Spam Patterns

  By Shamus   Apr 14, 2006   14 comments

A few items to note about comment spam:

It seems to come in waves, or cycles. Yesterday I got more spam than I have in the past week. Normally this would lead you to believe that one spammer has started pounding away at the site, but that doesn’t seem to be the case here. I wasn’t keeping count until afternoon, but I’m guessing I got about twenty or thirty so spam comments a all day, and each one seemed to come from a different IP. There were a few common types, and for my own purposes I’ve categorized them:

  • Mr. Brown-noser – Posts a plausible-looking comment like, “I agree! I hope others write about this as well! I love your site.”. It’s clumsy and generic enough to stand out, but I have to actually look at what URL they link before I chuck them in the bit bucket.
  • Mr. Lotsa Links – Obvious spam. The posts are just page after page of keywords and links.
  • Mr. Sneaky – Posts comments to really old posts with just one or two links, hoping they will escape my notice and remain for search engines to find. If I didn’t check the admin page I might miss these ones.
  • Mr. Infomercial – Has lots of “helpful facts” about whatever he’s linking, which is usually generic meds.

Each of the above has just a few variants they re-use, but these are the four distinct types I see. (Each one has other characteristics, like what types of bogus usernames and emails they provide and the type of bold / italics tags they use.)

Anyway, I wonder why the cyclical nature? It is possible that the coming long weekend (which had already arrived in some parts of the world, like Australia) provided the spammers with time off from their normal day jobs. (Clubbing baby seals, most likely.)

Maybe its just a coincidence. Maybe my site has propigated to another group of them.

Sometimes I block the IP of one of these spammers if I already have the admin window open. However, I suspect this is a waste of time. I’m wondering if these changing IP’s aren’t from guys who are using wireless hotspots or internet cafes to do their dirty deeds. If this is the case, then blocking them is a waste of time, and in fact creates a (very, very slight) chance that a legit visitor will arrive on the same address at some point and get rejected.

1414 comments. (Fourteen is the sum of the first three squares.)


  1. Pixy Misa says:

    Trackback spam definitely comes in waves. I’ve had 100,000 spams arrive in the space of an hour (compared to the background level of 1000 or so), and then nothing for a day or two, and then they’re back again.

    I don’t know if the blog spammers are using zombie networks yet, but that’s the next step. Fortunately my biggest problem is trackback spam rather than comment spam, and trackbacks aren’t supposed to come from PC’s so I can just go ahead and block them.

    (You can see the mu.nu trackback filter at work here.)

  2. Eric says:

    what you should do to these people is make a virus that follows the spams ip adress(not sure if correct term or tech jargon) has their own programs spam themselves, or just have pictures of huge fat (pardon my language) c**k repeatingly appear after they close each one.

  3. Shamus says:

    I wish it were so easy. These guys are not really reading my site and adding comments. The comments are coming from programs that do not care about the images on my site. You can’t give a virus to an IP addres, or anything else like that.

    There is nothing you can do but nuke incoming comments like I do, or (once your site gets REALLY big) turn off comments and trackbacks altogether.

    This blog hasn’t been around for very long (September of last year) so I don’t have a feel for what level of spam is “normal”. Perhaps one of the larger and older sites can tell me: Is it just me, or is it getting measurably worse?

  4. Eric says:

    well, to hazard a guess worse. i mean juvenile dickheads are becoming more…. how do you say…more coherent with computers. probably most spammers are 16-old years.

  5. Pixy Misa says:

    Trackback spam went has gone from being a minor problem three years ago to being completely insane. About 99.8% of trackbacks are spam. It really took off about nine months ago, to the point where I had to write a whole new trackback blocking system.

    Comment spam became a problem much earlier, but there are lots of ways to deal with it (captchas and the like), so it’s never gotten so completely out of hand.

  6. Eric says:

    man, i didn’t understand any of that. how can i keep calling my self a geek?

  7. Comment spammers and referer spammers mostly work through open proxies. There are apparently a huge number out there, mostly by accident. In some cases the dividing line between an “open proxy” and a zombie is tissue-paper thin. Email spammers are already using zombies, and I wouldn’t be surprised if comment spammers and trackback spammers will start doing so soon, if they haven’t already.

