Winds of Change.NET: Dealing With Comment Spammer Infestations

October 12, 2003

Dealing With Comment Spammer Infestations

by Armed Liberal at October 12, 2003 12:12 AM

(Oct. 14th Update: MT-Blacklist has arrived!)

...our comments are being porn-spammed (at Armed Liberal as well, and I'll be emailing some other blogs to see if they've been hit as well). We're cleaning it up as fast as we can, but we've been hit by a series of spams from a Russian porn site. The last one appears to have left several hundred comments, and additional mutations are possible. So far we've seen "Lolita," Preteen," and "Underage". Teresa Nielsen Hayden has more info. on the spammers, Scriptygoddess has a slew of admin. options for you, and Burningbird has a fairly simple way to make it harder for spammers next time (Hat Tip: David Janes).

JK: It's an organized effort... was highly ranked at Blogdex.net a couple days ago, but I think they've put in filters. We may do the same soon, and meanwhile I've disabled all comments. We've also got a Swedish neo-nazi group that hangs out here and occasionally posts long rants. If you want to see an example, do a search for "Conspiracy and Truth Week" because I delete it everywhere else.

Re: the comment spams... why does this matter? And what can be done?

This matters because if pornospams et. al. are left unchecked, they will significantly impair the entire weblogging community - not just by killing comments as a normal blog feature, but by triggering automated filtering software at some workplaces once they notice all the porno links. What do we need to prevent that? Software, and support.

Software: Yoz Grahame's Cheerleader has a very intelligent set of suggestions, in "7 Tips for a spam-free blog". The article addresses tools vendors as well, which I especially appreciate. It also references Mark Pilgrim's outstanding overview of Club vs. LoJack solutions, which is finally available again after going down yesterday. If you're looking for serious long-term thinking about how our tools need to evolve and what we need to do, Mark's piece can't be beat. Though Shelley has a good one, with some worthy cautions about trust networks and smart feature requests.

Roald and Macdonald have an Open Letter to Google which is very much on point. We all have a mutual interest in stopping this, and working together from both ends just makes sense.

I'll add another thought. Not only do we need MT-Blacklist, we also need a clean-up utility. One that looks in the comments for the "URL" field, and when it finds a match with our ban list (or even a specific entered value for v1.0), it collects that comment and presents us with a "Power Edit" list that allows us to delete comments in batches of 25-100 at a time. When we're done, one site rebuild would allow us to have a completely clean blog.

Support: In addition, hosting providers have to get smarter. Tens or hundreds of weblogs rebuilding hundreds of entries will have the same effect on their servers as a denial-of-service attack. Comment spam should therefore be treated like one. For starters, hundreds of incoming data posts from the same IP ought to raise a red flag and cause diversion or access denial.

Mwanwhile, our provider at Bloghosts.com has already moved to firewall out the following netblocks from their servers: 209.120.176.0/24 and 62.42.228.0/24. This will help for now, but over the long term they may want to consider an add-on service. It would include installation of MT-Blacklist, configured to draw from a central blacklist hosted and updated by bloghosts.com themselves, plus renamed CGI submission scripts in their MT installations to make blogs they host a lower-profile target. The Cadillac option could even include an upgraded Host-specific MT package with a full-fledged spamtrap configuration.

That would be a substantial draw for many bloggers, I think, who would gladly pay additional fees for services that take this problem off their hands.

This much I do know - we'll need these measures sooner rather than later. Preteen, Lolita and the spawn were just the beginning. There's no reason these attacks couldn't be scaled to add hundreds of comments to each weblog, and no reason why they wouldn't be. Brace yourselves, because you ain't seen nothing yet.

Printer-friendly Version

TrackBack URL for this entry:
http://www.windsofchange.net/windsopcentre-cms/trackback.cgi/1896

Listed below are links to weblogs that reference
"Dealing With Comment Spammer Infestations"

Tracked: October 12, 2003 3:30 PM

Blogging: Comment Spam from Richy's Random Ramblings

Excerpt: Like practically everybody else in the blogsphere at the moment, I'm suffering quite a bit of comment spam: I had to block my first IP address yesterday - and now I'm blocking the following 7 IP addresses: 209.210.176.19 209.210.176.20 209.210.176.21 2...

