Forum: Typo Comment spam increasing lately

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
phil (Guest)
on 2006-05-12 21:35
(Received via mailing list)
Is anyone else getting more comment spam lately?  It seems that in the
past week I'll get 10+ nightly, so I'll turn off comments (0) but then
turn them back on in a few days, since I write HOWTOs and I want to help
folks that have questions with them.  When I turn them back on I'll get
another 10+ that night.  I've turned it back to 7 and then 14 without
any comment spam, so today I'm going to try 21, but still, this kills my
old HOWTO threads where folks still have questions.

I'm just wondering if this is part of a scripted attack or
what...haven't had this issue until just recently.

Thanks

P
--
http://fak3r.com - you dont have to kick it
mathew (Guest)
on 2006-05-14 20:27
(Received via mailing list)
phil wrote:
> Is anyone else getting more comment spam lately?

Less here, and I have non-AJAX commenting enabled. I do, however, limit
people to 3 URLs per reply.

I'm wondering if it's like graffiti--being really quick and thorough to
eliminate it discourages more.


mathew
Josh Susser (jsusser)
on 2006-08-03 14:22
(Received via mailing list)
On May 12, 2006, at 7:46 AM, phil wrote:
> what...haven't had this issue until just recently.
Try restricting comments to AJAX only.  That worked for me.

--
Josh Susser
http://blog.hasmanythrough.com
Jake Good (Guest)
on 2006-08-03 14:22
(Received via mailing list)
Do you have Non-Ajax comments turned on? Try turning them off... it
helps me plenty. Also, try turning off trackbacks as well...
Steve Longdo (Guest)
on 2006-08-03 14:23
(Received via mailing list)
Whoever uses spams from the *.50webs.com domain is able to post spam to
Typo even with AJAX comments enabled.  I have had several hits from it.
Seems to target articles older than 40 days from what I have seen so far.
Lame yes?
phil (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On Fri, 12 May 2006 10:33:59 -0500, "Steve Longdo"
<steve.longdo@gmail.com> wrote:
> Whoever uses spams from the *.50webs.com domain is able to post spam to
> Typo even with AJAX comments enabled.  I have had several hits from it.
> Seems to target articles older than 40 days from what I have seen so far.
> Lame yes?

Absolutely -- back in Drupal I used BadBehavior
[http://www.homelandstupidity.us/software/bad-behav...]
to stop this kind of junk.  It's PHP so I have no idea how hard it'd be
to bring into Typo.

P

--
http://fak3r.com - you dont have to kick it
Piers Cawley (Guest)
on 2006-08-03 14:23
(Received via mailing list)
"Steve Longdo" <steve.longdo@gmail.com> writes:

> Whoever uses spams from the *.50webs.com domain is able to post spam
> to Typo even with AJAX comments enabled.  I have had several hits
> from it.  Seems to target articles older than 40 days from what I
> have seen so far.  Lame yes?

I suppose it was inevitable that someone would work out how to get
round AJAX only comments.

I can't remember the story number on the trac, but it looks like we
need to work on tweaking comment publication strategies and get an
approval queue working on the admin interface. Also, there's probably
a case for making 'nuke comment' throw up a followup form suggesting
possible blacklist entries.

In the case where non-AJAX comments are enabled, there's probably
something to be said for harvesting possible blacklist entries from
failed comments.

Does anyone know if any work's been done on Bayesian comment spam
stopping?
phil (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On Fri, 12 May 2006 18:38:50 +0100, Piers Cawley <pdcawley@bofh.org.uk>
wrote:
> I can't remember the story number on the trac, but it looks like we
> need to work on tweaking comment publication strategies and get an
> approval queue working on the admin interface. Also, there's probably
> a case for making 'nuke comment' throw up a followup form suggesting
> possible blacklist entries.
>
> In the case where non-AJAX comments are enabled, there's probably
> something to be said for harvesting possible blacklist entries from
> failed comments.


This is something I don't fully understand. If I have it checked, it
will 'Allow non-ajax comments' -- but what does this mean?  If it's
checked or unchecked the comment still 'slides' up -- is that what is
meant by AJAX comments?

Sorry if this is obvious, I just can't get my head around it ;0(

P


--
http://fak3r.com - you dont have to kick it
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 12 May 2006, at 16:33, Steve Longdo wrote:

> Whoever uses spams from the *.50webs.com domain is able to post
> spam to Typo even with AJAX comments enabled.  I have had several
> hits from it.  Seems to target articles older than 40 days from
> what I have seen so far.  Lame yes?

Are you sure you're not allowing non-ajax comments?  What version of
Typo are you using? How many hits are you talking about? It's quite
feasible that some of these are entered manually (one fella does
that).  That's nothing too much to worry about because it's just not
feasible for large scale spamming and you can block it via the
blacklist or htaccess far more quickly than it takes him to spam
you.  I get a minimum of 300 hits a day from a spamming group, but
not all of those hits are comment attempts.  Can you track the
spammer back through the server logs to see if it is automated (which
I doubt)?  Could you forward me details (IPs and UAs)?

It could definitely be possible to write an app that automatically
submits comments to Typo sites that stop non-ajax comments, but the
economic payoff for spam is its bulk nature and it just wouldn't be
worth it.  If anybody did that I'd say "Clever programmer ... stupid
spammer".

Moderation and easy article/comment navigation would be a good thing
to look at.

Cheers

Gary
Jón Borgþórsson (jongretar)
on 2006-08-03 14:23
(Received via mailing list)
I have actually been getting some trackback spam. A lot more difficult
to handle since it's using the xml-rpc backend.

On 5/12/06, Gary Shewan <gpsnospam@gmail.com> wrote:
> that).  That's nothing too much to worry about because it's just not
> worth it.  If anybody did that I'd say "Clever programmer ... stupid


--
--------------
Jon Gretar Borgthorsson
http://www.jongretar.net/
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 12 May 2006, at 19:22, phil wrote:
>
> This is something I don't fully understand, If I have it checked,
> it will 'Allow non-ajax comments' -- but what does this mean?  If
> it's checked or unchecked the comment still 'slides' up -- is that
> what is meant by AJAX comments?
>
> Sorry if this is obvious, I just can't get my head around it ;0(
>

It's actually quite tricky to explain.  I've tried to write this a
couple of times, maybe somebody will get in with a good explanation
before I post this.

Ajax commenting is the slide.  If you are using a browser with
javascript support then you'll see the slide always.  It doesn't
matter if you have the box checked or not.

If I access my site from my PocketPC or with javascript disabled on
my browser then I won't see that slide.  If I allow non ajax
commenting then I can still comment.

If I tried to submit a comment to a site from my PPC or from a
browser that has javascript disabled to a site which has disabled non-
ajax commenting then I couldn't.  I'd get an error and the comment
wouldn't be submitted.

Spammers don't use browsers.  They use applications that target the
post and comment 'form' directly.  They don't bother with javascripts
and CSS styling because that is a waste of resources and would slow a
spam run down ... they don't need that info to spam.  So when they
try to submit a comment to a Typo site that has non ajax commenting
disabled it's the same as if they were trying to submit a comment
from a PPC or a browser with javascript disabled ... they can't.

Does that make sense?

Gary
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 12 May 2006, at 19:41, Jon Gretar Borgthorsson wrote:

> I have actually been getting some trackback spam. A lot more difficult
> to handle since it's using the xml-rpc backend.

In my opinion trackbacks are only useful to spammers.  You have
engines like Technorati to look at what's being said about a site and
if you really want to comment on a post somebody has written ...
leave a comment.  For their usefulness compared to the hassle of
trackback spam it's just not worth it in my book.

Disabled on every post.
Steve Longdo (Guest)
on 2006-08-03 14:23
(Received via mailing list)
Yes. r1022. Not many, but not sure I usually truncate my logs to under 1
meg.  My site is not getting a lot of traffic, it is entirely possible that
it is manually entered spam.  I am curious why someone would manually target
me though?  The email addresses appear to be machine generated though.
There was another post on this list recently (matthew?) getting hit by the
same 50webs guy.  He posted an example of the logging output.

Comment/Trackback moderation would be good.  After Piers finishes up
changing the publishing stuff for articles it shouldn't be too hard to add.
I don't have enough of a problem with real comments yet to worry about it
though :-(
Phil Cryer (Guest)
on 2006-08-03 14:23
(Received via mailing list)
That makes a lot more sense - so to be more defensive I would 'uncheck'
that option, which should stop any automated spam/posts.  I'll try that,
and if I get more spams then I can assume it's someone doing it manually
and not automated.  If I don't get any I'll 'recheck' it, wait for some
spam and grep out the IP/UA details to see if we can get a read on how
they're running the automator.

Thanks for explaining!

P
phil (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On Fri, 12 May 2006 14:06:11 -0500, "Steve Longdo"
<steve.longdo@gmail.com> wrote:
> Yes. r1022. Not many, but not sure I usually truncate my logs to under 1
> meg.  My site is not getting a lot of traffic, it is entirely possible that
> it is manually entered spam.  I am curious why someone would manually target
> me though?  The email addresses appear to be machine generated though.
> There was another post on this list recently (matthew?) getting hit by the
> same 50webs guy.  He posted an example of the logging output.

What would I grep for in the logs/production.log file to pull out
comments and their details?

P

--
http://fak3r.com - you dont have to kick it
Trejkaz (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On Saturday 13 May 2006 04:35, Gary Shewan wrote:
> It could definitely be possible to write an app that automatically
> submits comments to Typo sites that stop non-ajax comments, but the
> economic payoff for spam is it's bulk nature and it just wouldn't be
> worth it.

Aren't all Typo sites basically the same though?  It's not like you have to
write the code differently for each individual site, and it's not like Typo
is a marginal weblog system anymore.  If anything, its user base gives a
spammer a targeted audience, if they wanted to spam about things related to
Ruby. ;-)

TX
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 13 May 2006, at 02:16, Trejkaz wrote:

> is a marginal weblog system anymore.  If anything, its user base gives a
> spammer a targeted audience, if they wanted to spam about things related to
> Ruby. ;-)

Most of the spamming applications are targeted at specific blog
engines.  Look in your logs and no doubt you'd still see people
trying to spam wp-comments.php.  Every blog engine has a different
vector for commenting.  I'm seeing spam attacks targeted specifically
at Typo installations because of the URL being called.   What I meant
is that you could write an application targeted specifically at
submitting spam comments to Typo blogs that only allow AJAX
commenting.  But the time taken to submit each comment doesn't make
it commercially viable for spammers - it's just not worth it.  The
only pay-off in spamming is its bulk nature.  You're looking at
clickthrus because Typo uses 'no follow' as default for links (I'm
sure) so there isn't really the pagerank payoff and Typo is still a
minority platform that, arguably, has a technical user base as its
majority - people that aren't really going to be fooled by click-
thrus.  The effort to write that application and use it isn't worth it.

But somebody is obviously looking at spamming Typo sites because it's
an untapped yet small market.  But at the moment it's more hassle
than it's worth to work around the spam protection.  That'll change
though, so it's still worth keeping Typo's spam protection updated and
improved.  You'll always have the bottom feeders in the spamming
community that'll try to attack Typo ... but that's only because
they're not very good spammers.

Gary
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 12 May 2006, at 21:15, phil wrote:

> What would I grep for in the logs/production.log file to pull out
> comments and their details?

You need to check your server's raw logs as well, but in
production.log grep for:

"submit"=>"submit"

and

"action"=>"comment"

That'll narrow it down for you

Gary
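A scripted form of the grep described in the post above, as an added example that is not part of the original thread. It assumes the Rails 1.x production.log layout (a `Processing ...` line followed by an indented `Parameters:` line); the sample log and every address in it are constructed.

```ruby
# Added example: pull comment submissions out of a Rails production.log using
# the two patterns given in the post ("submit"=>"submit" and "action"=>"comment").
# Assumption: each request is logged as a "Processing Controller#action
# (for IP at TIME) [METHOD]" line followed by an indented "Parameters: {...}" line.

# Constructed sample log; addresses are documentation ranges, values are made up.
SAMPLE_LOG = <<~'LOG'
  Processing ArticlesController#read (for 192.0.2.10 at 2006-05-12 03:10:01) [GET]
    Parameters: {"action"=>"read", "id"=>"12", "controller"=>"articles"}
  Processing ArticlesController#comment (for 198.51.100.7 at 2006-05-12 03:14:55) [POST]
    Parameters: {"submit"=>"submit", "action"=>"comment", "id"=>"12", "controller"=>"articles"}
  Processing ArticlesController#comment (for 198.51.100.7 at 2006-05-12 03:14:58) [POST]
    Parameters: {"submit"=>"submit", "action"=>"comment", "id"=>"15", "controller"=>"articles"}
  Processing ArticlesController#comment (for 192.0.2.10 at 2006-05-12 09:02:30) [POST]
    Parameters: {"submit"=>"submit", "action"=>"comment", "id"=>"12", "controller"=>"articles"}
  Processing ArticlesController#search (for 203.0.113.5 at 2006-05-12 09:05:00) [POST]
    Parameters: {"submit"=>"submit", "action"=>"search", "q"=>"howto", "controller"=>"articles"}
LOG

PROCESSING = /^Processing (\S+)#(\S+) \(for (\S+) at ([\d\- :]+)\) \[(\w+)\]/

# Returns one hash per comment submission: who sent it, when, and to which article.
def comment_submissions(log_text)
  hits = []
  current = nil
  log_text.each_line do |line|
    if (m = PROCESSING.match(line))
      # Remember the request header so the Parameters line can be tied to an IP.
      current = { ip: m[3], time: m[4], method: m[5] }
    elsif current && line =~ /^\s*Parameters: (.*)$/
      params = Regexp.last_match(1)
      # Both patterns from the post must match, in either order.
      if params.include?('"submit"=>"submit"') && params.include?('"action"=>"comment"')
        hits << current.merge(article_id: params[/"id"=>"(\d+)"/, 1])
      end
      current = nil
    end
  end
  hits
end

# Submissions per client address, busiest first.
def submissions_by_ip(hits)
  hits.group_by { |h| h[:ip] }
      .map { |ip, rows| [ip, rows.size] }
      .sort_by { |ip, n| [-n, ip] }
end

if __FILE__ == $PROGRAM_NAME
  hits = comment_submissions(SAMPLE_LOG)
  hits.each { |h| puts "#{h[:time]}  #{h[:ip]}  #{h[:method]}  article #{h[:article_id]}" }
  submissions_by_ip(hits).each { |ip, n| puts "#{ip}: #{n} comment submission(s)" }
end
```

To run it against a real log, pass `File.read('log/production.log')` instead of `SAMPLE_LOG`; the web server's raw access log is still needed for user agents.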
Trejkaz (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 13/05/2006, at 23:23 PM, Gary Shewan wrote:
> But somebody is obviously looking at spamming Typo sites because it's
> an untapped yet small market.  But at the moment it's more hassle
> than it's worth to work around the spam protection.

They're definitely targeting us, though, because I was receiving spam
even when I had non-AJAX comments disabled (although enough to hack
in a basic CAPTCHA system, "1 + 3 = ?".)

TX

Morten Liebach (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 2006-05-13 14:23:21 +0100, Gary Shewan wrote:
> > have to
> trying to spam wp-comments.php. [snipped the rest]
There's an idea.  Everyone hitting wp-comments.php and other tell-tale
pages gets blacklisted automatically.  Would that be feasible?

Have a nice day
                                 Morten
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 13 May 2006, at 18:19, Morten Liebach wrote:
>
> There's an idea.  Everyone hitting wp-comments.php and other tell-tale
> pages gets blacklisted automatically.  Would that be feasible?

Could be but there'd be no point.  Anybody trying to attack through
the wp-comments vector is always going to fail so there's no real
need to blacklist.  Blacklisting should always be a managed affair
otherwise the rules and contents just get unmanageable.  You'd never
know anybody was trying to comment spam your Typo site from wp-
comments unless you look in your logs.  So there's no real reason to
worry about it.

Gary
Trejkaz (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On Sunday 14 May 2006 05:41, Gary Shewan wrote:
> On 13 May 2006, at 18:19, Morten Liebach wrote:
> > There's an idea.  Everyone hitting wp-comments.php and other tell-tale
> > pages gets blacklisted automatically.  Would that be feasible?
>
> Could be but there'd be no point.  Anybody trying to attack through
> the wp-comments vector is always going to fail so there's no real
> need to blacklist.

Not really.  The spammer will hit multiple URLs until they find the one that
works for the blog.  If someone hits wp-comments.php, then instantly
blacklisting them would prevent their comment working later on, when the bot
does use the correct URL.

Of course, the workaround for the spammer would then be to try Typo first.

TX
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 14 May 2006, at 01:59, Trejkaz wrote:
>
Utter rubbish, why bother just making an educated guess?  It doesn't
help anyone.

They do not hit multiple URLs, for most blogs they only need to try
four.  There's no point anyway because there are enough blog spamming
apps out there that come pre populated with thousands of blogs and
the attack vector that's needed for each one.  If they want to gather
any more they just use spiders.  If somebody needs to update an app
to include Typo blogs they only need download the source to discover
the vector needed.

Seriously - don't guess because it just confuses people that don't know.

-1
Trejkaz (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 14/05/2006, at 20:10 PM, Gary Shewan wrote:
> If somebody needs to update an app
> to include Typo blogs they only need download the source to discover
> the vector needed.

Look, I didn't say we had a "Cure for Spam".  I just described how
spamming applications work.  They don't just go "oh look, the site
isn't WordPress, let's stop trying."

TX

Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 14 May 2006, at 11:33, Trejkaz wrote:

> Look, I didn't say we had a "Cure for Spam".  I just described how
> spamming applications work.

But you aren't Trejkaz ... you're guessing how they work.  Never
helpful when trying to educate people on spam.

> They don't just go "oh look, the site
> isn't WordPress, let's stop trying."

Nobody said that.  Where did you get that from?

In fact I said the exact opposite - I still get wordpress vector
attacks because my blog is probably still included in a distributed
attack list ... along with a lot of others.

You're adding nothing now.
Trejkaz (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On Sunday 14 May 2006 21:58, Gary Shewan wrote:
> On 14 May 2006, at 11:33, Trejkaz wrote:
> > Look, I didn't say we had a "Cure for Spam".  I just described how
> > spamming applications work.
>
> But you aren't Trejkaz ... you're guessing how they work.  Never
> helpful when trying to educate people on spam.

I'm going off what I've seen in my website logs before.  That's as much
experience as you can expect someone to have, unless they've worked for a
spammer.  On the other hand if you've worked for a spammer, then fine, you
have more authority in this respect.

> > They don't just go "oh look, the site
> > isn't WordPress, let's stop trying."
>
> Nobody said that.  Where did you get that from?

The original suggestion was that we detect people posting to wp-comments.php,
and auto-blacklist them.

As I see it, this has two benefits.

  1. When the same spammer tries a second or subsequent hit on the same site,
     they would have already been blacklisted.  This is basically the same
     strategy firewalls use which detect scans against one port and then
     use that logic to block other ports.

  2. If we add them to a *global* blacklist, then we even help people who
     *are* running WordPress.

When I suggested that this might be a good idea due to #1, you basically said
"no it wouldn't", which is equivalent to saying that spammers give up after
trying WordPress.

They don't just go "oh look, the site isn't WordPress, let's stop trying."

TX
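One way to check against your own web server access log whether clients that request wp-comments.php also go on to post comments, which is the question the posts above disagree on. This is an added example, not code from the thread or from Typo; the `/articles/comment/<id>` route is an assumed Typo comment URL, the log is assumed to be in Apache combined format, and the sample lines are constructed.

```ruby
# Added example: for every client that requested a tell-tale path, count the
# comment POSTs the same address made afterwards.
require 'time'

TELLTALE_PATHS = [%r{/wp-comments\.php}].freeze     # path named in the thread
COMMENT_POST   = %r{\A/articles/comment/\d+}        # assumption: Typo comment route

# Apache combined log: ip ident user [time] "METHOD path proto" status ...
ACCESS_LINE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /

# Constructed sample log; addresses are documentation ranges.
SAMPLE_ACCESS_LOG = <<~'LOG'
  203.0.113.5 - - [13/May/2006:02:00:01 +0000] "POST /wp-comments.php HTTP/1.0" 404 210 "-" "-"
  203.0.113.5 - - [13/May/2006:02:00:04 +0000] "POST /articles/comment/12 HTTP/1.0" 200 512 "-" "-"
  198.51.100.7 - - [13/May/2006:02:05:00 +0000] "POST /wp-comments.php HTTP/1.0" 404 210 "-" "-"
  203.0.113.5 - - [13/May/2006:02:10:00 +0000] "POST /articles/comment/15 HTTP/1.0" 200 512 "-" "-"
  192.0.2.10 - - [13/May/2006:09:30:00 +0000] "GET /articles/2006/05/01/howto HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
  192.0.2.10 - - [13/May/2006:09:31:10 +0000] "POST /articles/comment/12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG

# Turns log text into hashes; lines that do not match the format are skipped.
def parse_access(log_text)
  log_text.each_line.map do |line|
    m = ACCESS_LINE.match(line) or next
    { ip: m[1],
      time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
      method: m[3], path: m[4], status: m[5].to_i }
  end.compact
end

# Returns one row per probing address with the number of comment POSTs that
# followed its first probe. Addresses that never probed are not listed.
def probe_then_comment(entries)
  first_probe = {}
  later_posts = Hash.new(0)
  entries.sort_by { |e| e[:time] }.each do |e|
    if TELLTALE_PATHS.any? { |re| re.match?(e[:path]) }
      first_probe[e[:ip]] ||= e[:time]
    elsif e[:method] == 'POST' && COMMENT_POST.match?(e[:path]) && first_probe.key?(e[:ip])
      later_posts[e[:ip]] += 1
    end
  end
  first_probe.map do |ip, t|
    { ip: ip, first_probe: t, comment_posts_after: later_posts[ip] }
  end
end

if __FILE__ == $PROGRAM_NAME
  probe_then_comment(parse_access(SAMPLE_ACCESS_LOG)).each do |row|
    puts "#{row[:ip]} probed at #{row[:first_probe].utc} " \
         "then made #{row[:comment_posts_after]} comment POST(s)"
  end
end
```

The output is a measurement to review by hand; a row with zero later POSTs means the probe was never followed by a comment attempt from that address.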
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
Trejkaz, have you ever heard the saying "It's better to keep quiet
and have people suspect you're a fool, than to open your mouth and
have it confirmed"?  It's a brilliant quotation.  One of those that
really helps in life.

That's harsh eh?  But I can't believe how ridiculous you're being.

On 14 May 2006, at 23:25, Trejkaz wrote:

> ... On the other hand if you've worked for a spammer, then fine, you
> have more authority in this respect.

So you're suggesting I've worked for a spammer because I know what
I'm talking about? A public accusation no less. That's libel
sunshine.  Would you like me to point you to news stories where
people have been sued for that?  Don't worry I'm not litigious, I
think you're stupid, but not so stupid that you'd ever repeat
anything like that ever again without being able to back it up.
You're not in the playground now so be careful what you say ... but
let's descend to that level eh?  Let's pretend it's the 80's again
and it's usenet.  Using that same flawed logic - because I know how
to attack a server that makes me a hacker or someone who's worked for
one?

It didn't cross your mind that to know how to prevent spam, or how to
secure a server you need to know how it's served and how they are
attacked?  It has nothing to do with the years I've spent tracking,
understanding and reporting spammers?  You visited my site and
checked out all my 'spamcombat' posts eh?  It's got nothing to do
with the fact that I need to know how to secure systems so I need to
know how they can be hacked?  All the experience I have working on
security projects count for nought?  It's got nothing to do with the
fact that I started off as a programmer and network engineer light
years ago when we still hand dialed BBS and waited for the tone ...
and that, in that time, I might have picked up a nugget of
knowledge or two?

Are you kicking yourself now?  Are you thinking "Doh! I didn't think
of that, the fella has a point?"  Are you feeling ridiculous?   Or
should I just take it that you were being petulant because your ego
was hurt?  Are you feeling as smug as when you sent that email?  In
real life this is where you'd try and salvage as much dignity as
possible and leave the room ... I know I would.  It's the 'Please let
the ground open up' scenario.  But in the same way people feel safe
enough in front of their PCs to spout drivel ... you get to read the
rest.

>      strategy firewalls use which detect scans against one port and
> up after
> trying WordPress.

If I hadn't mentioned wp-comments then it wouldn't have been up for
discussion.  You'd only know it was there if you looked in server
logs ... but by the way feel free to explain how you have a different
picture from your logs.  Especially the entries where spammers are
trying multiple URLs to find how to comment ... because seeing
something like that would really be one for the wall.  Some of my
friends and myself would marvel at that.  I'm being serious.

Your firewall analogy is comparing two entirely different things and
stinks of something just thrown together from buzzwords:

>> This is basically the same
>>      strategy firewalls use which detect scans against one port
>> and then
>>      use that logic to block other ports.

That makes no sense whatsoever. Explain which firewall actively
creates logic for port scanning as compared to all those that just
log it and ignore it?  Pretty resource intensive firewall you must
have there.  Port scanning hits - both the legitimate and dodgy kind
- happen every couple of minutes on the net.  Anybody running
Zonealarm (or any firewall really) just needs to turn on notification
of everything to see how often it happens.  Firewalls just passively
log it and log it.  There's no need for logic.

Of course it's a different matter with incoming traffic ... that
needs rules.  Did you mean that instead of port scanning?  I'd say
it's always easy to confuse the two ... but I'd be telling lies.

>>   2. If we add them to a *global* blacklist, then we even help
>> people who
>>      *are* running WordPress.

What?  Grasping at straws now eh?  Have to try and find a legitimate
point for your argument?  We're starting a blog 'Better Neighbour'
programme now?  How the hell do we help them?  Because let me tell
you the spam protection for Wordpress is light years ahead of
anything Typo has.

Maybe we should gather all IPs that hit our Typo sites in a dodgy
way and pass them on to the guys behind Spam Karma?  But wait, that
would be really dumb and ineffective and you end up with large blocks
of IPs blacklisted.  All those open proxies that serve a legitimate
service? ... to hell with them they're blocked because - surprise -
spammers use them too.  So when I use a dial up connection or a wifi
connection that a spammer has used I can't access my site because
it's a blacklisted IP?  Or are you going to explain how else you
blacklist?  Because there's only three bits of info you can use and
the only one that's guaranteed to be there is the IP.  Internet
cafes, libraries, schools, colleges, universities - all blocked
because at most of them some little scrote has had a go at spamming.

For anybody else *wanting* to learn something you should only block
by IP when you're getting a huge wave of traffic from a specific IP
or range that's making your server unstable (DoS or DDoS).  In the
long term IP blocking is senseless unless you know the specific
target of the block will stay at that IP ... and spammers certainly
don't.  If you block by IP always review it at a later date.  I only
have about five IP blocks ... all specific companies that I've banned
from the site.  This is why we use Bayesian filtering and regex to
combat spam of every kind.

>> When I suggested that this might be a good idea due to #1, you
>> basically said
>> "no it wouldn't", which is equivalent to saying that spammers give
>> up after
>> trying WordPress.

Ah now you have me there.  You see it's hard to carry on a discussion
when the other person guesses what I mean.  Silly me I went and WROTE
what I meant.  You'd be better off quoting me Trejkaz ... the beauty
of discussion lists that. Even if you deleted the mail look it up in
the archive.  I'd actually replied to Morten's post that blacklisting
wouldn't be a good idea IMO. He first suggested it, a very good and
legitimate point as well.  Just to refresh you:

On 13 May 2006, at 20:41, Gary Shewan wrote:
> never know anybody was trying to comment spam your Typo site from
> wp-comments unless you look in your logs.  So there's no real
> reason to worry about it.

Then you'd jumped on the bandwagon in direct response to that,
completely missing the point I'd made:

On 14 May 2006, at 01:59, Trejkaz wrote:
>
> Not really.  The spammer will hit multiple URLs until they find the
> one that
> works for the blog.  If someone hits wp-comments.php, then instantly
> blacklisting them would prevent their comment working later on,
> when the bot
> does use the correct URL.

And what I said wasn't quite "No it wouldn't" but more along the
lines of

On 14 May 2006, at 11:10, Gary Shewan wrote:

> They do not hit multiple URLs, for most blogs they only need to try
> four.  There's no point anyway because there are enough blog
> spamming apps out there that come pre populated with thousands of
> blogs and the attack vector that's needed for each one.  If they
> want to gather any more they just use spiders.  If somebody needs
> to update an app to include Typo blogs they only need download the
> source to discover the vector needed.

Oh and I also told you it was utter rubbish and to stop guessing at
what happens.  So was that where you decided I must work/have worked
for a spammer?  Was that where your ego went "Ouch"?

I'm having difficulty getting where I (or anyone else for that
matter) said that spammers give up after trying wordpress, I know
you're saying I didn't say it LITERALLY - but even the suggestion is
hard to see.  But maybe it was my fault because I should have just
replied highlighting the key elements of

> "Anybody trying to attack through the wp-comments vector is always
> going to fail ... You'd never know anybody was trying to comment
> spam your Typo site from wp-comments unless you look in your logs.
> So there's no real reason to worry about it."

But I didn't see it as that confusing for people when I wrote it you
see.  It seemed REALLY clear.

That's it from me Trejkaz - I'm done with you on this subject.
There's nothing new being shared here.  If it's sensible and
intelligent then fair enough, but what you've written so far has been
guesses and conjecture based on not a lot.  Everybody else has had
legitimate suggestions and questions.  You just brought your ego and
nothing else to back you up, coupled with an inability to accept you
might not know as much as you think.  Restraint is a great virtue ...
something I haven't demonstrated here but it might make you think
twice before you post.

So are you still feeling secure and smug sat at your PC?  Or are you
realising now that you're dealing with real people here?  I also
*strongly* suggest you don't make baseless accusations about people
in a public forum.  Think about your response - I'm sure you'll have
one.  Bear in mind if it's to me that I'll use this to judge it:

[If you're adding nothing new or you can't back it up, I'm not
interested]

Cos I'll just cut and paste that.

</ incredulous rant>

You're an active member of the discussion list Trejkaz.  That adds
value.  Just don't be an ejit.
Trejkaz (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On Monday 15 May 2006 20:14, Gary Shewan wrote:
> Trejkaz, have you ever heard the saying "It's better to keep quiet
> and have people suspect you're a fool, than to open your mouth and
> have it confirmed"?  It's a brilliant quotation.  One of those that
> really helps in life.

Seems like it's proved itself today.

>> They do not hit multiple URLs, for most blogs they only need to try
>> four.

Does it not hit multiple URLs, or does it hit four?  You can't have it both
ways, pick one.

> Oh and I also told you it was utter rubbish and to stop guessing at
> what happens.

I never claimed to know how they work.  I only wrote (truthfully) what I can
see them doing.  Yes, I can see them hitting multiple URLs.  No, I don't
happen to know the code they were using to do it.

TX
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 15 May 2006, at 11:46, Trejkaz wrote:

> Does it not hit multiple URLs, or does it hit four?  You can't have
> it both ways, pick one.

As this was in the context of a spamming application, they would only
need to hit four - if the blog was WordPress the comment submit form,
for Textpattern its form, for Movable Type its form and for Typo
its form.

All not hard to figure out as you just download the bloody code to
see EXACTLY what URL to hit for each one, which is why there is no
need for multiple URLs.

Is this getting through to you yet because I've said it about three
times now?  Are you actually reading the posts or just picking on
points?  Can we assume I know a little bit of what I talk about and I
think about what I write before I hit 'Send'?

> I never claimed to know how they work.  I only wrote (truthfully)
> what I can see them doing.  Yes, I can see them hitting multiple
> URLs.  No, I don't happen to know the code they were using to do it.

Funny it seems you claimed a lot of things ...

On 14 May 2006, at 01:59, Trejkaz wrote:
> Not really.  The spammer will hit multiple URLs until they find the
> one that works for the blog.  If someone hits wp-comments.php, then
> instantly blacklisting them would prevent their comment working later
> on, when the bot does use the correct URL.

On 14 May 2006, at 11:33, Trejkaz wrote:
> Look, I didn't say we had a "Cure for Spam".  I just described how
> spamming applications work.  They don't just go "oh look, the site
> isn't WordPress, let's stop trying."

Looks to me you were saying how they work ...  then it just got all
playground like.

Is that concept of me being able to quote EXACTLY what you said
beginning to bite yet?  Does personal dignity mean nothing to you?
Do you want to give the dead horse just one_more_kick?
Piers Cawley (Guest)
on 2006-08-03 14:23
(Received via mailing list)
Trejkaz <trejkaz@trypticon.org> writes:

> On Monday 15 May 2006 20:14, Gary Shewan wrote:
>> Trejkaz, have you ever heard the saying "It's better to keep quiet
>> and have people suspect you're a fool, than to open your mouth and
>> have it confirmed"?  It's a brilliant quotation.  One of those that
>> really helps in life.
>
> Seems like it's proved itself today.

Um, guys... Calm down. Please?

The saying I tend to think of in these matters is "Do not wrestle with
pigs, you only get muddy and the pig enjoys it."

Plus, after a while, you're both so damned muddy that nobody can tell
which one's the pig.
Ryan Williams (Guest)
on 2006-08-03 14:23
(Received via mailing list)
In all honesty, before Gary got all mad, it didn't sound like too bad
of an idea to me...

The battle against spammers won't be won until spam stops working.  In
the meantime, any idea that could give our side an edge should at
least be considered.  If it doesn't work, no harm is done.  If it
works, even for a little while, I call that successful.
Dick Davies (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 15/05/06, Ryan Williams <drcforbin@gmail.com> wrote:
> In all honesty, before Gary got all mad, it didn't sound like too bad
> of an idea to me...

I think the main point Gary was trying to make (in his own special way -
heehee) was that 1 IP != 1 user.


--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
Steve Longdo (Guest)
on 2006-08-03 14:23
(Received via mailing list)
Gary is really over the top.  Seriously if anyone is hitting your Typo
blog with a WordPress URL they are not a valid user, period.

Perhaps Gary will now scream at me and encourage other Typo users to
switch to another blogging engine to not have to put up with his
outbursts.
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 15 May 2006, at 20:15, Steve Longdo wrote:

> Gary is really over the top.  Seriously if anyone is hitting your
> Typo blog with a wordpress URL they are not a valid user, period.

I didn't think the conversation was technically accurate or helpful
then Trejkaz got personal with a silly accusation which I lost the
head over. Nothing to do with you Steve is it now?

> Perhaps Gary will now scream at me and encourage other Typo users
> to switch to another blogging engine to not have to put up with his
> outbursts.

Why would I do that?  Do you feel like switching because of a rant on
a discussion list?  Always a good criterion for choosing a blog
engine ...

Stirring trouble that's settled is never a clever thing to do.

Anybody else got anything personal to throw at me you don't need to
do it on this list.  Write about it on your blog, or comment on my
blog or mail me personally.
Steve Longdo (Guest)
on 2006-08-03 14:23
(Received via mailing list)
So to be clear Trejkaz is silly, the course of functionality development
for Typo has nothing to do with me, I am not clever for observing the
community busting tactics of one of the committers to Typo.

Thanks Gary, that clears it up for me.
Gary Shewan (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On 15 May 2006, at 21:04, Steve Longdo wrote:

> So to be clear Trejkaz is silly,

To publicly suggest I work for a spammer ... yes.

> the course of functionality development for Typo has nothing to do
> with me, I am not clever for observing the community busting
> tactics of one of the committers to Typo.

What?  Who would that be?  You know I'm not a Typo committer don't
you?  I'm a user.  The only committer involved in that discussion was
Piers and I thought he was being a very nice fella.  Had you emailed
me privately I would have told you that ... embarrassing on a public
forum to see mistakes like that being made ...

> Thanks Gary, that clears it up for me.

I hope it does.
Kevin Ballard (Guest)
on 2006-08-03 14:23
(Received via mailing list)
For reference, the way AJAX comments are detected is through a Rails
convenience method; all it really does is check for the
presence of a specific header that the Prototype JavaScript library
sticks on all of its XMLHttpRequest calls, so all a spammer really
has to do is realize this and start adding that header to their spams.
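
The header check described in the post above, as an added Ruby example that is not part of the thread and is not Typo's or Rails' code: because the header is client-supplied, it is scored as one weak signal next to the 3-URL limit and the WordPress-path probe mentioned earlier in the thread. The function names, verdicts, the "/comments" path and the sample requests are assumptions constructed for illustration.

```ruby
# Added example: not Typo's or Rails' code. Names and thresholds are assumptions.
MAX_LINKS     = 3                             # mathew's per-reply URL limit
FOREIGN_PATHS = %w[/wp-comments.php].freeze   # the WordPress path named in the thread

# Same idea as the Rails convenience method: the only evidence of "AJAX"
# is a request header, and the client chooses its own headers.
def xhr?(env)
  env.fetch("HTTP_X_REQUESTED_WITH", "").match?(/XMLHttpRequest/i)
end

def link_count(body)
  body.scan(%r{https?://}i).size
end

# Screen one comment POST. Returns [verdict, reasons].
def screen_comment(env, body)
  reasons = []
  reasons << :foreign_engine_path if FOREIGN_PATHS.include?(env["PATH_INFO"])
  reasons << :too_many_links      if link_count(body) > MAX_LINKS
  reasons << :no_xhr_header       unless xhr?(env)

  verdict =
    if (reasons & %i[foreign_engine_path too_many_links]).any?
      :reject    # drop this request only; no IP ban, since 1 IP != 1 user
    elsif reasons.include?(:no_xhr_header)
      :moderate  # weak signal: hold for review rather than discard
    else
      :accept
    end
  [verdict, reasons]
end

# Constructed Rack-style requests; "/comments" is a placeholder path.
XHR = { "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" }.freeze
SAMPLES = {
  "browser, AJAX form"       => [XHR.merge("PATH_INFO" => "/comments"), "Thanks! Notes: http://example.org/howto"],
  "plain form post"          => [{ "PATH_INFO" => "/comments" }, "Does this work on FreeBSD?"],
  "header set, link-stuffed" => [XHR.merge("PATH_INFO" => "/comments"), "http://a.example " * 5],
  "WordPress URL probe"      => [{ "PATH_INFO" => "/wp-comments.php" }, "hello"],
}.freeze

SAMPLES.each do |label, (env, body)|
  verdict, reasons = screen_comment(env, body)
  puts format("%-26s %-9s %s", label, verdict, reasons.inspect)
end
```

The third sample carries the header and is still rejected on content, which is why the header works as a filter only while bots do not send it.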
phil (Guest)
on 2006-08-03 14:23
(Received via mailing list)
On Mon, 15 May 2006 17:46:10 -0700, Kevin Ballard <kevin@sb.org> wrote:
>> economic payoff for spam is its bulk nature and it just wouldn't be
>> worth it.  If anybody did that I'd say "Clever programmer ... stupid
>> spammer".

Just as a followup to my original post, before, when I had "Allow
non-ajax comments" selected, I was getting 5-10 Spams each night.  Now
that I've unchecked it I haven't gotten a spam in over a week.  I would
suggest we change the wording of:

(Spam bots usually don't know anything about ajax comments)

to something along the lines of

(with this option enabled you will be more open to spam bot attacks - if
hit with a lot of spam, consider unchecking this option)

Perhaps not as word-y, but you get the idea.  So, for now, things are
running great!

Viva Typo!

P
--
http://fak3r.com - you dont have to kick it