Cap'n Arbyte's

Advertisements

Local interest

Other sites

Blogroll

Dr. George Reisman
Mises Economics Blog
Catallarchy
FuturePundit
EconoPundit
Healing Iraq
Asymmetrical Information
EconLog
The Angry Economist
Civilian Gun Self-Defense
In The Pipeline
Belmont Club
Coyote Blog
Jacqueline
Fall of the State
WILLisms
Captain Capitalism
Fight Aging!
Voluntary Trade Blog
Savvy Saver
Mover Mike
Free Money Finance
Marginal Revolution
Miserly Bastard

How Comment Spammers Attack

When I turned comments on a week and a half ago, I left the captcha (that anti-spam code you have to type in) partially disabled. My system would accept comments if the captcha was entered correctly or if it was left completely blank. (Did anybody notice this?)

I've finally gotten some comment spam — all for pharmaceuticals, it turns out — and have learned a bit about how comment spammers operate. It's interesting, so I'm sharing what I learned.

The spammers downloaded my index page and searched for comment links. They processed each comment page in alphabetical order. Their downloads were very focused, never wasting time or bandwidth on images, style sheets, or any pages except the articles that allowed comments. They used a combination of several strategies to thwart spam detection schemes:

  • They used several different IP addresses
  • The accesses were several seconds apart
  • They impersonated several different user agents (even Googlebot)
  • They only submitted one comment to each article
  • The comments included some fuzz to defeat Bayesian filters

They used both HTML and UBB Code for their links — and each pointed to a different URL, perhaps not even in the same domain!

Unfortunately, when I deleted the spam I also accidentally changed the timestamps, so the access delays are no longer visible. (I changed the database so that field wouldn't automatically update anymore when I delete comments in the future…)

I added the #comments fragment identifier to my comment links only a few days ago. I wonder whether this was really my first spam attack, or if earlier attacks were unable to identify the comment links without the fragment identifier. Alas, there's no way for me to know.

In other news, I've recently started having trouble with spammers spoofing e-mail from my domain. There's apparently some kind of conflict between my host's management tools and the SPF record I'd like to use to prevent spoofing. I am not happy about this.