doubletake

I’ve just gone over one of my server logs.

It’s definitely automated as the whole process from the first GET to POST takes just a second or so.

Interestingly, there’s also another ‘random username signup’ process originating from within the same IP block (I saw it on 94.102.60.77 This whole IP range seems to be owned by the same company in the Netherlands.

I’m seriously wondering whether I should block the whole range :/

I don’t like to be too quick to block ranges as legitimate users can be affected.

I’ve just gotten hit today (11/12/08) and written this article. I think it’s better to block the IP via WordPress built in comment blacklist.

Ah yes, I’d forgotten the WordPress has a built-in blacklister.

I think it may be a bit more resource intensive to block this way than via htaccess but in this particular case, the hit rate is low and I’ve elected to use your method.

Thanks ??

Hi, I’m having the same trouble tonight.

It looks very much like some sort of automated ‘water testing’ kit looking for wordpress sites to which it can automatically post.

It doesn’t appear very bright, although it posts a hash or random code to presumably identify itself with it’s own kit, it doesn’t seem to test whether it can post links or not (perhaps they’ve dreamed up a nefarious use which doesn’t involve links?!)

In the mean time, all the hit’s I’m getting seem to originate from one of three servers on the same range from 94.102.60.151-153 in the Netherlands (so says RIPE)

If you want to block them off for now, you can use your .htaccess file for Apache and block 94.102.60.151-153 with a ‘Deny’ statement but make sure you know what you’re doing with htaccess Allow/Deny or you could block the lot ??

That should at least stop this bot posting. I don’t think Akismet is going to handle it as all it will get is an apparently random string.

It’s not going to help much if this starts coming from other servers outside that range though