Back to previous post: Losung

Go to Making Light's front page.

Forward to next post: Further Lolita alert

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

October 11, 2003

Lolita, damn her
Posted by Teresa at 02:10 PM *

Apologies to anyone who clicked on the name “Lolita” in the spam messages posted to seven of my old comments threads. I certainly didn’t enjoy the results when I did it. I’ve banned that site from posting here, but I doubt that’s the last spam we’ll see in these threads.

Those messages had some interesting properties. All the comments posted to Making light are also sent to me as e-mail. When I tried to past one of the e-mail versions of the Lolita spam into SpamCop, it hung my browser. I restarted and tried it again two more times, with the same results.

The other oddity is that when I went to delete Lolita’s comments using Movable Type, the text of the comment would replace the text of the original post as soon as the comment was deleted. I had to open the comment, copy its source code entire, delete the Lolita spam twice, then re-paste the text of the original comment into the main window.

Bad luck and a severe case of boils to whomever did this.

Addendum: Reading and Writing has the goods on this spammer. If you have a weblog of your own and have mechanisms for blocking unwanted participants, you might want to preemptively put Guy McFarland, 209.210.176.20, on your gag list.

See also Talk Left’s post and subsequent comments on this topic.

Comments on Lolita, damn her:
#1 ::: qB ::: (view all by) ::: October 11, 2003, 04:01 PM:

You can find out exactly who it was at Reading and Writing [http://chujoe.net/archives/000154.html] where Joseph Duemer did a bit of detective work.

#2 ::: brian w ::: (view all by) ::: October 11, 2003, 04:16 PM:

I've seen that bug you refer to about the comment text replacing the entry; it's an auto-fill bug in Safari, I think (the comment page text field is named "text" and so is the field on the entry page). As long as you don't hit "save" on the entry page, the entry won't be replaced by the comment. All the "Lolita" spams I've gotten have come from the same IP address so I just banned it from commenting within the MT interface. I can't wait until the MT-Blacklist is done.

#3 ::: TalkLeft ::: (view all by) ::: October 11, 2003, 04:23 PM:

We have been getting these comments posted constantly--this morning we had to delete and resave 15 posts. It's a huge pain, because the time we spent deleting this garbage could have writing our own stuff.

#4 ::: Alicia ::: (view all by) ::: October 11, 2003, 04:42 PM:

Thanks, guys. I have had this same problem on my site and was checking into it myself. Nice to find the answer where I wasn't looking!

And Teresa, I am reading "Making Book" for the first time. I am enjoying it tremendously.

#5 ::: Tim Hall ::: (view all by) ::: October 11, 2003, 05:14 PM:

Comes from Florida; could have guessed.

<Traveller>
Nuke the state from orbit; it's the only way to be sure.
</Traveller>

On a more serious topic, this post on the Movable Type message boards has a suggestion for dealing with these roaches by setting up a trap that automatically bans them.

#6 ::: Patrick Nielsen Hayden ::: (view all by) ::: October 11, 2003, 10:39 PM:

I've read those Movable Type message-board suggestions; unfortunately, they hover just beyond my level of technical understanding.

I desperately want the MT people to address this with some kind of patch or option that non-stupid, but non-technical, people like me and Teresa can understand. Now. Because if this problem isn't addressed in a hurry, it won't be long before we give up on this hobby.

#7 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 11, 2003, 10:47 PM:

Electrolite just got hit with a slew of Lolitas. Patrick is deeply displeased.

#8 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 11, 2003, 11:29 PM:

THIRTY-TWO OF THEM!!! Electrolite got hit with thirty-two Lolitas. The first thirty hit in a wave, and then the last two got posted while he was banning the sender.

I hunted down and killed every one of them. It was tedious and time-consuming. I could have been writing.

If you have a weblog or guestbook and have the abililty to block posts, I suggest you add 209.210.176.20 to your gag list RIGHT NOW.

#9 ::: spacewaitress ::: (view all by) ::: October 11, 2003, 11:32 PM:

I've got a DIY Movable Type setup and it has a few quirks, one being that I can't identify IP addresses.

