Speculation about what comment spammers think they're doing here
September 22, 2012
To summarize briefly, comment spam attempts here show some odd behavior; when I add sources to IP blocks, I see significant hits on those blocks but the level of non-blocked comment spam attempts stays more or less the same (but comes from new IPs). It's as if the comment spammers keep trying from the old IPs but also add new IPs. I'm a firm believer that spammers are generally not stupid. Whatever strange things they're doing are being done for reasons that make sense to the spammers. So the real question I'm left with is what the comment spammers are targeting here. What is their actual goal, which their software presumably thinks it's dutifully achieving?
What their software actually does almost all of the time is fill in all of the text fields on the 'add a comment' page (including my honeypot field that you are not supposed to touch), submit it for previewing, and then not do anything more. In particular the spammers seem to basically never attempt to resubmit the spam to actually post it; one
I've come up with two speculations on what they're doing so far. First, the spammer software could think that it's actually succeeding in posting spam comments and it could be targeting 'so many comments posted successfully'. This is a bit of a stretch but the raw text of a comment is (re)displayed on the preview page (although the HTML version is not shown if the honeypot field was touched). Software that simply searched for its submitted spam text might be satisfied and conclude that the comment had been successfully posted.
Second, the spammer software could be trying to flood a (presumed) moderation queue with a high volume of spam submissions in the hopes that something would get through by mistake. The software would then be targeting 'so many comments submitted into the queue' and it would continue to pound away even if nothing seemed to be getting through; after all, the people behind the moderation queue only have to make a mistake once.
(I feel that one of the principles of the modern Internet spam game is 'automated work is cheap'. If the spammer can just leave software running to do something, they might as well keep it banging away; the cost of leaving it running is probably low enough that even a single success pays for it. In an environment where you have to rent botnets by the 15 minutes and so on, this may not be quite as true as I've been assuming.)
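The pattern described in this entry can be measured from comment-form request logs. The following is an added example, not code from this blog or its software; the record layout, the blocklist format and the function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data: (day, source IP, action, honeypot field filled?)
EVENTS = [
    (1, "192.0.2.10", "preview", True),
    (1, "192.0.2.11", "preview", True),
    (1, "198.51.100.7", "preview", False),
    (1, "198.51.100.7", "post", False),   # ordinary commenter: preview, then post
    (2, "192.0.2.10", "preview", True),   # source is blocked by now, still trying
    (2, "192.0.2.11", "preview", True),
    (2, "203.0.113.5", "preview", True),  # new source appears
    (2, "203.0.113.6", "preview", True),
]
# Hypothetical blocklist history: network -> day it was added to the IP blocks.
BLOCKS = {ip_network("192.0.2.0/24"): 2}


def is_blocked(ip, day):
    """True if the IP falls in a network that was already blocked on that day."""
    addr = ip_address(ip)
    return any(addr in net and day >= since for net, since in BLOCKS.items())


def preview_only_sources(events):
    """IPs that touched the honeypot on preview and never tried to post."""
    touched, posted = set(), set()
    for _day, ip, action, honeypot in events:
        if action == "preview" and honeypot:
            touched.add(ip)
        elif action == "post":
            posted.add(ip)
    return sorted(touched - posted)


def daily_spam_attempts(events):
    """Per day, honeypot-touching attempts split into blocked and unblocked."""
    out = defaultdict(lambda: {"blocked": 0, "unblocked": 0})
    for day, ip, _action, honeypot in events:
        if honeypot:
            out[day]["blocked" if is_blocked(ip, day) else "unblocked"] += 1
    return dict(out)


if __name__ == "__main__":
    print(preview_only_sources(EVENTS))
    print(daily_spam_attempts(EVENTS))
```

In the constructed data the unblocked count stays at the same level on both days while hits on the blocked network are added on top of it, which is the shape described at the start of the entry.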