Category Archives: Spam

Spam Karma

Well after deleting what seems like hundreds of bloody comment and trackback spams over the past week, I’ve installed Spam Karma (billed as a “fearless Spam Killing Machine”) on this blog. If it’s successful, I’ll be installing it on my other WordPress blogs.

It includes blacklists, captcha or email verification for suspicious comments, a myriad of settings, all that good stuff. For now I’ve set it to “lenient” mode until I get a feel for how strict it is. Feel free to leave junk comments here to see how it goes. (But beware of deliberately leaving spammy comments — for all I know it may decide to blacklist your IP address!)

PS. Tuesday 21:25. The manual install as in the ReadMe worked fine for me, except that you can’t get to the config page through the menus; you have to activate it from the plugins page, then go to the URL it quotes. (This is apparently a known thing with WP1.2, but I guess it applies to WP1.2.2 as well, which we’re running here. Presumably it doesn’t apply to the current nightly builds or to the future 1.5.)

Also be sure to try the test captcha page (linked off the config page) to make sure that bit works (e.g. that the correct PHP libraries are there somewhere. If they’re not, I guess you need to hassle your ISP. Works fine for me.)

PS. Wednesday 21:15. There is a hitch: the e-mail it sends out summarising what it’s done is encoded with something. I think this is an incompatibility with the PHP setup on my ISP… the same thing happened with WordPress 1.2’s password reminder messages. I’ll have to dig around for a fix.

It should also be noted that Tony has tried to plonk it onto a blog he runs, and is having some issues. So it’s not all beer and skittles.

On the bright side, it tells me it caught 20 spam comments in the last 24 hours. I certainly haven’t seen any get let through.

PS. Thursday 20:05. Some are getting through, but evidently nowhere near the total number being caught. Hmmm.

Interview with a spammer

The Register’s Interview with a link spammer.

When Sam begins a spam run, he has one target, though he’ll accept any of six. Principal one: come top of the search engines for his chosen site’s phrase. “But you’ll accept coming in at 1, 2 or 3, or if you come at 8, 9 or 10. Actually, 8, 9 and 10 have better conversion rates. I don’t know why. Maybe the eyes fix on it when you scroll down the page.” And the cost of doing it? Once the code is written, pretty much zero. “Bandwidth is cheap,” he says. “You set it going in the evening and come back in the morning to see how it’s gone.”

So what beats them? Sounds like captchas (those distorted images requiring a human to type a letter).

So what does put a link spammer off? It’s those trusty friends, captchas – tests humans are meant to be able to do but computers can’t, like reading distorted images of letters.

There are several WP plug-ins that will do them; I haven’t tried any yet. But I will soon.

Comment spam vs nofollow

More comment spam hitting us at the moment, but curiously the comments don’t seem to have URLs with them, so I’m not sure what the point is. They’re all purporting to be from non-English-speaking e-mail addresses, and many in broken English, with a generic compliment about how marvellous your web site is. Odd.

Meanwhile, Google have come up with a new rel="nofollow" attribute for links to help fight comment spam. And they’ve got a bunch of blogging heavyweights to back it, too, including the MT/TypePad, Blogger (duh), MSN Spaces and the WordPress gang, which might well cover a good proportion of blogs running today.

Now, W3C ratification, anybody? Oh pah, who cares?

Lycos vs spammers

Lycos, remember them? I think they might have been my search engine of choice around 1997, somewhere between Infoseek and AltaVista, way before young upstarts like LookSmart and Google arrived on the scene.

Well according to the Reg (via AndyN), Lycos are behind a new screensaver designed to launch DDoS attacks on spammers! Well okay, not to completely shut spam servers down, but to slow them down markedly.

Hmm. I hate spam as much as the next man, but I’m not sure about this. Could do nasty things to your local traffic (watch out if you pay by the Mb when you’re over your limit). You wouldn’t want to be trying to use bits of the Innanet close by to the spammers, and you sure as hell wouldn’t want to get yourself falsely identified as running a spam server. (Hey, if I can be identified as running a hacker/phreaking journal, anything can happen).

And of course, it’s a way for Lycos to come under fire from the spammers, who have apparently already hacked the page with a message saying “Yes, attacking spammers is wrong, you know this, you shouldn’t be doing it. Your ip address and request have been logged and will be reported to your ISP for further action.”

This could be war. (Lycos Europe deny their server was hacked, saying the spammers rigged it so people get a different one.)

Dictionary ads

I find dictionary.com to be a very handy resource. But boy are their ads annoying. And it looks like they’ve gone that extra mile to get their popup ads to dodge around Firefox and IE+Google Toolbar’s popup defences. (At least I assume it’s them, not some other site with popups sitting in the background).

Not to mention the fact that the popup ads are the worst kind – the ones that look to people of limited computer-literacy like legitimate system messages, for instance:

Fake warning

Oh sure, they have “advertisement” written in tiny tiny greyed writing in the corner. That makes it all better, doesn’t it. I wonder if Cancel actually closes it? (I clicked the X in the corner.)

Blog spamming

At the time of writing, my main blog is under a sustained comment spamming attack. Over 50 spam comments today, all targeting the one old post, promoting a poker web site. At least one other WordPress-based blogger is getting them, so it’s not just me. And what’s interesting is they’re from a variety of different IP addresses, so assuming that’s not spoofed, it looks like the attack is coming from multiple zombies.

(Links in text deleted)

Author : poker (IP: 195.172.182.228 , 195.172.182.228)
E-mail : byob@y7263o.com
URL : http://www.poker-w.com
Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=195.172.182.228
Comment:
7263 JUST A FEW LINKSFOR YOU TO CHECK OU WHEN YOU GET A CHANCE
Online poker
texas holdem poker
texas hold em

When I first saw this type of comment spam, I thought huh? What’s the point? Who is going to see such comments and click on them? Particularly in this case, with dozens of the same spams hitting one particular post. But the point is getting links to your sites into the search engines, and up the rankings. Whether it works or not I don’t know.

WordPress has a fair bit of flexibility when it comes to catching comment spam. The most useful generic setting is the number of links in a comment. A surprising number of comment spams have heaps of links. You can also nominate keywords (though in 1.2 there was a bug in that if the final keyword on the list had a CR after it, every comment got caught). Caught comments go to moderation, so they never see the light of day. Handy for comment spam and for moderating particular users/IP addresses too.
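To make the two settings above concrete, here is an added example (not WordPress’s own code) of a link-count threshold plus a newline-separated keyword list, showing how a trailing line break after the last keyword produces an empty keyword that matches every comment, and the trim-and-drop-blanks fix. The function names, the substring-match model of the keyword check, and the sample comments are assumptions.

```python
"""Comment-spam moderation check modelled on the WordPress 1.2 settings
described above (link-count threshold and a newline-separated keyword list).
Example code, not WordPress's own; names and the substring-match model of
the keyword check are assumptions."""
import re

# Counts URLs whether or not they sit inside <a href="..."> tags (assumption).
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed samples: a link-heavy comment like the one quoted above, a
# harmless one, and a keyword list whose last entry has a trailing CR/LF.
SPAM = ("7263 JUST A FEW LINKS FOR YOU TO CHECK OUT\n"
        '<a href="http://example.com/a">Online poker</a>\n'
        '<a href="http://example.com/b">texas holdem poker</a>\n'
        '<a href="http://example.com/c">texas hold em</a>')
HAM = "Nice write-up, thanks for the Spam Karma tip."
KEYS = "poker\nviagra\r\n"


def count_links(comment: str) -> int:
    return len(URL_RE.findall(comment))


def keywords_buggy(moderation_keys: str) -> list:
    # Naive split: "poker\nviagra\r\n" -> ['poker', 'viagra\r', ''].
    # The trailing '' is the bug: an empty needle is found in every comment,
    # and 'viagra\r' no longer matches "viagra" either.
    return moderation_keys.split("\n")


def keywords_fixed(moderation_keys: str) -> list:
    # splitlines() handles CR/LF; strip and drop blanks so no empty key survives.
    return [k.strip() for k in moderation_keys.splitlines() if k.strip()]


def matches_keyword(comment: str, keys: list) -> bool:
    text = comment.lower()
    return any(key.lower() in text for key in keys)


def needs_moderation(comment: str, moderation_keys: str,
                     max_links: int = 2, fixed: bool = True) -> bool:
    """True when the comment should be held: too many links, or a keyword hit."""
    if count_links(comment) > max_links:
        return True
    keys = keywords_fixed(moderation_keys) if fixed else keywords_buggy(moderation_keys)
    return matches_keyword(comment, keys)
```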

Comment spammers, like other spammers, are getting cleverer. Hopefully the blogging community (and in particular those who write and update blogging software) will stay one step ahead of them.

Update Friday 07:30: The attack appears to be widening to more blog posts, and branching out to Viagra and weight-loss, but is still showing signs of being from the same source. To counter it, I have shut down comment posting on entries more than 60 days old using Scott Hanson’s Auto Shutoff Comments plugin.

Defined: Wikipedia on blog comment spam.

Possible solution for WP?: Modification to comments code that ensures it can only be called from the form, not remotely. I’ll try this when I get the chance.

Update Friday 13:00: The patch above doesn’t work for this particular attack. Looks like this one spoofs the referrer… which makes sense, any decent spammer would think of that.

Gmail and spam

Ooooooooooh. Seems Age IT writer Charles Wright isn’t too keen on people disagreeing with him. In today’s Age he writes about Hotmail’s cancellation of free WebDAV (Outlook/Outlook Express) access (bastards!) and mentions in passing that Fastmail.fm is great (so I’ve heard) and that it’s better than GMail, which has “no spam protection to speak of.”

GMail spam caught

Oh. Coulda fooled me. So I left a comment on his blog, mentioning that actually GMail does have spam protection. He replied reckoning yeah but it only catches about 30%. I replied saying it was catching most of mine. This apparently inspired a followup blog entry making note of overzealous Google-lovers writing to him if he criticises the company.

Well, what can I say. I’ve been using GMail for some months now, and feeding it mail addressed to one of my oldest and most spammed email addresses (dbowen at custard dot net dot au, circa 1997). GMail catches most of them. I just logged in after being away for three and a half hours (gasp!) and it’s caught 18 spams — no false positives, none slipped through into my Inbox. It’s not always this good, but I have no major complaints.

Maybe he looked at GMail early on, when the filters weren’t as good. Or maybe he attracts a higher class of spammer than me. Dunno. But it works for me.

By the way, anybody want a GMail invitation? They keep giving me lots, and although I’ve tried giving some away via GMail swap sites, they keep on coming back. Leave a comment with your email address in the email field (it won’t display publicly, but I’ll see it).