October 14, 2003

Posted by Teresa at 12:47 AM *

Lolita’s website is down. We all still need better ways to block comment spam, but for the moment we can rejoice.

I meant to spend the last two days writing and editing. The vote in favor of a case of the boils for the authors of this episode still stands.

Comments on Fallen:
#1 ::: catie murphy ::: (view all by) ::: October 14, 2003, 01:15 AM:


I vote for the boils, too. That seems fair. A pox! A pox upon them! Bwahahahah!

Ahem. It's not even that late. I have no excuse. :)

#2 ::: Tim Hall ::: (view all by) ::: October 14, 2003, 05:06 AM:

Don't forget the Hemorrhoids I wished on them...

I assume you mean their actual pr0n site, not just their disposable Ukrainian-based click-through.

#3 ::: Tim Hall ::: (view all by) ::: October 14, 2003, 05:07 AM:

Don't forget the Hemorrhoids I wished on them...

I assume you mean their actual pr0n site, not just their disposable Ukrainian-based click-through.

#4 ::: Emma ::: (view all by) ::: October 14, 2003, 08:56 AM:

Gout. It's permanent...

#5 ::: Scott ::: (view all by) ::: October 14, 2003, 09:18 AM:

Gout is a good wish, Emma.

#6 ::: Karin ::: (view all by) ::: October 14, 2003, 10:47 AM:

Shingles. Or maybe incurable eczema.

They got my site too, although apparently not as badly as the Nielsen Haydens. Just wanted to say thanks to Teresa for the updates and resources -- useful stuff and much needed.

#7 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 14, 2003, 11:12 AM:

You're welcome. I was greatly relieved when my IP blocks successfully staved off "Underage", the third wave of spam comments. So far I've only heard from one weblog that got zapped by it, though that may have something to do with whatever it was that took down the advertised porn site.

#8 ::: Dave Trowbridge ::: (view all by) ::: October 14, 2003, 12:31 PM:

May he lose all his fingers and get a new wireless keyboard for Christmas.

#9 ::: Tim Hall ::: (view all by) ::: October 14, 2003, 02:16 PM:

Now I'm home, I can actually try and verify this. Sadly, although the Ukrainian redirection page is indeed down, the prOn site itself is still there. While there is a possibility that this whole thing was a Joe Job (see, I still think it's most likely the spammer was connected with that site.

The use of 'expendable' redirection sites is a very common tactic used by email prOn spammers.

#10 ::: Mean Dean ::: (view all by) ::: October 14, 2003, 03:52 PM:

Imagine my best Gomer Pyle imitation:

"surprise, Surprise, SURPRISE!"

Actually, not much of a surprise. I suspect it was people 'nibbling back' the url until they found an email address and then voiced concerns ... unless ...

... now none of you used wGet, Lynx or Curl for evil instead of good, did you? If you did, drop me a line and we'll arrange an online hand-slapping.

#11 ::: Tim Hall ::: (view all by) ::: October 14, 2003, 04:43 PM:

I did a traceroute on the 'real' pr0n site, and sent a complaint to the last step in the chain before them, which was a big web hosting company. I didn't bother with the Ukrainian redirection site on the basis that it's usually a waste of time complaining to such places as they're ten years behind the curve when it comes to enforcing robust AUPs; that's why spammers use them.

#12 ::: John Anderson ::: (view all by) ::: October 14, 2003, 05:19 PM:

For MT: *Solution for comments spams* "To cut the story short, I wrote a plugin to MT that will verify if it is a human before it allows comments to be posted. The idea is pretty simple: Display an image with a Security Code and demand the user to enter [that] Security Code manually before allowing posting to go through." See for possible updates.

#13 ::: Tim Hall ::: (view all by) ::: October 14, 2003, 05:31 PM:

The problem with that approach is that it will prevent visually impaired users from commenting.

#14 ::: Brooks Moses ::: (view all by) ::: October 14, 2003, 09:19 PM:

I had a thought on this subject, and on blocking techniques.

James D. MacDonald, in one of the earlier messages, made a comment along the lines that this sort of thing largely killed Usenet. Which struck me as a bit fatalistic; as far as I've seen, Usenet is far from dead, and the only problem with most groups that I read is that it's too crowded with real traffic for me to have time to read it all.

I am fairly sure that the difference is due to a fairly simple thing: the news server I use has a very simple but remarkably effective spam filter: if it's posted in more than five newsgroups (without being a crosspost that has follow-ups set to fewer than that), it goes away.

And, I suspect, this sort of thing would filter out the vast majority of blog-spams as well. The difficulty there, of course, is implementation.

So, here's what I propose: a central anti-spam comment blacklist server, run perhaps either freely or as a cheap subscription service. When I post a comment to a blog that's using this service, the blog sends a copy of the comment off to the blacklist server. The blacklist server compares the comment to a hash-based table of known spam comments, and returns a "yay" or "nay" response. Then, it stores the comment in a larger table of all received comments, and checks to see if it needs to be added to the spam table. Meanwhile, if the comment gets a "yay", it gets posted to the blog; otherwise, I get a "rejected" page.

This could, of course, be optimized in dozens of ways; particularly egregious spams could be forwarded from the blacklist to the blog servers pro-actively, so they can be rejected without any network traffic being required.

And, of course, there are all sorts of ways this could fail, but I don't think they are show-stoppers. It's vulnerable to a DDOS attack on the blacklist server, but since the server only needs to communicate with a known list of blog servers, router-level filtering should be pretty easy. It's vulnerable to randomized spam, but then again so is Usenet, and in practice on the server I use, those are remarkably uncommon. It's vulnerable to problems if the blacklist server fails, but there should be graceful ways to handle that at the blog-server level (probably by posting the messages provisionally, and then deleting later if they're spam).

A possible enhancement (or possibly simplification) would be a "blacklist light" approach, where one blocks messages if they link to a URL that's on the blacklist. (Return a "sorry, that URL is blacklisted; please enter a different URL and repost" page when people try to use it, perhaps.) This could be used in conjunction with the above as a quick way of weeding out spams without needing network traffic if the URL blacklist entries are automatically forwarded to each blog server, or it could be used by itself to achieve some utility without requiring nearly as large a local database on the blacklist server.
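A sketch of the central blacklist server proposed in comment #14, added here as an example; it is not code from the thread or from any Movable Type plugin. The class and function names, the "more than five blogs" threshold borrowed from the Usenet rule the comment cites, and the promotion of linked hosts into the URL list are all assumptions.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def fingerprint(text):
    """SHA-256 of the comment with case, punctuation and spacing folded away."""
    folded = re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()
    return hashlib.sha256(folded.encode("utf-8")).hexdigest()


def linked_hosts(text):
    """Lower-cased host names of every http(s) URL in the comment."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if host:
            hosts.add(host)
    return hosts


class BlacklistServer:
    """Hypothetical central server: verdict first, then record, then promote."""

    def __init__(self, max_blogs=5):
        self.max_blogs = max_blogs        # assumption: "more than five" rule
        self.seen = defaultdict(set)      # fingerprint -> blogs that received it
        self.accepted = defaultdict(set)  # fingerprint -> blogs told "yay"
        self.spam_hashes = set()          # hash table of known spam comments
        self.spam_hosts = set()           # the "blacklist light" URL list

    def check(self, blog_id, text):
        fp, hosts = fingerprint(text), linked_hosts(text)
        # Compare against what is already known before recording anything.
        known = fp in self.spam_hashes or bool(hosts & self.spam_hosts)
        verdict = "nay" if known else "yay"
        self.seen[fp].add(blog_id)
        if verdict == "yay":
            self.accepted[fp].add(blog_id)
        # Same text on more than max_blogs distinct blogs: promote to spam.
        if len(self.seen[fp]) > self.max_blogs:
            self.spam_hashes.add(fp)
            self.spam_hosts |= hosts
        return verdict

    def retractions(self, blog_id):
        """Spam fingerprints this blog was told to accept before promotion."""
        return {fp for fp in self.spam_hashes
                if blog_id in self.accepted.get(fp, ())}


def blog_submit(server, blog_id, text):
    """Blog-side call; posts provisionally if the server cannot be reached."""
    try:
        return "posted" if server.check(blog_id, text) == "yay" else "rejected"
    except ConnectionError:
        return "provisional"


if __name__ == "__main__":
    server = BlacklistServer()
    spam = "Hot deals!!! Visit http://spam.example/buy NOW"  # constructed sample
    for i in range(1, 8):
        print(f"blog{i}", blog_submit(server, f"blog{i}", spam))
    print("to delete on blog3:", len(server.retractions("blog3")))
```

Because the verdict is computed before the comment is recorded, the copies that arrive before the threshold is crossed are posted and have to be deleted afterwards through `retractions`. Promoting linked hosts automatically also means a spam run that links a legitimate site would get that site blocked, so the host list needs review or an allowlist before it is pushed out to blogs.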

#15 ::: Kris Hasson-Jones ::: (view all by) ::: October 14, 2003, 10:23 PM:

I notice a new kind of spam in Patrick's comments. Text with highlighted words that have embedded URLs. Yuck.

#16 ::: Claire ::: (view all by) ::: October 14, 2003, 10:24 PM:

I'm mean.

Shingles for the rest of their life with bouts of killer trots.

#17 ::: Karin ::: (view all by) ::: October 15, 2003, 12:11 AM:

think I've got another one:
Web site shilled: seems to be down, though, so if it's a comment spam, it's a very ineffective one.

Still, I'm banning hir arse, just to be safe.

#18 ::: Erik V. Olson ::: (view all by) ::: October 15, 2003, 12:12 AM:

Filter doesn't solve the problem. Filtering is merely a sandbag against the rising river. The spam still travels the wires. Those wires cost money.

I've started to see what companies are doing now. They're not buying more wire. They're not going to pay one thin dime more for internet access. Why?

Because they're sick of paying for spam. They are starting to get the idea that this whole internet thing isn't worth the money. And when they stop paying for wires, then the ISPs are either going to raise rates, or go out of business. Each time they raise rates, there will be more companies who declare that it's not worth the money for the spam.

And it's those lines that were supporting home dialups, DSL and cablemodems. Soon, those rates will rise, and so on.

And filtering at the client end does *nothing* to solve that problem. Indeed, what filtering has done so far is make the spammers try harder.

Losing Usenet was little loss -- reading Usenet without a killfile has been impossible for years. Losing email will suck, but, you know, the more I clear out the caughtspam folder, the less I care to even start the email client. I've hit an interesting number this month.

What might that be?

In the year 2003, I, Erik V. Olson, have received over 100,000 unsolicited commercial emails

One. Hundred. Thousand.

I thought 33,359 was bad -- that being 2002's total. Hell, I thought 5962 was bad, that being 2001's total. If I only knew. Heck, I'm well on my way to 20,000 spam a month.

At some point, soon, I'm giving up. I'm not willing to spend time I have, or money I really don't, so that I can get over 650 spam emails a day. There's exactly one killer app on the Internet -- email -- and it's being quite thoroughly destroyed.

The cooperative internet has failed.

#19 ::: Lois Fundis ::: (view all by) ::: October 15, 2003, 12:56 AM:

Abscessed teeth. All 32 of 'em -- I just can't decide whether all at once or in turns.

#20 ::: Aaron ::: (view all by) ::: October 15, 2003, 11:12 AM:

Just thought I'd post one solution to the problem.

#21 ::: Brooks Moses ::: (view all by) ::: October 15, 2003, 03:20 PM:

Erik, I'm beginning to wonder if perhaps I mistakenly am using an internet connection to an alternate universe or something. You say that "reading Usenet without a killfile has been impossible for years," and yet here I am with a current habit of reading Usenet daily without a killfile. Moreover, of the newsgroups that I read -- which are large and well-carried groups -- I think I've seen maybe a half-dozen commercial advertisements on them in the last two months (out of probably 15,000 messages in that time), and every single one of those half-dozen advertisements was essentially on-topic or posted by someone who read the group and responded to comments. Even if you mean that you need a killfile to weed out the netkooks, that hasn't been at all true in the groups I read.

So, as I was saying, I'm slightly baffled by the claims that Usenet is "lost"....

#22 ::: Patrick Nielsen Hayden ::: (view all by) ::: October 15, 2003, 05:13 PM:

I think it's probably significant that the two people in these threads who seem to most frequently break out into despairing perorations about the imminent death of the "cooperative Net" are both sysops. Aside from being a full-time writer and an EMT, Jim Macdonald manages the confering systems on Erik Olson has been a systems administrator for a bunch of different customers and has done elaborate and impressive work of that sort for various fannish enterprises as well.

In other words, these guys know how much hard work in the wings has gone into creating the sense of a well-functioning net, and I suspect they feel it's just gotten harder and harder. Like Brooks, I don't find the Usenet groups I dip into to be particularly blighted by spam, but then I use a very hard-working and technically clueful ISP which is no doubt busting its ass to keep its Usenet feed relatively clean. Likewise, that same ISP runs SpamAssassin on my incoming mail on their servers, before it ever reaches my machine, so I only actually run into a few spam emails a day.

I'm not sure what the moral is here. I suspect the Internet as we have it isn't as doomed as they're making it sound, but I don't blame them for feeling discouraged.

#23 ::: J Greely ::: (view all by) ::: October 15, 2003, 07:55 PM:

Dissenting data point: I've been a large-site sysadmin for about fifteen years, used to run one of the major Usenet backbone sites (took over tut from Karl Kleinpaste), and for the past six years have been running a network of servers that gives Internet access to hundreds of thousands of people (WebTV).

I most emphatically do not think we're seeing the beginning of the end. I miss the backbone cabal as much as anyone, but I don't think Usenet is a lost cause (even if I do take multi-month vacations from it now and then), and I've rehabilitated my email addresses to the point where they're more signal than noise (OS X, JunkFilter, and an aggressive Postfix configuration on my servers).

I agree that client-side email filtering is just a bandaid, and that most of the alternatives being suggested are either worthless or too cumbersome, but I don't think it's hopeless, and I don't think that companies are going to start abandoning their Internet connections. I remember what it was like to try to tie your field offices together with dedicated frame-relay and ISDN; nobody wants to go back to those days.

"Not buying more wire" does not necessarily lead to "getting rid of the wire they have today". Most of the companies I see falling off the net are people who didn't really have a good business reason for being there in the first place.


#24 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 15, 2003, 10:24 PM:

When are we going to get serious about spammers? Do you ever think about how much human effort gets pissed away dealing with them?

The invisible hand of the market is not going to fix this. All the invisible hand knows is that it's incredibly cheap to send spam, and the burden of dealing with it doesn't fall on the people making the decision to send it. So we've got sleazy US companies using sleazy US marketing firms to spam the internet, and they're doing it with impunity, because it's getting sent via some Elbonian provider that doesn't give a damn, and we don't have any other mechanism for stopping it.

Who is being served by this? Most of these vendors aren't part of the legitimate economy. You hardly ever see spam from real businesses. It's all Viagra ads, make money fast, Nigerian scams, get rich working at home, reconditioned toner cartridges cheap, and fictional fuckbunnies who want you to check out the hot action on their sites. The people running these outfits are so far down the scale that they probably haven't even been hit up to pay off George.

Meanwhile, valuable, hard-working guys like Erik Olson, Jim Macdonald, Jeffrey Dwight, and lord knows how many others are putting in long hours trying to stop this tidal wave of liquid pigshit. In spite of everything they can do, little kids and old ladies (yer mudder, my mudder) are still having to search for their much-cherished bits of mail in the midst of a sea of ads about how they can increase their penis size. What good does it do for me to have a superior ISP and superior filters, if people I want to hear from are getting driven off the internet by the sheer pressure of garbage? Raise your hand if you've ever lost legit mail to a spam filter. If you've ever quit a once-lively newsgroup that became untenable because the noise of spam drowned out the signal. If your corporation employs the equivalent of one or more resident techies to deal with incoming junk. If the amount of time you annually spend dealing with spam, if reimbursed at your normal billing rate, would pay for a hot weekend, a hot laptop, or a heating bill. If you wish internet traffic ran faster.

The percent of internet traffic that's spam is increasing by eight or nine percent per year. It may top 50% of total traffic this year. And the rate of increase is increasing.

The internet is the greatest piece of direct popular empowerment to come down the pike since the invention of democracy. It doesn't automatically change everything, but it could. It lets people find each other. Look at eBay. It's just one business, something some guy started so his Pez-collecting wife and her buds could trade with each other, but it's become the weirdest and most generative source of unforeseen commercial consequences in the whole business world, and it's only going to get bigger and weirder. Or look at weblogs -- a small thing, still sorting itself out, but already making itself felt in news reporting and political campaigns.

Why are we giving this away to liars, thieves, and Viagra hucksters?

#25 ::: Jon Meltzer ::: (view all by) ::: October 15, 2003, 10:37 PM:

"The internet is the greatest piece of direct popular empowerment to come down the pike since the invention of democracy ... Why are we giving this away to liars, thieves, and Viagra hucksters? "

Because the Internet is the greatest piece of direct power empowerment, et cetera, and that really pisses off Certain People.

#26 ::: J Greely ::: (view all by) ::: October 15, 2003, 11:32 PM:

"When are we going to get serious about spammers? Do you ever think about how much human effort gets pissed away dealing with them?"

I think about it every day, because we've got 700,000 paying customers who hate the stuff. We have several people who do nothing but fight it, and too many machines devoted to filtering it out. We've got people who (almost) long for the days when our ugliest task was printing out kiddy porn to forward to the FBI.

We're losing ground, but I don't think we're losing. Spam continues because spam works; the tiny fraction of a percent of users who actually order penis-enlarging pills online currently covers the cost of infuriating the rest of us.

All the arguments seem to be about the best way to raise the cost. From my point of view, it looks like people are currently trying to use technological solutions to the social problem and social solutions to the technological problem. Of course, if I had an answer, I'd be too rich to hang out in places like this. :-)

One of the big problems we've run into is that people refuse to accept blacklisting. If you completely refuse all mail from a source/netblock/isp/country that's mostly spam, you invariably get Real Customer Complaints about the minority non-spam. The Usenet Death Penalty was a great idea, but it doesn't seem to translate to the business world. I've been in meetings where an inconvenience for 10,000 people delayed a serious benefit for 500,000. Sometimes it was the right decision to make.

I think spam will stop when it stops working, and that will be when it doesn't deliver enough business to cover the cost of reaching the suckers. I don't know which aspect of the cost will be what tips the balance. I'm kind of rooting for "hospital bills" at the moment.

In a way, I'm cheered by the recent attempt at serious blogspamming. If email spam was still producing the results they wanted, why change tactics?


#27 ::: James D. Macdonald ::: (view all by) ::: October 15, 2003, 11:53 PM:

In a way, I'm cheered by the recent attempt at serious blogspamming. If email spam was still producing the results they wanted, why change tactics?

They haven't changed tactics. They're adding one more string to their bow. They noticed that there was a corner of the 'Net that wasn't filled to bursting with Cut Rate Mortgages, International Drivers' Licenses, and Lovely Lez Lickers, so they moved in. This isn't Instead Of email spam, it's In Addition To.

Someone who claims to be from Nigeria left two identical off-topic messages in one of Teresa's old threads tonight, under two different names. An honest effort at communication, do you think?

#28 ::: LauraJMixon ::: (view all by) ::: October 15, 2003, 11:56 PM:

"Of course, if I had an answer, I'd be too rich to hang out in places like this. :-)"

Oh, I don't know, J Greely; I once came across a Peter Jackson post in a bloggish / BBS kind of place...


#29 ::: Mean Dean ::: (view all by) ::: October 15, 2003, 11:58 PM:

Aaron ... thanks for the tips ... I took steps 2 and 3 ... that is, rename mt-comments.cgi ... then created a new mt-comments.cgi that not only tracks who the spammer is ... but then redirects them to the site they're advertising.

With any luck, they'll DDoS themselves silly.

#30 ::: J Greely ::: (view all by) ::: October 16, 2003, 03:44 AM:

James D MacDonald: "They're adding one more string to their bow."

Are they? When the penis-pill guy calls up his ad-man, does he order X million emails and Y major blogs, or does he pick the one that offers the better return for the same price?

It may simply be that this was the test run, to see if there was a viable market in large-scale blogspamming. But as an enhancement or an alternative? I honestly don't know, which is why I hedged my optimism a bit. I'm inclined to think that they're looking for alternatives, because writing code for spamming MT comments had to be a lot easier than evading the latest spam filters. It just got a bit harder, but last week it was a ten-minute hack.

What I do know is that the only spam emails that actually get through to my inbox these days are the ones that consist almost entirely of pictures that don't download. They're trying so hard to avoid text-based filters that they walked right into the trap. I'm down to about half a dozen unfiltered spams a day, and the only thing that gets through is the subject line.

LauraJMixon: "I once came across a Peter Jackson post in a bloggish / BBS kind of place..."

Heh; about five years ago, we were pleasantly surprised to discover that Hugh Hefner was reading the Playboy Mailing List. He never posted, but one of his senior editors was a regular, and some people on his staff were printing out the good bits and sending them to him. We ended up being invited over to the Mansion for a breakfast tour, with Hef as our guide.

He's since found other hobbies.


#31 ::: Kathryn Cramer ::: (view all by) ::: October 16, 2003, 07:15 AM:

Here's another IP to ban:

It belongs to a spammer advertising cheap flights.

#32 ::: BSD ::: (view all by) ::: October 16, 2003, 10:08 AM:

You know, I'd love to be able to still use my CU alum address, but though their spamfilters used to be so good that if I got one piece a day, it was above average, the sheer increase in volume led to the point where I was getting more spam than realmail (AND I was on the ffml, a high-volume list if there ever was one).

Luckily, tmo, for all their sins, seems to maintain reasonably good spamfilters: I get maybe a Nigerian spam per month, and not yet the same one twice (and half of those come through my YU address now, which is new and barely used..)

#33 ::: James D. Macdonald ::: (view all by) ::: October 16, 2003, 12:14 PM:

Just a few days ago, there was a spam by Diana Dudas, she of the perfect cure for frizzy hair, in the 11 June 2002 Making Light. That was most likely done by cut-n-paste. Hand crafted spam.

#34 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 16, 2003, 06:39 PM:

Diana Dudas is a no-talent broad who's so desperately impressed that she's written a single article that she thinks the rest of the world must be impressed with her as well. She's wrong.

You're right about the Nigerians. Damn. I ought to close down all my superannuated threads, but I hate doing it.

#35 ::: Sumana Harihareswara ::: (view all by) ::: October 19, 2003, 03:53 AM:

A lot of you use SpamAssassin or are familiar with other email spam-filtering systems. There is a newish bit of software called Reverend (after Reverend Bayes) that helps add Bayesian filtering smarts to any given application

and Leonard Richardson is incorporating it into a spam-filtering system for trackbacks and (soon) comments for his free weblogging software, NewsBruiser:

NewsBruiser's robustness and this sort of feature commend it to people on MT, given complaints I've heard from MT people.

You might remember Leonard from the Eater of Meaning.

The Eater of Meaning is a tool for extracting the message from the medium. Format and presentation are unaffected, but words and letters are subjected to an elaborate nonsensification progress that eliminates semantics root and branch.

#36 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 19, 2003, 11:47 AM:


Sumana Harihareswara, thank you very much. Either you or someone else here will have to explain to me what those first three links do. In the meantime, I am delighted by the Eater of Meanings.

The "eat endings" option is what the Well would call a nighthawks-and-waterskins filter. If I recall correctly, that discussion started as the report of a bug in someone's Bible concordance program which caused it to output scriptural texts where every word indexed by the concordance had been turned into the word several entries down in the concordance's alphabetical list. The sample text posted to demonstrate the effect was the creation of the world in Genesis, wherein night had been turned into nighthawk, and water had been turned into waterskins. For a long time thereafter, one of the participants used "And He called the darkness Nighthawk" as his nonce-name on the Well.

For anyone who didn't follow that: the "eat endings" filter takes each word and substitutes another word that has the same first three letters. I've just tried it on Making Light. Here's the original version of a brief recent post:

Open thread 8
05:06 PM | Comments (47) | TrackBacks (0)

The dogs bark, but the conversation moves on.

In the "eat endings" version, it comes out:
Openness three 3
88:27 PM | Compacted (91) | TransLations (3)

Theorized doghouse barking, butt thermostat configuration mover on.

The "eat words" option substitutes a random word of the same length for every word in your text:
Alma leiden 9
59:32 AS | Coolidge (60) | ApothEoses (0)

Hag play bane, ibn joe deemphasizes susan is.

"Eat letters" randomly substitutes other vowels for your vowels, and other consonants for your consonants:
Iyep csviur 9
37:88 WM | Qoqvevwz (20) | DlixtQalns (7)

Nwi surl higm, wex jbu rorluzwekuac ravoh of.

"Eat in Latin" just throws it into Lorem Ipsum; no need to explain that.

There's also a set of advanced options. "Eat chewy caramel center" is particularly interesting because it leaves the first and last letters in place but scrambles the letters between them. There's a text going around that purportedly demonstrates that such scrambling doesn't actually impede readability. It's a trick. The sample text in circulation has indeed been scrambled -- but in a non-random, still-readable way. The Open Thread 8 example doesn't give you the full effect, so if you're interested, try running "Eat chewy caramel center" on (say) CNN's main page, and see how readable it is. Here's our sample:

Oepn tehrad 8
05:06 PM | Cmnomets (47) | TBkcrkacas (0)

The dgos bark, but the cariotnevson mevos on.

"Eat and regurgitate" scrambles all the letters in the words:
Nepo htrdae 8
50:06 PM |Tmeomnsc (74) |AckrsTacbk (0)

The gdso bkra, btu the octnoaisenvr moesv no.

"Eat completely" removes all the words.

Of all the options that leave you your original words and letters, "Push around on the plate, but don't eat" is the hardest to read -- harder, even, than the options that randomly scramble letter order within words. What this one does is sort the letters in each word into alphabetical order:

Enop adehrt 8
05:06 MP |Cemmnost (47) |AabccKkrst (0)

Eht dgos abkr, btu eht aceinnoorstv emosv no.

Interesting, eh? I'll never again keep my Scrabble tiles neatly sorted.

#37 ::: Graydon asserts Comment Spam Claiming a Good Cause in "Fallen" ::: (view all by) ::: December 24, 2003, 02:14 PM:

And the link goes nowhere, too.

#38 ::: Teresa Nielsen Hayden ::: (view all by) ::: December 24, 2003, 02:28 PM:

Useless sods. Thanks for spotting that.

#39 ::: Mez sees comment spam, partly in Polish? ::: (view all by) ::: June 15, 2004, 03:39 AM:

Same as on Electrolite


Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 by Patrick & Teresa Nielsen Hayden. All rights reserved.