What are gibberish spam comments for?
April 5, 2005 2:25 PM   Subscribe

Recently my blog has been getting comments consisting of gibberish linking to gibberish URLs. Unlike normal spam, they cannot be removed en masse via MT-Blacklist and have to be pried out one by one, and there's no way of preventing more of them without moving to pre-authorized comments (which this may force me to do). My question: cui bono? Who's getting something out of this?

Here's an example:
uofa poiuyt http://ghjklqvtn.com/
Posted by: Ebulus at April 5, 2005 03:36 PM
posted by languagehat to Computers & Internet (14 answers total)
I've been having the same problem on my weblog. These guys even get around my renamed comments script. My guess is that either these are real people just being asshats, or else somebody is testing some sort of spamming script, maybe one to find renamed comment scripts. I lean toward the latter since the IP addresses are different on each comment. Again, this is just a guess.
posted by jdroth at 2:37 PM on April 5, 2005

Who's getting something out of this?
Probably using your site as an endorsement for theirs, to improve their google rank. The same reason as referer spam.

There are several ways to make it try and ensure a person's at the other end rather than computer, typically by doing something computers aren't good at.... "Please enter the code as seen in the image", "type the fifth word in this sentence", "remove the processed meat from this text box: youSPAMcanSPAMnowSPANpost", or asking them to get an account via email.

I don't like the image codes because blind people can't use them, and there's software that can see the code half of the time. Still, it's what most people are using.
posted by holloway at 3:15 PM on April 5, 2005

Your site is being checked to see if it should be put on a list of spammable targets. Based on the success of the spammer, it looks like it will. Something similar is done with mail spam, and it's used similarly to identify vulnerable recipients and valid addresses.
posted by majick at 3:16 PM on April 5, 2005

Gibberish? Maybe not. These are very low-frequency words that might have been taken from a cache or something.

Google returns results for uofa, poiyut, and Ebulus. Uofa = U of A, as in University of Arizona. Poiuyt appears to be a surname, and is also (consequently?) used as a username on message boards. Ebulus is a species of plant, and probably has meaning in Latin.
posted by profwhat at 3:18 PM on April 5, 2005

Poiuyt is the top letter row on a Qwerty keyboard, backwards.
posted by timeistight at 3:23 PM on April 5, 2005

You can use MT black list to list the N most recent comments. You can then tell it to delete those. I've done this in the past when MT black list wasn't finding and deleting the spam automagically.
posted by chunking express at 3:25 PM on April 5, 2005

holloway: Yeah, I know about image codes, but I'd rather not have to use them. As for improving their google rank, sure, that's the usual reason for comment spam, but these are not sites, they're gibberish, that's why I asked.

chunking express: Thanks, I tend to forget about that possibility.
posted by languagehat at 6:03 PM on April 5, 2005

why test with meaningless data? you might as well test with the real thing, surely? get extra google-juice for free.

but i can't come up with a good explanation, except for sheer bloody-mindedness. upset a script kiddy recently?
posted by andrew cooke at 7:01 PM on April 5, 2005

I also got a bunch of these recently. The only two reasons I could come up with for why they post with nonexistent domains is (1) they're trying to bloat the MT blacklist for some reason or (2) they'll put a site there later after you've ignored (ha!) their comment spam.
posted by turbodog at 7:59 PM on April 5, 2005

I combined MT-Blacklist, SCode (the image code addon) and renaming my comments page, and now have no spam whatsoever, says she knocking on wood. It seems like these days SCode or similar for Movable Type is pretty much the only option. The spammers quickly figured out the renamed file and Blacklist got far too slow and unwieldy to use - I always use it the way chunking express mentioned above. I agree with turbodog that they're trying to bloat MT-B - it really does start to lag as the blacklist fill up, to the point of being unusable.
posted by tracicle at 10:58 PM on April 5, 2005

It may be that advertisers are getting bored of raising page-rank with comment spam, so the people who provide the service are telling the zombie networks to just post nonsense. (This is probably easier than shutting them down) An advantage of this is that comment spammers can tell customers "look, we can create comment spam, but unless you pay us money, it's not going to be with the keywords and links you give us."

That's a possible explanation.
Another may be that they're just doing it as payback for not being able to fill peoples blogs with whatever they want.
posted by seanyboy at 5:55 AM on April 6, 2005

This has actually come up recently on the Movable Type Developers List-serv and there are two thoughts: 1. this is a crap-flood, and 2. this is sounding ping to see if you don't delete the comment/ping. The idea would be to send a gibberish address and then look it up via google/msn/yahoo and see if it exists, then hit your site continously with a usable URL. I always thought that bandwidth/computer cycles for spammers was approaching infinity, so the conservation of resources is interesting. It is almost like watching an amoeba evolve.
posted by plemeljr at 10:05 AM on April 6, 2005

Follow up query, mildly related: Does anyone know if Scode works on 2.661? In fact, are there any reasonable solutions for the non-upgraders? (I actually have a paid license for 3.x for my personal site, but I used MT2.661 for a group blog, and it way exceeds the licensing terms for "personal" under 3.x.)
posted by pzarquon at 11:45 AM on April 6, 2005

pzarquon, the short answer is that the MT 2.x code base just can't do all the heavy lifting that's needed to fight spam these days. you can get in touch with our license team (just email contact at sixapart) and they might be able to work out a flexible license for your group blog.

and yeah, i think the consensus on the ProNet list is correct, it's intended to both be a nuisance and to see who is or isn't deleting their spam.
posted by anildash at 11:01 AM on April 7, 2005

« Older Case for Canon SD200?   |   Good books for beginning php Newer »
This thread is closed to new comments.