Dealing with comment spammers
October 2, 2004 10:13 AM

Is there any way to punish comment spammers?

Comment spam started out as an annoyance, but it really seems to have gotten worse recently. Or maybe I'm just getting hit more lately. I use MT-Blacklist, and that helps me to keep my own site clean.

However, there are a lot of dead blogs out there that don't sanitize their comments, so there's an incentive for spammer scum to keep flooding our sites.

I would like to find a way to disincentivize them from doing it. My first thought, a DDoS attack on the URLs they're promoting, while attractive from a vigilante standpoint, probably isn't the best response. It would feel good, but, no.

I think common wisdom is that they're just trying to increase page rank, and maybe that's the place to hit them. Google can't like to have their systems gamed like that. Do they have an abuse department where you could report domains that are trying to game their system and get them removed entirely from the index? Maybe if enough people did it, and it got around that comment spamming was the quickest way to get your site unlisted on the various search engines, people would learn to stop doing it.
posted by willnot to Computers & Internet (12 answers total)
 
User registration is just about the only way I can think of.
posted by Civil_Disobedient at 10:17 AM on October 2, 2004


More recent versions of MT have link obfuscation that undercuts the googlejuice spammers get from entering a commenter's URL, but the little comment-spam I've gotten recently has posted a vast number of links in the comment body. So that doesn't help.

I don't have commenter registration, but I have hacked MT's comment script to force previews. I get very little comment spam now--maybe one/month.

It's kind of funny to think that connecting to a comment-spammer's URL would be considered an attack. After all, don't they want attention? The better answer (something I think Paul Graham proposed) is to make enough hits on their website that you drive their bandwidth bills through the roof. This could be done with e-mail spam too, of course.
posted by adamrice at 4:19 PM on October 2, 2004


I got eight spams on my blog from eight entirely different IPs last night within ten minutes. Eight doesn't sound like very many, but considering I don't use MT's comment script but my own code and have thus only seen like five comment spams, ever, this was pretty frightening.
posted by kindall at 11:21 PM on October 2, 2004


So far, a combination of Apache Deny on various IPs and user agents, plus a simple scan for keywords has done the trick. All my comment spam has been advertising certain pharmaceuticals and online casinos.

I think there may be real humans involved (explaining how kindall can get hit), but only mechanically cutting and pasting and posting (which is why they haven't sussed my block, which returns a realistic looking error page when triggered).

If they get as smart as the email spammers as far as filter frustration goes, I may just put in for a fund to firebomb a certain online pharmacy operation.
posted by i_am_joe's_spleen at 1:19 AM on October 3, 2004


I use .htaccess on Apache to redirect any domains or IP addresses which have left comment or referral spam to a very high resolution image of Donald Rumsfeld on the DoD site. For some reason, it just seems apt.
posted by humuhumu at 7:01 AM on October 3, 2004


"I got eight spams on my blog from eight entirely different IPs last night within ten minutes."

This is because spammers have begun using groups of zombied machines for the purpose of comment, guestbook, and formmail spamming. Whether taking advantage of already-infected machines or infecting them themselves, there are literally tens of thousands of machines on the Internet that are backdoored and listening for commands to execute and IP addresses to harass.

Due to the nature of such distributed networking, they're next to impossible to prevent through non-invasive (read: unlike captcha, requiring registration, etc.) or proactive (read: maintaining blacklists, filtering according to behavior) means.

Here's a single attack using this method. Fun, no?
posted by Danelope at 7:11 AM on October 3, 2004


Yeah, I figured it was the zombie thing. What I've done for now, since they seem to have figured out my commenting script (that's the part I found scary), is to change my comment script so that the name of the comment field changes based on date, IP address, and thread number. (It's based on an MD5 hash of these things.)

If they're posting the comments manually none of this will matter, of course, but if they've scripted it, this should make it significantly harder.
posted by kindall at 9:13 AM on October 3, 2004
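
The rotating field name kindall describes, sketched as an added example (not kindall's code, which the thread does not show). It keeps the MD5 over date, IP address and thread number but keys it with a server-side secret via HMAC, which is an assumption of this sketch; the secret value, the `c_` prefix and the function names are hypothetical.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Hypothetical server-side secret; it never appears in the page source.
SECRET = b"constructed-example-secret"

def field_name(day: date, ip: str, thread_id: int, secret: bytes = SECRET) -> str:
    """Name of the comment field for one visitor IP, thread and day."""
    msg = f"{day.isoformat()}|{ip}|{thread_id}".encode()
    # HMAC-MD5 instead of bare MD5 (assumption of this sketch): without the
    # key, knowing the recipe is not enough to compute the name offline.
    return "c_" + hmac.new(secret, msg, hashlib.md5).hexdigest()[:16]

def extract_comment(form: dict, ip: str, thread_id: int, today: date):
    """Return the comment text if it arrived under a valid field name, else None."""
    # Accept yesterday's name as well: the form may have been loaded
    # shortly before midnight and submitted after it.
    for day in (today, today - timedelta(days=1)):
        value = form.get(field_name(day, ip, thread_id))
        if value is not None:
            return value
    # A static name ("text"), a stale name, or a name issued to a different
    # IP or thread all end up here and the submission is dropped.
    return None
```

Because the name is bound to the requesting IP, a field name harvested on one machine is rejected when replayed from another, which is the case that matters when posts arrive from many hosts at once.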


Response by poster: Thanks guys, but my focus wasn't on protecting my site, but on punishment to discourage future floods. Ways to get their sites delisted on search engines, that kind of thing.
posted by willnot at 9:37 AM on October 3, 2004


Willnot, I honestly can't think of much that's effective.

However, since the perpetrators almost all seem to be Americans, you USians could do us all a favour and complain to federal authorities if the advertised products seem dodgy in any way. If the online pharmacies could be busted for selling with prescriptions, or the casinos for violating local gambling laws, that would make me very happy.
posted by i_am_joe's_spleen at 11:42 AM on October 3, 2004


Sorry about the confusion. As i_am_joe's_spleen said, there are actions you could take in an attempt to shut them down but, short of taking up vigilantism, the effectiveness of said procedures is not guaranteed.

First, you produce a list of IP addresses that have comment spammed your site. Using whois, you can determine which provider they use to access the Internet and/or which webhost they use to host their online pharmacies et al. You can then contact each service provider* with details on the type of activity, the affected domain(s), excerpts from your logfiles that demonstrate Activity X from Connection Y at Time Z, and specific citations from that ISP's Terms of Service/Acceptable Use Policy that indicate the violation. Then repeat this process for every incident.

Afterward, all you can do is wait and hope that the recipient of said information cares enough to take action. Even if they do, there are so many ISPs in so many countries that don't care that persistent spammers will be back online in a matter of hours. If you can trace their data far enough to positively identify them, however, you could theoretically pursue legal action via the appropriate state laws, the (nigh useless) CAN-SPAM act, the police, etc.

* Try abuse@serviceprovider.com if they don't provide contact information on their site.
posted by Danelope at 1:21 PM on October 3, 2004
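
The log-excerpt step of the procedure above, as an added example that is not part of Danelope's post: given the IPs you have already identified as spam sources, it pulls their POSTs to the comment script out of an access log and formats the "Activity X from Connection Y at Time Z" evidence for one report. It assumes Apache combined log format; the script path, site name and sample lines are constructed, and the whois lookup and ToS citation remain manual steps.

```python
import re
from collections import defaultdict

# Apache combined log format; the comment script path is an assumption.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
COMMENT_SCRIPT = "/cgi-bin/mt-comments.cgi"

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Oct/2004:02:14:07 -0700] "POST /cgi-bin/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Oct/2004:02:14:09 -0700] "GET /archives/000123.html HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Oct/2004:02:14:31 -0700] "POST /cgi-bin/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.55 - - [03/Oct/2004:02:15:02 -0700] "POST /cgi-bin/mt-comments.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
garbage line that does not parse
"""

def comment_posts_by_ip(log_text, spam_ips, script=COMMENT_SCRIPT):
    """Collect (timestamp, raw line) for comment POSTs from the listed IPs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        path = m["path"].split("?", 1)[0]
        if m["ip"] in spam_ips and m["method"] == "POST" and path == script:
            hits[m["ip"]].append((m["ts"], line))
    return dict(hits)

def abuse_report(ip, entries, site="example.org"):
    """Plain-text evidence block for one source IP, in log order."""
    lines = [
        f"Activity: {len(entries)} comment-spam POST(s) to {site}",
        f"Source IP: {ip}",
        f"First seen: {entries[0][0]}",
        f"Last seen: {entries[-1][0]}",
        "Log excerpts (timestamps carry the server's UTC offset):",
    ]
    lines += ["  " + raw for _, raw in entries]
    return "\n".join(lines)
```

Keeping the raw lines and the UTC offset matters because the provider has to match the report against its own connection records, especially for dynamically assigned addresses.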


Now that I think about it, I have emailed ISPs about repeated posts from zombied machines, and had those posting runs suddenly cease. Whether this led to punishment for posters I can't say.
posted by i_am_joe's_spleen at 2:45 PM on October 3, 2004


1) Delete them as soon as possible, 2) let them waste their time, 3) tell everyone else you know who blogs to install blacklists or other tools.

pwb.
posted by pwb503 at 10:17 AM on October 4, 2004


This thread is closed to new comments.