Scott on Writing

Musings on technical writing...

And the Point of this Comment Spam Would Be?

As I've blogged about before, ScottOnWriting.NET received its fair share of comment spams, 99% of which are stopped through pattern matching and URL counts. The vast, vast majority of comment spams I receive have some purpose: they advertise a website.  They exist to bolster the site's search engine placement and/or to attract visitors from my blog to their site.  This makes sense and makes fighting these types of comment spam relatively easy - just create a database of 'bad' URLs and filter comments accordingly.

Over the past week, however, my blog has been receiving, on average, about a dozen comment spams a day that don't fit the bill of your typical comment spam.  Rather than being some advertisement, the comment is merely a female name.  That's it.  No email address, no URL, no phone number, no instructions on how to earn that degree or overcome sexual inadequacy... nope, just a single word for the subject and body.

Clearly this is the work of a bot of some kind (or a very meticulous, bored person), as the names are progressing through alphabetic order (I'm now receiving names starting with 'E').  I've been very proactive in deleting these through the blog admin interface upon receiving them, but this is, clearly, an annoying, repetitive task.  I am going to attempt to stop this flavor of comment spam by adding a new filter that will remove any comments with just a single word, but that's not the $64,000 question.  What I'm more interested in is why someone would do this.  Is it something personal?  Do they dislike me or this blog?  Do I know them?  Is it just a test script that they forgot to turn off?  Seriously, what does this accomplish for anyone?  It's only a slight inconvenience for me (soon to not be one once I add the filter), which makes me think it's somewhat targeted... but who knows.

I Googled for “blog comment spam female names” to see if anyone else has experienced such an automated spew of comment spam, but was unable to find any matches.  So maybe this is an isolated, annoying instance.  If the guy or gal who's comment spamming me with these female names is reading this, please stop.  Pretty please.

posted on Saturday, September 03, 2005 4:00 PM

Feedback

# re: And the Point of this Comment Spam Would Be? 9/3/2005 5:44 PM Jeff Atwood

You're crazy not to use a CAPTCHA. That would prevent this manual labor entirely.

# re: And the Point of this Comment Spam Would Be? 9/3/2005 6:53 PM Scott Mitchell

Jeff, the TRIGGER approach I use to filter comment spam works wonders. It removes 99.9% of comment spam. To date, it's stopped over 11,000 comment spams. See this blog entry for more info: http://scottonwriting.net/sowblog/posts/3083.aspx

CAPTCHAs have a couple of problems, IMHO. First, they are vulnerable to AI and social engineering schemes, as discussed here: http://scottonwriting.net/sowblog/posts/3154.aspx

Second, correct me if I'm wrong, but CAPTCHAs aren't supported via CommentAPI, meaning those that post comments to my blog via their aggregator are S-C-R-E-W-E-D if CAPTCHAs are used.

# re: And the Point of this Comment Spam Would Be? 9/3/2005 10:01 PM Arif Khan

Can you check server logs and track the IP addresses associated with those comment spams? ...any pattern or consistency ...?

# re: And the Point of this Comment Spam Would Be? 9/3/2005 10:27 PM Scott Mitchell

Arif, I believe more modern versions of .Text/CommunityServer track the commenter's IP address, but not the version I'm using. I guess I could troll through the logs and *try* to determine the IP, but the user, for example, may be coming through a popular proxy (AOL, perhaps), in which case IP blocking would be less than ideal since it would block out many commenters who are not propagating the comment spam.

# re: And the Point of this Comment Spam Would Be? 9/4/2005 7:10 PM Joel Ross

About 6 months ago, blogs.sagestone.net underwent the same type of comment spam. It started with Amanda, and kept going - it eventually stopped, but it was annoying. So, no, they probably aren't targeting you directly, but it is still odd!

Oh - and we are running .Text there too...maybe it's a .Text thing. We aren't a very popular blog, so who knows why we were targeted either.

# re: And the Point of this Comment Spam Would Be? 9/6/2005 5:33 AM ron

You should check out reversedos. It works wonders.

http://www.angrypets.com/tools/rdos/

# re: And the Point of this Comment Spam Would Be? 9/7/2005 2:19 PM Andy

Could it be that someone is testing a comment spam algorithm or something similar? Just a thought...

# re: And the Point of this Comment Spam Would Be? 9/8/2005 8:20 AM Michael K. Campbell

I second Ron's suggestion ;)

You should use ReverseDOS. Your trigger sounds like a great approach - but why burn up cycles letting spam get clear into your data tier before it is nuked - ReverseDOS implements pattern matching in an HttpModule.

Plus, if this IS a human - you can take the fun out of it for them. If they post Ginger, Gabi, etc. and you've set up filters for that, your site will look, to the spammer, like it is suffering a DOS attack, and will take a minute or two to send back the HTTP 403 header.

# re: And the Point of this Comment Spam Would Be? 12/13/2005 8:48 AM James

Things like this could be an attempt to find an SMTP injection vulnerability on your website to see if they can use it as an open relay for sending out spam. It seems to be the latest thing that spammers are up to these days. It might be worth your while setting up some kind of logging system to see if you can determine exactly what is being posted to your blog.

It seems that PHP websites are particularly at risk -- PHP's mail() function has a vulnerability that allows a malicious user to inject arbitrary headers. As far as I can tell, the System.Web.Mail classes in ASP.NET are somewhat more secure, but it probably won't stop them having a go anyway, so it's a good idea to check all your user-supplied data for newline characters where there shouldn't be any.

I've gone into more detail about this on my blog:

http://www.jamesmckay.net/archive/2005/12/51
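The newline check suggested in the comment above, sketched as an added example (not code from this blog, the commenter, or .Text). It assumes a hypothetical comment form with `name`, `title`, `url` and `body` fields whose first three end up in a notification mail's headers; the addresses are placeholders.

```python
import re
from email.message import EmailMessage

# CR, LF and the other characters Python's str.splitlines() treats as line ends.
LINE_BREAKS = re.compile("[\r\n\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]")

# Hypothetical comment-form fields that end up inside mail headers.
HEADER_FIELDS = ("name", "title", "url")


class HeaderInjectionError(ValueError):
    """A header-bound field contained a line break."""


def fields_with_line_breaks(comment):
    """Return the header-bound fields whose value contains a line break."""
    return [f for f in HEADER_FIELDS if LINE_BREAKS.search(comment.get(f, ""))]


def build_notification(comment, admin="admin@example.invalid"):
    """Build the 'new comment' mail, refusing input that could add headers."""
    bad = fields_with_line_breaks(comment)
    if bad:
        # repr() keeps the control characters visible when the error is logged.
        details = ", ".join(f"{f}={comment[f]!r}" for f in bad)
        raise HeaderInjectionError("line break in header field: " + details)
    msg = EmailMessage()
    msg["From"] = "blog@example.invalid"
    msg["To"] = admin
    msg["Subject"] = f"New comment from {comment['name']}: {comment['title']}"
    msg.set_content(comment["body"])  # line breaks are legitimate in the body
    return msg


# Constructed sample input, not taken from the blog's logs.
CLEAN = {"name": "Emily", "title": "Emily", "url": "", "body": "Emily\nsecond line"}
TAINTED = dict(CLEAN, name="Emily\r\nBcc: someone@example.invalid")

if __name__ == "__main__":
    print(build_notification(CLEAN)["Subject"])
    try:
        build_notification(TAINTED)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Only the header-bound fields are checked; the body keeps its line breaks because it never becomes part of a header line.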
