Comment spam increasing lately


#1

Is anyone else getting more comment spam lately? It seems that in the
past week I’ll get 10+ nightly, so I’ll turn off comments (0) but then
turn them back on in a few days, since I write HOWTOs and I want to help
folks that have questions with them. When I turn them back on I’ll get
another 10+ that night. I’ve turned it back to 7 and then 14 without
any comment spam, so today I’m going to try 21, but still, this kills my
old HOWTO threads where folks still have questions.

I’m just wondering if this is part of a scripted attack or
what…haven’t had this issue until just recently.

Thanks

P

http://fak3r.com - you dont have to kick it


#2

phil wrote:

Is anyone else getting more comment spam lately?

Less here, and I have non-AJAX commenting enabled. I do, however, limit
people to 3 URLs per reply.

I’m wondering if it’s like graffiti–being really quick and thorough to
eliminate it discourages more.

mathew


#3

On May 12, 2006, at 7:46 AM, phil wrote:

what…haven’t had this issue until just recently.

Try restricting comments to AJAX only. That worked for me.


Josh S.
http://blog.hasmanythrough.com


#4

Do you have Non-Ajax comments turned on? Try turning them off… it
helps me plenty. Also, try turning off trackbacks as well…


#5

On Fri, 12 May 2006 10:33:59 -0500, “Steve L.”
removed_email_address@domain.invalid wrote:

Whoever uses spams from the *.50webs.com domain is able to post spam to
Typo even with AJAX comments enabled. I have had several hits from it.
Seems to target articles older than 40 days from what I have seen so far.
Lame yes?

Absolutely – back in Drupal I used BadBehavior
[http://www.homelandstupidity.us/software/bad-behavior/installing-and-using-bad-behavior/]
to stop this kind of junk. It’s PHP so I have no idea how hard it’d be
to bring into Typo.

P



http://fak3r.com - you dont have to kick it


#6

Whoever uses spams from the *.50webs.com domain is able to post spam to
Typo even with AJAX comments enabled. I have had several hits from it.
Seems to target articles older than 40 days from what I have seen so far.
Lame yes?


#7

“Steve L.” removed_email_address@domain.invalid writes:

Whoever uses spams from the *.50webs.com domain is able to post spam
to Typo even with AJAX comments enabled. I have had several hits
from it. Seems to target articles older than 40 days from what I
have seen so far. Lame yes?

I suppose it was inevitable that someone would work out how to get
round AJAX only comments.

I can’t remember the story number on the trac, but it looks like we
need to work on tweaking comment publication strategies and get an
approval queue working on the admin interface. Also, there’s probably
a case for making ‘nuke comment’ throw up a followup form suggesting
possible blacklist entries.

In the case where non-AJAX comments are enabled, there’s probably
something to be said for harvesting possible blacklist entries from
failed comments.

Does anyone know if any work’s been done on Bayesian comment spam
stopping?


#8

On 12 May 2006, at 16:33, Steve L. wrote:

Whoever uses spams from the *.50webs.com domain is able to post
spam to Typo even with AJAX comments enabled. I have had several
hits from it. Seems to target articles older than 40 days from
what I have seen so far. Lame yes?

Are you sure you’re not allowing non-ajax comments? What version of
Typo are you using? How many hits are you talking about? It’s quite
feasible that some of these are entered manually (one fella does
that). That’s nothing too much to worry about because it’s just not
feasible for large scale spamming and you can block it via the
blacklist or htaccess far more quickly than it takes him to spam
you. I get a minimum of 300 hits a day from a spamming group, but
not all of those hits are comment attempts. Can you track the
spammer back through the server logs to see if it is automated (which
I doubt)? Could you forward me details (IP’s and UA’s)?

It could definitely be possible to write an app that automatically
submits comments to Typo sites that stop non-ajax comments, but the
economic payoff for spam is its bulk nature and it just wouldn’t be
worth it. If anybody did that I’d say “Clever programmer … stupid
spammer”.

Moderation and easy article/comment navigation would be a good thing
to look at.

Cheers

Gary


#9

On Fri, 12 May 2006 18:38:50 +0100, Piers C. removed_email_address@domain.invalid
wrote:

I can’t remember the story number on the trac, but it looks like we
need to work on tweaking comment publication strategies and get an
approval queue working on the admin interface. Also, there’s probably
a case for making ‘nuke comment’ throw up a followup form suggesting
possible blacklist entries.

In the case where non-AJAX comments are enabled, there’s probably
something to be said for harvesting possible blacklist entries from
failed comments.

This is something I don’t fully understand, If I have it checked, it
will ‘Allow non-ajax comments’ – but what does this mean? If it’s
checked or unchecked the comment still ‘slides’ up – is that what is
meant by AJAX comments?

Sorry if this is obvious, I just can’t get my head around it ;0(

P


http://fak3r.com - you dont have to kick it


#10

On 12 May 2006, at 19:22, phil wrote:

This is something I don’t fully understand, If I have it checked,
it will ‘Allow non-ajax comments’ – but what does this mean? If
it’s checked or unchecked the comment still ‘slides’ up – is that
what is meant by AJAX comments?

Sorry if this is obvious, I just can’t get my head around it ;0(

It’s actually quite tricky to explain. I’ve tried to write this a
couple of times, maybe somebody will get in with a good explanation
before I post this.

Ajax commenting is the slide. If you are using a browser with
javascript support then you’ll see the slide always. It doesn’t
matter if you have the box checked or not.

If I access my site from my PocketPC or with javascript disabled on
my browser then I won’t see that slide. If I allow non ajax
commenting then I can still comment.

If I tried to submit a comment to a site from my PPC or from a
browser that has javascript disabled to a site which has disabled non-
ajax commenting then I couldn’t. I’d get an error and the comment
wouldn’t be submitted.

Spammers don’t use browsers. They use applications that target the
post and comment ‘form’ directly. They don’t bother with javascripts
and CSS styling because that is a waste of resources and would slow a
spam run down … they don’t need that info to spam. So when they
try to submit a comment to a Typo site that has non ajax commenting
disabled it’s the same as if they were trying to submit a comment
from a PPC or a browser with javascript disabled … they can’t.

Does that make sense?

Gary


#11

I have actually been getting some trackback spam. A lot more difficult
to handle since it’s using the xml-rpc backend.


Jon Gretar B.
http://www.jongretar.net/


#12

On 12 May 2006, at 19:41, Jon Gretar B. wrote:

I have actually been getting some trackback spam. A lot more difficult
to handle since it’s using the xml-rpc backend.

In my opinion trackbacks are only useful to spammers. You have
engines like Technorati to look at what’s being said about a site and
if you really want to comment on a post somebody has written …
leave a comment. For their usefulness compared to the hassle of
trackback spam it’s just not worth it in my book.

Disabled on every post.


#13

That makes a lot more sense - so to be more defensive I would ‘uncheck’
that option, which should stop any automated spam/posts. I’ll try that,
and if I get more spams then I can assume it’s someone doing it manually
and not automated. If I don’t get any I’ll ‘recheck’ it, wait for some
spam and grep out the IP/UA details to see if we can get a read on how
they’re running the automator.

Thanks for explaining!

P


#14

On Fri, 12 May 2006 14:06:11 -0500, “Steve L.”
removed_email_address@domain.invalid wrote:

Yes. r1022. Not many, but not sure I usually truncate my logs to under 1
meg. My site is not getting a lot of traffic, it is entirely possible that
it is manually entered spam. I am curious why someone would manually
target me though? The email addresses appear to be machine generated
though. There was another post on this list recently (matthew?) getting
hit by the same 50webs guy. He posted an example of the logging output.

What would I grep for in the logs/production.log file to pull out
comments and their details?

P



http://fak3r.com - you dont have to kick it


#15

Yes. r1022. Not many, but not sure I usually truncate my logs to under 1
meg. My site is not getting a lot of traffic, it is entirely possible that
it is manually entered spam. I am curious why someone would manually
target me though? The email addresses appear to be machine generated
though. There was another post on this list recently (matthew?) getting
hit by the same 50webs guy. He posted an example of the logging output.

Comment/Trackback moderation would be good. After Piers finishes up
changing the publishing stuff for articles it shouldn’t be too hard to
add. I don’t have enough of a problem with real comments yet to worry
about it though :frowning:


#16

On Saturday 13 May 2006 04:35, Gary S. wrote:

It could definitely be possible to write an app that automatically
submits comments to Typo sites that stop non-ajax comments, but the
economic payoff for spam is its bulk nature and it just wouldn’t be
worth it.

Aren’t all Typo sites basically the same though? It’s not like you have
to write the code differently for each individual site, and it’s not like
Typo is a marginal weblog system anymore. If anything, its user base
gives a spammer a targeted audience, if they wanted to spam about things
related to Ruby. :wink:

TX


#17

On 13 May 2006, at 02:16, Trejkaz wrote:

is a marginal weblog system anymore. If anything, its user base
gives a spammer a targeted audience, if they wanted to spam about
things related to Ruby. :wink:

Most of the spamming applications are targeted at specific blog
engines. Look in your logs and no doubt you’d still see people
trying to spam wp-comments.php. Every blog engine has a different
vector for commenting. I’m seeing spam attacks targeted specifically
at Typo installations because of the URL being called. What I meant
is that you could write an application targeted specifically at
submitting spam comments to Typo blogs that only allow AJAX
commenting. But the time taken to submit each comment doesn’t make
it commercially viable for spammers - it’s just not worth it. The
only pay-off in spamming is its bulk nature. You’re looking at
clickthrus because Typo uses ‘no follow’ as default for links (I’m
sure) so there isn’t really the pagerank payoff and Typo is still a
minority platform that, arguably, has a technical user base as its
majority - people that aren’t really going to be fooled by click-
thrus. The effort to write that application and use it isn’t worth it.

But somebody is obviously looking at spamming Typo sites because it’s
an untapped yet small market. But at the moment it’s more hassle
than it’s worth to work around the spam protection. That’ll change
though, so it’s still worth keeping Typo’s spam protection updated and
improved. You’ll always have the bottom feeders in the spamming
community that’ll try to attack Typo … but that’s only because
they’re not very good spammers.

Gary


#18

On 12 May 2006, at 21:15, phil wrote:

What would I grep for in the logs/production.log file to pull out
comments and their details?

You need to check your server’s raw logs as well, but in
production.log grep for:

"submit"=>"submit"

and

"action"=>"comment"

That’ll narrow it down for you

Gary
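
An added example, not part of the original thread and not Typo's own code: one way to turn the two grep markers above into a per-IP summary of comment submissions, also counting posts that exceed the 3-URL limit mentioned earlier in the thread. The log layout (a `Processing ... (for IP at TIME) [METHOD]` line followed by a `Parameters:` line) and the sample entries are assumptions constructed for illustration.

```ruby
# Added example: per-IP summary of comment submissions in a Rails-style
# production.log. Layout and sample lines are constructed assumptions.
SAMPLE_LOG = <<~'LOG'
  Processing ArticlesController#comment (for 192.0.2.10 at 2006-05-12 03:10:01) [POST]
    Parameters: {"comment"=>{"body"=>"http://a.example http://b.example http://c.example http://d.example"}, "submit"=>"submit", "action"=>"comment", "id"=>"7"}
  Processing ArticlesController#read (for 192.0.2.10 at 2006-05-12 03:10:02) [GET]
    Parameters: {"action"=>"read", "id"=>"7", "controller"=>"articles"}
  Processing ArticlesController#comment (for 198.51.100.7 at 2006-05-12 09:41:30) [POST]
    Parameters: {"comment"=>{"body"=>"Thanks for the HOWTO"}, "submit"=>"submit", "action"=>"comment", "id"=>"9"}
  Processing ArticlesController#comment (for 192.0.2.10 at 2006-05-12 03:10:05) [POST]
    Parameters: {"comment"=>{"body"=>"http://a.example http://b.example http://c.example http://d.example http://e.example"}, "submit"=>"submit", "action"=>"comment", "id"=>"8"}
LOG

REQUEST   = /^Processing (\S+) \(for (\S+) at ([^)]+)\) \[(\w+)\]/
MARKERS   = ['"submit"=>"submit"', '"action"=>"comment"'].freeze
URL_LIMIT = 3 # per-reply URL limit mentioned earlier in the thread

# Pair each request header line with its Parameters line and keep only
# requests whose parameters carry both comment-submission markers.
def comment_attempts(log)
  attempts = []
  current = nil
  log.each_line do |line|
    if (m = REQUEST.match(line))
      current = { ip: m[2], time: m[3], method: m[4] }
    elsif current && line.lstrip.start_with?('Parameters:') &&
          MARKERS.all? { |marker| line.include?(marker) }
      attempts << current.merge(urls: line.scan(%r{https?://}).size)
      current = nil
    end
  end
  attempts
end

# Group attempts by client IP, busiest first, so candidates for the
# blacklist or htaccess stand out.
def summarise(attempts)
  attempts.group_by { |a| a[:ip] }.map do |ip, rows|
    { ip: ip, count: rows.size,
      over_url_limit: rows.count { |r| r[:urls] > URL_LIMIT } }
  end.sort_by { |s| -s[:count] }
end

summarise(comment_attempts(SAMPLE_LOG)).each { |s| puts s } if __FILE__ == $PROGRAM_NAME
```

User-agent strings are not in this log; they have to come from the web server's raw access log, matched on IP and timestamp.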


#19


On 13/05/2006, at 23:23 PM, Gary S. wrote:

But somebody is obviously looking at spamming Typo sites because it’s
an untapped yet small market. But at the moment it’s more hassle
than it’s worth to work around the spam protection.

They’re definitely targeting us, though, because I was receiving spam
even when I had non-AJAX comments disabled (although enough to hack
in a basic CAPTCHA system, “1 + 3 = ?”.)

TX



#20

On 13 May 2006, at 18:19, Morten Liebach wrote:

There’s an idea. Everyone hitting wp-comments.php and other tell-tale
pages gets blacklisted automatically. Would that be feasible?

Could be but there’d be no point. Anybody trying to attack through
the wp-comments vector is always going to fail so there’s no real
need to blacklist. Blacklisting should always be a managed affair
otherwise the rules and contents just get unmanageable. You’d never
know anybody was trying to comment spam your Typo site from
wp-comments unless you look in your logs. So there’s no real reason to
worry about it.

Gary