Tracked: October 13, 2003 2:23 AM

Comment Spam - sending IPs from Asymmetrical Information

Excerpt: Here is a list of IPs from whom I/we have received this sort of thing. The first one was eight

Tracked: October 13, 2003 2:25 AM

Why right-wing blogs don't have comments from Blah on steroids

Excerpt: Excuse number 94.

Tracked: October 13, 2003 2:41 AM

Blog Spam! from Creative Destruction

Excerpt: Winds of Change.NET: Comment Spammer Infestations: Report I got blog-spammed for the first time today, and lo and behold I found this link on Instapundit....

Tracked: October 13, 2003 3:04 AM

Beware Of Spammers from Jay Reding.com

Excerpt: Winds of Change points out that there's been a rash of porn-site comment spammers across the blogosphere. So far I've...

Tracked: October 13, 2003 6:58 AM

Unwanted Comments from The Curmudgeonly Clerk

Excerpt: In the past, I have had some unkind words for comments features on weblogs. I have since opted to retain...

Tracked: October 13, 2003 7:45 AM

Comment spam from holycola.net

Excerpt: Just when I thought blogs could be this cool ad-free zone, those fucking spammers have concocted bots that automatically post comments onto blogs run under Movable Type, and maybe others. I only heard about this happening yesterday, and since then...

Tracked: October 13, 2003 1:32 PM

Preteens aren't sure they agree with that statement from Quidnunc

Excerpt: The folks at Winds of Change.NET have disabled comments until they have a solution to the comment spam problem. Earlier this morning I received email notices from comments to this blog. My personal spam receipt level has been low enough that a robots.t...

Tracked: October 13, 2003 9:14 PM

Back, foul spammers. from The Ankle Biter @ Quibbling.net

Excerpt: Here's a good summary of links about the epidemic of comment spamming that has been going on lately. There's a...

Tracked: October 14, 2003 12:28 AM

Lolita, preteen from JD on MX

Excerpt: Lolita, preteen: Spam in blog comments reached new heights this weekend... I heard of several sites that got "hundreds" of blog entries spammed with porn ads under the names "lolita" and "preteen". In the Flash community Michael Gunn got hit...

Tracked: October 14, 2003 5:27 AM

Bricklin IT from au currant: politics, media & lowbrow culture

Excerpt: I may not have comments anymore (too much porn spamming and not enough inclination to delete hundreds of comments and...

Tracked: October 14, 2003 4:22 PM

Slew of Blog Spam from blog^2

Excerpt: Argh! At first I read Mitch Kapor complain about how he was getting a few spams a week on his...

Tracked: October 14, 2003 8:12 PM

An open letter to Google concerning blog comment spamming from Notes

Excerpt: I just sent the following letter to suggestions@google.com. If anybody knows anybody who works there, please feel free to...

Tracked: October 20, 2003 6:13 PM

An open letter to Google concerning blog comment spamming from Notes

Excerpt: I just sent the following letter to suggestions@google.com. If anybody knows anybody who works there, please feel free to...

Tracked: November 14, 2003 5:32 PM

Blog Spam from Flame Turns Blue

Excerpt: Spam is becoming an increasing problem for blogs. I've had my fair share of spam in the comments, but the volume has been pretty minimal. Other sites haven't been so lucky....

Comments

#1 from "Mindles H. Dreck" at 2:12 am on Oct 13, 2003

Here is a list of IPs from whom I have received this sort of thing. The first one was eight months ago or so:

207.88.76.143
219.95.12.122
219.95.14.239
209.210.176.22

#2 from pianoman at 2:30 am on Oct 13, 2003

You should consider Bayesian content-filtering. I've been using it on both my work and home emails for about a year now, and it's produced amazing results. The disadvantage is that you need a lot of "good" mail and "bad" mail in order to get the databases intelligently built, but the advantage is that they continue to get "smarter" as more and more spam is "caught".

Email for more details if you have no idea what I'm talking about.

#3 from Nukevet at 2:31 am on Oct 13, 2003

Yep, our blog (Random Nuclear Strikes) got the same Lolita crap spam.

MT-blacklist can't come too soon.

#4 from David at 2:36 am on Oct 13, 2003

Here are some more IPs I've recently had to ban:

61.189.229.61
209.210.176.20
219.95.14.69
216.228.168.110

#5 from blaster at 2:44 am on Oct 13, 2003

They even hit low volume blogs like mine.

