scriptygoddess

29 Oct, 2002

Comment Spam

Posted by: promoguy In: Bookmarks

This is more of a "Heads Up" post than anything else.

This past weekend I was working on a blog entry and saw I suddenly had 128 comment notifications in my inbox. At that moment I knew either my e-mail server had regurgitated all my deleted mail or I was suddenly extremely popular.

I was wrong on both counts. A spammer had created a way to use the MT comment tool on my site to enter the same spam-filled comment in my archived entries, one post at a time. Thanks to the consecutive numbering nature of MT, I assume they just picked an archived entry number and started counting up.

They had sent 220 comments before I stopped them, and I shudder at the thought of what could have happened had I not been sitting there when it began.

Thanks to Phil (who was spammed as well) and his tip on mySQL I was able to delete all the comments at once.

I find it hard to believe Phil and I were the only blogs touched by this, but I have not seen anyone else mention it. But, it seems to me that any MT blog that allows unregistered commenting could be hit by this method. I just wanted to bring this new spamming method to light and, hopefully, begin a discussion on possible solutions.

10 Responses to "Comment Spam"

1 | dave

October 29th, 2002 at 3:20 pm

I did not get hit by this particular vulture, but recently I did have someone post some basic PHP code into my comments in an effort to try to get my .passwd file. Since it was enclosed in PHP brackets, the code wasn't visible except in the email notification sent to me.

So, along the lines of your post topic, is this an additional vulnerability these spammers (or script kiddies) might be able to use against MT users in our comments?

2 | Jennifer

October 29th, 2002 at 4:03 pm

Dave – we had similar problems like that (someone trying to write php code in the comments) a few weeks ago… since then, someone came out with a plugin for MT – that will let you filter out certain stuff… like javascript and php (you specify WHICH tags are allowed – everything else gets ignored.. Kristine posted about it (download the plugin here)… it's called the "sanitize plugin". That will help, at least, on that problem…

Promo – still don't know what to do about your problem… How annoying… I wonder if Ben and Mena could shed some light… Have you posted on the MT forums?

3 | j. brotherlove

October 29th, 2002 at 4:19 pm

I am really stabbing in the dark (since I know very little compared to the goddesses – and gods – in this community). But, I read somewhere (probably in the MT Forums) that you didn't have to settle for consecutive numbering of entries. If, for example, you used entry titles instead of numbers, would that alleviate this ability to write a script/tool to mass send spam?

4 | Phil Ringnalda

October 29th, 2002 at 4:31 pm

Mena said in my comments that they'll be thinking of ways to thwart the moron spammers, but it's a tough thing to block without doing things like requiring registration (and approval of registration) or not publishing comments until they've been approved, both of which would be annoying and would discourage comments. I think the solution has to involve comparing a new comment to the last few comments, looking for things that are too similar for comfort, but even with that everything I've come up with so far would take me less time to script around than it would take to implement in the first place.

Using titles rather than numbers would make things slightly more difficult for the spammers (at the expense of breaking every existing link to your entries), but not too difficult: once a spammer has your first entry, you very nicely provide him with "next entry" links to navigate through every entry, and getting a thousand entries and parsing out the next link and the data from the form shouldn't take more than a few minutes (my unthreaded script, which took a few minutes to write, took around a second to get five entries and parse out the form data).

5 | DidionSprague

October 29th, 2002 at 5:29 pm

The model you might want to check out is Slashdot. It's been a while since I've looked at the code, but they have implemented stuff like comment queuing (only one comment per 20 seconds) and comment scanning for spam (a tweakable filter that looks at the submitted comments and sees if it has certain keywords — like 'first post' — or contains a lot of carriage returns or has one sentence per line, etc. etc.). It's not perfect, but I'd bet something like this would at least slow the potential down.

I'm planning to look into the idea of a 'comment pause' and a configurable spam filter.

6 | Scott Meinzer

October 29th, 2002 at 8:02 pm

This is just my idea on how to keep this from happening. You know how the comments subscription script has a go-between file? You could have it also output the name, IP, or message or something to a file with a time stamp; then when someone posts another comment it could say "Already Posted, Please Wait 60 Seconds" or something, then take it out of the file. Just an idea, and I don't know if it would work.

/Scott

7 | Jennifer

October 30th, 2002 at 8:18 am

(posted this same comment on Phil's site…)

I think Pepino (a commenter on Phil's site) is on the right track… if it is a script, then they probably aren't even going to each page (?) to send the comment… it could be either a checksum or some value that can only be given on an ENTRY page… and without that value, the comment does not go through… kind of like a "session id" or something… the server gives it to the page new each time, each page refresh, or load… then when the comment is posted, it checks to make sure that session id is there, and it's the one that *IT* generated…

Unfortunately, while I could probably figure something like that out in PHP, I'm clueless when it comes to Perl… Does this sound doable to anyone?

One additional note… when the server generates these "session ids"… if it's coming from the same IP in too short a timeframe after a comment from that same IP was generated, it could decide NOT to generate the id… or alternatively it can be cookie based… if the comments are coming from the same cookie within too tight a timeframe… etc. (Again, this would all have to be done directly in the MT code, as any "front" you put up with PHP could eventually be gotten around…)
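The two defences discussed in this thread, DidionSprague's "one comment per 20 seconds" pause and Jennifer's server-issued, single-use page token that must come back with the comment, as one added example. This is illustration code written for this page in Python, not MT's Perl and not a plugin anyone in the thread wrote; the token format, the TOKEN_TTL and COMMENT_PAUSE values and the CommentGate class are all assumptions made here.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a real deployment would keep this secret on the
# server across restarts, otherwise tokens on already-rendered pages stop verifying.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600     # seconds a rendered entry page may sit open before its token expires
COMMENT_PAUSE = 20   # minimum seconds between comments from one IP (the Slashdot-style pause)


def issue_token(entry_id, now=None):
    """Called when an entry page is rendered; the result goes into a hidden form field."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)   # makes every rendered page carry a different token
    mac = hmac.new(SERVER_SECRET, f"{entry_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


class CommentGate:
    """Server-side checks run on every comment POST before anything is stored."""

    def __init__(self):
        self.used_tokens = set()   # a token is good for exactly one comment
        self.last_post = {}        # ip -> time of the last accepted comment from that ip

    def accept(self, entry_id, ip, token, now=None):
        now = now if now is not None else time.time()
        try:
            ts_str, nonce, mac = token.split(":")
            ts = int(ts_str)
        except ValueError:
            return "rejected: malformed page token"
        # The MAC binds the token to this entry, so a token scraped from one page
        # cannot be replayed against the next entry number up.
        expected = hmac.new(SERVER_SECRET, f"{entry_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "rejected: token was not issued for this entry"
        if not (now - TOKEN_TTL <= ts <= now):
            return "rejected: token expired"
        if token in self.used_tokens:
            return "rejected: token already used"
        last = self.last_post.get(ip)
        if last is not None and now - last < COMMENT_PAUSE:
            return "rejected: please wait before commenting again"
        self.used_tokens.add(token)
        self.last_post[ip] = now
        return "accepted"
```

A script that POSTs straight to the comment CGI without loading each entry page has no valid token, and one that does load pages is held to one comment per IP per pause interval.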

8 | kd

October 30th, 2002 at 4:56 pm

OK, I'm not as geeky as I'd like to be, so this may be a dumb question: since this script is automatically filling out a form, it's probably set to look for certain field names, right?

Wouldn't it put the script off its game if everyone made their own custom field names, something that would be hard to guess at?

9 | surreally news and updates

October 30th, 2002 at 3:15 am

comment spam
a new type of spam rears its ugly head — spambots spamming comments. this is very much a new issue,

10 | kd: a blog

October 30th, 2002 at 6:52 pm

there's evil afoot
geeky evildoers of evil
