Comment spam writ large

September 11, 2005

This Friday I discovered a neglected web-based bulletin board on one of our web servers that was open for posting. Unfortunately, comment spammers had discovered it months before I did and had been gleefully exploiting it since then. The result gives me an unpleasant, full throttle view into the world of comment spammers.

The raw numbers are appalling: in the time they were active, the comment spammers posted at least 233,799 spam comments (fortunately, the web board only stored the last 100,000 or so comments, a limitation that I suspect the authors never expected to be hit). At a guess, they were probably doing this for at least six months and possibly more.

(The web bulletin board itself appears to have been last used on August 23rd 2003. Google searches suggest that the spamming may have started as early as October 16th 2003. Unfortunately the searches also show that Google did indeed index the spammed comments.)

Over the past 14 full weeks that I have logs for (from May 29th), they averaged 1160 comment spams a day, which is not quite one comment spam a minute. However, their activity was actually quite bursty, with the peak week seeing 61,918 comments (8,845 a day, more than 6 a minute).

(The rest of this is about the sources of the comment spam, because that information is a lot more accessible and easier to process. Perhaps later I'll try to analyze the web sites being spammed for and who hosts them.)

2,222 different IP addresses were involved in posting the comments, with a highly uneven distribution. Here is the top 10 list of spammer shame:

  Hits IP address/netblock
   618 is part of's IP allocation, and according to them it belongs to one 'Kevin Moll' of Watsontown PA, aka This source has stayed active through September 9th, but figures no more prominently than usual in the big week. is, in part of Verio's netspace. Clearly they're being abused by comment spammers. I wouldn't be surprised if any source of anonymous web access that allows POST commands is being abused that way, including the EFF-sponsored Tor network; spammers just don't care what effects their actions have on other users of the services they're exploiting.

42% of the different IP addresses (935 out of 2222) are currently listed in the XBL. Since XBL listings usually expire in significantly less than 14 weeks, this is particularly impressive. They accounted for 48% of the hits remaining after you exclude the almost 27% that come from and

Top problem sources by ASN, after removing and

# of hits ASN (owner)
4370 AS5511 France Telecom
4300 AS33774 Telecom Algeria
3842 AS7643 Vietnam Posts & Telecoms
3031 AS4837 CNCGROUP China169 Backbone
2331 AS3352 Telefonica (Spain)
2070 AS11172 Alestra (Mexico)
1929 AS8895 Riyadh (Saudia Arabia)
1872 AS3462 Hinet (Taiwan)
1748 AS1659 Taiwan Academic Network
1460 AS5384 Emirates Internet (UAE)

(Verio almost makes the list, but with removed they only have 1,154 hits. Webair has only 3 hits outside of

Many of these networks can be described as 'the usual suspects', as they will look quite familiar to readers of SpamByASN and XBLStats-2005-08-06.

Only 11 different IP addresses were on the SBL, so I will just put them in a table:

# of hits SBL listing comments
567 SBL22883 listed for related malfeasance
405 SBL26426 SAIX web caches
217 SBL31555 web cache
25 SBL24042
16 SBL25866
5 SBL17449
4 SBL30014 A ROKSO listed spammer
4 SBL16836
2 SBL23645
1 SBL21707

Looking at the SBL listings, it looks like machines that are ultimate sources of advance fee fraud spam are also going to source other problems.

Sidebar: the specific IPs:

For Google's sake, the specific IPs involved are:,,,,,,,,, and

I don't know why is missing. made only one comment spam posting, on July 14th; the others are fairly evenly active. (And they stayed active; the most recent hit was September 9th.)

Written on 11 September 2005.
« Hotmail's Other Spam Problem
Weekly spam summary on September 10th, 2005 »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Sep 11 01:24:23 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.