December 12, 2004

Smokin’ spam
Posted by Teresa at 10:56 PM *

We’ve been hit hard by comment spam this weekend. I’m talking 480 spams in ten minutes on Saturday morning. None of it has gotten past the combination of MT Blacklist plus the latest version of Movable Type, and Patrick hasn’t had to devote undue time or trouble to killing it.

I’d be interested in knowing whether anyone else got hit. In the meantime, if you’re having comment spam problems, consider upgrading to these fine, fine software products.

Comments on Smokin' spam:
#1 ::: iJames ::: (view all by) ::: December 12, 2004, 11:52 PM:

Hi. Long-time listener, first-time caller.

I'm curious, in the context of "consider upgrading to these fine, fine software products," does anyone have any thoughts or experiences on the relative spam-killing merits of Movable Type vs. WordPress? I have got to get off of Blogspot, but have not yet made up my mind on which tool to use.

Advance thanks for thoughts, rants, &tc.

#2 ::: pericat ::: (view all by) ::: December 12, 2004, 11:58 PM:

My latest comment spam hit was the week before last, and involved a whole lot of tacky URLs with no attempt at content. The wave before that one, perhaps two weeks prior, included content that would have been flattering had it been genuine, and attempted to munge its gambling promo URL info by using numeric HTML entities.

I think that since MT Blacklist uses regex matching, that sort of thing would be transparent to you as it would spot such a comment as spam without your doing anything special.

From my logs, it seems like waves of comment spam are preceded by a day or so's logjam of dubious referrers and robot-like leafing through all possible URLs at my site. I set up an .htaccess file to deny access to any request where the referrer (not the actual user's PC's name) was a .info or .biz domain. This has eased my worries, but YMMV.
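The entity-munging described in the comment above, as an added example that is not part of the original thread and is not MT-Blacklist's code: it assumes a filter that decodes HTML entities before applying its regex blacklist, and compares that with matching the raw submitted text. The patterns, the sample comment and the function names are constructed for illustration.

```python
import html
import re

# Constructed blacklist patterns for illustration (hypothetical entries under
# the reserved .example TLD; not taken from any real blacklist).
BLACKLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"casino-promo\.example",
    r"cheap-pills\.example",
)]

# Constructed comment: flattering text plus a link whose host name is written
# with numeric entities (&#99;&#97;&#115;&#105;&#110;&#111; decodes to "casino").
MUNGED_COMMENT = (
    'What a thoughtful post! <a href="http://'
    '&#99;&#97;&#115;&#105;&#110;&#111;-promo.example/">more here</a>'
)


def normalize(text, max_rounds=5):
    """Decode HTML entities until the text stops changing.

    Repeating the decode catches double encoding such as &amp;#99; and the
    round limit keeps the loop bounded on pathological input.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def raw_hits(comment):
    """Patterns that match the comment exactly as it was submitted."""
    return [p.pattern for p in BLACKLIST if p.search(comment)]


def blacklist_hits(comment):
    """Patterns that match after entity decoding, i.e. what a browser shows."""
    text = normalize(comment)
    return [p.pattern for p in BLACKLIST if p.search(text)]


if __name__ == "__main__":
    print("raw text:       ", raw_hits(MUNGED_COMMENT))
    print("after decoding: ", blacklist_hits(MUNGED_COMMENT))
```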

#3 ::: pericat ::: (view all by) ::: December 13, 2004, 12:12 AM:

iJames, both MT and Wordpress can be configured to handle spam; if you use MT, MT Blacklist is da bomb, if you use WP, there are several plugin options that you can use, depending on how you want to approach the problem. They're both fine blogging systems.

#4 ::: Steve ::: (view all by) ::: December 13, 2004, 01:15 AM:

Yep, I left town Friday night and was offline until Sunday morning when I opened my mail reader to the relatively slow grind of almost 1300 Blacklist holds...all from the same spammer.

It was fairly painless to get cleaned up while making a couple phone calls.

#5 ::: Linkmeister ::: (view all by) ::: December 13, 2004, 01:26 AM:

I got hammered on 12/5 but have only had about 25 on the 11th and 12th. The Hawai'i Metroblogging site has had a few get through this weekend.

#6 ::: Richard Cobbett ::: (view all by) ::: December 13, 2004, 04:52 AM:

I'm getting hammered on my Drupal powered site at the moment, along with a lot of other people. I've got the spam filter eating almost all of it automatically, but it's a real pain - my referrals list is unusable due to hundreds of fake links, while I often get more comment spams in a single day than my site's ever had comments.

What really annoys me is that it's quite blatantly the SAME GUY every time, cycling through random IP addresses in an attempt to use a bottom-feeding advertising method that my site blocks at the door anyway. Ngggh!

#7 ::: David Weman ::: (view all by) ::: December 13, 2004, 06:39 AM:

Sadly, No! is down because of a massive spam attack.

#8 ::: John Scalzi ::: (view all by) ::: December 13, 2004, 08:46 AM:

Lots of spam this weekend, easily expunged, however. I need to fire up the blacklist on my MT, but that requires begging from my techie friend who set up my MT in the first place.

#9 ::: Zed ::: (view all by) ::: December 13, 2004, 01:50 PM:

I'm still on MT 2.661. MT-Blacklist blocked seven pieces of comment spam last night; six got through. Between MT-Blacklist and having a heavily modified comments configuration, that's more than I've seen in a long time.

But it's still too many... if the spammers have bots that are smart enough to have anticipated all my mods and figure out how to automate spamming me, that leaves MT-Blacklist as my only defense, and my protection is only as good as my latest blacklist.

Time for more complications...

#10 ::: Mitch Wagner ::: (view all by) ::: December 13, 2004, 02:32 PM:

No unusual spam traffic here over the weekend.

I get a dozen to a hundred spam attempts every day. Since I installed MT 3.1x/MT-Blacklist 2.x about six weeks ago, the software has only failed to block one (1) comment spam attempt, out of all the hundreds or thousands I've received. And it's blocked no legitimate comments.

#11 ::: Daniel H. Alvarez ::: (view all by) ::: December 13, 2004, 07:14 PM:

Is it just me, or is the comment/site spammer methodology counterproductive? Really, what is the point? When I have seen the spam get through on various sites that I visit, all it has done to me is annoy the hell out of me while I scroll past the spam as quickly as possible, looking for the real comments.

Or is that the point?

#12 ::: Steve Taylor ::: (view all by) ::: December 13, 2004, 08:02 PM:

Daniel Alvarez writes:

> Is it just me, or is the comment/site spammer methodology counterproductive? Really, what is the point?

I've been told that the spam is not for humans, but for Google. Google builds its page ranking system partly by seeing how many different sites point to a given page, on the theory that the more sites that have a link to a page, the more interesting the page must be.

This theory used to be reasonably true, before people started playing games like this to artificially boost their page rankings.

#13 ::: katster ::: (view all by) ::: December 14, 2004, 12:41 AM:

I've been rather impressed at what closing all but the last ten days or so of posts has done. Between that and changing the comments link so it isn't mt-comment.cgi anymore, I haven't seen a spam for days. This, as you can imagine, is nice, especially since I'm the one doing all the spam deletions.

Of course, I'm still on MT 2.64 because I don't have the money to upgrade to the newer version. Mebbe when I'm no longer a student, I'll do that, since people seem to like MT3.

Zed: I'm going to keep your list of tips around so that if I have to do more than renaming the comment script, I've got a URL handy with tips for implementing them.

-kat

#14 ::: Chloe ::: (view all by) ::: December 14, 2004, 11:00 AM:

My question may be veering off the post question...
But has anyone else noticed on their blogs that spam tends to hit certain posts particularly, repeatedly?

For example, when the spam got to be at its worst, I noticed that it was the same few posts, in 2 different blogs, that were always getting hit.
And I have been unable to determine a common denominator between those posts.

No one has seemed to have an answer as to why those particular posts were the targets all the time.

Or is it really just a coincidence that they always hit those posts?

#15 ::: iJames ::: (view all by) ::: December 14, 2004, 12:40 PM:

Much thanks to those who responded to my question, both here and on my blog. (Yes, it's a work of fiction. But the dilemma between WP and MT is not.)

Another question, hopefully only marginally more annoying than the first one: I notice that, in talking about spam solutions here, the universal consensus seems to be blacklisting and moderating comment attempts. I'm impressed that it's so effective, but as a way to reduce moderation work, has anyone considered placing hurdles before the comment posting? Are there sound practical reasons against it?

I'm not talking about requiring user logins or authenticating via e-mail. Those sound like too much work for the casual commenter. But what about one of those "read this non-OCR-able swirly text and type in what it says" challenges? Would something like that turn off an average reader from commenting? Or putting a time interval between allowed comments?

I know that such plug-ins exist for WordPress, because I stumbled across them, and I'm sure they must exist for Movable Type. Do people not use them primarily because MT-Blacklist does the job? Or because they're perceived as too much hassle for the user?

#16 ::: Chloe ::: (view all by) ::: December 14, 2004, 03:59 PM:

iJames:

I don't know about those swirly graphics things... But for me that would be a last resort implementation, because quite frankly, I find them very annoying on other people's comments. I don't want to make it harder for real people to post real comments.

However, on my own blog, I did implement some kind of "pre-posting" kind of thing. I really can't explain what it is, except it involves a hidden field. A friend directed me to some blog where the instructions for adding it to the form/cgi were in a post.

Immediately after adding this hidden field, I stopped getting spam comments. But I was warned it could be a coincidence.

Then, less than a week later, I installed mt-blacklist.

For some months, I used to get spam comments every week, usually about 5-10 in a week, usually over the course of 1-2 days, across 2 blogs and about 5 blog posts.

After installing those 2 protection measures a few weeks ago, I've gotten a grand total of ONE spam comment that slipped through mt-blacklist. And also, a grand total of ONE spam comment that mt-blacklist took care of & prevented from posting, according to my activity log.

That's 2 spam comments that I know of over about 3 weeks, when I normally would've gotten about 30 in that time.

So I'm convinced now that the hidden field thing is what's fending off the bulk of spam comments.

But I'm no expert. And of course it could be a coincidence that maybe it just so happens in the past 3 weeks, I would've only gotten 2 spam comments without either of those measures.

(I'm sorry, but I didn't keep the URL to the blog/post that explained that hidden field thing - but I can ask the person who gave me the link, if someone can't find it - I believe the blog is a popular one if that helps.)

#17 ::: OG ::: (view all by) ::: December 14, 2004, 04:25 PM:

Chloe:

Sounds like recommendation #1 on Blogspam.

It's fairly simple to circumvent, but comment spammers don't seem to have gone to the trouble yet.

#18 ::: Chloe ::: (view all by) ::: December 14, 2004, 07:02 PM:

Yes, I went & looked... and Blogspam got it from where I was sent for it:

burningbird

The first time I went there I just quick got the info and left... Didn't realize the info was that old. 2 years.

If spammers haven't gone through the trouble yet, after 2 years, one wonders why... ?

I've never gotten hit with hundreds of spam at once. Even the days I would get hit, it would be 3-4 within a few hours, but not all exactly at the same time.

What I thought was interesting is this..
My friend just transferred his blog to WordPress, and he had 1,000 posts... Hadn't linked the new blog anywhere yet. And in one day, he got comment spam on every post.
Now how does something like that happen?

When I asked people why certain posts of mine, in particular, were getting hit, and others not... Some people suggested it was the way the spammers were finding those posts.
But if someone hadn't even linked their blog yet and they got hit... I'm wondering how. I'm assuming that the bots scan for WordPress comments file name on the system.
But I know that's not the problem with my MT - because I don't have specific comments pages - my comments are ONLY listed in the individual archive page. So there's nothing with the comments.cgi file in the URL for bots to find.

So how do they find me? It doesn't seem to explain that anywhere.

#19 ::: antukin ::: (view all by) ::: December 15, 2004, 12:52 AM:

Steve Taylor writes:

> I've been told that the spam is not for humans, but for Google. Google builds its page ranking system partly by seeing how many different sites point to a given page, on the theory that the more sites that have a link to a page, the more interesting the page must be.

However, a quick look at Google explains that 'But, Google looks at more than the sheer volume of votes, or links a page receives; it also analyzes the page that casts the vote. Votes cast by pages that are themselves "important" weigh more heavily and help to make other pages "important."'

So in short, spam is doubly useless. Grrrrr.

#20 ::: John Emerson ::: (view all by) ::: December 15, 2004, 08:07 AM:

Comment spam is a sign that you're popular. Sort of like being a movie star. Suck it up and deal with it, guys. On my sites we're begging for that kind of attention.

#21 ::: Teresa Nielsen Hayden ::: (view all by) ::: December 15, 2004, 08:50 AM:

Beg to differ, John. Moribund sites get spammed too.

#22 ::: Chloe ::: (view all by) ::: December 15, 2004, 01:04 PM:

Well, in light of Google's ranking system... Then I should be getting hammered with spam. I show up ridiculously high in google-ranking. I say ridiculously high because my site's not actually particularly popular or anything - but I come up on the first page for a lot of what I'd consider rather common search terms.
And my friend with the WordPress blog who got hammered in one day... he's not an a-list blogger, the victim blog wasn't even linked yet never mind not in google's index.

So that's not an adequate argument, I think.

Just like e-mail spam doesn't specifically target people, I don't think comment spam is particularly targeted either. It's all about the numbers. More bait, more bites. That's all.

#23 ::: John Emerson ::: (view all by) ::: December 15, 2004, 06:20 PM:

Hmph. Well, they're boycotting me.

#24 ::: Richard Cobbett ::: (view all by) ::: December 16, 2004, 04:54 AM:

"Just like e-mail spam doesn't specifically target people, I don't think comment spam is particularly targeted either. It's all about the numbers."

It just looks for the comment posting scripts, it doesn't care who you are. Once the idiots have found yours, they keep bombarding it - I get loads of folks trying to post spam to my WordPress powered blog, despite the fact that I deleted all the files and replaced it with Drupal aeons ago.

#25 ::: Dorothea Salo ::: (view all by) ::: December 16, 2004, 12:48 PM:

Chloe, the WordPress problem happens because spammers bypass the comment forms and insert their spam directly into the database underlying the weblog, including to post numbers for posts that haven't been written yet! When the post *is* written, the spam poofs into existence.

Security hole in the program, basically. The easiest (and I say this with some trepidation) fix is going into the database via phpmyadmin (a web-based MySQL database manager) and doing a mass comment delete from there.

I'm not sure whether the just-released WP 1.2.2 fixes this issue. It very well might.

Anyway, I don't even enable comments on my weblog and I still get spam -- referer spam. (Misspelling not of my making.) The Reffy boys are particularly good at trying to suck my bandwidth for no reason; check your server logs for adminshop or xopy.

#26 ::: Seth Breidbart ::: (view all by) ::: December 16, 2004, 04:15 PM:

I'm getting some really interesting ideas about what to do when I finally get around to setting up a blog.

It helps that I have a colo box that's currently sitting on an otherwise-abandoned 100Mbps line, with no bandwidth charges.

(Insert updated version of the Mark Twain line about not picking fights with people who buy ink by the barrel.)

Technical point: the comment spammers look for files with a particular name (the script used for posting comments). If they find it, they feed it a "POST" command with their spam. Now if somebody were to write a script that took whatever it was sent, and forwarded that along with some explanation ("This was generated by an unlinked script, apparently by a comment spammer, running from IP address XXX") to the appropriate abuse address for the spammer's ISP, and give it a name the spammers look for, . . .

#27 ::: Chloe ::: (view all by) ::: December 17, 2004, 12:09 AM:

Well, I did get hit today with the massive spam thing.
Started with the very first post. I think it's going to try to spam every post.

I was on-line at the time and get e-mail notification, so I was able to blacklist & purge it after only 13 spams got posted.

I checked the MT-Blacklist master list, and the URL wasn't on there. (I have updated my list from the master list a couple of times.)
I sent the URL to be added, though I'm not sure if I did it right.

I'm still curious as to the file name thing of the comment script. My comment script is not available with that file name in it anywhere... But can they get to it anyway?

#28 ::: Steve Eley ::: (view all by) ::: December 17, 2004, 09:37 AM:

Seth Breidbart wrote:
> Technical point: the comment spammers look for files with a particular name (the script used for posting comments). If they find it, they feed it a "POST" command with their spam.

Possibly stupid idea: if one were to rename that script file to something random, as well as a search-and-replace across the rest of the source code, might one be able to stop all comment spam at the head?

It might make upgrades and plug-ins a pain. And I'm aware, of course, that anyone would be able to find the new script name anyway by looking at the HTML. But if spammers go after the low-hanging fruit, this could possibly raise one's blog entirely above their heads.

#29 ::: pericat ::: (view all by) ::: December 17, 2004, 01:38 PM:

> Possibly stupid idea: if one were to rename that script file to something random, as well as a search-and-replace across the rest of the source code, might one be able to stop all comment spam at the head?

Doing so helps, to a degree. It was one of Yoz's famous suggestions last year. But most of the spam bots look, not only for a given file name, but for the presence of certain fields and actions within any of the cgi or php files at a site. Some look also for the default phrases that appear just before the comment entry section (ex: "leave a comment", "html allowed", etc) to help them target a comment-enabled post.

#30 ::: Seth Breidbart ::: (view all by) ::: December 17, 2004, 04:03 PM:

If you really want to fight effectively, the thing to do would be to examine your logs to see what was requested "strangely": not following a link from your site (or a reasonable link from elsewhere). The IP address requesting might also prove interesting; I don't know if comment spammers are using zombies the way email spammers are (yet).

Changing all the names around would make it a lot harder to find that you allow comments and figure out how to spam them. If the changes were applied with a script, that could also be run against upgrades and plugins before applying them.
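The log review suggested in the comment above, combined with the .info/.biz referrer rule from comment #2, as an added example that is not part of the original thread: it reads Apache combined-format lines and flags comment-script POSTs that did not follow a link from the site. The host name, script path, reason labels and log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

SITE_HOST = "blog.example.org"                # assumption: your own host name
COMMENT_SCRIPT = "/cgi-bin/mt-comments.cgi"   # assumption: comment script path
SUSPECT_TLDS = (".info", ".biz")              # the referrer TLDs from comment #2

# Apache "combined" log format: ip, ident, user, [time], "request", status,
# bytes, "referer", "user-agent". Only the fields used below are captured.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+ "(?P<ref>[^"]*)"'
)

# Constructed sample log (documentation IP ranges, made-up host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2004:09:14:02 -0500] "GET /archives/005801.html HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Dec/2004:09:16:40 -0500] "POST /cgi-bin/mt-comments.cgi HTTP/1.1" 302 0 "http://blog.example.org/archives/005801.html" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2004:09:17:01 -0500] "POST /cgi-bin/mt-comments.cgi HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.5 - - [12/Dec/2004:09:17:05 -0500] "GET /archives/000123.html HTTP/1.0" 200 9120 "http://constructed-placeholder.biz/" "-"',
]


def analyze(lines):
    """Return (ip, path, reasons) for each request that looks 'strange'."""
    pages_seen = defaultdict(set)   # ip -> paths that address has fetched
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not combined format
        ip, method, path = m["ip"], m["method"], m["path"].split("?")[0]
        ref_host = urlsplit(m["ref"]).hostname or ""   # "-" yields ""
        reasons = []
        if ref_host.endswith(SUSPECT_TLDS):
            reasons.append("referrer-tld")
        if method == "POST" and path == COMMENT_SCRIPT:
            if ref_host != SITE_HOST:
                reasons.append("post-no-site-referrer")
            if not pages_seen[ip]:
                reasons.append("post-without-page-view")
        elif method == "GET":
            pages_seen[ip].add(path)
        if reasons:
            findings.append((ip, path, reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in analyze(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
```

The Referer header is supplied by the client, so a clean result here does not prove a request was legitimate; the findings are leads for review, not verdicts.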

#31 ::: Paul ::: (view all by) ::: December 18, 2004, 09:26 PM:

Just posting to say that Slashdot has a story running on MT comment spams at the moment. Various links, including to Six Apart recommendations for config changes.

iJames: the "captchas" - swirly text - are annoying for most people, particularly since the spammers seem to have solved the 'easier' ones (going from the fact Yahoo switched from the clear-ish ones to the current ones). I'm told they're also a right bugger if you've got sight problems.

#32 ::: abi spots comment spam ::: (view all by) ::: January 02, 2007, 04:20 PM:

Higgledy-piggledy,
Mexico pharmacy
Haplessly cluttering
Comment threads here.

Hammedy-spammedy
Certainly time for it
Incontrovertibly
To disappear.

#33 ::: David Goldfarb notes more spam ::: (view all by) ::: January 08, 2007, 03:11 AM:

The URL doesn't even take you straight to gambling, just to a google search. Sheesh.

#34 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 08, 2007, 07:25 AM:

Thank you, thank you. Spams all gone. Bad spams!

#35 ::: abi ::: (view all by) ::: February 13, 2007, 05:11 PM:

Turning beyond right
Angles, the message sits at
Ninety eight degrees.

Or does it mean heat
Just below the boiling point
Time to make our teas?

But education
Shouldn't be from comment spam
So kill it off, please.

#36 ::: abi spots comment spam ::: (view all by) ::: February 13, 2007, 05:23 PM:

Forgot to change my name to draw attention to the thread.

Kill kill kill the spam
Delete Delete Delete it
You know you want to.

#37 ::: ethan sees a spammy spammer leaving spam ::: (view all by) ::: March 26, 2007, 02:27 AM:

They sure do like this thread. Do they think they'll blend in?

#38 ::: abi sees comment spam ::: (view all by) ::: May 24, 2007, 05:29 AM:

Ironic how many times this thread gets spammed, isn't it?

#41 ::: Dawno sees double comment spam! ::: (view all by) ::: May 24, 2007, 08:51 PM:

I hope I don't need new glasses.

#42 ::: Bill Higgins-- Beam Jockey spots another one to smoke ::: (view all by) ::: May 24, 2007, 08:52 PM:

They just keep coming back for more, don't they?

#46 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 08, 2008, 08:22 PM:

I think I'm going to put an end to this thread's usefulness to them as a known location.

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 by Patrick & Teresa Nielsen Hayden. All rights reserved.