#6 from Mary at 2:45 am on Oct 13, 2003

I found one more obvious porn comment when cleanup Pacific Views today:

80.50.117.113 (klaus -- selling viagra and hardcore sex)

#7 from Dr. Weevil at 2:51 am on Oct 13, 2003

Warning: 209.210.176.0/24 may not cover enough ground. My 21 Lolita-spams came with last numbers 20, 21, 22 -- and 33. I got 4 more on my other site (www.curculio.org), the one with only 15 posts and 2 genuine comments in the last 6 months (maybe I should spend more time there).

#8 from David at 3:02 am on Oct 13, 2003

I'm having the same problem, but it looks like there may be something of a solution. In particular, see the comments section of this post.

The latest trick is to leave an ambigous message "I'm not sure to what extent this statement is true." is one I got today, in the hopes you'll visit their website.

Sad.

#9 from David at 3:05 am on Oct 13, 2003

Oh, and for what it's worth, here's my current banned list. Not all spammers though, but it may be handy for comparison purposes:

211.10.197.13 2003.06.23
81.135.77.87 2003.07.26
134.28.148.47 2003.08.14
203.62.10.3 2003.08.28
212.69.231.226 2003.09.16
66.111.50.170 2003.09.26
209.210.176.21 2003.10.09
209.210.176.* 2003.10.10
219.95.14.69 2003.10.12

#10 from Starhawk at 3:20 am on Oct 13, 2003

I got hit by the comments from preteen too.
I am low volume enough that I was able to catch them and delete them.

#11 from Steven at 3:41 am on Oct 13, 2003

I have had the same problem at PoliBlog. Like StarHawk I have been able to catch, delete and then IP ban. I have had the Lolita one several times, and from at least two different IPs. Plus numerous Viagra-related ones and several Direct TV ones as well.

#12 from Kevin Mickey at 4:04 am on Oct 13, 2003

I've been getting them too, but not in the volume you are.

#13 from Mean Dean at 4:10 am on Oct 13, 2003

Sometimes I wish I weren't so straight-laced. Otherwise I might consider a solution I learned on slashdot recently

Instead, I'll just volunteer to help Jay test his application on an older version of MT.

#14 from Eric at 4:31 am on Oct 13, 2003

Same problem with my site tonight -- and a problem I've been dealing with all week long.

#15 from Chuck Divine at 4:59 am on Oct 13, 2003

I've seen many porn spams on Slashdot. I wonder if people who don't like the site's viewpoints use this kind of comment as a way of attacking both the site and the people who run it.

Anyway, this kind of thing has been happening for some time on Slashdot. Slashdot has remained accessible at every place I've worked.

Slashdot's moderation mechanism tends to quickly lower this kind of crap to near invisibility. You do have to either catch the garbage early or deliberately look at comments rated -1 to find the stuff.

Perhaps they might be willing to offer advice.

#16 from beaker at 5:02 am on Oct 13, 2003

I got hit with the same lolita / preteen crap a couple of days ago. IP was 209.210.176.33. I also deleted the comment and then banned the IP.

#17 from Allison Coates at 6:04 am on Oct 13, 2003

my guess is that you can't keep up and win on ip-blocking. Take a look at how yahoo/hotmail/paypal stop people from getting oodles of accounts, etc. they use a "Reverse turing test" or a "CAPTCHA"--it's a graphic that involves reading a word that's presented in such a way that no current OCR technology can solve the problem. this way no script can activate the comments, only a human can. yes, you'd still have to block human spammers, but that's really not where the majority of the problems are coming from. for every submission, you present a graphic image as a test, and you ask the submitter to tell you what the word is that they see in the graphic. a variety of fonts and backgrounds are used that prevent ocr from handling this.
Do tell your MT people about this suggestion. I know how they are created/implemented, and so do some other folks. Good luck.

#18 from Mahesh at 5:24 pm on Oct 29, 2003

Banning entire IP ranges may be too draconian. Perhaps require registration to post.

#19 from Muriha at 9:44 am on Jan 30, 2004

Any new ideas?

#20 from ankh at 1:05 am on Mar 02, 2007

you know, i was serious about that post. you needn't have it deleted. a simple answer and i will understand.
----

{NM: Advertisements for Rolex watches were considered spam; as a result the entire post was deleted. Read the Winds of Change comments policy, please. Future posts containing those links will probably also be deleted without comment.

-- Marshal Nortius "Big Tuna" Maximus}

#21 from ankh at 3:12 am on Mar 03, 2007

thanks for the answer. i won't spam here again. sorry for the trouble i've caused.