Well, its kinda annoying. My blog has been online for about 6 months now and it was only last week that the number of spam comments I receive, crossed 1000. But I was checking the spam comments today and I was surprised to see that total number of spam comments caught has gone up to 2012. Well, thats over 1000 spams in a week!
Thanks a lot to Akismet for doing all the hard work of catching and deleting spam silently and effectively.
However, one note to spammers, if you are smart enough to get into the system by breaking the captcha or by what ever other ways, you should be smart enough to “not” continue spamming after finding out that your comments get deleted automatically.
#1 by James M on March 30, 2008 - 2:28 am
Quote
The reason why the number has risen so quickly is because a profile of your “form” has been generated and shared. Improperly secured and compromised websites have scripts that are automated to access a library of generated form profiles and post a payload of a randomized messages.
I initially started monitoring the situation on our servers and started reporting violations to host providers that I could identify… but most of the time, the servers were poorly maintained (or not in English) and I couldn’t report the problem.
I haven’t had to resort to using “cross-domain” captchas or Akismet yet and the spam has been greatly reduced. I’ve been validating posts by IP Address via Project HoneyPot. All server-wide scripts ignore posts by known IPs and display a message regarding the abuses of the currently used IP. I do this in hopes that false positives will be investigated by organizations to determine if their network has been compromised so that their own security issues can be properly addressed. (We haven’t had any complaints yet.) More information on Project HoneyPot is available from here:
http://www.projecthoneypot.org/
There’s more that I could write about this process, but I would rather not do it in a public forum or with a potential spammer that may be attempting to socially engineer information from me.
There’s lots of other tricks you could try… but as soon as you publish information on it, the tricks don’t appear to work anymore.
#2 by Anuj Gakhar on March 30, 2008 - 10:58 am
Quote
@James, Thanks for the useful insight. I heard about Project HoneyPot before but never really got to use it. When you say your scripts ignore posts from known IP’s, to me, the first thing that comes to mind is, can this not be then done using some proxy IP’s to change the outbound IP address….just a thought…
Also, the good thing is that Akismet is actually catching all my spam and it doesnt get to show on my posts but the fact that there is a LOT of spam coming in, worries me.
#3 by James M on March 30, 2008 - 7:53 pm
Quote
Yes. Proxies “can” be used, but they are limited, harder to come by and not as easy (or disposable) compared to delivering scripts to a compromised website and having automated form submissions issued directly from the already unsecured IP. (This allows them to save the proxies for higher-level “personal” interaction… like initial profiling.)
My anti-spammer scripts allow all “get” requests, but no “post” requests are allowed by any previously identified IP address. (I only want humans to perform “post” requests.)
PRIVACY: Sending a private message to a third-party for processing should probably involve the sender’s knowledge and/or consent. You should also be aware of Askimet’s privacy policy so that you can explain it to submitters that inquire. I know that a blog comment is not entirely private, but having communications reviewed by a third-party is not the norm.
RELIABLITY: If the Askimet service were experiencing a Denial-of-Service attack or experienced uptime problems, where does that leave user submissions? (still requiring manual review.) Last year we used a new anti-spam service for our mailserver… apparently it was too good and was DOSed by spammers to the point that we had to quit using their service because it wasn’t responding.
QUALITY: It wouldn’t be such a bad thing if there weren’t any false positives or required regular review. We already have to routinely retrain our mail server’s spam filters when the filter gets diluted and real messages are treated as spam and spam is treated as real messages. I don’t want to have to do this with multiple websites.
COST: This is also a factor as Askimet charges $1,000 per 1 million API calls (per month) in their developer license. This can add up very quickly if your forms are constantly being abused by a spambot.
