You know in that horror movie where the girl is on the phone and there’s some crazy mofo who’s freaking her out but for some reason she doesn’t hang up and eventually it turns out the crazy mofo is already inside the house and really has no reason to call? I had a moment like that tonight. I’ve had a rash of spam lately, all using my Facebook identities. I waited for my spam-catchers to get a clue, but the comments kept coming. “Fine,” thought I, “I’ll just block the addresses they’re coming from.”
I fired up my diagnostics, and found the source. localhost. My server thought the comments were coming from itself! Double-plus ungood, to quote Orwell. Extra double-plus. My spam-detecting software, it turns out, recognized the evil of the comments, but was immediately overridden by the administrator. By me, or a vile piece of software pretending to be me.
I just changed a lot of passwords. I hope I can remember them later. I also set a switch that requires that all comments be approved before they go live. Alas, this is likely more an inconvenience to legit comment traffic, as the evil robot has already proven capable of emulating me and giving permission.
I also spastically updated all my WordPress plugins (I do this fairly often anyway) — including, perhaps significantly or not, the one that passes comments between here and Facebook. Later, going back, I see nothing in that plugin’s update info to the tune of “closed egregious spam hole.” But the attack vector seems to be through my Facebook identities. It may be that the conduit trusted the origin of the messages too much.
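The two symptoms above (comments whose recorded origin is the server itself, and approval attributed to the administrator account) are easy to sweep for in the comment table. This is an added example, not code from the post or from any plugin; it works on constructed rows shaped like WordPress `wp_comments` columns and assumes the administrator's user id is 1.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the blog's administrator account has user_id 1.
ADMIN_IDS = {1}


@dataclass
class Comment:
    """Subset of wp_comments columns (constructed sample rows below)."""
    comment_ID: int
    comment_author_IP: str
    comment_approved: str  # '0' pending, '1' approved, 'spam'
    user_id: int           # 0 for an anonymous visitor
    comment_agent: str


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparsable values are not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def flag_suspicious(comments, admin_ids=ADMIN_IDS):
    """Return (comment_ID, reasons) for comments that appear to come from
    the server itself; note when such a comment was also approved under an
    administrator account, i.e. something on the host acted as the admin."""
    flagged = []
    for c in comments:
        if not is_loopback(c.comment_author_IP):
            continue  # a real visitor, or the admin posting from a browser
        reasons = ["origin is localhost"]
        if c.comment_approved == "1" and c.user_id in admin_ids:
            reasons.append("approved under an administrator account")
        flagged.append((c.comment_ID, reasons))
    return flagged


# Constructed sample: one normal visitor, two relayed-through-the-host
# comments, and the admin's own comment from a remote browser.
SAMPLE = [
    Comment(1, "203.0.113.7", "0", 0, "Mozilla/5.0"),
    Comment(2, "127.0.0.1", "1", 1, "WordPress/plugin-relay"),
    Comment(3, "::1", "1", 1, "WordPress/plugin-relay"),
    Comment(4, "198.51.100.4", "1", 1, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for cid, why in flag_suspicious(SAMPLE):
        print(cid, "; ".join(why))
```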
So now I wait and watch, and your comments will take a little longer to reach the page. Hopefully I can loosen things up soon.