The Other Joy of Comment Spam

One of the blogs I host, Dana’s Security Blog, is very, very popular with the comment spammers tonight. His blog alone got 6004 attempts to post blog comment spam, a big problem for folks using many of the blogging tools out there that allow people to comment, such as MovableType. Doesn’t look like they managed to post anything (his comments are turned off for old posts, and the spamming slimeball asshole idiot fucktard bastards seemed to just go numerically through entry IDs, trying to post approximately 100 spam entries per post). I’ve gotten three or four alerts from Big Brother warning me that CPU on UFies was high thanks to these guys hitting the CGIs. So even if they aren’t posting their crap to the web, they are still having an effect. Why is it again that every good thing is ruined by those trying to exploit it for money? Oh right, because the human race is full of thoughtless bastards who deserve to be strangled with their own entrails and slowly eaten alive by wolves, bears, and the sarlacc.

The funny thing is the company whose IPs the spammers were posting from has a webpage (which I won’t link) with “free internet accelarator and email virus scanning”. Yea, I believe that.

Might be time to start looking at integrating a tarpit with mt-blacklist. Somehow.

8 Comments on “The Other Joy of Comment Spam”

  1. Hm — seems like you’re seeing very different behaviour than I am. What I see is a GET for the page, followed by a POST less than a minute later. Wait a while — anywhere from 15 minutes to an hour — then repeat from a different IP address. Dunno why I get the polite spammers. 🙂
    If you’re seeing ’em all from the same IP, then yeah, tarpitting’ll be great; mod_trigger might help you out there. You could also see if the bots are dumb enough to follow a redirect.
    At one point someone told me that Snort could do the sort of thing you’re talking about: enough X in time Y means response Z. I never did follow up on that, since the time Y I’m seeing is so long.

  2. I’ve come across the same problem recently. I use WordPress, and there’s a lot of plugins and hacks that fight comment spam — everything from using SpamAssassin to a simple question. I’ve got a couple of these installed (see my blog for details), and boy howdy do they work.
    The trouble is, that’s no way to run a controlled experiment — there’s no way of knowing how well each component works, or of getting a comparison between one or more of these methods and nothing at all. I’m in the process of setting up an experiment that’ll try to get some hard numbers on what works and how well.
    As far as tarpitting goes, I think it’s going to be difficult. One way is to have your blog add a tarpitting rule to your firewall (say) for someone who’s just spammed you — but at that point, the packets are all sent and the fucker^Wspammer’ll just move on to another Zombie PC.
    Alternatively, you grep packets for certain strings and start tarpitting based on that, but that’s going to trip you up if you (say) have a discussion on your blog about what comment spammers are doing these days.
    One of the things I’m going to do with the sacrificial blogs is log absolutely all web traffic. If we’re lucky, a comment spam will take up more than one TCP packet (I assume it will, but it’d be nice to know for sure) and we can do something like “if someone begins a conversation with these spammy words, start tarpitting”.
    Sorry — this was meant to be broken up into more than one paragraph, but it seems to like One Big Block. Anyhow, check out my blog — a lot of the stuff I use on WordPress has been ported from MT.

  3. Thing is that comment spammers all use pretty much the same methods (right now anyway). They go through a whack of mt-comments.cgi entries, many per second or minute, attempting to post. Looking at silverstr’s blog I see attempts every 4 or 5 seconds to post to /blog/mt-comments.cgi with various attributes being passed.
    Yesterday’s were about 9 per second. If there was a way for a firewall/IDS to watch for attempts to your comments within too short a time and start tarpitting those IPs. I.e., more than one attempt to an mt-comments page every second would be considered spam. You’d have to deal with web crawling bots of course, and the less than one packet thing as well, but still, that’s my idea.

  4. New MovableType Release Addresses Spam Load Issues

    The new Movable Type 3.14 apparently addresses the load issues that have come up from comment spammers attacking system and…
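
The "enough X in time Y means response Z" idea from comments 1 and 3, as an added example that is not code from the post or any commenter: a sliding-window pass over access-log lines that flags an IP making more than one POST per second to /blog/mt-comments.cgi. The log lines, addresses and the `find_flooders` name are constructed for illustration; the default threshold is the one proposed in comment 3.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Apache common-log style; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2005:21:00:10 -0500] "POST /blog/mt-comments.cgi HTTP/1.0" 200 310
198.51.100.20 - - [01/Jan/2005:21:14:02 -0500] "GET /blog/mt-comments.cgi?entry_id=41 HTTP/1.1" 200 900
198.51.100.20 - - [01/Jan/2005:21:14:02 -0500] "GET /blog/mt-comments.cgi?entry_id=42 HTTP/1.1" 200 900
198.51.100.20 - - [01/Jan/2005:21:14:03 -0500] "GET /blog/mt-comments.cgi?entry_id=43 HTTP/1.1" 200 900
203.0.113.7 - - [01/Jan/2005:21:14:03 -0500] "POST /blog/mt-comments.cgi HTTP/1.0" 200 310
203.0.113.7 - - [01/Jan/2005:21:14:03 -0500] "POST /blog/mt-comments.cgi HTTP/1.0" 200 310
203.0.113.7 - - [01/Jan/2005:21:14:04 -0500] "POST /blog/mt-comments.cgi HTTP/1.0" 200 310
203.0.113.7 - - [01/Jan/2005:21:14:04 -0500] "POST /blog/mt-comments.cgi HTTP/1.0" 200 310
192.0.2.11 - - [01/Jan/2005:21:31:40 -0500] "POST /blog/mt-comments.cgi HTTP/1.0" 200 310
192.0.2.12 - - [01/Jan/2005:22:05:02 -0500] "POST /blog/mt-comments.cgi HTTP/1.0" 200 310
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def find_flooders(log_text, path="/blog/mt-comments.cgi", max_posts=1, window_s=1):
    """Map each flooding IP to the time it first exceeded max_posts
    POSTs to `path` inside a window of window_s seconds.
    Assumes the log is in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, method, url = m.groups()
        # Only POSTs to the comment CGI count, so crawlers issuing GETs are ignored.
        if method != "POST" or url.split("?", 1)[0] != path:
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() >= window_s:
            window.popleft()  # drop POSTs that have aged out of the window
        if len(window) > max_posts and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_flooders(SAMPLE_LOG).items():
        print(f"{ip} exceeded the POST rate at {when.isoformat()}")
```

The flagged addresses are the candidates for a tarpit or firewall rule. The one-POST-per-IP pattern described in comment 1 (192.0.2.10 through 192.0.2.12 in the sample) never trips a per-IP window, whatever the threshold.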