Blog Comment Spam Goes Pro

Dec 10 2007

While moderating comments this weekend, I came across an unusual spam comment. This was unlike any other spam comment I get. It was an advertisement for software that automatically submits blog comments. Here’s a quote of the comment:

This comment was posted automatically using Blog Comment Poster software. Would you like to make serious money in this way of advertising too? So start today!

Sure enough, just before and just after, there were two more comments from the same IP address and same email address; both promoting a related product. One was particularly clever:

Do you know how to make money from AdSense automatically? You don’t!? I’ll teach you how!…

Since the poster decided to leave their calling card in the website field, I bit and checked out the site. Quite honestly, I was a bit surprised by what I found. Here was a decently designed site with a PR3 and a measurable amount of traffic that’s been around at least since September.

Ironic sidenote: A site selling software designed specifically to spam other sites gets a PR3 yet bloggers who are just trying to keep their sites self-supportive by selling a few text links get their PR slapped down to 0. Am I the only one who sees something wrong with this picture?

Digging further into the site, I find that most of the mentions of the site come from download repositories; however, there are a couple mentions of the site on higher ranking sites like Digital Point Forums. I even found a few comments that had slipped under the radar at some higher ranking blogs like ShoeMoney.com.

After doing a little snooping around on the site, I started getting real curious about how this software could automatically post comments on my site. After all, I’m running JS SpamBlock, a plugin that requires that the poster accept Javascript. JS SpamBlock has been highly effective in catching automated spam, but somehow, the spam promoting this software slipped right through.

To verify that these comments were automated and not manually submitted, I turned to my server logs. Here are the logs from the spammer:

64.22.110.2 - - [09/Dec/2007:18:07:42 -0500] "GET /wordpress/10-plugins-that-help-you-do-more-with-wordpress/ HTTP/1.1" 200 34548 "http://www.google.com/search?q=Free+Myspace+Backroud+Blogs" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
64.22.110.2 - - [09/Dec/2007:18:07:51 -0500] "POST /wp-comments-post.php HTTP/1.1" 200 663 "http://jmorris.name/blog/wordpress/10-plugins-that-help-you-do-more-with-wordpress/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
64.22.110.2 - - [09/Dec/2007:18:08:56 -0500] "GET /wordpress/increase-your-rss-subscriptions-automatically/ HTTP/1.1" 200 38719 "http://www.google.com/search?q=Free+Myspace+Backroud+Blogs" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
64.22.110.2 - - [09/Dec/2007:18:08:57 -0500] "POST /wp-comments-post.php HTTP/1.1" 200 663 "http://jmorris.name/blog/wordpress/increase-your-rss-subscriptions-automatically/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"

At first glance, these footprints in my access logs look perfectly benign, until you consider how few lines there are. Specifically, where are the GET requests for the images and scripts? To illustrate, here’s a normal access footprint. (I’ve truncated the IP to protect a valued visitor.)

76.84.x.x - - [09/Dec/2007:21:28:33 -0500] "GET /search-industry/use-relnofollow-only-when-needed/ HTTP/1.1" 200 44489 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:34 -0500] "GET /wp-content/plugins/lightbox/lightbox.css HTTP/1.1" 200 1631 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:34 -0500] "GET /wp-content/themes/bloggingpro_mt/style.css HTTP/1.1" 200 18532 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:34 -0500] "GET /wp-content/plugins/adman/modules/conversation/images/help.gif HTTP/1.1" 200 1058 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /wp-content/themes/bloggingpro_mt/images/transparent.gif HTTP/1.1" 200 72 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /wp-content/plugins/adman/modules/conversation/images/help.gif HTTP/1.1" 200 1058 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /wp-content/plugins/adman/modules/conversation/images/feed.gif HTTP/1.1" 200 1091 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /wp-content/plugins/adman/modules/conversation/images/feed.gif HTTP/1.1" 200 1091 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /wp-includes/images/smilies/icon_smile.gif HTTP/1.1" 200 174 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /wp-content/themes/bloggingpro_mt/images/ButtonTransparent.png HTTP/1.1" 200 153 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /wp-includes/images/smilies/icon_smile.gif HTTP/1.1" 200 174 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /images/feed_add.png HTTP/1.1" 200 763 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /images/feed_add.png HTTP/1.1" 200 763 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /images/email_add.png HTTP/1.1" 200 761 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /images/seobook.gif HTTP/1.1" 200 5702 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:36 -0500] "GET /images/seobook.gif HTTP/1.1" 200 5702 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:35 -0500] "GET /images/linkworth.gif HTTP/1.1" 200 14778 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:36 -0500] "GET /images/articlemarketer.gif HTTP/1.1" 200 10546 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:36 -0500] "GET /images/linkworth.gif HTTP/1.1" 200 14778 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:36 -0500] "GET /images/articlemarketer.gif HTTP/1.1" 200 10546 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:36 -0500] "GET /images/advertise.png HTTP/1.1" 200 17789 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:36 -0500] "GET /images/ifollow.gif HTTP/1.1" 200 2815 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:36 -0500] "GET /images/advertise.png HTTP/1.1" 200 17789 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/mybloglog.jpg HTTP/1.1" 200 3810 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/mybloglog.jpg HTTP/1.1" 200 3810 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/faveit.jpg HTTP/1.1" 200 2945 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/faveit.jpg HTTP/1.1" 200 2945 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/mybloglog.png HTTP/1.1" 200 795 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/imyspace.png HTTP/1.1" 200 1050 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/mybloglog.png HTTP/1.1" 200 795 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/idigg.png HTTP/1.1" 200 396 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:37 -0500] "GET /images/ilinkedin.png HTTP/1.1" 200 655 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:38 -0500] "GET /images/ilinkedin.png HTTP/1.1" 200 655 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:38 -0500] "GET /images/idelicious.png HTTP/1.1" 200 165 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:38 -0500] "GET /images/idelicious.png HTTP/1.1" 200 165 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:38 -0500] "GET /images/itechnorati.png HTTP/1.1" 200 475 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:38 -0500] "GET /images/itechnorati.png HTTP/1.1" 200 475 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:38 -0500] "GET /images/iyoutube.png HTTP/1.1" 200 594 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:38 -0500] "GET /images/istumbleupon.png HTTP/1.1" 200 839 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:39 -0500] "GET /images/iyoutube.png HTTP/1.1" 200 594 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:39 -0500] "GET /wp-includes/images/rss.png HTTP/1.1" 200 3341 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:39 -0500] "GET /wp-includes/images/rss.png HTTP/1.1" 200 3341 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:39 -0500] "GET /wp-content/themes/bloggingpro_mt/images/bkg_body.png HTTP/1.1" 200 142 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:39 -0500] "GET /wp-content/themes/bloggingpro_mt/javascript/imghover.js HTTP/1.1" 200 186 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:39 -0500] "GET /wp-content/themes/bloggingpro_mt/images/SearchBkg.png HTTP/1.1" 200 1454 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:40 -0500] "GET /wp-content/plugins/audio-player/audio-player.js HTTP/1.1" 200 791 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:40 -0500] "GET /wp-content/themes/bloggingpro_mt/images/SearchButton.png HTTP/1.1" 200 749 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:39 -0500] "GET /wp-content/themes/bloggingpro_mt/images/bkg_bgcontain.png HTTP/1.1" 404 19804 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:40 -0500] "GET /wp-content/themes/bloggingpro_mt/images/CommentsFormEndBkg.gif HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:40 -0500] "GET /wp-content/themes/bloggingpro_mt/images/SubmitComment.png HTTP/1.1" 200 2079 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:40 -0500] "GET /wp-content/themes/bloggingpro_mt/images/SRBkg.gif HTTP/1.1" 200 111 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:40 -0500] "GET /wp-content/themes/bloggingpro_mt/images/CategIco.png HTTP/1.1" 200 170 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:40 -0500] "GET /wp-content/plugins/lightbox/prototype.js HTTP/1.1" 200 49387 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:41 -0500] "GET /wp-content/plugins/lightbox/scriptaculous.js?load=effects HTTP/1.1" 200 2196 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:41 -0500] "GET /wp-content/plugins/lightbox/lightbox.js HTTP/1.1" 200 24669 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:42 -0500] "GET /wp-content/plugins/lightbox/effects.js HTTP/1.1" 200 32872 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:43 -0500] "GET /?livehit=http%3A//jmorris.name/blog/search-industry/use-relnofollow-only-when-needed/&title=Use%20rel%3Dnofollow%20Only%20When%20Needed%20%3A%3A%20JMorris%20Online&referrer=blockedReferrer HTTP/1.1" 200 32996 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:43 -0500] "GET /wp-content/themes/bloggingpro_mt/images/bkg_bgcontain.png HTTP/1.1" 404 19804 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/SearchKeyword.png HTTP/1.1" 200 220 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/SearchBkgNone.png HTTP/1.1" 200 187 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /images/lilrss.gif HTTP/1.1" 200 316 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/RelatedPostsHeading.png HTTP/1.1" 200 626 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/CommentsListHeading.png HTTP/1.1" 200 692 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/CommentsFormHeading.png HTTP/1.1" 200 562 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/CommentsFormTopBkg.gif HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/RelatedPostsLi.png HTTP/1.1" 404 19804 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/SRRBkg.gif HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:44 -0500] "GET /wp-content/themes/bloggingpro_mt/images/SRLBkg.gif HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:45 -0500] "GET /wp-content/themes/bloggingpro_mt/images/ExtraIco.png HTTP/1.1" 200 337 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
76.84.x.x - - [09/Dec/2007:21:28:50 -0500] "GET /wp-content/plugins/lightbox/images/loading.gif HTTP/1.1" 200 2767 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SU 3.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"

Huge difference!
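The contrast between the two footprints can be checked mechanically. The following Python is an added example, not code from the original post or from any plugin it mentions: it reads combined-format access-log lines and reports each POST to /wp-comments-post.php whose client IP fetched no CSS, JavaScript or image file in the preceding window. The function names, the 30-minute window, the sample addresses and the host blog.example are assumptions made for illustration, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, as in the access-log excerpts above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
COMMENT_ENDPOINT = "/wp-comments-post.php"
STATIC_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico")


def is_static(path):
    """True when the request path (query string ignored) is a page asset."""
    return path.split("?", 1)[0].lower().endswith(STATIC_EXT)


def find_assetless_comment_posts(lines, window=timedelta(minutes=30)):
    """Return comment POSTs whose client fetched no static asset in `window`.

    Lines are expected in roughly chronological order, as a web server
    writes them. Lines that do not parse are skipped.
    """
    last_asset = {}  # client IP -> time of its most recent asset request
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "GET" and is_static(path):
            last_asset[ip] = ts
        elif method == "POST" and path.split("?", 1)[0].endswith(COMMENT_ENDPOINT):
            seen = last_asset.get(ip)
            if seen is None or ts - seen > window:
                flagged.append({
                    "ip": ip,
                    "time": ts,
                    "referer": m["referer"],
                    "user_agent": m["ua"],
                })
    return flagged


# Constructed sample: 203.0.113.7 behaves like the automated poster (page GET,
# then POST, no assets); 198.51.100.23 behaves like a browser.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2007:18:07:42 -0500] "GET /wordpress/sample-post/ HTTP/1.1" 200 34548 "http://www.google.com/search?q=example" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
203.0.113.7 - - [09/Dec/2007:18:07:51 -0500] "POST /wp-comments-post.php HTTP/1.1" 200 663 "http://blog.example/wordpress/sample-post/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
198.51.100.23 - - [09/Dec/2007:21:28:33 -0500] "GET /wordpress/sample-post/ HTTP/1.1" 200 44489 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 - - [09/Dec/2007:21:28:34 -0500] "GET /wp-content/themes/sample/style.css HTTP/1.1" 200 18532 "http://blog.example/wordpress/sample-post/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 - - [09/Dec/2007:21:28:35 -0500] "GET /wp-content/plugins/lightbox/prototype.js HTTP/1.1" 200 49387 "http://blog.example/wordpress/sample-post/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 - - [09/Dec/2007:21:30:02 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/wordpress/sample-post/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

if __name__ == "__main__":
    for hit in find_assetless_comment_posts(SAMPLE_LOG.splitlines()):
        print(hit["time"].isoformat(), hit["ip"], hit["user_agent"])
```

A returning visitor whose browser has every asset cached can also produce a short footprint, so the result is better used to hold a comment for moderation than to reject it outright. It also says nothing about a tool that drives a real browser, since that would request the assets too.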

Given that I’m not a programmer, I’m not exactly sure how the author of the Blog Comment Poster software does his nefarious deeds, but I do know that my spam blocking solution didn’t stop him for one second. Over the past two days, I’ve received five unique comments from multiple IP addresses all using this software.

Looking at the IP address of the spammer, it’s no surprise that the reverse IP leads to an anonymous hosting service. Furthermore, looking at the screenshots of the application, there is a place to configure a proxy server.

Here are some screenshots from the site’s demo page that clearly illustrate the intent of this application.

[Screenshots: Blog Comment Poster 1, Blog Comment Poster 2, Blog Comment Poster 3]

From a blogger’s point of view, this concerns me. It’s bad enough when hackers are distributing their wares in shady corners to fellow hackers, but here is a company openly promoting their product, complete with affiliate program. Worst of all is that Google has rewarded this site with a PR that some bloggers would love to have right now.

From an affiliate marketer’s point of view, I see the attraction and potential of this application for those who are comfortable with more aggressive marketing techniques. Personally, I’m not comfortable with techniques that are that aggressive.

Whether you agree with this product being available or not and whether you intend to use it or find ways to block it, it is worthwhile to know about it. In the coming days, as the amount of spam coming from people using this software increases, as I’m sure it will, I’ll be studying how this thing works more closely. Hopefully a pattern can be identified that can be used to block such techniques. For now, I’m impressed with the effectiveness of the application, but grateful that I manually approve comments for first-time commenters.

You have read my two cents. Now have your say!
Have you started receiving automated spam from people promoting this product?
If so, what spam blocking measures have you implemented on your blog?

37 responses so far

  1. Thanks for pointing this out; I didn’t even realize it existed. I personally have set my Akismet to require moderation on all comments with 2 or more links in them and have noticed my spam gets cut significantly that way. Not the perfect answer, but it works well enough.

  2. That’s the kicker of this application: there were 0 links in the body. The only link was in the website field, which most spam filtering solutions ignore. This application is counting on people clicking on commenters’ names, which are links.

    I’m sure more aggressive spammers will include links in the body, which Akismet and other solutions will catch. However, if you automatically approve comments with 0 links in the body, you could still be letting spammers through.

    I have to admit, it’s pretty slick. I don’t like it, but I have to admit that it’s effective.

    Thanks for stopping by!

  3. I forgot to mention another tell-tale sign that the spam was automated…

    In wp-admin/options-discussion.php, I have “E-mail me whenever:” set to “Anyone posts a comment” and “A comment is held for moderation”. I didn’t receive an email for any of the spam comments posted by that software.

    This tells me that, not only is the software circumventing my spam blocking measures, but it’s also bypassing the built-in WordPress notifications. This could be a trick to get comments past on sites where comments are bulk-moderated.

  4. Evading the Javascript requirement is quite easy for a Windows desktop based application that automates Internet Explorer. Anyone with a smattering of Visual Basic experience could write a simple program like this in a few hours and a more sophisticated one with full database support and other features in a few 8-hour days.

    My strategy has been to auto-moderate any posts with links and to watch for certain words in the post. I’ve only had a few get through on either of my blogs.

  5. That’s good to know and I’m not surprised. I’ve tinkered with a little bit of vbscript doing send keys scripts and I can easily see where such a technique could be used.

    What I’m curious about is that this application is 100% server based. This eliminates using VB Script or similar techniques.

    I checked out the online demo and it’s all PHP. Now, I don’t know if there is a way in PHP to emulate accepting Javascript. If there is, that would explain that part of the equation.

    Thanks for stopping by!

  6. Emulating accepting javascript is fairly easy to do in PHP. After all, all you have to do is send a header to the server saying that javascript is accepted (and perhaps send some feedback to the server).

    Hmm, since I’m running out of ideas on me blog, I’ll probably write about it sometime this week :)

  7. Controlling the header that’s sent is the key. I’ve only dabbled in PHP, mainly from a WordPress perspective, but given it’s server side scripting it’s quite possible to cloak a lot of things.

    With .NET, either VB or C#, and a dedicated Windows server you can easily automate browser operations on the server. It goes way beyond what you can do in VBScript. There are a ton of evil things you can do with that combo. I’ve seen several possibilities since I’ve been working on web services for the past two years.

  8. [...] of a well-known trackback submission application has been at it again, this time with comments. The Blog Comment Poster looks to emulate a browser, and completely bypass the Wordpress checks that stop comment spam, [...]

  9. Just a note on that referrer issue we were talking about. Not perfect, but a good start:

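    RewriteEngine On
    # Only comment submissions are examined
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-comments-post\.php
    # Referer is not this site, or the User-Agent is empty
    RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Redirect the request back to the client's own address
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]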

  10. Thank you Simon! I’ll try this out and see if it works. I’m now getting up to 20 comments a day using this software. Big surprise. :rolls eyes::

  11. Well, unfortunately, that did not work. I got another spam comment today promoting that software from the same IP and email addy. So, somehow, they are getting around the POST rewrite.

  12. I’m not that good at reading server logs, but it looks like they are spoofing coming from Google, to your post page, then posting a comment. And if that’s the case, then the code I posted would have no effect – the referring page is from your own domain, and they have a valid user agent.

    I suppose we had to come to expect software to be able to emulate this kind of behavior eventually. Maybe a more simple solution would be to use something like the TanTan spam-filter plugin, which lets you add patterns / words to look for when a comment is submitted.

    Are there any discernable patterns within the comments? Words patterns maybe?

  13. I’ve actually started seeing spam entries on my directory as well, so I did a little research and was able to finally find the program they were using. I have no idea if they are using the same program on you but this might point you in the right direction http://en.wikipedia.org/wiki/XRumer as well as a possible solution to block them. GL

  14. Thanks David. I’ll look into XRumer and see if I can duplicate the log patterns I’m seeing. So far, I’ve drawn a blank.

    Thanks for stopping by!

  15. You know once you figure out a solution and post it, you are gonna make some un-friends…in the meantime I will also be looking into it, and when I find it, I’ll cross post between us so we can both enjoy these un-friends together.

  16. As an IT Technician, I’m used to people hating me. :-D

    Sounds like a winner! The more eyes we have looking into this, the sooner we can resolve it and stop getting bugged with all this useless spam. :evil:

  17. Problem is, once you post a solution, they will then just circumnavigate. Oh well, just the nature of spam I guess!

  18. “To do this [find pages that allow comments], cyber-crooks usually use Hrefer, a tool that uses Internet search engines to find these types of pages.”

    Just to add, what about simply cloaking the comment form from search engines? Ok, Google may say it is wrong, but quite frankly this is one case where cloaking could be entirely justified!

  19. I’d just like to mention, I’m getting the same spam and Akismet picked it up.

  20. Akismet adapting to it possibly? If there is any kind of pattern, and enough people mark it as spam, then I guess Akismet would start filtering it?

    Good to know, anyway!

  21. Thanks for the heads-up Ryan. That is very good to know. Well, looks like I’m finally going to have to give in and install Akismet.

  22. I’ve installed Akismet so we’ll see if it can pick up a pattern.

    Apparently, the author of this application thinks it’s funny that I posted this article and has linked directly to it as a form of *testimonial* of how *good* his application is. That really pisses me off. :evil:

    One way or another, a reliable method of blocking this application needs found. Whether using an existing plugin or another method.

  23. He probably has Google alerts set up, and as soon as you posted he saw it and linked back right away. The worst part is it will give him a couple of backlinks and a PR increase as a result…whoever it was that said, “ignorance is bliss” may just have been right, because as soon as we talk about these apps online, they find out, and we basically promote it by being blog/directory owners that are annoyed. I like the above cloaking suggestion however.

  24. I did see where referrals from Google search were coming in for the app title. I didn’t link to the programmer’s site though. Still, you are correct, just mentioning it gives it some publicity. How does the saying go? “Bad publicity is better than no publicity”

    If Akismet doesn’t pick up the pattern and block the spam, then I’ll have another look at that cloaking method. With the amount of spam from users of this app that I’m getting, I can just imagine how much spam bigger blogs are getting. :-(

    EDIT: Akismet did just block one of the attempts from this app, however, the attempt came from the same IP with the same email and website URL as the initial attempts I marked as spam. This is good because it will save me a few comments to flag a week, but I’m still eager to see if Akismet will be able to handle new spam from other users of this app.

  25. Well, I have a different point of view. While you are complaining about this tool, I’m using it to promote my websites and it works great.

    How I found it? My blogs were spammed by this tool too, and I even sent emails with some bad words to software developer asking him to stop selling it. Later I realized it can be useful and bought it. After 3 weeks of use, I can say it really works.

    I hate spam too (when my sites get spammed), but if this tool helps to make me more money, why not to use it?

  26. I hate spam too (when my sites get spammed), but if this tool helps to make me more money, why not to use it?

  27. I hate these automatic tools, they destroy all the hard work of quality link building and dilute many a good blog!

  28. What I find particularly humorous is that the author of this application is directly linking to this post as "proof" of the effectiveness of the application even though I've stated that, since implementing Akismet, I no longer get spam from people using that app.

  29. I've received comments like this too. But at some point they stopped. I guess spam-blocking got more effective or just nobody wanted to use this kind of program.

    It's not like those automatic comments were very creative.

  30. He may sell the program to some 'lazy' people, but after being sent here, he has just lost me. I can't stand spam comments. The lazy ones waste the busy ones time!

    Thanks for the great explanation.

  31. 64.22.110.2 aka Daniel is a legend on my blog – I often get upwards of 50 spam comments a day from that ip address. Strangely, even though I have never approved a single one of them, he perseveres ad infinitum.

  32. From my personal point of view, this software can be used in 2 ways:

    1. As black SEO software to build thousands of backlinks per day and get traffic really fast.

    2. As white SEO software which can SLOWLY build links on blogs and increase your search engine rankings little by little.

    I'm using this tool to promote my whitehat websites and results are great, but I also heard Blog Comment Poster can be used as enormously powerful black SEO tool spamming thousands of blogs per day. But the only clear thing is that Blog Comment Poster does its job VERY WELL. So you can hate it or love it….

  33. @Scam,

    I feel your pain. He tried targeting this site for a few months, but Akismet has stopped him and his software in its tracks. :D

  34. good resourse Anyway by sight very much it is pleasant to me

  35. Nice post. Have added you on RSS to keep myself updated.

  36. Akismet software has stopped this, these software i guess can’t be blamed always after all coders have spent time finding the potholes in blogging platform and exploited it.

  37. I guess nowadays those methods are useless because G. has spotted those tools.