I woke up this morning to find 15 Lolita comments. I was not happy. Deleted every one, wrote to the guy who hosts my blog to see if we can maybe finally implement IP banning.

#10 ::: adamsj ::: (view all by) ::: October 11, 2003, 11:33 PM:

Hi, Patrick and Teresa,

There are a fair number of technically-skilled people who read these weblogs and who would be perfectly thrilled to help you out with the suggested fix.

It's not my area of expertise, but if push comes to shove, I'd take a shot at doing it for you.

(There! That should shame someone better than me into helping you out.)

#11 ::: spacewaitress ::: (view all by) ::: October 11, 2003, 11:35 PM:

Addendum: I've been getting all kinds of spam comments on my blog lately. One-word comments that say "interesting" or "cool," and then the commenter's URL is something like www.us-discount-insurance.com. AAARRRRGHHH! I've also gotten, on one post where I discuss an email service I really like, about 15 comments from Nigerians hoping I can introduce them to Bill Gates.

Somewhat more understandable, but no less annoying, are the "my-blog-is-awesome-come-read-it" spam comments. Trust me, if you leave this kind of comment, you can rest assured that I will not go read your blog.

#12 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 11, 2003, 11:52 PM:

j, I know I'd appreciate the help. I expect Patrick will too, when he calms down a little. Right now his opinion is as follows: "My idea of how to technically address this problem is that someone should go to this guy's apartment -- we have his address! -- and technically punch him in the nose, after which he should be technically chased down the street, on foot!, by a pack of wild dogs." Then he started ranting about marine predation, a scenario which I gather involves crustaceans nibbling on this guy's eyeballs.

I have no objections. In the meantime, though, I want to implement some spam-blocking measures. Lolita's proprietors aren't the only spammers who've been hitting my site. My guess is that the knowledge of how to spam weblog comments sections is spreading in the spammer community. Best batten down the hatches now.

#13 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 12:32 AM:

What it looks like the posted script is trying to do is set a trap cgi, that, if accessed, will put a block into the .htaccess file.

I'm not convinced that this would be effective, since the easiest way to find the cgi for the message boards is to follow the link on the weblog page, and .htaccess only works if your apache server is configured to use it -- something J. Random Weblogger may not have access to change.

Worse, given the email spammer wars, I think you are in for a long, and quite possibly futile, war of attack and countermeasure. I like to think that filtering works -- but I've gotten over 100,000 spam emails hitting my server, despite more and more desperate attempts to stem the tide.

The more complex solution in the link, at first glance, looks more effective. Dropping IP addresses into a gag file may work for a while -- until they start using cracked machines as proxy servers, in which case, they'll dance from machine to machine.

I wish I could offer you a better answer. But, in truth, in the war against spam, we're losing, and badly.

#14 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 12:50 AM:

Oh, yeah. The fastest and safest way to delete them is to talk to the database directly. This presumes MySQL -- other SQL will be similar, other than step 1.

1) From the shell, type

mysql -u username -p

Give it the password. The user and pass should be set in the MT interface somewhere.

Once in, you'll get the MySQL prompt. First, we find them.

SELECT FROM mt_comment WHERE comment_url LIKE '%http://COMMENT_SPAM_URL%' OR comment_text LIKE '%http://COMMENT_SPAM_URL%';

Replace the %http://COMMENT_SPAM_URL% with the actual URL they are using, but you will need the single quotes around the string. This should return a bunch of spam -- and no real posts. If so, you can then blow them away with...

DELETE FROM mt_comment WHERE comment_url LIKE '%http://COMMENT_SPAM_URL%' OR comment_text LIKE '%http://COMMENT_SPAM_URL%';

In most SQL implementations, the capitalization of anything not in single quotes is unimportant, but tradition is you all cap keywords of the language, and lc variables and the like.

If you return, and nothing comes back except for a prompt, you almost certainly forgot the semicolon at the end. SQL statements end with a semicolon, if you don't put on, the SQL interpreter will thing you aren't done, and just ask for more. If you did forget, just put the semicolon on the next line, and it'll work. Most complex SQL statements are entered on multiple lines, so don't fret.

