Some odd behavior from blog comment spammers

August 25, 2012

As I've written about before WanderingThoughts has always gotten a certain amount of (more or less automated) comment spam attempts, all of which has bounced off my anti-comment-spam precautions. There has never been very many of these; I would guess less than fifty a day. It was still enough to irritate me, so earlier this year I added some features to make blocking IP addresses easier (including letting me block IPs only from commenting) and then started blocking various frequent sources of comment spam attempts.

What I was expecting was that a decent chunk of the (low) comment spam volume would convert from comment spam attempts to blocked IPs and then perhaps mostly go away as the spammer software noticed that there wasn't any point to trying any more. This is not what actually happened. Even after I started adding blocks, the volume of unblocked comment spam attempts has stayed more or less constant (judged purely from perception and memory). At the same time attempts from blocked IPs have skyrocketed; they now run at several times more blocked HTTP requests than there are unblocked attempts at comment spam. In other words, blocking comment spammers seems have had the perverse twin effects of getting them to find additional IPs to keep trying from while cranking up the attempts from the old, blocked IPs just in case.

In short: blocking IP addresses has encouraged my comment spammers. It feels as if blocking IP addresses convinced them that there was something worthwhile here because there was someone awake enough to do something about their comment spam attempts.

I'm now half-tempted to remove all of my IP address blocks and see if the number of comment spam attempts drops down (or stays at) its current pretty low level. I half expect it to happen; if so, it'd strongly suggest that what spammers (and their software) target is a certain volume of active submission attempts.

(I'm actually not at all sure what the comment spammers are targeting, but that's a big enough subject to call for another entry.)

Written on 25 August 2012.
« The theoretical right way to check if an account is in a Unix group
Some brief information about a local spam incident »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Aug 25 03:36:49 2012
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.