I’d like to tell a brief, cautionary tale about what can happen when you don’t monitor your website’s comments for spam for a little while. Please note – the events within didn’t happen over the course of years, but in around a month.

Lately I’ve been a bit lax on keeping up with my website. I’ve made sure to keep up-to-date with the latest security updates on Drupal, and posted an article now and then, but generally speaking I’ve not been keeping a close eye on it. One thing I do know is that the last time I posted to my site (mid-January), I did not have a truly staggering number of spam comments.

That being said, imagine my dismay on discovering today that not only did many of my pages have hundreds of thousands of comments (I believe I had several million in all, but didn’t think to look before clearing them), but that they had effectively destroyed my site, putting load times to several minutes, and often causing server errors. This page loading issue was probably related to the fact that the comments table in my database had ballooned to almost 200 megabytes of data – and as it turns out was rapidly growing.

My initial reaction was to clean out all of the comments that were recent (i.e. all since my counter-measures had failed), and then disable direct commenting – meaning that I’d have to manually approve comments – but I quickly found that this wasn’t practical, since I was getting roughly a post a second.

I’d like to point that out again. I was getting roughly a post a second.

I believe that the expression “this is why we can’t have nice things” applies here.

Needless to say, I’ve now disabled all comments, though with any luck once they’ve been shut down for a while I’ll be able to ditch the botnet that’s targeted my site.

In the near future I’ll post a short article about how I cleaned out the spam comments, in the hopes that it might help somebody else with a similar issue.