My first comment spam

August 9, 2005

I feel like I've arrived somewhere: WanderingThoughts, this blog, has had its first case of comment spam. It's interesting to look at the trail of breadcrumbs and the actual spam, and to see both how much and how little work the comment spammers seem to be putting into this.

To skip to the punchline: some machines in 69.57.150.0/24 (ev1.net) left a peculiarly crafted comment spam pushing a web page on the host 'wieler-forum.nl' (also hosted by ev1.net at 69.57.151.150). The web page pointed to seems to exist to have a bunch of internal links to web pages called things like '/credit--card-consolidation-credit-debt/'.

Presumably the ultimate goal is to give the payoff pages linked to by the blogspam target a high page rank for those words (through relevant words in the page title plus URL plus being linked from a high pagerank page). The one payoff page I checked had a huge pile of links to a CGI on 'feed.peakclick.com', which sends people off to a variety of other web sites.

peakclick.com itself is a 'pay per click' company. Their web page offers 'Free SEO assistance' (SEO being the common abbreviation for 'search engine optimization', sometimes aka blog comment spamming), so I suspect that at a minimum, peakclick.com would not be particularly horrified about what wieler-forum.nl is doing. (Their terms of service appear to require a login, so I can't tell if blog spamming theoretically violates them. They certainly send your click on a URL to them through a huge cycle of HTTP and Javascript redirections before it gets to its ultimate destination.)

The comment spam didn't do them any good, since I removed it promptly (due to getting an Atom feed of all comments on CSpace, I see new comments anywhere, even on old articles, pretty promptly).

The spam itself

The comment spam was done by three IP addresses: 69.57.150.107, 69.57.150.123, and 69.57.150.128. Nothing in 69.57.150.* has visited us in the past 28 days apart from this, and they only visited to do comment spam. Google shows that these three IP addresses have been spamming for some time; the best URL it turns up is 'A new EV1 spammer'.

(Everyones Internet, ev1.net, has of course done nothing about it. They're not well known for doing things about any sort of spammers, to put it one way.)

Their commenting target was the article LargeSystemsTrick, from July 4th (more than a month old by now). They seem to have tried to post twice (at the same time) from two different IP addresses; one post failed (probably due to a DWiki code bug, unfortunately not logged for me to look at).

They also tried to post to the login form, so they may have a piece of software that tries to submit to every POST form on the web page. (They got a 404 response, which DWiki generates on login only if you do something like not supply necessary form values.)

The spam comment was one line of about 2,000 characters of more or less disassociated text and punctuation, with four control-A characters thrown in more or less at random. They only mentioned their URL near the end, once as a plain text 'http://....', and once as an HTML '<a href="...">' link (with the body text being the plaintext URL). They made no attempt to use DWikiText and no attempt to use HTML apart from the one link.

(I speculate that they at least think that there is some anti-blog-spam tool that only looks at the start of the comment. Why the control-As I have no idea; maybe they disrupt some tools.)
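A sketch of a whole-comment check for the traits described above, as an added example (it is not DWiki's code and not from the original post). The thresholds, signal names and sample text are assumptions made for illustration.

```python
import re

# Thresholds are assumptions picked for illustration, not values from the post.
LONG_LINE = 1000       # one unbroken line this long is rare in human comments
TAIL_FRACTION = 0.75   # "near the end": first URL starts past this point

URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"\s*>(.*?)</a>', re.I | re.S)
# C0 control characters except tab, LF and CR; control-A is \x01.
CTRL_RE = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f]')


def spam_signals(comment):
    """Return the names of the heuristics that this comment text trips."""
    signals = set()
    if CTRL_RE.search(comment):
        signals.add("control-chars")
    if any(len(line) >= LONG_LINE for line in comment.splitlines()):
        signals.add("long-single-line")
    # Scan the whole comment, so a link hidden behind filler is still seen.
    first_url = URL_RE.search(comment)
    if (first_url and len(comment) >= LONG_LINE
            and first_url.start() >= TAIL_FRACTION * len(comment)):
        signals.add("url-only-in-tail")
    if any(body.strip() == href.strip()
           for href, body in ANCHOR_RE.findall(comment)):
        signals.add("anchor-text-is-url")
    return signals


def looks_like_spam(comment, needed=2):
    """Flag a comment when at least `needed` independent signals fire."""
    return len(spam_signals(comment)) >= needed


# Constructed samples shaped like the description above, not the real spam.
_words = "lorem, ipsum; dolor. sit amet " * 70            # 2,100 chars of filler
_filler = "\x01".join(_words[i:i + 420] for i in range(0, 2100, 420))
SAMPLE_SPAM = (_filler + "http://spam.example/ "
               '<a href="http://spam.example/">http://spam.example/</a>')
SAMPLE_HAM = "Nice writeup.\nSee http://example.org/ for a similar case."

if __name__ == "__main__":
    print(sorted(spam_signals(SAMPLE_SPAM)))
    print(looks_like_spam(SAMPLE_SPAM), looks_like_spam(SAMPLE_HAM))
```

Requiring two signals keeps a single stray control character or one long pasted line from flagging an ordinary comment.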

Searching for wieler-forum.nl on Google (here) will produce lots of spam examples more or less just like mine.


Comments on this page:

From 209.149.57.26 at 2005-10-23 21:42:39:

Woo, you've arrived!

Written on 09 August 2005.

Last modified: Tue Aug 9 03:07:32 2005