I've now seen comment spam attempts from Tor exit nodes
As I mentioned on Twitter, I've recently started seeing some amount of comment spam attempts from IPs that are more or less explicitly labeled as Tor exit nodes. While I haven't paid exhaustive attention to comment spam sources over time, to the best of my awareness this is relatively new behavior on the part of my comment spammers. To date not very many comment spam attempts have been made from Tor IPs and other sources still dominate.
Since none of the comment spam attempts have succeeded, I face no temptation to block the Tor exit nodes. There are plenty of legitimate uses for Tor and I'd much rather have my logs be a little bit noisier with more failed comment spam attempts than even block a legitimate anonymous comment.
(Really I only block comment spam sources because I'm irritated at them, not because I think they represent any particular danger of succeeding. So far I've seen no sign that the robotic form stuffers are changing their behavior in any way; they've been failing for more than half a decade and I expect them to keep failing for at least the next half a decade. It's very unlikely that my little corner of the web is important enough to attract actual human programming attention.)
Given that this is a recent change, my suspicion is that Tor has simply become increasingly visible and well known to spammers through its appearance in stories about Silk Road and other hidden services (and people using it). Apparently some malware is now starting to use Tor to contact its command and control infrastructure, too, and certainly we've seen attackers use Tor to hide their IP origin when they access cracked accounts.
(Ironically this makes access from Tor exit nodes a glaring sign of a cracked account for us, since basically none of our users do this normally. Conveniently there are sources for lists of Tor exit nodes (also).)
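The check described in the last paragraph, as an added example that is not code from the original post: it assumes sshd-style auth log lines and a one-address-per-line exit list (both constructed here, using documentation address ranges) and reports only successful logins from listed exits.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample exit list: one address per line, '#' comments allowed.
EXIT_LIST = """\
# constructed sample, documentation address ranges only
192.0.2.10
198.51.100.77
2001:db8::dead
"""

# Constructed sample sshd-style auth log lines (assumed log format).
AUTH_LOG = """\
Jan 12 03:14:07 host sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jan 12 03:15:22 host sshd[415]: Accepted password for alice from 192.0.2.10 port 40190 ssh2
Jan 12 08:02:51 host sshd[902]: Accepted publickey for bob from 203.0.113.5 port 51811 ssh2
Jan 12 09:40:03 host sshd[977]: Accepted password for carol from 2001:0db8:0:0:0:0:0:dead port 50022 ssh2
"""

ACCEPTED = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def load_exits(text):
    """Parse the exit list into a set of normalized ip_address objects."""
    exits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            exits.add(ipaddress.ip_address(line))
    return exits

def tor_logins(log_text, exits):
    """Return {user: [(timestamp, ip), ...]} for successful logins from exits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue  # failed attempts are only log noise; skip them
        # Normalizing through ipaddress makes differently written IPv6 forms compare equal.
        ip = ipaddress.ip_address(m.group("ip"))
        if ip in exits:
            hits[m.group("user")].append((m.group("when"), str(ip)))
    return dict(hits)

if __name__ == "__main__":
    for user, events in tor_logins(AUTH_LOG, load_exits(EXIT_LIST)).items():
        print(user, events)
```

The failed attempt from the same exit address is deliberately ignored, so only the logins that succeeded are surfaced for review.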
Written on 12 January 2015.