CONSPIRACY: Some folks (I know I’m being general here) believe that anti-virus companies are responsible for releasing new viruses to sell more software. It “is” plausible to think that your forms could be targeted because of the platform or lack of security used, profiled and spammed repeatedly ($) and then have a recommendation to subscribe to a third-party anti-spam tool ($). All messages are being passed for free to a third-party, stored for 15 days and then deleted? The conspiracist in me doesn’t trust it especially since their private policy doesn’t seem to address that messages are not encrypted and that they personally do not extract information from them.
THE MESSAGE IS ONLY THE SYMPTOM
I assume that spambot operators get paid for successful submissions, not successful posts. While Askimet may prevent spam from being displayed on your website after being posted, it doesn’t really do anything to prevent it from being posted in the first place. It only looks at the message and not the submitter… and the message is only the symptom whereas the compromised sender IP is the real problem.
ANOTHER OPTION
Another simple technique you could do without having to resort to Askimet or captcha is to daily randomize the form submission URL script name (this means physically changing the script name)… or if this isn’t possible, pass an id and hash it using a different prefix/suffix each day. If the ID and daily generated hash don’t match (in case someone is online around midnight and still composing their comments), return the form populated with the original submission and an updated hash and have them re-submit again. The spambots I’ve encountered perform their POST and parse results for some “success” text once and do nothing more. If they do not get the “success” text, your form is flagged, they return, update their script and start posting again. (Trust me… they return multiple times to update their profile of your form.) Creating a better online form submission process will reduce spam submission to almost nothing in a week or so. (I’m not familiar with WordPress, so I can’t help with integration.)
Since your blog is dynamically generated, this shouldn’t be a big deal. I’m betting that you would see 1,000′s of 404′s in your logfile (from a limited number of IP addresses) versus 1,000′s of Askimet message scores.
FLEX/FLASH OPTION
I use Roboform to maintain all of my usernames and secure passwords. This unfortunately doesn’t work with Flex or Flash forms. (I’m glad that Adobe started using HTML standard forms for the ColdFusion Exchange.) I recently generated a schedule for CFObjective only to find that I had to store my login information in a safenote… the form was undetectable and regular CTRL+C/V operations were disabled. I’m not a big flash fan, but if you want to make it nearly impossible for your forms to be hacked, use Flex/Flash and hope that they aren’t smart enough to monitor the background HTTP requests (oops, see… I gave something away to the spammers again.)
#4 by Anuj Gakhar on March 31, 2008 - 7:00 am
Quote
@James, wow, that is no less than a complete research on the subject. I just found this as well, http://wordpress.org/extend/plugins/wp-spamfree/
which sounds like a potential solution to me.
Regarding the Cost factor, I dont pay anything to Akismet, I just use it as a plugin …Probably calls with a WordPress API key make it a free service…not sure though..
You can use Flash/Flex forms but we all know flash forms are not always the best choice to use, specially on a blog comments page…it is a pain to implement things like cookies, captcha etc inside those forms….
Overall, you made me think on some good points here, thanks for that.
#5 by James M on March 31, 2008 - 4:20 pm
Quote
Spamfree seems like a viable alternative… especially since the 1.5 version has multiple randomly generated keys and there is no real-time dependence on a third-party.
Regarding the cost factor, I believe Akismet for WordPress is free as long as you don’t make a lot of money from your blog. I initially looked into it planning on integrating into some client’s websites and they way they were getting hit with spam would have been a very expensive proposition.
#6 by Anuj Gakhar on April 13, 2008 - 8:31 pm
Quote
Just as a followup, spamfree has stopped 2500+ spam comments since my last message here. Isnt that amazing!
#7 by James Moberg on April 15, 2008 - 10:45 pm
Quote
UPDATE: Yahoo, Gmail and and now Live Hotmail captcha’s have been cracked.
http://tech.slashdot.org/article.pl?sid=08/04/15/1941236
http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html
#8 by Umendra Singh on March 26, 2009 - 2:42 pm
Quote
Communication is two way process between two or more people.The term communication covers just about any interaction with another person.Its sharing information,ideas & feelings another person.