1635 - In Case You Wonder Why


Do you have a blog? Quite a lot of my readers do, and I thought I’d better relate something that I’ve found out today. Sort of a warning.

Do you get comment SPAM? Well, if you use WordPress, you most likely use Akismet to battle SPAM, and Akismet is really quite successful at it. Of course neither my reader counts (around 140 per day, around 200 page views on my photoblog, around 220 visits, around 320 page views on my programming blog) nor the number of comments are so high that I couldn’t do without it, but Akismet has made my blogging life quite easy.

There are different kinds of comment SPAM and due to the different natures of email and blogs, they are slightly different from what you may encounter in your inbox.

Some typical email SPAM types wouldn’t work as blog comments. This is certainly true of all types of advance-fee fraud, but also the typical phishing attacks make no sense. Both need the illusion of private messages being sent to you. With comments being public by nature, that doesn’t make sense.

A type that is common to email and comment SPAM is what I call the honest attempt to sell. Most of the time it’s something that would enlarge body parts or lengthen durations of inter-personal links, but whatever the product, the presentation is direct and up-front. You get some key words, sometimes embedded in completely unrelated prose, and finally you get links to the sites selling the stuff. Honest and straight-forward.

A variant is SPAM that doesn’t want to sell, but that wants to lure you to a page where your computer will get infected with malware. It’s less honest, less straight-forward, but it is a variant anyway, because both types want blog visitors to follow the links.

Then there is the other prototypical kind of comment SPAM, and that’s a blog-only type. It’s about building up links to the spammer’s sites, it’s about increasing one’s Google page rank. Here the spammer is not interested in blog visitors following the links, the only visitor they care about is the Google bot. Therefore they place such comments preferably on older blog posts, they try to be the only commenter on the post, in short, they prefer their comment not being read by humans at all.

As a commenter you have typically two ways to place a link: directly in the body of the comment or as the commenter’s home page. In trying to combat sales SPAM, blog software and anti-SPAM plugins typically limit the number of links allowed in a comment before it is flagged as SPAM, thus the link network builders tend to use the home page link, because as a blog owner you can’t really block those links. You want to encourage people to comment, and one of the incentives is the link back to their site.

After this somewhat lengthy introduction, what would you make of this comment, one in a series of similar comments that I got yesterday?

Author : Bertie (IP: 193.90.12.26 , hist.multinet.no) E-mail : 432@www.nak-nordhorn.de URL : http://www.yahoo.com/ Comment: edfGDT Kudos! What a neat way of thinking about it.

Interesting, huh? The email is only visible for the moderator and it is doubtlessly made up. The author’s name is made up as well, the IP address may be from the actual connection and thus correct, but as SPAM is never sent from the spammer’s computer, it can’t be used to track him down. It won’t be part of the comment on the blog either, thus it does not matter.

What remains are the URL and the body of the comment. In about ten comments to as many different older posts, the URL was either http://www.bing.com, or as in this case http://www.yahoo.com. I guess, even though Microsoft partners with Yahoo recently, we can take for granted that this is not an attempt of Microhoo to increase their Google page rank. Obviously the link is not used here, the field was only filled out because SPAM bots like to fill out form fields.

The message itself consists of two parts, one six character token at the beginning and then a rather generic compliment. The compliment is directed at the moderator, as an enticement to get the message approved, but also to just have any text at all. Thus obviously it is about the token.

Author name, Token and compliment were different in all comments, only the home page URL was mostly the same. Actually it was the URL that immediately caught my attention, not the token, that gave away the spammy nature. Of course after the second comment it was clear, but what was not clear, was the question: WHY???

It took me some time, in my research I found an “Ultimate Wordpress Comment Spammer” (google that phrase, it’s interesting), but that all was about link building or selling, never about SPAM without links.

In the end I found the solution. It is not verified, but I am pretty convinced that I’m right.

The settings that I use on my blog, what is most convenient for visitors and what is fairly safe for the blog as well, these settings are a WordPress setup where I set comments to “moderated” in general, but allow unmoderated comments for a particular visitor, after the first comment of that visitor has been approved. I don’t know how WordPress identifies visitors, I suppose it is just the private email address. The attack is directed at exactly this quite common and safe blog setup.

It’s a two part attack. First you place a comment with a generated, unique email address and a generated unique token. You do this in parallel on many blogs and on many posts. You save the combination of blog, email address and token in a database, and then you wait for some days.

We all know, Google is your friend, and that’s why the spammer keeps quiet for some time. It’s to let Google do its work. After a few days they just have to search Google for the unique tokens. Those that show up are on blogs where the moderators have approved the posts. If the blog setup is like on mine, the blog is now fair game. No further comments from that user will be subject to moderation, now the payload can be delivered, and that’s again “normal” SPAM.

