== A small update on comment spammer behavior

Back in CommentSpammerBehavior I wrote that checking the HTTP _Referer_
header wasn't worthwhile because everyone got it right. That is no
longer true; a significant number of comment spam attempts come from
some group that is using HTTP _Referer_ headers of the (illegal) form
'URL1, URL2, ..., MyURL' (where MyUrl is the URL of my 'write a comment'
form); the number of URLs varies.

(A few times they have left out the spaces after the commas, making
their _Referer_ values technically legal.)

Most of the URLs are of other blogs, guestbooks, or bulletin boards that
are encrusted with spam, but every so often the spammers will throw in
one that isn't, apparently picked at random.

All of the machines in the past 28 days or so use a User-Agent of:

> _Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; Maxthon)_

Also over the last month, this group of spammers seems to be the only
thing using this user-agent string. Some Google searching suggests that
places like Project Honeypot are also seeing activity from this group,
some of them from IPs that have been doing this for quite a while (see,
eg, [[here
http://www.projecthoneypot.org/bsh_X19tb2RlPWdsb2JhbCZfX2J5PTEmdWFnPU1vemlsbGElMkY0LjArJTI4Y29tcGF0aWJsZSUzQitNU0lFKzYuMCUzQitXaW5kb3dzK05UKzUuMCUzQitNeUlFMiUzQitNYXh0aG9uJTI5]], and I have to say the Project Honeypot uses really
long URLs).

After some checking, less than 20% of the IP addresses from the last
month are listed in xbl.spamhaus.org, although a couple of them are SBL
listed; interesting, one of the SBL listed IPs is in [[IP address space
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL55692]] said to belong to
the ROKSO-listed 'Hong Chen / YonHen Internet Marketing Center'.

(The other SBL listings are for 195.175.37.70 and 195.175.37.71,
in [[SBL52252 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52252]]
and [[SBL54789 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL54789]]
as known open and actively abused proxies.)

Fortunately, blocking this group is embarrassingly easy. Also
fortunately (or unfortunately) they're not very prolific, making maybe
20 attempts a day and hitting only two entries.

(I have a certain peculiar affection for prolific but easily blocked
comment spammers; it warms the cockles of my black heart to see them
fail over and over again.)