Comment spam writ large
This Friday I discovered a neglected web-based bulletin board on one of our web servers that was open for posting. Unfortunately, comment spammers had discovered it months before I did and had been gleefully exploiting it since then. The result gives me an unpleasant, full throttle view into the world of comment spammers.
The raw numbers are appalling: in the time they were active, the comment spammers posted at least 233,799 spam comments (fortunately, the web board only stored the last 100,000 or so comments, a limitation that I suspect the authors never expected to be hit). At a guess, they were probably doing this for at least six months and possibly more.
(The web bulletin board itself appears to have been last used on August 23rd 2003. Google searches suggest that the spamming may have started as early as October 16th 2003. Unfortunately the searches also show that Google did indeed index the spammed comments.)
Over the past 14 full weeks that I have logs for (from May 29th), they averaged 1160 comment spams a day, which is not quite one comment spam a minute. However, their activity was actually quite bursty, with the peak week seeing 61,918 comments (8,845 a day, more than 6 a minute).
(The rest of this is about the sources of the comment spam, because that information is a lot more accessible and easier to process. Perhaps later I'll try to analyze the web sites being spammed for and who hosts them.)
2,222 different IP addresses were involved in posting the comments, with a highly uneven distribution. Here is the top 10 list of spammer shame:
Hits IP address/netblock 30117 220.127.116.11/28 4130 18.104.22.168 2364 22.214.171.124 1321 126.96.36.199 1022 188.8.131.52 899 184.108.40.206/24 773 220.127.116.11 749 18.104.22.168 686 22.214.171.124 618 126.96.36.199
188.8.131.52/28 is part of webair.com/webair.net's IP allocation, and
according to them it belongs to one 'Kevin Moll' of Watsontown PA, aka
powerstorm.net. This source has stayed active through September 9th,
but figures no more prominently than usual in the big week.
184.108.40.206/24 is anonymizer.com, in part of Verio's
netspace. Clearly they're being abused by comment spammers. I wouldn't
be surprised if any source of anonymous web access that allows
commands is being abused that way, including the EFF-sponsored
Tor network; spammers just don't care what
effects their actions have on other users of the services they're
42% of the different IP addresses (935 out of 2222) are currently listed in the XBL. Since XBL listings usually expire in significantly less than 14 weeks, this is particularly impressive. They accounted for 48% of the hits remaining after you exclude the almost 27% that come from powerstorm.net and anonymizer.com.
Top problem sources by ASN, after removing powerstorm.net and anonymizer.com:
|# of hits||ASN||(owner)|
|3842||AS7643||Vietnam Posts & Telecoms|
|3031||AS4837||CNCGROUP China169 Backbone|
|1929||AS8895||Riyadh (Saudia Arabia)|
|1748||AS1659||Taiwan Academic Network|
|1460||AS5384||Emirates Internet (UAE)|
(Verio almost makes the list, but with anonymizer.com removed they only have 1,154 hits. Webair has only 3 hits outside of powerstorm.net.)
Only 11 different IP addresses were on the SBL, so I will just put them in a table:
|# of hits||SBL listing||comments|
|567||SBL22883||listed for related malfeasance|
|405||SBL26426||SAIX web caches|
|217||SBL31555||rima-tde.net web cache|
|4||SBL30014||A ROKSO listed spammer|
Looking at the SBL listings, it looks like machines that are ultimate sources of advance fee fraud spam are also going to source other problems.
Sidebar: the specific powerstorm.net IPs:
For Google's sake, the specific powerstorm.net IPs involved are: 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199.
I don't know why 188.8.131.52 is missing. 184.108.40.206 made only one comment spam posting, on July 14th; the others are fairly evenly active. (And they stayed active; the most recent hit was September 9th.)