Blog spamming

At the time of writing, my main blog is under a sustained comment spamming attack. Over 50 spam comments today, all targeting the one old post, promoting a poker web site. At least one other WordPress-based blogger is getting them, so it’s not just me. And what’s interesting is they’re from a variety of different IP addresses, so assuming that’s not spoofed, it looks like the attack is coming from multiple zombies.

(Links in text deleted)

Author : poker (IP: 195.172.182.228 , 195.172.182.228)
E-mail : byob@y7263o.com
URL : http://www.poker-w.com
Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=195.172.182.228
Comment:
7263 JUST A FEW LINKSFOR YOU TO CHECK OU WHEN YOU GET A CHANCE
Online poker
texas holdem poker
texas hold em

When I first saw this type of comment spam, I thought huh? What’s the point? Who is going to see such comments and click on them? Particularly in this case, with dozens of the same spams hitting one particular post. But the point is getting links to your sites into the search engines, and up the rankings. Whether it works or not I don’t know.

WordPress has a fair bit of flexibility when it comes to catching comment spam. The most useful generic setting is number of links in a comment. A surprising number of comment spams have heaps of links. You can also nominate keywords (though in 1.2 there was a bug in that if the final keyword on the list had a CR after it, every comment got caught). Caught comments go to moderation, so the never see the light of day. Handy for comment spam and for moderating particular users/IP addresses too.

Comment spammers, like other spammers, are getting cleverer. Hopefully the blogging community (and in particular those who write and update blogging software) will stay one step ahead of them.

Update Friday 07:30: The attack appears to be widening to more blog posts, and branching out to Viagra and weight-loss, but is still showing signs of being from the same source. To counter it, I have shutdown comment posting on entries more than 60 days old using Scott Hanson’s Auto Shutoff Comments plugin.

Defined: Wikipedia on blog comment spam.

Possible solution for WP?: Modification to comments code that ensures it can only be called from the form, not remotely. I’ll try this when I get the chance.

Update Friday 13:00: The patch above doesn’t work for this particular attack. Looks like this one spoofs the referrer… which makes sense, any decent spammer would think of that.

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

10 thoughts on “Blog spamming

  1. Andy Merrett

    Damn spammers, huh? I guess this is the thorn in the side of blogging – which unfortunately may only get worse – just as email is now an infurating pastime due to the attack of the spammers. The sad thing is (if it is being done for ‘link traffic’ is that

    (1) most people will block them (it’s just a pain on the admin screen) and
    (2) IMHO it does nothing for improving search engine position because search engines tend to rank highly on _relevant_ pages linking to a site – and this is hardly relevant. Oh well…

    I am currently blocking the IPs that post, direct through Apache’s .htaccess file – in the vain hope that at least some of them might be used again – not much help if they are dynamically generated or if the spam is coming from compromised computers/servers – then again I have so little traffic that blocking a few IPs won’t harm my traffic. Of course, this is reactive, though.

  2. Ren

    Oh good. It wasn’t just me then. Got whacked with exactly the same ones (about 150 – nearly killed my email) but because of the wide spread of IP address, I wasn’t game to try to ban them all. I’m just making a habbit of closing the comments on old entries. It’s easier.

  3. Andy Merrett

    My ‘spam’ came from a fairly tight block of IPs – maybe this was unusual – I took several steps including the banning and have had no spam since – access and error logs show some attempts but the methods have blocked them all 🙂

  4. Daniel

    Yeah I’m still getting them, on my diary and here. I haven’t bothered to properly analyse the IPs… is it a few, repeating? On first glance they appeared to vary widely. Nothing’s actually making it into print, but it’s annoying to have to continually go and delete them out of the moderation queue, especially when there’s dozens per day.

  5. Andy Merrett

    Only a handful of IPs seemed to be trying to find my comments php page (which isn’t there any more), and of those they are being forbidden before they even get to the not found (ie 403 before 404 – haha!). Nothing has shown up on my mod queue or comments since I did that. Give it time… 🙁

  6. Daniel

    Okay I looked through the caught comments, and came up with a list of 11 IP addresses, and put them into the .htaccess file on my blog thusly:

    # Prevent blog poker spam attack Nov 2004
    <limit POST>
    order allow,deny
    deny from 148.223.48.226
    deny from 148.244.150.58
    deny from 200.42.212.42
    deny from 203.113.29.1
    deny from 203.195.201.29
    deny from 203.197.234.177
    deny from 211.185.38.61
    deny from 212.165.158.100
    deny from 212.219.119.198
    deny from 213.112.92.165
    deny from 218.145.25.11
    allow from all
    </limit>

    …and the attack stopped. But it also stopped on geekrant.org, so I can’t be sure that it worked properly. The spammer might have shutdown. Hmmmmm.

  7. Andy Merrett

    Maybe, but I am still getting ‘error’ hits (403s and 404s) so someone is still active – they’ve not sussed out the other part of my defence yet 🙂

  8. Daniel

    A second wave today, using new IP addresses. After expansion, my current .htaccess deny list is:

    deny from 24.193.110.88
    deny from 61.189.235.207
    deny from 61.239.247.73
    deny from 65.68.242.121
    deny from 68.165.169.202
    deny from 68.33.60.242
    deny from 68.39.209.63
    deny from 140.122.77.8
    deny from 148.223.48.226
    deny from 148.244.150.58
    deny from 151.202.154.243
    deny from 193.165.223.2
    deny from 200.42.212.42
    deny from 200.45.71.40
    deny from 203.87.147.166
    deny from 203.113.29.1
    deny from 203.195.201.29
    deny from 203.197.234.177
    deny from 209.74.43.164
    deny from 211.185.38.61
    deny from 212.117.152.70
    deny from 212.165.158.100
    deny from 212.179.50.75
    deny from 212.219.119.198
    deny from 213.4.105.231
    deny from 213.112.92.165
    deny from 218.145.25.11

  9. Daniel

    The IP address blocking stopped some of it, but what has really put paid to it is renaming WordPress’s wp-comments-post.php file (and references to it). The comment spammers attack this file by name, and while it’s not impossible now to work out what it’s called, it’s stopped them for now.

Comments are closed.