    Captchas are about the best easy way to cut out most comment spam. Does WordPress have that ability yet?

  8. Shamus says:

    Captchas are about the best easy way to cut out most comment spam. Does WordPress have that ability yet?

    If so, it must go by another name, since I’ve never heard of Captchas before.

  9. Shamus says:

    Ah! I see. The text image thing. (I heart google.) No, don’t got that.

    Would be nice.

  10. Eric says:

    I just opened my email account for the first time in about..i dunno….a year. I had 26 pages of junk mail in my inbox, and anything that would have held my intrests like games, anime,etc. was in my junk mail. Now earlier in the conversation you metioned gamespot, i gave them my address as well for updatesand so forth, are they allowed to give out my address? I thought there was some kind privacy bullshit law or some gayness to stop that. Is there?

  11. Shamus says:

    There is no law as such, since you have to agree to a EULA when you sign up, and they can put whatever expemtions they like in there.

    I doubt Gamespot is behind 26 pages of spam. They seem to have one particular spammer that emails people once within a week of their first signup. After that, I have not seen any further activity in the email I provided to gamespot.

    If you’re using yahoo, gmail, or some other free email service, then keep in mind those sites keep on-line directories. Those directories can be read by email harvesters, who then turn around and sell those email lists. So, a free email account is usually going to become useless over time, even if you don’t use it.

  12. Esben says:

    So, hi!
    Spam is, in my experience, either connected to a homepage (Such as http://www.shamusyoung.com – where posting is allowed without complicated registration-procedures), or emails, where I differ between signing up somewhere and then recieving spam, or just having a free email and therefore recieve spam.
    I’m super moderator in a private board with a registered homepage. Before, when we registered our board at places such as invisionfree or other free board-hosting places, our difficulties with spam were very limited. It was mostly actual people, with whom we’ve had contact with through a game that we played that harassed us (As it was easy to find our board through the search function in this game). I assume that either that’s because the problems with finding these boards and posting them is more difficult than finding homepages and the board they usually link to, but it could also be because places like invisionfree have a better privacy policy than the places where you register your homepage name.
    After half a year with changing boards (As some worked better than others), we decided to rent our own serverplace, and register our own homepage, so we shouldn’t rely on other’s databases.
    The first board we tried after this (Where I was co-admin) had very strong security (Where you needed to register, recieve an email with a link and a picture with a code, and then paste the code into a bar in that link), so we had no problems with security at all.
    Now we’ve changed our board, and sadly, our founding admin decided on another board with less security-functions. This means that we’ve recieved a lot of spam lately, and this has meant more work to me in my duties as super moderator.

    This lead me to the conclusion, that if you have a homepage, where you in some way can post without serious security restrictions, you’ll recieve more and more spam the longer your homepage has been registered, as more and more people (Or bots) discover your homepage and begin to spam it.
    My advice would be, that unless you wish to tighten your security alot, then you’ll have to ban cities or sometimes countries, and that’s pretty much a shame.

  13. Kel'Thuzad says:

    Hi, I am new here and have posted a few things (I hope they were coherent and smart, I am fourteen and don’t want to become a spammer or something). I hate spammers that spam forums that I have been to with useless stuff. Really annoying. But… please don’t do anything that would hurt us when trying to kill the spammers. I have looked over this blog and I love it, and don’t want to fear what a spammer should.

Leave a Reply

Comments are moderated and may not be posted immediately. Required fields are marked *

*
*

Thanks for joining the discussion. Be nice, don't post angry, and enjoy yourself. This is supposed to be fun.

You can enclose spoilers in <strike> tags like so:
<strike>Darth Vader is Luke's father!</strike>

You can make things italics like this:
Can you imagine having Darth Vader as your <i>father</i>?

You can make things bold like this:
I'm <b>very</b> glad Darth Vader isn't my father.

You can make links like this:
I'm reading about <a href="http://en.wikipedia.org/wiki/Darth_Vader">Darth Vader</a> on Wikipedia!