Blog updates for i hate spam
5.19.06
The cat and mouse game continues
Welp, now my blog posts started getting comment spam. It was the last holdout that was never breached, until this week. But I'm glad it happened. It really opened my eyes to how comment spammers operate.
I log traffic around this site two ways. First, I track who comes here, if/how they were referred and any searches they do while here. Second, I keep track of who's here within a 5 minute time frame. The second was more vanity than functional, until now.
Well, when the spam started, I cross-checked by IP who posted it, and tracked how they moved around my site. What was noteworthy was they only had one record. At the very least, each legitimate visitor should have 2. Each visit, of course, also had a faked referrer from my site. That means the post was submitted from a remote server, not here...and that remote server is simply running a script mimicking my comment form. The plan? Mark the post attempt as illegitimate and block it.
Using the "vanity" table tracking current visitors here, I check to see if someone trying to post has even visited the site. If not, block and list the IP as a spammer. If they try to move around the site afterwards, their block status is not updated. The block is dropped eventually, but if it's one of those spam bots that tries multiple posts each visit, I'm covered...like a jimmy hat!
There's a bit more that goes on behind the scenes, but it's a pretty neat trick that's doing the trick so far.
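The check described in this post, sketched as an added example (not the site's own code): a Python in-memory stand-in for the current-visitors table and the spammer list. The names `CommentGate`, `VISIT_WINDOW` and `BLOCK_TTL`, the block duration and the sample IPs are assumptions.

```python
import time

VISIT_WINDOW = 5 * 60     # the "who's here" table covers 5 minutes (from the post)
BLOCK_TTL = 24 * 60 * 60  # assumed: how long a block lasts before it is dropped


class CommentGate:
    """In-memory stand-in for the current-visitors table and the spammer list."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.last_seen = {}  # ip -> time of most recent page view
        self.blocked = {}    # ip -> time the block expires

    def record_page_view(self, ip):
        # Browsing after a block updates presence but never lifts the block.
        self.last_seen[ip] = self.clock()

    def allow_comment(self, ip):
        now = self.clock()
        expires = self.blocked.get(ip)
        if expires is not None:
            if now < expires:
                return False
            del self.blocked[ip]  # the block is dropped eventually
        seen = self.last_seen.get(ip)
        if seen is None or now - seen > VISIT_WINDOW:
            # Posted without loading the form from this site: list as spammer.
            self.blocked[ip] = now + BLOCK_TTL
            return False
        return True


def demo():
    # Constructed addresses from the documentation ranges.
    t = [0.0]
    gate = CommentGate(clock=lambda: t[0])
    gate.record_page_view("198.51.100.7")          # visitor loads the form first
    human = gate.allow_comment("198.51.100.7")
    bot_first = gate.allow_comment("203.0.113.9")  # remote script posts cold
    gate.record_page_view("203.0.113.9")           # then moves around the site
    bot_retry = gate.allow_comment("203.0.113.9")  # block status is not updated
    t[0] += BLOCK_TTL                              # block expires
    gate.record_page_view("203.0.113.9")
    after_expiry = gate.allow_comment("203.0.113.9")
    return human, bot_first, bot_retry, after_expiry
```

Because the gate is keyed on IP as in the post, every visitor behind one shared address is treated as a single visitor.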
2.22.06
Polstar Lottery Group is a fraud
My sister-in-law received an "official-looking" letter in the mail tonight congratulating her for being the "Category 'C' winner of the Polstar Lottery Group's annual Unclaimed Funds Random Drawing"...sheesh, try saying that 5 times fast!
Yada, yada, yada...huge amount of money, click here, sign there, call soon. All reeks of a scam. But how can we be sure? Let's start with the basics.
1) Their website www.polstarlg.com
It's pathetic (even if the template was provided by Network Solutions) and devoid of information for a company claiming to hold the key to riches.
Also, since there is no number on the website to call, you have to use their contact form. The contact form that sends your info to http://wsm.ezsitedesigner.com/servlet/VisitorFeedback. Yeah, nice touch.
2) Domain registration information.
The domain was registered and expires:
Updated Date: 23-jan-2006
Creation Date: 23-jan-2006
Expiration Date: 23-jan-2007
Funny how this "annual" event never happened last year and looks to end in 2007. Oh, and the Whois lookup also reveals that a Christopher Smith that registered the domain lives in the good ole' US of A. Why is that relevant? Oh, because Polstar claims to be a Canadian company (1000 tesma way vaughan, ontario canada). One more thing, Whois searches and Google Maps are a wonderful combo. I spy with my little eye ;-)
3) You NEVER, EVER, EVER pay taxes on winnings in order to claim your prize. Yup, that's the clincher. That's how all these scams work. The money you pay is the only money involved in these transactions. That's how they get rich.
This scam had all the tell-tale signs, like the "Confidential Disclosure Agreement". Its only purpose is to keep the potential victim from talking to anyone who can point out the fraud.
UPDATE - Looks like Polstar's web host has disabled their account. Don't know if this post helped lead to it, but fortunately no one else will be scammed through that means.
8.13.05
Referer spam IP list
Here is a list of IPs that have been trying to post referer spam. Use it however you see fit.
Spam IP List
8.10.05
Success with Spammy Check
After a few days of really testing my new referer spam fighting tool, I can say it works flawlessly. Everything being spammed in my Shameless Plug page is getting rejected. Also, legitimate plugs are clearing through. What's more, "like" spam plugs are helping to reject each other. So, for others who may be looking to try something similar, here's how it works.
The key is how spammers use referer. Typical referer spam will load around 30 or more links that all relate to one specific link. For instance, <a href="http://www.stupid-spammer.com">www.stupid-spammer.com</a> will be added to a "URL" input on a comment section, but the "description" section will have additional links to www.stupid-spammer.com/cool.html, www.stupid-spammer.com/checkout.html, www.stupid-spammer.com/online.html, etc.
What Spammy Check does is compare the actual URL to what's in the description after it's added to a "spam" table. All plug submissions are treated as "guilty until proven innocent" so every plug goes through this filter. To have as clean a comparison as possible, using a combination of regular expressions and substr(), I strip all links (from both the URL and the description) as bare as possible. <a href="http://www.stupid-spammer.com">www.stupid-spammer.com</a> will become "stupid spammer".
Next, I do a Boolean search of the "spam" table for URLs and descriptions to see if any words of the URL match anything in the table. Since MySQL will block noise words from being searched, this query will only be against "stupid" and "spammer". Those results are set as a score. If that score exceeds a predetermined threshold, the plug/comment is blocked. If a plug passes the test, it is deleted from the "spam" table and added to the "plug" table.
What's more, the "spam" table has learned to look for "stupid", "spammer" and whatever other words were added to the description in relation to new URLs being posted. That means that "www.hotel-spammer.com" and "www.stupid-blockers.com" will be caught as well. Since both of those would likely be spammers as well, they will have a huge list of related sites which will further block "hotel" and "blockers".
Legitimate traffic will typically pass through because spammers use certain words that identify them as such. Words that normal conversation wouldn't include. Hopefully this brief example will help others to block idiot referer plugs.
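The scoring flow described in this post, as an added example rather than the site's actual code: it swaps the MySQL Boolean search for an in-memory word counter in Python. The noise list, the threshold of 3, the class and function names, and the sample submissions are assumptions.

```python
import re
from collections import Counter

# Assumed noise list and threshold; the post names neither.
NOISE = {"http", "https", "www", "com", "net", "org", "html", "the", "and", "for"}
THRESHOLD = 3


def bare_words(text):
    """Drop tags and URL punctuation; keep lowercase words that are not noise."""
    text = re.sub(r"<[^>]+>", " ", text.lower())
    return [w for w in re.findall(r"[a-z]+", text) if len(w) > 2 and w not in NOISE]


class SpammyCheck:
    def __init__(self):
        self.spam_words = Counter()  # stand-in for the "spam" table
        self.plugs = []              # stand-in for the "plug" table

    def submit(self, url, description):
        url_words = set(bare_words(url))
        # Guilty until proven innocent: the plug enters the spam table first.
        added = Counter(url_words) + Counter(bare_words(description))
        self.spam_words += added
        # Score = occurrences of the URL's words in the table, own entry included.
        score = sum(self.spam_words[w] for w in url_words)
        if score > THRESHOLD:
            return False             # blocked; its words stay to judge later plugs
        self.spam_words -= added     # cleared: leaves the spam table
        self.plugs.append(url)
        return True


def demo():
    # Constructed submissions modelled on the post's examples.
    check = SpammyCheck()
    base = "www.stupid-spammer.com"
    stuffed = " ".join(f"{base}/{p}.html" for p in ("cool", "checkout", "online"))
    return [
        check.submit(f'<a href="http://{base}">{base}</a>', stuffed),
        check.submit("www.hotel-spammer.com", "hotel deals"),
        check.submit("www.example.org/photos", "My photo blog about birds"),
    ]
```

The second submission is rejected only because the first left "spammer" in the table; on a fresh checker the same plug scores exactly 3 and passes.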
8.7.05
My fight against referer spam
Ever since I syndicated this site to Planet DSLR, I've been getting referer spam...and it seems that I'm not the only one.
For those unfamiliar with this, Wikipedia defines it (in short):
Referer spam is a kind of search engine-targeted spam...gives the spammer's site improved search engine link placement due to link-counting algorithms that search engines use.
Essentially, these are the same low lifes that want to flood your inbox with useless advertising. So how do you fight them?
Well, my main defense has always been "this" site. Since I don't use a packaged blogging system, spam bots targeting those systems skimmed right over me. The two prior times I did have spam (which were manually entered), I quickly deleted it and never saw it again. That is, until last week on my Shameless Plug page.
When I first made that page, comment spam was never a consideration because blogging wasn't the thing it is today. Also, I police that page pretty hard as well, so if anything crazy shows up, it gets deleted fairly quickly. Referer spam, though, is sneaky. It comes in quickly, repeatedly, and at the worst possible times. I had to come up with something that can do the policing for me.
Enter the Spammy Check. Taking advantage of a spammer's own trait (loading a referer listing with similar links and repetitive words), I parse every plug to see if it repeats the same words. If it does, it doesn't get posted. Oh, and instead of them leaving referrals about their junk, they update a list of keywords that will judge other spammers' attempts. Schweet!
I'm still tweaking it, but so far it seems really promising.
1.20.05
Looky here, comment SPAM
I guess I should consider myself fortunate. Comment spam has never been an issue for me. I just always assumed it was because I didn't use a "packaged" content management system. Maybe this poor little site was never popular enough to warrant a spammer's attention.
Looks like I have a bit of research and coding to do to prevent this in the future.
