Re: Comment Spam: new trends, failing counter-measures and why it's a big deal

[Gadi Evron <ge () linuxbox org>]

Stephen J. Smoogen wrote:
> On 2/12/06, Gadi Evron <ge () linuxbox org> wrote:
>
> > Recently, new bots rendered current anti spam techniques for blogs
> > almost useless. Here is a short write-up on the subject of comment spam,
> > referrer spam and what's currently happening in that area.
>
>
> Nice summary of what is going on with blog attacks. I havent done much
> with blogs due to job reasons.. so hadnt really kept up with what the
> latest attacks were. They seem to be parallels with website defacement
> for profit, SMTP spam, and other crimes.
>
> I was wondering about that smart "bot".. at what point does it become
> cheaper to "employ" 1,000 phillipine children with English skills and
> have them run through a bot-net to hide their origins.. than develop
> an auto-bot that posts spam for you.
>
> Doing automated searches through whois for obviously fake entries and
> going from there to  search and verify messages to confirming that
> email addresses are correct. Greylisting/whitelisting software might
> also have some affect (if one can legally share that data). Say in
> this way:
>
> Being goes to blog.
>  Being decides to post to blog.
>  Being is given a EULA which basically says "Here are our posting
> guidelines. You give up your right to anonymity if you wish to post
> here."
>  Being is sent a cookie with certain data in it, and is put in greylist.
>  Server stores data on IP address, post data, and IP addresses in post.
>  Greylisted items are posted on delayed time (or after moderation).
>  Server sends greylisted aggregated data to central server (for
> pattern matching AI that hey this same URL/IP address block was
> embedded into 200 blogs today).
>  Posting X amount of times moves one up/down from greylist to
> whitelist blacklist using a bayesian scoring technique based partially
> on keywords, and partially on non-whitelisted URLs.
>   Client servers poll central server regularly for data to be added to
> black/grey/white keyword-URL lists.
>
> The central server is mainly to help multiple private blogs clear out
> bad nets in a short order.. it would not be needed on a large central
> blog aggregator that could act as the central server itself.

I believe you have the right of it. Still, there is no "magic bullet" 
with spam or pretty much anything else in this world.
:/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.