Chris's Wiki :: blog/spam/CommentSpammerTargets Commentshttps://utcc.utoronto.ca/~cks/space/blog/spam/CommentSpammerTargets?atomcommentsDWiki2012-09-24T15:11:27ZRecent comments in Chris's Wiki :: blog/spam/CommentSpammerTargets.By Chris Siebenmann on /blog/spam/CommentSpammerTargetstag:CSpace:blog/spam/CommentSpammerTargets:ca674a7da2f2227dbbeab76316353c2b78158f92Chris Siebenmann<div class="wikitext"><p>My problem with the shifting or growing pool of IPs explanation is
that the patterns I'd expect from it don't seem to match what I'm
seeing. If the pool of IPs that the spammers were using was steadily
increasing, I'd expect to see more and more non-blocked spam attempts
and I generally haven't. If the IPs were shifting, I'd expect the
attempts from old, now-blocked IPs to level off and drop over time
and again this doesn't seem to happen; they still have a significant
volume (more attempts than from unblocked IPs, generally).</p>
<p>(Also, a lot of the IPs seem to be static IPs of servers (which is one
of the things that has changed over time; they certainly used to be
botnet IPs in part).)</p>
<p>You're right that I may be assuming too much about spam software. They
might only care about 'made N attempts that were not obviously blocked'
(ie, that got 200-series responses or something).</p>
</div>2012-09-24T15:11:27ZBy Dan.Astoorian on /blog/spam/CommentSpammerTargetstag:CSpace:blog/spam/CommentSpammerTargets:01c2288a93119e1b2b3cdf59d65ae397c7c99c71Dan.Astoorian<div class="wikitext"><p>Perhaps the simplest explanation for the IP address patterns is that botnets are not static; they grow as new hosts get infected, and the hosts within them that have dynamic IP addresses don't keep them forever.</p>
<p>I don't know how the comment spamming software is typically designed, but I'm not sure there's any incentive for it or its operators to even check whether a posting is successful. If it succeeded, then it's done its job and no further action is needed; otherwise, it would take someone real work to figure out why it didn't get posted, the payoff for doing that work is relatively low, and there's probably no significant reduction in costs by pruning that forum from its list of targets for the next attempt. So why even check whether or not it worked?</p>
<p>"Never test for an error condition you don't know how to handle." --Steinbach's Guideline for Systems Programmers.</p>
</div>2012-09-22T13:29:35Z