Re: Comment Spam: new trends, failing counter-measures and why it's a big deal

[Michael Silk <michaelslists () gmail com>]

I just think it's hypocritical for blogs to complain about spam; they
are in themselves spam. You spam the internet, the internet spams you
back. It's soviet russia!

-- Michael

On 2/13/06, Gadi Evron <ge () linuxbox org> wrote:
> Recently, new bots rendered current anti spam techniques for blogs
> almost useless. Here is a short write-up on the subject of comment spam,
> referrer spam and what's currently happening in that area.
>
> I have given a lot of thought and have done a lot of checking into the
> subject of comment spam. I came up with a few interesting findings.
>
> If you don't run a blog (which will make you an expert) or read about
> this subject in the past, just Google it. You are all smart people. :)
>
> Basically though, comment spam is regular spam only posted in blogs and
> other web pages where comments are possible, both for simple spamming
> economic purposes as well as to help improve ratings of different sites
> in Google and other search engines. The latter is often done by
> publicized commercial companies.
>
> I hope by the end of this post to demonstrate how serious blog spam is
> or at the very least that it deserves some extra attention if you
> dismissed it in the past.
>
> First off, comment spam is abuse. Abuse isn't new and as soon as a
> system shows up it will be abused. If not today, than 10 years from now.
>
> It has long been an established yet not widely-known fact that if there
> are mistakes that can happen, they will happen. Leaving a potential
> problem alive just because no one currently exploits it is terrible, and
> yet it keeps happening.
> If the power grid for a significant part of the US can go down once
> every several years, so can any other system (if going down is the worst
> that can happen).
>
> This is only relevant to comment spam in the way it is relevant to every
> other security related issue, and why is that?
> Because comment spam indeed isn't a new thing. Anyone remembers how big
> guest books used to be in the previous century? :)
>
> And what about referrer spam?
>
> Some interesting things noticed about now newly named by me web spam /
> web content poisoning or cspam (for comment spam):
>
> [making a point about how silly it is to give new names to spam when it
> skips a medium.. what's your favorite? spit?]
>
> Automated spam is spam sent by a bulk-poster (taken from bulk-mailer).
> It enters web pages and posts spam.
>
> Recently we see a serious increase in comment spam activities, namely,
> in one web page I recently started to help maintain we get over 1000
> spam comments a day. I won't even start discussing the referrer spam
> poisoning we get.
>
> The spam is no longer sent from just one IP address or even just a few.
> Botnets are indeed blossoming in this field.
>
> Recently, there has been a serious increase in spam, coupled with the
> fact that it passes current spam detection techniques (such as
> black-listing for IP addresses and spammed domains, Javascript Captchas,
> number of URL's in comment, key works - useless anyway, some user
> Captchas, etc.).
>
> Apparently, there is a new bot out there which passes these successful
> defenses. Further, anti spam technology in this realm in is no way
> mature or tried. Mostly it is heroic and very impressive efforts done by
> people because they are annoyed of the spam in their blog.
> So far it has been rather successful though, but that success window is
> running out.
>
> As an example, spammers started posting in a technique which quotes the
> last paragraph of your text, or starts the post with something relevant
> and then adds:
> "Oh, by the way, have you tried Viagra?"
>
> In other occasions we see spam posts that would detail how the guy
> searched the web for law related stuff, but ended up here. BTW, if you
> are also interested in law... check out this page!
>
> My all-time favorites are the posts that say:
> "Great blog! Keep up the good work!"
> "I liked what you've done here, keep it up!"
>
> Etc. Entering the spam URL as their homepage, which is clickable from
> their nickname.
>
> Recently we have even seen one post that had:
> "Where do I find the RSS feed for this blog?"
>
> Sometimes it is very difficult to avoid false positives even with a
> skilled human doing this full-time.
>
> Another type of spam we see, is the manual spam.
> People enter the web page with their actual browser and type the spam
> manually. How much does a skilled illegal alien worker cost per day?
>
> One such spam was recently posted on the site I mentioned (guess which
> one) in a blog entry about Symantec. It talked of Symantec and suddenly
> changed tones and said that their anti spam (of all things), failed
> them. It suggested using a competitor which worked for them.
>
> When looking at the attacking bots, what we mostly find these days are:
> 45% open proxies
> 40% compromised machines
> 10% misc
> 5%  unknown
>
> (I haven't actually calculated the numbers, but that's roughly right)
>
> Misc being anything from a completely open installation of a VNC server
> to.. your guess is as good as mine.
>
> Some examples to captured spam and Google-poisoning attempts are
> abundant, so I won't bore you. Suffice to say every blog gets very
> specific spam surrounding its topic, as well as the usual peaks in this
> or that type of spam. Lately the house special is pharmacy spam.
>
> Referrer spam is still mostly about porn.
>
> Looking at gangs, we managed, as an example, to identify a very big
> eastern European gang (probably one noisy guy or gal), but when they
> noticed our attention they disappeared for a while.
>
> Another important point to make is the domains used. Much like with
> emails spam, these change very frequently and seem to be registered in
> bulk. I don't doubt these are the same people.
>
> I am now talking with many who are active in this field, and we are
> establishing a working group/mailing list to address these issues
> mitigation-wise operationally, as well as research into new trends, bad
> guys, etc.
>
> Some of the already proposed solutions that we are working on are better
> blacklisting services, combining different types of such poisoning in
> web applications from comments to referrers and other things I'd rather
> not discuss right now until they are a bit clearer.
>
> I hope I managed to convince some people of how big this really is. We
> all heard of blog spam, I and many people around me just didn't realize
> the scale until we started working on it.
>
> I figured it's time to let others know as well.
>
> Something can be done about this now to make it less of a threat in
> coming years. I bet most of us would wait until we have to kill it as a
> fire, so that it keeps under-going evolution and come back to haunt us.
>
> If I didn't convince you yet of the risks, there have already been
> successful worms exploiting such techniques, some examples:
> http://blogs.securiteam.com/index.php/archives/180
> http://blogs.securiteam.com/index.php/archives/166
>
> I will update on my (and our) findings on this subject on the SecuriTeam
> Blogs site (http://blogs.securiteam.com/).
>
> This quick & dirty write-up can be found here:
> http://blogs.securiteam.com/index.php/archives/285
>
>         Gadi Evron.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/