Comment spam writ large
This Friday I discovered a neglected web-based bulletin board on one of our web servers that was open for posting. Unfortunately, comment spammers had discovered it months before I did and had been gleefully exploiting it since then. The result gives me an unpleasant, full-throttle view into the world of comment spammers.
The raw numbers are appalling: in the time they were active, the comment spammers posted at least 233,799 spam comments (fortunately, the web board only stored the last 100,000 or so comments, a limitation that I suspect the authors never expected to be hit). At a guess, they were probably doing this for at least six months and possibly more.
(The web bulletin board itself appears to have been last used on August 23rd 2003. Google searches suggest that the spamming may have started as early as October 16th 2003. Unfortunately the searches also show that Google did indeed index the spammed comments.)
Over the past 14 full weeks that I have logs for (from May 29th), they averaged 1160 comment spams a day, which is not quite one comment spam a minute. However, their activity was actually quite bursty, with the peak week seeing 61,918 comments (8,845 a day, more than 6 a minute).
(The rest of this is about the sources of the comment spam, because that information is a lot more accessible and easier to process. Perhaps later I'll try to analyze the web sites being spammed for and who hosts them.)
2,222 different IP addresses were involved in posting the comments, with a highly uneven distribution. Here is the top 10 list of spammer shame:
Hits | IP address/netblock |
30117 | 209.200.11.96/28 |
4130 | 193.251.169.170 |
2364 | 203.162.3.77 |
1321 | 80.237.140.233 |
1022 | 203.162.3.78 |
899 | 168.143.113.0/24 |
773 | 207.248.240.119 |
749 | 198.65.161.88 |
686 | 195.229.241.182 |
618 | 200.201.178.58 |
209.200.11.96/28 is part of webair.com/webair.net's IP allocation, and according to them it belongs to one 'Kevin Moll' of Watsontown PA, aka powerstorm.net. This source has stayed active through September 9th, but figures no more prominently than usual in the big week.
168.143.113.0/24 is anonymizer.com, in part of Verio's netspace. Clearly they're being abused by comment spammers. I wouldn't be surprised if any source of anonymous web access that allows POST commands is being abused that way, including the EFF-sponsored Tor network; spammers just don't care what effects their actions have on other users of the services they're exploiting.
42% of the different IP addresses (935 out of 2222) are currently listed in the XBL. Since XBL listings usually expire in significantly less than 14 weeks, this is particularly impressive. They accounted for 48% of the hits remaining after you exclude the almost 27% that come from powerstorm.net and anonymizer.com.
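The per-IP and per-netblock counts above, and the "share of remaining hits that are XBL-listed" figure, are the kind of numbers that fall out of a short log-processing script. The following is an added example (not code from the original post) that runs over a few constructed Common Log Format lines: it counts accepted POSTs to the board per client IP, folds them into netblocks so a source spread across a /28 shows as one entry, builds the reversed-octet DNSBL query name for an IP (it does not perform the DNS lookup), and computes the listed share after excluding named netblocks. The board path `/board/` and the sample addresses are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format; these are not from the original post.
SAMPLE_LOG = """\
209.200.11.100 - - [01/Sep/2005:10:00:01 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
209.200.11.101 - - [01/Sep/2005:10:00:09 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
193.251.169.170 - - [01/Sep/2005:10:00:15 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
209.200.11.100 - - [01/Sep/2005:10:01:02 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
10.0.0.5 - - [01/Sep/2005:10:01:30 -0400] "GET /board/index.html HTTP/1.0" 200 2048
168.143.113.22 - - [01/Sep/2005:10:02:00 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
203.162.3.77 - - [01/Sep/2005:10:02:41 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
"""

# Common Log Format: client ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def posts_by_ip(log_text, path_prefix="/board/"):
    """Count accepted (HTTP 200) POSTs under the board's path, keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith(path_prefix) and status == "200":
            counts[ip] += 1
    return counts


def aggregate_by_netblock(counts, prefixlen=24):
    """Fold per-IP counts into per-netblock counts, so one source spread over many
    addresses (like the /28 in the post) shows up as a single entry."""
    blocks = Counter()
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)] += n
    return blocks


def dnsbl_query_name(ip, zone="xbl.spamhaus.org"):
    """Name to resolve when checking an IPv4 address against a DNSBL: octets reversed,
    then the list's zone appended. No DNS lookup is done here; it only builds the name."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def listed_share(counts, listed_ips, excluded_nets=()):
    """Fraction of remaining hits that come from DNSBL-listed IPs, after dropping the
    excluded netblocks (the post excludes its two dominant sources before computing 48%)."""
    nets = [ipaddress.ip_network(n) for n in excluded_nets]
    remaining = {ip: n for ip, n in counts.items()
                 if not any(ipaddress.ip_address(ip) in net for net in nets)}
    total = sum(remaining.values())
    if total == 0:
        return 0.0
    listed = sum(n for ip, n in remaining.items() if ip in listed_ips)
    return listed / total


if __name__ == "__main__":
    counts = posts_by_ip(SAMPLE_LOG)
    for block, n in aggregate_by_netblock(counts).most_common():
        print(f"{n:6d} {block}")
    # Pretend 193.251.169.170 is the only XBL-listed address in the sample.
    print(listed_share(counts, {"193.251.169.170"},
                       ["209.200.11.96/28", "168.143.113.0/24"]))
```

Feeding `aggregate_by_netblock` a `prefixlen` of 28 reproduces the post's grouping of the powerstorm.net addresses into 209.200.11.96/28; the `listed_share` exclusion list is where the two dominant sources are removed before the percentage is taken.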
Top problem sources by ASN, after removing powerstorm.net and anonymizer.com:
# of hits | ASN | (owner) |
4370 | AS5511 | France Telecom |
4300 | AS33774 | Telecom Algeria |
3842 | AS7643 | Vietnam Posts & Telecoms |
3409 | AS4134 | CHINANET-BACKBONE |
3031 | AS4837 | CNCGROUP China169 Backbone |
2331 | AS3352 | Telefonica (Spain) |
2070 | AS11172 | Alestra (Mexico) |
1929 | AS8895 | Riyadh (Saudi Arabia) |
1872 | AS3462 | Hinet (Taiwan) |
1748 | AS1659 | Taiwan Academic Network |
1460 | AS5384 | Emirates Internet (UAE) |
(Verio almost makes the list, but with anonymizer.com removed they only have 1,154 hits. Webair has only 3 hits outside of powerstorm.net.)
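Rolling the per-IP counts up to ASNs, as in the table above, needs a prefix-to-ASN mapping and a longest-prefix match so that a customer block inside a larger allocation is attributed to the more specific entry. This is an added example, not the post's own script; the prefix table is constructed, using AS numbers from the documentation range (AS64496 to AS64511), and says nothing about real allocations. It also shows dropping already-accounted-for ASNs from the totals, as the post does with its two dominant sources.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-ASN table standing in for routing-table or whois data. The AS numbers
# are from the range reserved for documentation (AS64496-AS64511) and the prefix/ASN pairs
# are made up for this example; they are not claims about real allocations.
PREFIX_TABLE = {
    "203.162.0.0/16": "AS64496",
    "193.251.0.0/16": "AS64497",
    "209.200.0.0/16": "AS64498",
    "209.200.11.96/28": "AS64499",   # more-specific customer block inside AS64498's /16
    "168.143.0.0/16": "AS64500",
}


def lookup_asn(ip, table=PREFIX_TABLE):
    """Longest-prefix match: the most specific prefix containing the IP wins."""
    addr = ipaddress.ip_address(ip)
    best_net, best_asn = None, None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_asn = net, asn
    return best_asn


def hits_by_asn(counts, table=PREFIX_TABLE, excluded_asns=()):
    """Sum per-IP hit counts into per-ASN totals, skipping IPs with no matching prefix
    and ASNs the analyst has already accounted for separately."""
    totals = Counter()
    for ip, n in counts.items():
        asn = lookup_asn(ip, table)
        if asn is None or asn in excluded_asns:
            continue
        totals[asn] += n
    return totals


if __name__ == "__main__":
    # Constructed per-IP counts (the first four values echo the post's table, the rest are made up).
    sample_counts = {
        "209.200.11.100": 30117,
        "193.251.169.170": 4130,
        "203.162.3.77": 2364,
        "203.162.3.78": 1022,
        "209.200.50.1": 3,
        "198.51.100.7": 1,       # no prefix in the table: dropped from the ASN totals
    }
    for asn, n in hits_by_asn(sample_counts, excluded_asns=("AS64499",)).most_common():
        print(f"{n:6d} {asn}")
```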
Many of these networks can be described as 'the usual suspects', as they will look quite familiar to readers of SpamByASN and XBLStats-2005-08-06.
Only 11 different IP addresses were on the SBL, so I will just put them in a table:
# of hits | SBL listing | comments |
567 | SBL22883 | listed for related malfeasance |
405 | SBL26426 | SAIX web caches |
217 | SBL31555 | rima-tde.net web cache |
25 | SBL24042 | |
16 | SBL25866 | |
5 | SBL17449 | |
4 | SBL30014 | A ROKSO listed spammer |
4 | SBL16836 | |
2 | SBL23645 | |
1 | SBL21707 | |
Looking at the SBL listings, it appears that machines that are the ultimate sources of advance fee fraud spam are also going to be sources of other problems.
Sidebar: the specific powerstorm.net IPs:
For Google's sake, the specific powerstorm.net IPs involved are: 209.200.11.100, 209.200.11.101, 209.200.11.102, 209.200.11.103, 209.200.11.104, 209.200.11.105, 209.200.11.106, 209.200.11.107, 209.200.11.108, and 209.200.11.110.
I don't know why 209.200.11.109 is missing. 209.200.11.110 made only one comment spam posting, on July 14th; the others are fairly evenly active. (And they stayed active; the most recent hit was September 9th.)