When in doubt, do a SELECT, which just retrieves, rather than a DELETE. If you are paranoid, and your database supports it, start with.

START TRANSACTION;

and do the deletes, if you screw up, run

ROLLBACK;

and it'll come back to the point where you typed START TRANSACTION. If you're happy,

COMMIT;

ends the transaction and makes it permanent. There are certain SQL commands that are implicit COMMITs, but that gets complex -- in general, anything that alters the structure of the database or the tables themselves, rather than the data within them, will automatically COMMIT all transactions before execution.

However, you can SELECT to your heart's content without hurting anything. And, when in doubt, "man mysql" wouldn't hurt

#15 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 12, 2003, 01:30 AM:

Queep, Erik.

Thank you for the information, which reads as though it ought to be admirably clear once I find out what the nouns mean. I'll start tomorrow with "SQL", and go on from there.

I'm sorry to hear that the bad guys are still winning the spam wars. Would it be so terribly wrong to launch DOS attacks againt outfits that advertise via spam?

#16 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 01:40 AM:

SQL: "Structured Query Language" Copyeds are naturals at it. You'll grok it in a half day. (Database design is another thing, but you don't need to design the MT database, you just need to read from it, and delete items in it. Piece o' cake. If you played Zork, you'll find that oddly familar. SQL, at it's simplest, is VERB NOUN from NOUN.)

As to DOS.

1) They own many, many, many more machines that you do. You can try -- they'll either ignore you, or slap you down. Note the number of anti-spam lists that have gone away under severe and sustained DOS attacks.

2) DOS attacks not only attack the bad guy, they attack anyone between you and them. Saturate a T3 feeding a router, and everyone connected to that router falls down.

3) Spammers may be more desperate that you are.

#17 ::: Tracy ::: (view all by) ::: October 12, 2003, 01:11 PM:

You can report these assholes to the FBI, online, by filling out a nifty little form. There is more info here. I don't delete the whole post. I just put this in its place: THIS COMMENT HAS BEEN DELETED. THE PERSON WHO LEFT THIS COMMENT IS A CHILD PORNOGRAPHER. ALL HEADER INFORMATION OF THIS POST HAS BEEN REPORTED TO THE CYBERCRIMES AGAINST CHILDREN DIVISION OF THE FBI.

#18 ::: adamsj ::: (view all by) ::: October 12, 2003, 01:16 PM:

Teresa,

If you didn't tell it to use MySQL, you're probably using BerkeleyDB (I think--I haven't read up on MT 2.6). And again, let me reiterate--use this form, without the wildcard, to block a range:

209.210.176.

Erik is right that these SOBs can overpower you, but that doesn't mean they will.

#19 ::: adamsj ::: (view all by) ::: October 12, 2003, 01:19 PM:

Sorry--I was in a hurry to post, and forgot to add that it's not so simple to delete with BerkeleyDB. I think someone would have to write you a script to do it--no command-line prompt.

As the cheerleaders (hopefully, not pre-teen) say:

Block that range! Block that range! Block that range!

#20 ::: Mean Dean ::: (view all by) ::: October 12, 2003, 11:06 PM:

Sometimes I wish I weren't so straight-laced. Otherwise I might consider a solution I learned on slashdot recently:

http://yro.slashdot.org/comments.pl?sid=77014&threshold=-1&commentsort=3&tid=111&mode=thread&cid=6855944

Instead, I'll just volunteer to help Jay test his application on an older version of MT.

#21 ::: James D. Macdonald ::: (view all by) ::: October 13, 2003, 11:08 AM:

Sometime in the last two months, in this web log, there was a two-word post, "Nice site," in a comment thread that hadn't gotten a post in years. It didn't make any sense in context.

I didn't follow the link from the poster's name.

I wonder now if that might not have been the first shot in this war.

Choose:
Smaller type (our default)
Larger type
Even larger type, with serifs

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.