I found a comment in the spam folder for Speed Force that, on first glance, looked like an actual, relevant comment…to a different post. It was a coherently-written paragraph about how someone had “considered getting a second Captain Cold” action figure to customize it, but it was posted to an article about stalled miniseries. The author’s name and link were obvious spam, though (seriously, “watch full movies” is the best you can do?).

My first thought: They’d copied the text from another comment on the site. I’ve seen that happen before, but usually it’s comments on the same post. A search through existing comments didn’t turn up any matches, though.

So then I did a search on the rest of the web, and found the original comment on a review of an Atom Smasher toy.

Someone had gone looking for a site with a similar topic (comic books about super-heroes, action figures made from super-heroes), copied text from there, and pasted it onto mine…and yet they hadn’t bothered to match up specifics (like pasting it on a post about action figures or Captain Cold). So it’s not quite as sneaky as the one who followed a link in my post and pasted in text from the other page, but it’s pretty close.

Judging by a quartet of comments posted this evening, 3 of which slipped past Spam Karma, someone’s started outsourcing comment spam to India. (I’m serious, the IP addresses were assigned to Bharti Airtel and BSNL Internet, both ISPs based in New Delhi.)

They were posted quickly, as if they’d been composed in another editor and pasted into the form. More importantly, they were actually posted through the form, not just sending data directly to the handler. And most tellingly, the posters had gone to the effort to fill out the CAPTCHA that Spam Karma provides to allow human commenters to recover from a false positive.

The one I liked best, from a technical perspective, was posted on Tall Ships of San Diego. The spammer had followed my link to the San Diego Maritime Museum, then followed that to a page describing one of the ships, the Californian, and generated a post by stringing together sentences from that page. The whole thing linked to a student loan site.

At first glance, it looked like a garbled, on-topic comment from someone who maybe didn’t speak English as their first language. That happens, and if it’s a legit comment, I leave it. In fact, I considered leaving the comment but deleting the author URL, until I looked up the ship. (It wasn’t one of the ships we toured on our visit, and I didn’t recognize the name.) As I looked at the ship’s profile, I started recognizing text from the comment. At that point it became clear what was going on, and I started looking at the other comments posted over the last few hours.
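The check done by eye above (recognizing the ship profile's sentences in the comment) can be automated. This is an added example, not code from the original post or from Spam Karma; the page text, the comments, and the function names are constructed for illustration, and it assumes the text of pages linked from the post has already been fetched.

```python
import re

# Constructed text standing in for a page linked from the post (not a real page).
LINKED_PAGE = (
    "The ship was built by volunteers over three long summers. "
    "She carries a crew of twelve on every public day sail. "
    "Visitors may board at the north pier on weekend mornings. "
    "School groups can book overnight programs in the spring."
)
# Constructed comments: one stitched from the page's sentences, one original.
STITCHED = ("Visitors may board at the north pier on weekend mornings. "
            "The ship was built by volunteers over three long summers.")
GENUINE = ("We missed that one on our visit, sadly. "
           "Does anyone know whether the day sails run in winter too?")

def norm_sentences(text, min_words=5):
    """Split into sentences, fold case and punctuation, drop very short ones."""
    out = []
    for raw in re.split(r"(?<=[.!?])\s+", text):
        words = re.findall(r"[a-z0-9']+", raw.lower())
        if len(words) >= min_words:
            out.append(" ".join(words))
    return out

def copied_fraction(comment, source_texts):
    """Fraction of the comment's sentences found verbatim in any source text."""
    known = set()
    for src in source_texts:
        known.update(norm_sentences(src))
    mine = norm_sentences(comment)
    if not mine:
        return 0.0  # nothing long enough to judge
    return sum(s in known for s in mine) / len(mine)

def looks_stitched(comment, source_texts, threshold=0.6):
    """True when most of the comment is lifted from the linked pages."""
    return copied_fraction(comment, source_texts) >= threshold

if __name__ == "__main__":
    for name, text in (("stitched", STITCHED), ("genuine", GENUINE)):
        print(name, copied_fraction(text, [LINKED_PAGE]))
```

A real commenter quoting one line from the linked page stays under the threshold, so a hit is better used as a reason to hold the comment for moderation than to delete it outright.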

I recently stumbled across an archived mailing list post of mine from the days before spammers started targeting WordPress. Someone had remarked that their spam problem had disappeared when they switched from Movable Type to WordPress, and I responded:

Oh, they hit us WordPress users too, just not as often as MT. Having it automatically moderate comments with certain keywords or more than X number of links helps cut it down, and the ability to (a) see all the latest comments and (b) mass-delete comments reduces the pain of cleanup. But they do target WP blogs from time to time.

I tend to get a pair of comments sent to the moderation queue every few weeks (presumably they figure if the first two didn’t show up, they won’t waste their time with more), but just this morning I had to delete a spam comment that came in last night and didn’t trip the moderation rules. (One of those with the generic “I like your site” messages and the author’s URL being the spamvertized site.)

That was September 2004. How things have changed! All WordPress blogs come with Akismet as an anti-spam measure, but I still prefer to use Bad Behavior, which has blocked ~2900 hits to this site in the past week alone, and Spam Karma, which has collected over 17,000 comment spams.

And with all those counter-measures in place, I get a couple of comments landing in the moderation queue each week. And just this morning I had to delete a spam comment that came in last night and didn’t trip either layer of defense (it was a generic piece targeting keywords found in a post). The filters are just barely keeping pace with the increased volume.

The blog spammers must be getting desperate. The only other explanation I can think of is courtesy (keeping offensive language out of the posts), and I just can’t ascribe that motive to them.

The latest attack on this site consists of randomly-generated alphanumeric strings. Name? ah87fdfbqpo3q9483fhc. Email? ahsdhufs@q98hf4i4whfcia487f.com. URL? augfagfwi7832hr732rh8732fcfiuh.example.com. (I assume they have a wildcard DNS set up for random subdomains.) Content? Try something like “ads78shafi7 uigiutgw87n srgn743fnufc42.” (I’m typing my own gibberish, just in case the plan is to search for particular strings and see which sites have actually posted.)

The “advantage” of this approach is that there is no content to filter. No references to pills, poker or porn, no common phrases, not even empty generic statements like “I really like you’re site” and “Your an idiot” with links tossed in. It’s just a bunch of meaningless letters and numbers and a link. After all, the link is all the spammer needs, to get that coveted PageRank.

Oh, about that link? Easily identifiable. SURBL-style lists eat them for breakfast, and Spam Karma has been snacking on these all morning. *chomp*

Yesterday morning, I remarked to Katie that it seemed odd that with the vast number of “zombie” computers infected with remote control programs via viruses, trojans, spyware, etc., their primary use so far has been sending spam. After 7-odd years of distributed computing projects ranging from demonstrating weaknesses in encryption schemes to searching for extra-terrestrial radio signals via SETI@Home, and reports that access to zombie nets is selling on the black market, you’d think someone out there would be trying to crack into the DoD or something. (That last link refers to phishing attacks, but the current form of phishing is very tightly coupled with spam.)

Last night I saw proof that zombies are at least branching out a little: they’re not just being used for email spam, but they’re also being used for comment spam. Starting around 8:30, someone started posting pairs of comments every 20-30 minutes. The content and links were identical each time, except for some random numbers in the (probably bogus) email and at the end of the body… but the IP address was different each time.

I caught it around 10:00, added “poker” to the list of moderation triggers, figured they’d give up when they saw their comments weren’t posting, and after another 3 pair (that’s not a legal hand, is it?) I just closed comments on the two posts.

Update 6pm: After a long afternoon dealing with server recovery issues, I checked my email and found about 40 “Please approve…” notices, starting around 1:45 and running all afternoon. All from the same blog spammer. A bit more aggressive than yesterday’s, because they hit a new post every time, but this batch all went straight into moderation. You’d think after you posted 20 comments and none of them showed up, you’d get the clue that it’s not worth posting 20 more…

Update 9am: I installed a plugin last night to block those comments from even reaching the moderation queue. Then laaate last night I noticed that it was screwing up comments with apostrophes, so I disabled it. The moderation notices started coming in immediately. 60 of them from around midnight to about 6am this morning. And none were ever displayed on the site. (Thank you, WordPress!)
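The pattern described in this post (identical content and links, random numbers in the email and at the end of the body, a different IP each time) defeats per-IP blocking but not a content fingerprint. This is an added example, not code from the original post or from any plugin mentioned in it; the sample queue, the field names, and the three-address threshold are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample queue (not data from the original post). IPs are from
# documentation ranges; the spam differs only in random digits and source IP.
QUEUE = [
    {"ip": "198.51.100.7", "email": "joe48213@example.com",
     "body": "Nice blog! Best poker rooms at http://poker.example/ 77120"},
    {"ip": "203.0.113.54", "email": "joe90355@example.com",
     "body": "Nice blog!  Best poker rooms at http://poker.example/ 1846"},
    {"ip": "192.0.2.199", "email": "joe1207@example.com",
     "body": "Nice blog! Best poker rooms at http://poker.example/ 530018"},
    {"ip": "192.0.2.10", "email": "reader@example.org",
     "body": "I toured that ship in 2004 and it was worth the trip."},
]

def fingerprint(comment):
    """Hash the e-mail and body with digit runs, case and spacing folded away."""
    text = f'{comment["email"]}\n{comment["body"]}'.lower()
    text = re.sub(r"\d+", "#", text)           # random numbers collapse to one token
    text = re.sub(r"\s+", " ", text).strip()   # spacing differences do not matter
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def distributed_duplicates(comments, min_ips=3):
    """Return comments whose fingerprint was seen from at least min_ips addresses."""
    ips_by_fp = defaultdict(set)
    for c in comments:
        ips_by_fp[fingerprint(c)].add(c["ip"])
    return [c for c in comments if len(ips_by_fp[fingerprint(c)]) >= min_ips]

if __name__ == "__main__":
    for c in distributed_duplicates(QUEUE):
        print("hold for moderation:", c["ip"], c["email"])
```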