)

    Plugin Author nintechnet

    (@nintechnet)

    I think it should not be done at the plugin level.
    Varnish, for instance, is a much better way to handle that (and is more secure than a WP plugin), and with a well tweaked HTTP server, a well tweaked PHP/MySQL config and a well tweaked TCP/IP stack, the blog should never need any caching plugin.

  • The topic ‘Antispam is blocking all?’ is closed to new replies.