Finding out if you've been hit by careful, clever spammers

January 8, 2011

When I found my example of careful and clever spammers compromising a blog, I of course thought about letting the blog's owner know about the problem so they could clean it up. But the more I thought seriously about doing that, the more uncertain I got, because of the fundamental problem here: how do I make sure that I'm notifying the blog's owner instead of handing my email address to the spammer?

Let's turn this around to the flipside question: if you're a blog owner, how can you set things up so that people can notify you of such a compromise?

(Of course, the best thing to do is to detect such compromises somehow, perhaps through external monitoring. But this may not always be feasible.)
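One concrete form of that external monitoring, as an added example that is not part of the original post: fetch your own pages from outside and compare the outbound link targets against an allowlist (your own host plus a baseline taken from a known-good fetch). Injected spam shows up as link hosts you never put there. The HTML below is a constructed sample standing in for the fetched page, and `blog.example.org`, `python.org` and the spam hostnames are assumptions, not taken from the post.

```python
"""Offline check for links injected into a page you publish.

Assumed scenario: you periodically fetch your blog's pages from an outside
host and run unexpected_links() over the HTML. The SAMPLE below is
constructed for the example; it is not a real fetch of any site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects every href on an <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def link_hosts(html):
    """Return the lowercase hostnames of all http(s) and protocol-relative
    links; relative links and mailto:/javascript: targets carry no host and
    are skipped."""
    parser = _LinkCollector()
    parser.feed(html)
    hosts = []
    for href in parser.hrefs:
        u = urlparse(href)
        if u.scheme in ("http", "https", "") and u.hostname:
            hosts.append(u.hostname.lower())
    return hosts


def unexpected_links(html, own_host, allowed_hosts=()):
    """Map each link host that is neither own_host, nor in allowed_hosts,
    nor a subdomain of one of them, to the number of links pointing at it.
    An empty dict means nothing unexpected was found."""
    allowed = {own_host.lower(), *(h.lower() for h in allowed_hosts)}
    counts = {}
    for host in link_hosts(html):
        if host in allowed or any(host.endswith("." + a) for a in allowed):
            continue
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample: a normal post with three links that the blog owner
# never wrote, one of them protocol-relative and one in a hidden div.
SAMPLE = """
<html><body>
<h1><a href="/2011/01/some-post">Some post</a></h1>
<p>See <a href="https://blog.example.org/about">about</a> and
<a href="http://www.python.org/">Python</a>.
Mail me at <a href="mailto:owner@blog.example.org">this address</a>.</p>
<div style="display:none">
  <a href="http://cheap-pills.example/buy">buy</a>
  <a href="http://cheap-pills.example/buy?x=1">buy more</a>
  <a href="//cheap-pills.example/more">and more</a>
  <a href="https://casino.example/">play</a>
</div>
</body></html>
"""

if __name__ == "__main__":
    bad = unexpected_links(SAMPLE, "blog.example.org", ["python.org"])
    for host, n in sorted(bad.items()):
        print(f"unexpected link target {host}: {n} link(s)")
```

Run this from a machine that is not the blog host, and with the same `User-Agent` a search engine would send as well as a normal one, since the page you see as yourself is not necessarily the page the spammers show everyone else; any host in the result that you do not recognise is worth a look.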

The usual modern way of handling blog feedback is with comments or a feedback form of some sort on your website. But smart people aren't going to want to leave you a comment through your already compromised blog; since the spammers control it, they could be filtering or silently dropping comments that mention the compromise, on top of whatever else they are doing with their spam. Even an email address on the blog's domain is too dangerous to use, since the spammers might have compromised more than just your website (the mail server, or the DNS for the domain, for example). Instead you need something that is not only off the blog but sufficiently far off the blog that people can see that it's unlikely to have been compromised.

But when you move to off-blog mechanisms, there's another problem; people may be able to trust a GMail address or the like not to be compromised, but how do they know it actually belongs to you instead of to the spammer? They certainly can't immediately trust anything on your blog; since the spammer controls it, the spammer could have changed your 'how to contact me' information to point off to one of their GMail accounts instead of yours.

So what you need is not just alternate paths to reach you, but alternate paths where people can see that they've reached the right person. Usefully, the modern web has a bunch of these in the form of the social network services (Facebook, Twitter, etc), provided that you actually use your account on them. Ongoing activity and participation will help to validate your account as real and (probably) not compromised, and convince people that they have found the right person; a history of posts from well before any compromise that mention or link to your blog is what ties the account to you, since a link from the blog to the account proves nothing while the spammer controls the blog. Conversely, an inactive account could have been registered by the spammer last week as part of an ever more elaborate scheme, or could just belong to someone else with your name.

(I suspect that in practice, spammers just don't go to this amount of effort just for a compromised blog. In fact, I suspect that they generally don't even try to filter and block on-blog comments and feedback, unless it can be entirely automated. Of course I lack direct experience with this, so I could easily be wrong.)


Comments on this page:

From 71.194.168.19 at 2011-01-08 11:46:50:

I haven't really thought of this, but I suppose I'd do a whois on the domain (if the blog and domain are the same thing, obviously it won't work on Blogger) and hope there's an e-mail address on a different domain listed.

Last modified: Sat Jan 8 01:42:14 2011