Cap'n Arbyte's



How Comment Spammers Attack

When I turned comments on a week and a half ago, I left the captcha (that anti-spam code you have to type in) partially disabled. My system would accept comments if the captcha was entered correctly or if it was left completely blank. (Did anybody notice this?)

I've finally gotten some comment spam — all for pharmaceuticals, it turns out — and have learned a bit about how comment spammers operate. It's interesting, so I'm sharing what I learned.

The spammers downloaded my index page and searched for comment links. They processed each comment page in alphabetical order. Their downloads were very focused, never wasting time or bandwidth on images, style sheets, or any pages except the articles that allowed comments. They used a combination of several strategies to thwart spam detection schemes:

  • They used several different IP addresses
  • The accesses were several seconds apart
  • They impersonated several different user agents (even Googlebot)
  • They only submitted one comment to each article
  • The comments included some fuzz to defeat Bayesian filters

They used both HTML and UBB Code for their links — and each pointed to a different URL, perhaps not even in the same domain!
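The traits listed above suggest two log checks, shown here as an added example that is not part of the original post: flag clients that submit a comment without ever fetching a static asset, and look across all IPs for comment submissions that walk the articles in alphabetical order. The log lines are constructed, the `/articles/<slug>/comment` URL layout and combined log format are assumptions, and the user agent is deliberately ignored because it was impersonated.

```python
import re

# Constructed sample access log (combined format). IPs are documentation
# ranges; the /articles/<slug>/comment layout is an assumed URL scheme.
SAMPLE_LOG = '''\
203.0.113.5 - - [01/Jan/2006:09:58:00 +0000] "GET /articles/zebra HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2006:09:58:01 +0000] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2006:09:59:30 +0000] "POST /articles/zebra/comment HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2006:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5000 "-" "Googlebot/2.1"
198.51.100.7 - - [01/Jan/2006:10:00:04 +0000] "POST /articles/apple/comment HTTP/1.1" 302 0 "-" "Googlebot/2.1"
198.51.100.8 - - [01/Jan/2006:10:00:11 +0000] "POST /articles/banana/comment HTTP/1.1" 302 0 "-" "Opera/8.5"
198.51.100.9 - - [01/Jan/2006:10:00:17 +0000] "POST /articles/cherry/comment HTTP/1.1" 302 0 "-" "Mozilla/4.0"
'''

LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
STATIC = re.compile(r'\.(css|js|png|gif|jpe?g|ico)$', re.I)
COMMENT = re.compile(r'^/articles/([^/]+)/comment$')

def parse(log):
    """Return (ip, method, path, user_agent) tuples in log (time) order."""
    return [m.groups() for m in map(LINE.match, log.splitlines()) if m]

def assetless_posters(events):
    """IPs that submitted a comment but never fetched any static asset."""
    posted, fetched_static = set(), set()
    for ip, method, path, _ua in events:
        if method == 'POST' and COMMENT.match(path):
            posted.add(ip)
        elif STATIC.search(path):
            fetched_static.add(ip)
    return sorted(posted - fetched_static)

def alphabetical_run(events):
    """Longest run of consecutive comment POSTs (any IP) with strictly ascending slugs."""
    best, run = [], []
    for ip, method, path, _ua in events:
        m = COMMENT.match(path)
        if method != 'POST' or not m:
            continue
        slug = m.group(1)
        run = run + [(ip, slug)] if run and slug > run[-1][1] else [(ip, slug)]
        if len(run) > len(best):
            best = run
    return best

if __name__ == '__main__':
    events = parse(SAMPLE_LOG)
    print('no static assets:', assetless_posters(events))
    print('alphabetical run:', alphabetical_run(events))
```

Neither signal is conclusive alone: text-mode browsers and cached assets produce asset-less readers, so the cross-IP alphabetical run is the stronger indicator of one coordinated campaign.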

Unfortunately, when I deleted the spam I also accidentally changed the timestamps, so the access delays are no longer visible. (I changed the database so that field wouldn't automatically update anymore when I delete comments in the future…)

I added the #comments fragment identifier to my comment links only a few days ago. I wonder whether this was really my first spam attack, or if earlier attacks were unable to identify the comment links without the fragment identifier. Alas, there's no way for me to know.

In other news, I've recently started having trouble with spammers spoofing e-mail from my domain. There's apparently some kind of conflict between my host's management tools and the SPF record I'd like to use to prevent spoofing. I am not happy about this.
