
How to Block Darknet Market Spam

Lately some of my WordPress-powered sites have been hit with a very specific brand of comment spam, which may be referred to as “darknet market spam”. The spam is simple but persistent. And there’s a LOT of it. Very annoying. Fortunately it is trivial to stop. Here are a few ways to block the darknet market spam.


[Screenshot showing darknet comment spams]

Block darknet spam via WordPress

WordPress provides a Discussion setting called “Disallowed Comment Keys” that enables you to block any comments that contain specific phrases or strings of text. I have written before about how to use these built-in WordPress settings to block tons of spam and other nonsense.

Here we are using Disallowed Comment Keys to put an end to the lowlife darknet spammer. Simply visit the WordPress Discussion settings and scroll to Disallowed Comment Keys. Then add the following phrases:

dark net
dark web
dark market
darkmarket
darknet
drug store

Save changes and done. This stops 99.9% of the dorknet spam, but the kiddies may roll out some fresh techniques in the future. If so, I gladly will update this post with new ways to block ’em.

Block darknet IP addresses via server

I’ve written before about when and where to key on IP address when blocking malicious requests and activity. In a nutshell, IP-based blocking works best when the bad actor is working from a static address(es). In such cases, it’s possible and rather easy to block their attempts with a few lines of code, either via Apache/.htaccess or Nginx or PHP or whatever language you prefer.

In other cases, where bad actors are using rotating IP addresses, like via some VPN or proxy service, blocking via IP address can prove to be rather futile, if not a mildly entertaining way to pass some time. For example, I spent a few rounds trying to block the dorknet spammer by blocking the various addresses associated with their annoying spams:

# block darknet market spam
# https://perishablepress.com/block-darknet-market-spam/
<RequireAll>
	Require all granted
	
	Require not ip 217.77.102.
	Require not ip 188.68.52.
	Require not ip 176.56.105.
	Require not ip 170.106.116.
	Require not ip 157.100.108.
	Require not ip 157.66.16.
	Require not ip 152.42.200.
	Require not ip 149.50.116.
	Require not ip 125.164.213.
	Require not ip 95.17.59.
	Require not ip 91.108.130.
	Require not ip 45.140.143.
	Require not ip 45.134.225.
	Require not ip 45.84.107.
	Require not ip 43.153.103.
	Require not ip 43.153.8.
	Require not ip 42.81.157.
	Require not ip 40.76.69.
	
	# ..etc..
	
</RequireAll>

That ruleset can be added via Apache 2.4+ (config or .htaccess file), but I don’t recommend doing so because apparently the darknet spammers are using some VPN/proxy service and rotating IP addresses. So it’s kinda fun but ultimately futile to go this route. It’s better to block using WordPress settings (previous) or block using keywords at the server level (next).
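One way to check whether comment POSTs come from a few static networks or a rotating pool before writing any `Require not ip` lines. This is an added example, not code from the original post: the function name is hypothetical, the log lines are constructed, and it assumes combined-format access logs and the default WordPress comment endpoint `/wp-comments-post.php`.

```php
<?php
// Added example, not the post's code. Function name is hypothetical and the
// log lines are constructed (combined log format, private addresses).

function example_comment_post_networks(array $lines) {
	$counts = array();
	foreach ($lines as $line) {
		// client IPv4 address, then a POST to the WordPress comment endpoint
		$re = '#^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3} .*?"POST /wp-comments-post\.php[ ?]#';
		if (!preg_match($re, $line, $m)) {
			continue;
		}
		$prefix = $m[1] . '.'; // same partial-address form as "Require not ip"
		$counts[$prefix] = isset($counts[$prefix]) ? $counts[$prefix] + 1 : 1;
	}
	arsort($counts); // busiest network first
	$total = array_sum($counts);
	return array(
		'total'     => $total,
		'networks'  => count($counts),
		'top_share' => $total ? round(reset($counts) / $total, 2) : 0.0,
		'by_prefix' => $counts,
	);
}

$sample = array(
	'10.10.1.5 - - [07/Jun/2025:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
	'10.10.2.77 - - [07/Jun/2025:10:00:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
	'10.10.3.14 - - [07/Jun/2025:10:00:20 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
	'10.10.1.9 - - [07/Jun/2025:10:00:31 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
	'10.10.4.200 - - [07/Jun/2025:10:00:44 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
	'10.10.5.3 - - [07/Jun/2025:10:01:02 +0000] "GET /some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

$report = example_comment_post_networks($sample);
printf("%d comment POSTs from %d /24 networks; busiest network sent %d%%\n",
	$report['total'], $report['networks'], (int) round($report['top_share'] * 100));
foreach ($report['by_prefix'] as $prefix => $n) {
	printf("  %-12s %d\n", $prefix, $n);
}
```

When the busiest network accounts for only a small share of the POSTs and new prefixes keep appearing, the source is rotating and keyword blocking is the better tool.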

Block darknet keywords via server

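Update: This technique does not work as intended. The rule tests %{REQUEST_URI}, which holds only the request path, and mod_rewrite has no variable for the POST body, so the comment text is never examined. Check out the next section for a sure-fire way to block the darknet moron via PHP.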

For those with access to and familiarity with Apache/.htaccess, a better way to block darknet and other bad bots is to handle it at the server level. With Apache servers, this can be done using the config or an .htaccess file. For example, here are the rules to block darknet boy at the server level:

# block darknet market spam
# https://perishablepress.com/block-darknet-market-spam/
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} POST [NC]
	RewriteCond %{REQUEST_URI} (dark(\s)net|dark(\s)web|dark(\s)market|darkmarket|darknet|drug(\s)store) [NC]
	RewriteRule (.*) - [F,L]
</IfModule>

WordPress comments are submitted via POST requests. So the intent of the above rules is to check each POST request and block it if any of the darknet keywords are found. This essentially is the same way that WordPress blocks comment spam using the previously discussed “Disallowed Comment Keys” setting. The only real difference is that here we are blocking the spam directly via the server.

Blocking spam and other malicious requests at the server level is better for performance, because it prevents the server from having to call up the database and load PHP, JavaScript, CSS, images, and other assets. Blocking at the server level simply sends a 403 Forbidden (or whatever status code you prefer) to all blocked requests. Very lightweight and fast.

Block darknet keywords via PHP

This method works great to block darknet spam before it reaches WordPress comments/trash. So for example, if you try adding the previously prescribed keywords to your WordPress Comments moderation blacklist, it will prevent the spam from showing up on the WP Comments screen and just send it directly to trash. But the darknet spammer sends so much spam eventually you’ll get tired of having to check and empty your comments trash, just to delete all of the darknet idiocy. Seriously, it takes time to check through the trash and rescue any false positive comments, and the darknet spam slows the process down even further.

To stop darknet spam before it reaches the trash bin, so that it never reaches your database, simply add the following code snippet to your WordPress site. Here is a guide that explains how to add code to WordPress for those who may be unfamiliar.

Update: 2025/06/07 added “nexus” related spam terms.
// block darknet market spam
// https://perishablepress.com/block-darknet-market-spam/

function shapeSpace_block_darknet_spam() {
	
	if (isset($_SERVER['REQUEST_METHOD'])) {
		
		$method = $_SERVER['REQUEST_METHOD'];
		
		if (strtoupper($method) === 'POST') {
			
			if (isset($_POST)) {
				
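				// only inspect string values: comment[]=... arrives as an array and would make stripos() throw on PHP 8
				$comment = (isset($_POST['comment']) && is_string($_POST['comment'])) ? $_POST['comment'] : null;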
				
				if ($comment) {
					
					$patterns = array('dark net', 'dark web', 'dark market', 'darkmarket', 'darknet', 'drug store', 'nexus market', 'nexus link', 'nexus url', 'nexus dark', 'nexusdark', 'nexus onion');
					
					foreach ($patterns as $pattern) {
						
						if (stripos($comment, $pattern) !== false) {
							
							header('HTTP/1.1 403 Forbidden');
							exit;
							
						}
						
					}
					
				}
				
			}
			
		}
		
	}
	
}
add_action('init', 'shapeSpace_block_darknet_spam', 1);

No editing is required, simply add, test, and done. To test you can try leaving a comment on one of your posts. Include the phrase “darknet” for example, and your comment should be blocked. If you want to add a special message for the dorknet spammer, simply add an echo statement between the header() and exit lines.
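A variant of the keyword check that also catches the same phrases when the words are run together or split by dots, hyphens, underscores or extra spaces. This is an added example, not the author's code: the `example_*` function names are hypothetical and the sample comments are constructed.

```php
<?php
// Added example, not the post's code. Function names are hypothetical.
// Phrases match whether run together or split by spaces, dots, hyphens, underscores.

function example_spam_regex(array $phrases) {
	$alts = array();
	foreach ($phrases as $phrase) {
		$words = preg_split('/\s+/', trim($phrase));
		$words = array_map(function ($w) { return preg_quote($w, '/'); }, $words);
		$alts[] = implode('[\s._-]*', $words); // "dark net" also covers "darknet", "dark-net"
	}
	return '/(?:' . implode('|', $alts) . ')/i';
}

// Returns the matched text, or null for clean or non-string input (comment[]=...).
function example_find_spam_phrase($comment, $regex) {
	if (!is_string($comment) || $comment === '') {
		return null;
	}
	return preg_match($regex, $comment, $m) === 1 ? $m[0] : null;
}

// Phrase list from the post; "darknet", "darkmarket", "nexusdark" are covered by the regex.
$regex = example_spam_regex(array(
	'dark net', 'dark web', 'dark market', 'drug store', 'nexus market',
	'nexus link', 'nexus url', 'nexus dark', 'nexus onion',
));

if (function_exists('add_action')) {
	// Inside WordPress: same early 403 as the snippet above.
	add_action('init', function () use ($regex) {
		if (isset($_POST['comment']) && example_find_spam_phrase($_POST['comment'], $regex) !== null) {
			header('HTTP/1.1 403 Forbidden');
			exit;
		}
	}, 1);
} else {
	// Run from the command line: constructed sample comments.
	$samples = array(
		'Great write-up, thanks for sharing!',
		'Top dark-net market list',
		'verified DARK_WEB vendors',
		'Our local drug store closed last year', // false positive, same as the original list
	);
	foreach ($samples as $s) {
		$hit = example_find_spam_phrase($s, $regex);
		printf("%-40s => %s\n", $s, $hit === null ? 'allowed' : 'blocked on "' . $hit . '"');
	}
}
```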

While I’m revisiting this post, several weeks later, gotta say that I find it sad that spammers have not figured out how to save resources and time by checking if their spam actually goes thru and shows up on their target sites. I mean, darknet spammer has been spamming my sites for months now with TONS of useless spam comments. And not ONE of them has ever made it thru to the front end. So they’re literally wasting their own time. A simple check for successful posted comment could help to optimize and conserve resources, more efficient spamming, whatever. But I suppose it’s all moot as such concepts are impossible for the low-brow spamming mindset to comprehend.

Anyway it doesn’t matter, because they are now blocked before they ever hit the comments system. Never have to look at darknet garbage ever again. Good riddance.

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.