I've now seen comment spam attempts from Tor exit nodes

January 12, 2015

As I mentioned on Twitter, I've recently started seeing some amount of comment spam attempts from IPs that are more or less explicitly labeled as Tor exit nodes. While I haven't paid exhaustive attention to comment spam sources over time, to the best of my awareness this is relatively new behavior on the part of my comment spammers. To date not very many comment spam attempts have been made from Tor IPs and other sources still dominate.

Since none of the comment spam attempts have succeeded, I face no temptation to block the Tor exit nodes. There are plenty of legitimate uses for Tor and I'd much rather have my logs be a little bit noisier with more failed comment spam attempts than even block a legitimate anonymous comment.

(Really I only block comment spam sources because I'm irritated at them, not because I think they represent any particular danger of succeeding. So far I've seen no sign that the robotic form stuffers are changing their behavior in any way; they've been failing for more than half a decade and I expect them to keep failing for at least the next half a decade. It's very unlikely that my little corner of the web is important enough to attract actual human programming attention.)

Given that this is a recent change, my suspicion is that Tor has simply become increasingly visible and well known to spammers through its appearance in stories about Silk Road and other hidden services (and people using it). Apparently some malware is now starting to use Tor to contact its command and control infrastructure, too, and certainly we've seen attackers use Tor to hide their IP origin when they access cracked accounts.

(Ironically this makes access from Tor exit nodes a glaring sign of a cracked account for us, since basically none of our users do this normally. Conveniently there are sources for lists of Tor exit nodes (also).)
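An added example, not code from the original post, of the check the previous paragraph describes: match access-log lines against a published exit-node list and report which authenticated users were seen from Tor. The list format, the log format and every address below are constructed assumptions.

```python
# Added example (not from the original post): match web-server log lines
# against a Tor exit-node list and report authenticated users seen from Tor.
import ipaddress
import re
from collections import Counter

# Constructed exit list (RFC 5737 documentation addresses); the real list's format is an assumption.
TOR_EXIT_LIST = """
# constructed sample, 2015-01-12
192.0.2.10
192.0.2.11
198.51.100.7
"""
# Constructed combined-format log lines; the third field is the authenticated
# user ("-" when anonymous), as a webmail or login service might log it.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2015:09:01:12 +0000] "POST /cgi-bin/comment HTTP/1.1" 403 214
192.0.2.10 - - [12/Jan/2015:09:02:44 +0000] "POST /cgi-bin/comment HTTP/1.1" 403 214
192.0.2.11 - alice [12/Jan/2015:09:05:01 +0000] "GET /mail/inbox HTTP/1.1" 200 8822
203.0.113.9 - bob [12/Jan/2015:09:06:30 +0000] "GET /mail/inbox HTTP/1.1" 200 7310
198.51.100.7 - alice [12/Jan/2015:09:07:15 +0000] "GET /mail/settings HTTP/1.1" 200 1203
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def load_exit_nodes(text):
    """Parse an exit list into a set of IP addresses, skipping blank and comment lines."""
    nodes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nodes.add(ipaddress.ip_address(line))
    return nodes

def flag_tor_requests(log_text, exit_nodes):
    """Return (ip, user, path, status) for each request that arrived via a Tor exit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, user, _ts, _method, path, status = m.groups()
        if ipaddress.ip_address(ip) in exit_nodes:
            hits.append((ip, None if user == "-" else user, path, int(status)))
    return hits

def users_via_tor(hits):
    """Count authenticated users seen from a Tor exit: the cracked-account signal."""
    return Counter(user for _ip, user, _path, _status in hits if user)
```

The failed comment-spam POSTs show up as unauthenticated hits and can be left as log noise; the authenticated hits are the ones worth an alert.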

Comments on this page:

As mentioned previously, if you have some way of implementing a client-side proof-of-work for your blog, you'll watch your approved comment spam disappear. Highly recommended.

By cks at 2015-01-12 13:10:01:

As mentioned, none of the comment spam attempts have succeeded; all of them have been defeated by various precautions that already trip up software and have been doing so for years. Given that I'm already accepting no spam from robots, adding client side proof of work seems unlikely to do anything besides complicate my life. Also, I have a long-standing opposition to requiring people to run JavaScript, partly because I don't.

Client side proof of work is a popular hammer, but my experience is that it is totally unnecessary if you are already taking your own server side precautions (such as invisible honeypot form fields).

Written on 12 January 2015.


Last modified: Mon Jan 12 01:07:47 2015