I just think it's hypocritical for blogs to complain about spam; they are in themselves spam. You spam the internet, the internet spams you back. It's Soviet Russia!
-- Michael

On 2/13/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> Recently, new bots rendered current anti-spam techniques for blogs
> almost useless. Here is a short write-up on the subject of comment spam,
> referrer spam and what's currently happening in that area.
>
> I have given a lot of thought and have done a lot of checking into the
> subject of comment spam. I came up with a few interesting findings.
>
> If you don't run a blog (which will make you an expert) or read about
> this subject in the past, just Google it. You are all smart people. :)
>
> Basically though, comment spam is regular spam only posted in blogs and
> other web pages where comments are possible, both for simple spamming
> economic purposes as well as to help improve ratings of different sites
> in Google and other search engines. The latter is often done by
> publicized commercial companies.
>
> I hope by the end of this post to demonstrate how serious blog spam is,
> or at the very least that it deserves some extra attention if you
> dismissed it in the past.
>
> First off, comment spam is abuse. Abuse isn't new, and as soon as a
> system shows up it will be abused. If not today, then 10 years from now.
>
> It has long been an established yet not widely-known fact that if there
> are mistakes that can happen, they will happen. Leaving a potential
> problem alive just because no one currently exploits it is terrible, and
> yet it keeps happening.
> If the power grid for a significant part of the US can go down once
> every several years, so can any other system (if going down is the worst
> that can happen).
>
> This is only relevant to comment spam in the way it is relevant to every
> other security-related issue, and why is that?
> Because comment spam indeed isn't a new thing. Does anyone remember how
> big guest books used to be in the previous century? :)
>
> And what about referrer spam?
>
> Some interesting things noticed about what I have now newly named web
> spam / web content poisoning or cspam (for comment spam):
>
> [making a point about how silly it is to give new names to spam when it
> skips a medium.. what's your favorite? spit?]
>
> Automated spam is spam sent by a bulk-poster (taken from bulk-mailer).
> It enters web pages and posts spam.
>
> Recently we see a serious increase in comment spam activities, namely,
> in one web page I recently started to help maintain we get over 1000
> spam comments a day. I won't even start discussing the referrer spam
> poisoning we get.
>
> The spam is no longer sent from just one IP address or even just a few.
> Botnets are indeed blossoming in this field.
>
> Recently, there has been a serious increase in spam, coupled with the
> fact that it passes current spam detection techniques (such as
> blacklisting of IP addresses and spammed domains, JavaScript captchas,
> number of URLs in a comment, keywords - useless anyway, some user
> captchas, etc.).
>
> Apparently, there is a new bot out there which passes these successful
> defenses. Further, anti-spam technology in this realm is in no way
> mature or tried. Mostly it is heroic and very impressive efforts done by
> people because they are annoyed by the spam in their blog.
> So far it has been rather successful though, but that success window is
> running out.
>
> As an example, spammers started posting in a technique which quotes the
> last paragraph of your text, or starts the post with something relevant
> and then adds:
> "Oh, by the way, have you tried Viagra?"
>
> On other occasions we see spam posts that would detail how the guy
> searched the web for law-related stuff, but ended up here. BTW, if you
> are also interested in law... check out this page!
>
> My all-time favorites are the posts that say:
> "Great blog! Keep up the good work!"
> "I liked what you've done here, keep it up!"
>
> Etc. Entering the spam URL as their homepage, which is clickable from
> their nickname.
>
> Recently we have even seen one post that had:
> "Where do I find the RSS feed for this blog?"
>
> Sometimes it is very difficult to avoid false positives even with a
> skilled human doing this full-time.
>
> Another type of spam we see is the manual spam.
> People enter the web page with their actual browser and type the spam
> manually. How much does a skilled illegal alien worker cost per day?
>
> One such spam was recently posted on the site I mentioned (guess which
> one) in a blog entry about Symantec. It talked of Symantec and suddenly
> changed tones and said that their anti-spam (of all things) failed
> them. It suggested using a competitor which worked for them.
>
> When looking at the attacking bots, what we mostly find these days are:
> 45% open proxies
> 40% compromised machines
> 10% misc
> 5% unknown
>
> (I haven't actually calculated the numbers, but that's roughly right)
>
> Misc being anything from a completely open installation of a VNC server
> to.. your guess is as good as mine.
>
> Examples of captured spam and Google-poisoning attempts are
> abundant, so I won't bore you. Suffice to say every blog gets very
> specific spam surrounding its topic, as well as the usual peaks in this
> or that type of spam. Lately the house special is pharmacy spam.
>
> Referrer spam is still mostly about porn.
>
> Looking at gangs, we managed, as an example, to identify a very big
> eastern European gang (probably one noisy guy or gal), but when they
> noticed our attention they disappeared for a while.
>
> Another important point to make is the domains used. Much like with
> email spam, these change very frequently and seem to be registered in
> bulk. I don't doubt these are the same people.
>
> I am now talking with many who are active in this field, and we are
> establishing a working group/mailing list to address these issues
> mitigation-wise operationally, as well as research into new trends, bad
> guys, etc.
>
> Some of the already proposed solutions that we are working on are better
> blacklisting services, combining different types of such poisoning in
> web applications from comments to referrers and other things I'd rather
> not discuss right now until they are a bit clearer.
>
> I hope I managed to convince some people of how big this really is. We
> all heard of blog spam; I and many people around me just didn't realize
> the scale until we started working on it.
>
> I figured it's time to let others know as well.
>
> Something can be done about this now to make it less of a threat in
> coming years. I bet most of us would wait until we have to kill it as a
> fire, so that it keeps undergoing evolution and comes back to haunt us.
>
> If I didn't convince you yet of the risks, there have already been
> successful worms exploiting such techniques, some examples:
> http://blogs.securiteam.com/index.php/archives/180
> http://blogs.securiteam.com/index.php/archives/166
>
> I will update on my (and our) findings on this subject on the SecuriTeam
> Blogs site (http://blogs.securiteam.com/).
>
> This quick & dirty write-up can be found here:
> http://blogs.securiteam.com/index.php/archives/285
>
> Gadi Evron.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
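The quoted post lists the weak signals a blog operator had in 2006 (IP and domain blocklists, URL counts in the comment body, generic praise text, a spam URL attached to the nickname as a "homepage", and the trick of quoting the post's last paragraph before pitching a link) and notes that any one of them alone is easy for a bot to pass. As an added example, not code from the post or from Gadi Evron's write-up, the Python below combines those signals into a single score so that no single check is decisive and a comment can be triaged as ham, suspect, or spam. Every blocklist entry, IP address, domain and sample comment is a constructed placeholder (RFC 5737 documentation addresses and `.example` names), not data from the thread.

```python
"""Multi-signal comment and referrer spam scorer (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed placeholder blocklists standing in for the "blacklisting of IP
# addresses and spammed domains" the post mentions. Not real spam infrastructure.
BLOCKED_DOMAINS = {"cheap-pills.example", "casino-win.example"}
BLOCKED_IPS = {"203.0.113.7"}  # RFC 5737 TEST-NET-3 address

# Generic praise boilerplate of the kind quoted in the post.
GENERIC_PHRASES = ("great blog", "keep up the good work", "keep it up", "check out this page")


@dataclass
class Comment:
    source_ip: str
    nickname: str
    homepage: str       # URL the commenter attached to their nickname ("" if none)
    body: str
    post_text: str = ""  # text of the blog entry being commented on


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def tier(self) -> str:
        # Thresholds are an assumption for this example; tune them per site.
        return "spam" if self.score >= 4 else "suspect" if self.score >= 2 else "ham"


def domains_in(text: str) -> set:
    """Lower-cased hostnames of every http(s) URL found in the text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def score_comment(c: Comment) -> Verdict:
    v = Verdict()

    def hit(points: int, why: str) -> None:
        v.score += points
        v.reasons.append(why)

    if c.source_ip in BLOCKED_IPS:
        hit(3, "source IP on blocklist")

    bad = (domains_in(c.body) | domains_in(c.homepage)) & BLOCKED_DOMAINS
    if bad:
        hit(4, f"links to blocked domain(s): {sorted(bad)}")

    body_urls = URL_RE.findall(c.body)
    if len(body_urls) >= 3:
        hit(2, f"{len(body_urls)} URLs in body")

    lowered = c.body.lower()
    generic = [p for p in GENERIC_PHRASES if p in lowered]
    if generic:
        hit(1, f"generic phrases: {generic}")
        # Generic praise plus an off-site homepage is the exact pattern the post calls out.
        if domains_in(c.homepage):
            hit(2, "generic praise combined with external homepage URL")

    # "Quote the last paragraph, then pitch": body opens with the post's final
    # paragraph verbatim and then carries a link somewhere.
    last_par = c.post_text.strip().split("\n")[-1].strip().lower() if c.post_text else ""
    if len(last_par) > 20 and lowered.startswith(last_par[:40]) and (body_urls or c.homepage):
        hit(2, "quotes the post's last paragraph then adds a link")

    return v


def is_referrer_spam(referer: str, own_host: str) -> bool:
    """Referrer-spam check: a Referer whose host is on the domain blocklist."""
    host = urlparse(referer).hostname
    if not host or host.lower() == own_host.lower():
        return False
    return host.lower() in BLOCKED_DOMAINS


# Constructed sample post and comments for demonstration.
POST = ("Symantec released its quarterly threat report today.\n\n"
        "The report's most interesting section covers botnet growth in 2005.")

SAMPLES = [
    Comment("198.51.100.4", "alice", "", "Interesting read. Do you have numbers for Europe as well?", POST),
    Comment("198.51.100.9", "bob", "http://cheap-pills.example/", "Great blog! Keep up the good work!", POST),
    Comment("203.0.113.7", "carl", "", "The report's most interesting section covers botnet growth in 2005. "
            "Oh, by the way, see http://casino-win.example/ for more.", POST),
    Comment("198.51.100.5", "dan", "http://dans-site.example/", "Great blog! Keep up the good work!", POST),
]

if __name__ == "__main__":
    for c in SAMPLES:
        v = score_comment(c)
        print(f"{c.nickname:6} score={v.score:2} {v.tier:8} {v.reasons}")
    print("referrer spam:", is_referrer_spam("http://casino-win.example/x", "blog.example"))
```

The point of the combination is visible in the fourth sample: generic praise with an external homepage scores only "suspect", so it lands in a moderation queue rather than being dropped, which is the false-positive trade-off the post describes even a full-time human struggling with.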
