
I've said it before, I'll say it again: Thank God for MT-Blacklist, a nice little script that attaches to any Movable Type powered blog. According to our blog's activity log, both blogs on this site (my wife's and mine) are getting lots of attempted comment spam. In the last week, it has averaged over 50 attempted spams per day. As 15-year-old Justin would say over and over, "I'm not lyin'!"
We probably only see about one-tenth of that total because MT-Blacklist automatically shuts out comments with certain strings (like "diet pills", "penis enlargement" or variations on the spellings of different prescription drugs) by comparing all text of comments to a master list of forbidden strings. This list is kept updated locally, and you can also add to it from a master list at the MT support site.
Still, some new spam that isn't on the list yet gets through occasionally. When it does, MT-Blacklist makes it really easy to delete it all at once, clean up the blog and update your blacklist to prevent future spams with the same string. I go a step further and research the IP numbers of spammers when I have time.
More than half of attempted spams are from IP addresses that track back (via ARIN) to either the "Asia Pacific Network Information Centre" in Australia or the "RIPE Network Coordination Centre" in the Netherlands. Those two entities control huge ranges of IP addresses (e.g. any IP address that begins with 58, 59, 60, 61, 80, 81, 82, 83, 84, 85, 86, 87, 88, 152, 159, 202, 203, 210, 211, 212, 213, 217, 218, 219, 220, 221, 222, and I am sure there are others I am missing). In other words, the addresses 58.128.95.54 or 58.4.5.6 or 58.255.243.1 all just track back to the same place, which controls all IPs with a 58 prefix.
I have decided to step up the battle a bit and ban those IP prefixes from accessing this site. I can't imagine who the hell would want to read either blog from Australia or the Netherlands anyway. I'm sure some regular readers will nevertheless get shut out of the blogs at some point, and I hope they figure out a different way to get access or email us or something.
Anyway, the rest of the spam comes from miscellaneous random addresses and is more than likely the result of virus software that posts spam comments from the computers of unsuspecting users who have been infected. I block out those individual IPs as they come in, but man, there's a flood of 'em. No telling how many attempted spams don't even show up in my activity log because they are simply banned from accessing the site.
I also get a ton of referrer spam. These are hits that seem to come from nude celebrity, poker, pharmaceutical, etc. web sites. I guess they do this because those referrals show up in web stats that are actually linked, like from extreme-dm.com. Then those URLs appear in published web pages and further increase that site's credibility with search engines like Google or Yahoo, I guess. Not much I can do about that other than banning IPs from Asia Pacific or RIPE and see if the totals drop.
I've been seeing lots more spam lately on other blogs, and it has all the hallmarks of the behavior of an exponentially increasing virus. I just hope I have enough gates shut to keep it down to a manageable trickle that I can delete with MT-Blacklist without getting overwhelmed. Of course, the internet gods are talking about greatly increasing the number of available IP addresses in the near future, so I'm probably just spitting into a tidal wave.
Anyway, if you get banned from this site all of a sudden, don't take it personally (unless you are a troll, in which case please do take it personally). Email me and I'll fix it. Right now, I'm in "measure with a micrometer, mark with chalk, cut with an axe" mode, and it's a bit sloppy. There will probably be some collateral damage.
Posted by Observer at July 23, 2004 07:57 AM
Comments on entries can only be made in pop-up windows while those entries are still on the main index page. Sorry for the inconvenience this causes, but this blocks about 99.99% of the spam the blog receives.
Man, I am very very thankful to Mr Nosuch for hosting my blog. I get basically zero comment spam. I certainly never see any.
Posted by: Humbaba on July 23, 2004 10:04 AM
Yeah, there's a lot of junk email. I suppose I get a couple a day (and I know that's low, but I don't plaster my email address around too much). For a while yahoo.fr was spewing out perhaps half of the ones I was getting; right now I think most of the return addresses are simply spoofed.
On a related note, a remarkably useful reference is at http://accs-net.com/hosts/ which is a very nice "little" hosts file to put on any machine you surf from. Takes a big bunch of obnoxious URLs and maps them to IP number 0.0.0.0. I know, your posting is about spam and not spy-ad sites, but they are to some extent the same phenomenon. In my experience, that hosts file's only real downside is that your "Back" button becomes much less useful, and you have to do the pull-down list eyeball search to backtrack your browsing path. Any page that loads up junk from doubleclick or other ad/spy sites will have that 0.0.0.0 in the URL visited chain.
I turned down a part-time contract to write a piece of spyware (they called it a "geolocation component", but the specs were pretty clearly spyware) back in April. Even though I decided long ago that if it came to it I *would* work on nuclear weapons technologies if that was the only job I could get, I will not consort with the archdemon of spyware.
Posted by: Feff on July 23, 2004 12:04 PM
Ooo, nude celebrity poker ... sounds like a hit for the Spice network where everybody wins, even the penis-enlargement interests.
Just don't ban my car, ok? Thanks.
Posted by: Polerand on July 23, 2004 12:51 PM
Humbaba, do you ever go back and check your archive comments? They almost never hit most recent posts, it's always months/years back into archives, then they spam to death!
Posted by: Felicity on July 23, 2004 04:53 PM
Nosuch affiliates don't get spam because we use a lame-o custom comment system, so bots don't see it... yet. Could happen, I suppose. Seeing the target is tiny, I doubt anyone would ever bother.
Sometimes it's good to be non-standard.
Banning IPs from being able to access the sites seems draconian. Why not just ban dubious IPs from commenting?
Posted by: Mr. Nosuch on July 23, 2004 11:32 PM
Actually, I forgot that MT allows for comment banning. I guess I should try that first. I wish the interface were easier for IP banning, but 10-15 minutes of screwing around with it will probably save me time in the long run.
Posted by: Observer on July 24, 2004 07:33 AM
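
The two filters discussed in the post and comments (forbidden-string matching on comment text, and IP-prefix bans applied to commenting only rather than to site access), as an added Python example; it is not MT-Blacklist's code and does not come from the original page. The function names are hypothetical, and the blacklist entries, banned networks and attempts are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (not the blog's real blacklist or ban list).
BLACKLIST = ["diet pills", "online poker"]
BANNED_NETS = [ipaddress.ip_network(n) for n in ("58.0.0.0/8", "202.0.0.0/8")]

def normalize(text):
    """Lower-case and collapse punctuation/whitespace runs, so spelling
    variations like 'DIET-pills' match the entry 'diet pills'."""
    return re.sub(r"[\W_]+", " ", text.lower()).strip()

def screen_comment(ip, text, blacklist=BLACKLIST, banned=BANNED_NETS):
    """Return (decision, reason) for a comment submission only;
    nothing here stops the same address from reading the site."""
    addr = ipaddress.ip_address(ip)
    for net in banned:
        if addr in net:
            return ("reject", f"ip in {net}")
    clean = normalize(text)
    for entry in blacklist:
        if normalize(entry) in clean:
            return ("reject", f"blacklisted string: {entry}")
    return ("accept", "no match")

def rejected_by_prefix(attempts):
    """Count IP-ban rejections per first octet, to see which prefix
    bans are doing work and how broad their reach is."""
    hits = Counter()
    for ip, text in attempts:
        decision, reason = screen_comment(ip, text)
        if decision == "reject" and reason.startswith("ip in"):
            hits[ip.split(".")[0]] += 1
    return dict(hits)

ATTEMPTS = [  # constructed; the 58.x addresses are the post's own examples
    ("58.128.95.54", "nice site"),           # harmless text, banned prefix
    ("58.4.5.6", "great post"),
    ("192.0.2.10", "Buy DIET-pills now"),    # caught by string, not by IP
    ("198.51.100.7", "I agree with Humbaba"),
]

if __name__ == "__main__":
    for ip, text in ATTEMPTS:
        print(ip, screen_comment(ip, text))
    print(rejected_by_prefix(ATTEMPTS))
```

The first two attempts carry harmless text and are rejected purely on prefix, which is the collateral damage the post anticipates from banning a whole /8.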