http://blog.teledyn.com/node/1358 Comments for "Blog-Comment SpamBots" en http://blog.teledyn.com/node/1358#comment-2758 <p>A <tt>mod_rewrite</tt> defense against comment-spam found on <a title="October 24, 2004 - 11:56" href="http://drupal.org/node/6663#comment-18700">Drupal.org</a>, posted by candygenius ...</p> <blockquote><p><cite>They are using indexers to find the comment links. I blocked the indexers as well as the originating spammer and cut down on the spam 99%. This block in .htaccess got rid of the latest and most persistent one I have seen.</cite></p> <pre> RewriteCond %{HTTP_REFERER} 12\.163\.72\.13 [NC,OR] RewriteCond %{HTTP_USER_AGENT} (Fetch\ API\ Request) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (Microsoft\ Scheduled\ Cache\ Content\ Download\ Service) [NC,OR] RewriteRule .* - [F] </pre><p><cite>Doesn't stop Google or anyone legitimate from indexing.</cite> </p></blockquote> <p>That code didn't work for me <i>directly</i>, but once I removed the <tt>NC,</tt> in each line, it worked just fine.</p> <p>The same basic technique is applicable to a whole range of abuse-thwarting Apache rewrite rules; I picked up a list at <a href="http://diveintomark.org">Dive Into Mark</a> to detect and defeat all sorts of suspect referrers and User-Agents with no business being in your site (spambots/spybots/offline downloaders) -- the list was probably overkill, banning long since forgotten offenders (I expect they evolve like flu virii) but still instructive enough to use as a template for blocking today's versions.</p> Wed, 08 Dec 2004 16:26:44 -0500 mrG comment 2758 at http://blog.teledyn.com http://blog.teledyn.com/node/1358 <p>Ok, it's real and it's official and it's here today: Automated blog-comment spambots are a reality. </p> <p>Today I was hit by two test posts, and the odd grammar of it made it simple to <a title="Feedster Search: \"here is a free tip\"" href="http://www.feedster.com/search.php?hl=en&amp;ie=UTF-8&amp;q=%22here+is+a+free+tip%22&amp;btnG=Search&amp;sort=date">test in feedster</a> where I found the same odd and pointless test <em>many times</em> ... right down to the exact same mispelled <span class="caps">URL </span>used as the spammer's homepage link.</p> <p>I posted the following to another victim's comments, but it bears repeating:</p> <blockquote><p><i>Looks like we have cause to alert people -- I was hit twice and Feedster shows a few others were hit too, and since the message is almost identical and I'll bet the <span class="caps">URL </span>too (in the one's I got, the <span class="caps">URL </span>didn't resolve, so Verisign picks it up)<br/><br /> And no, I don't see the value except for one thing: As a marker. I have heard that spammers who find open comment blogs will leave a marker that can be found with a subsequent search (Feester?) and that may explain why the previous blog-comment spam I've received always goes to the same three blog posts. I used to edit their comments to remove the <span class="caps">URL</span>s and then ridicule them, but maybe this is a mistake, maybe they just want that highly recognizable string to stay there so they can find it later ... or (as I believe is the case today) where robots can find them.<br/><br /> I got another today, simply some guy's name "rules" with a link to the same name dot com, nothing more, and that link was bogus as was the name@aol ... it <em>must</em> be some sort of marker they are leaving to bootstrap some other planned deployment. That's the only explanation I can think of that makes sense.</i></p></blockquote> <p>end of an era here folks. Open blog comments: 1997-2003. </p> <h4>A Proposal for Blogcrafters</h4> <p>I've <a href="//mt/archives/001235.html">written previously</a> on the problems with some of the obvious solutions such as the bubble-obscured pass key; any viable solution has to be open to all platforms, including those used by blind surfers and low-tech browsers. The solution has to preserve the casual conversation, <i>in situo</i> to retain the forum sense of a thread, and it has to thwart the blog spammers by making each comment somehow <em>accountable</em> ...</p> <p>I propose an <span class="caps">HTTP</span>-based comment moderation or author confirm scheme.</p> <p>Just as we do for automated subscription confirmations, I propose we still allow our blog engines to accept posts from anyone, but <em>before the post is displayed</em> someone must confirm the message. The blog engine might send the comment back to the author with a hash-code <span class="caps">URL </span>they must click to have the comment confirmed and displayed. </p> <p>Blog owners would still retain the power to override this comment-hold manually through the control panel, or perhaps they too are sent the email and can confirm or reject it. A whitelist of trusted parties wouldn't be sufficient since the spammer could just borrow emails they find on the same thread of comments.</p> <p>Since many, probably most webhosts can't accept email, email reply to confirm is probably impractical. The simplest hack for a blog like MovableType would be a comment setting for moderated and/or confirmed comments (maybe this already exists?) where email alerts it already sends on new comments are extended to include the confirm (or instant delete?) <span class="caps">URL </span>in the message.</p> <p>Is this possible as an mt-plugin? Looks like another job for <a href="http://www.lazyweb.org/">Lazyweb</a></p> http://blog.teledyn.com/node/1358#comments here comes everybody Wed, 01 Oct 2003 17:07:29 -0400 mrG 1358 at http://blog.teledyn.com