The attack is still easy to identify as SPAM, even though it needs some pondering to realize what’s the purpose. I expect it to improve though.

One obvious improvement would be to use other URLs. I often don’t have the time to follow a commenter’s URL, thus it may go undetected.

The second thing is the token. It is easy to spot “edfGDT” or “xzaKRB” as synthetic tokens, but what about

Author : Bernie (IP: 193.90.12.26 , hist.multinet.no) E-mail : 432@www.nak-nordhorn.de URL : http://www.berniephoto.com/ Comment: Kudos! What a neat way of thikning about it.

Here is no obvious token, only a typo in “thinking”. Sure, Google has 26,500 results for “thikning”, but up to now, there was not a single occurrence on manessinger.com, and Google allows you to restrict searches to a certain domain.

In the end I think we have lost another battle against the spammers. Carefully executed, this attack can’t be blocked automatically, because there are no indicators left. Unfortunately there is also no easy way for the moderator to decide. Generic comments are common. I make them at times and so do my visitors.

Take PJ’s comment to “1630 - Some Excuse To Use “Mississippi Half-Step Uptown Toodloo””. PJ writes

I love this photo. The lines and angles are superb.

Sure, the comment refers to a photo, but from the tags on my blog, it is easy to automatically classify it as a photoblog. The comment is a compliment, but I often get compliments. It speaks about lines and angles, but lines and angles are quite common in photographs. In fact, there is no substantial difference between PJ’s comment and the fictional Bernie’s, apart from the fact that PJ’s comment contains no spelling error or typo, but typos are common as well.

Sorry, PJ, for singling you out, hope you don’t mind.

Once again, this is not verified, but I think, though the technical details may vary, the general attack scenario is correct. I can’t think of anything else that would make sense.

So here’s the warning: Just keep an eye on the messages that you moderate, and remember that it does not take a link to make a message SPAM.

The Image of the Day is rather unrelated. I made it today in Villach. The Song of the Day is “Pourquoi (Why)” from Vieux Diop’s 2000 album “Afrika Wassa”. I couldn’t find this beautiful song on YouTube, thus I have uploaded it myself. Enjoy!


There are 7 comments

Juha Haataja   (2011-04-10)

Quite a detective story, and I think you are correct. Spammers are quite clever indeed. Thanks for the warning!

💬 Reply 💬

Eric Jeschke   (2011-04-10)

Good post. If you have your blog set up like me, you will still see an email for every comment on your blog. Thus you would catch that pretty quick before too many SPAM comments had been posted.

💬 Reply 💬

andreas   (2011-04-10)

I have set it up like you. The funny thing is only, here we have a battle that is lost. No further defense possible. I've thought a little about it since I wrote this post, and fact is, not even the token is required. Use combinations of exotic words like "exquisitely elaborate", or even the exotic words alone. How many "exquisitely" do you have on your blog? Worse. It suffices that the word is rare. Make a lookup for word/domain and store the number. If you have increased the number by one, your comment is very likely through. If the blog is big and the number of hits was low, statistics are on your side, and this game is about probability anyway. It does not hurt the spammer to be wrong in a small percentage of cases. Once you do the lookup first, you can play all kinds of variants on this. Just consistently use British spelling on an American blog. It will decrease the number of hits and increase your probability to have been the cause for an increase after a few days. Throw in some French or Spanish words. And so on and so forth. And all that can easily be done programmatically. And here we are: No trace left. Your only defense would be to block people with a fancy style 🙂

💬 Reply 💬

Paul   (2011-04-10)

In general, for those generic comments, I tend to err on the side of caution and mark them as SPAM. I still have some get through, but as soon as I see them, SPLAT! Into the SPAM folder they go. I don't use Akismet, I use SPAM Karma 2 and have used it for years. It's pretty effective, but, on occasion, some will get through. Like you and Eric, I get email notification of all approved comments as well as those that need moderation. So, we have to have some manual intervention at times ... I'm happy that 99% of them are blocked. I'll take care of the other 1%. 🙂

💬 Reply 💬

Rick   (2011-04-13)

This answers a lot of 'wonders' I've had about the origin of the miscellaneous, generic compliments that exist throughout the blogosphere. Your account seems perfectly plausible, and it makes me sad. What I thought was perhaps just naive attempts for attention seeking bloggers looking for links back to their own site, now looks like good old fashioned SPAM.

💬 Reply 💬

andreas   (2011-04-13)

And highly automated as well 🙂

💬 Reply 💬

pj   (2011-04-15)

I don't mind one bit -- the comment was made quickly in passing and is a bit vague and generic -- as long as it's clear to everyone reading that it wasn't a SPAM comment.

💬 Reply 💬