Ethical spammers? Anybody seen some of it in the wild? – Manni - 2005-11-25 10:24
I haven't seen that yet, but in the past we have seen some spammers with "sorry for this" type notes. It is pretty nice of the spammer to not destroy things and make it easy to remove, but it would be much better if they quit spamming of course. Until we actually see some of this spammer's work though we don't know how nice he is really being. Most of the others who were sorry had no problem continuing to respam you after you removed their spam. This fits in really well with my recent blog post about how spammers could get away with a lot more if they weren't so annoying. – Joe - 2005-11-25 16:12 UTC
Bad news on the splog front. Seems Blogger is back to ignoring splogs. They are doing better at preventing them, but once they make it past that stage they seem to be safe. Fighting Splog has the details. You can also read my comments on his post at my blog. – Joe - 2005-11-23 18:29 UTC
Seems like our spammer friends currently have a very busy time. Are they preparing for Christmas? There are three spammers that caught my attention.
1. There is this moron that doesn't post any links. Just pretty meaningless text. I have no idea what he is trying to achieve. His testing period should be over by now. Is Oddmuse filtering something that he is trying to post? I doubt it, but it just doesn't make any kind of sense.
2. The second one is pretty new. He's posting nicely formatted spam using the correct wiki syntax. Here's an example.
3. This one looks familiar. I have a script a couple of months old that can deal with his spam so I can submit it to the database. I had to tweak it a little, though. He's got the link syntax all backwards, but he doesn't seem to care. And he seems to be very busy either registering domains and subdomains or fulfilling the wishes of an enormous amount of clients. Example spam is here.
At the same time, I'm seeing the number of hits for JoesTempSpamHolder3 and JoesTempSpamHolder4 increase dramatically. If you check out the referrer page, you'll see why: baidu.com is listing us for all sorts of smutty searches.
I grepped through the server log, concentrated on November and threw away hits by me. That leaves 1110 hits for JoesTempSpamHolder3 only. Not bad.
Spammer #3 caused a clear pattern in the logs. He's sending valid referrers (he came from Google Canada and Google Russia). He's accessing the style sheet as well as the .htc files I made for IE based browsers. These are clearly manual edits and he doesn't give a damn whether his spam comes out right or not.
Spammer #2 most recently came in through a sify.net host name. Check out http://www.sify.net/ for some fun. The strange thing is that his hostnames are rotating. One access has different host names for the page itself, the css, the favicon, etc. This one is using Firefox and he's using Yahoo to search for spammable wikis.
Unsurprisingly, I can only see POST requests from moron #1. Can't see anything obvious here. This clearly seems to be a bot that's using proxies or zombies.
– Manni - 2005-11-16 09:00
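The log pattern described in the post above (a bot that only sends POSTs, versus manual editors who also fetch the style sheet and .htc files and send referrers) can be checked mechanically. This is an added example, not part of the original thread or of Oddmuse; it assumes Apache combined log format, and the sample lines, host names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not taken from the page).
SAMPLE_LOG = """\
host-a.example - - [16/Nov/2005:08:01:02 +0000] "GET /cgi-bin/wiki.pl?action=edit;id=SandBox HTTP/1.1" 200 5120 "http://www.google.ca/search?q=wiki" "Mozilla/4.0 (compatible; MSIE 6.0)"
host-a.example - - [16/Nov/2005:08:01:03 +0000] "GET /css/wiki.css HTTP/1.1" 200 900 "http://wiki.example/cgi-bin/wiki.pl?action=edit;id=SandBox" "Mozilla/4.0 (compatible; MSIE 6.0)"
host-a.example - - [16/Nov/2005:08:02:10 +0000] "POST /cgi-bin/wiki.pl HTTP/1.1" 302 0 "http://wiki.example/cgi-bin/wiki.pl?action=edit;id=SandBox" "Mozilla/4.0 (compatible; MSIE 6.0)"
host-b.example - - [16/Nov/2005:08:05:00 +0000] "POST /cgi-bin/wiki.pl HTTP/1.0" 403 0 "-" "-"
host-c.example - - [16/Nov/2005:08:05:09 +0000] "POST /cgi-bin/wiki.pl HTTP/1.0" 403 0 "-" "-"
host-d.example - - [16/Nov/2005:08:07:00 +0000] "GET /cgi-bin/wiki.pl?id=HomePage HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
ASSET = re.compile(r'\.(css|htc|ico|png|gif|js)(\?|$)')  # files a real browser pulls in

def profile_clients(log_text):
    """Count GETs, POSTs, asset fetches and non-empty referrers per client host."""
    stats = defaultdict(lambda: {"get": 0, "post": 0, "asset": 0, "referrer": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        host, method, path, _status, referrer, _agent = m.groups()
        s = stats[host]
        if method == "POST":
            s["post"] += 1
        elif method == "GET":
            s["get"] += 1
            if ASSET.search(path):
                s["asset"] += 1
        if referrer not in ("", "-"):
            s["referrer"] += 1
    return dict(stats)

def classify(s):
    """Label one client's counters with the behaviour they suggest."""
    if s["post"] == 0:
        return "reader"        # never tried to save a page
    if s["get"] == 0:
        return "post-only"     # posts blind, never loads the form: bot-like
    if s["asset"] > 0:
        return "browser-edit"  # loaded style sheet or .htc: a real browser
    return "unclear"
```

Grouping by host splits a client whose host names rotate between requests, as described for spammer #2, so such a visitor shows up as several partial profiles.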
With regards to Spammer #1, I'm pretty sure it is a blog/guestbook spamming bot. The text you see isn't the "payload," it is fluff intended to disguise the spam as a legitimate comment. I think the reason you're not seeing URLs is because it wants to put a URL in a home page field (or equivalent) which doesn't exist on this wiki's edit page form.
– RichardP - 2005-11-16 09:32 UTC
Richard. Are you saying that this bot isn't working on the http level, but is instead a program that directs Internet Explorer (or some other browser) to do stuff? There aren't any 'url' or 'homepage' or whatever cgi parameters coming in. By the way: he has been visiting again. – Manni - 2005-11-16 15:36
I think Richard meant that the URL field the spammer is filling in doesn't exist with wikis, but unless your new implementation is buggy, we should be catching the URL anyway since we look for any strange fields being submitted. – Joe - 2005-11-16 15:31 UTC
Oh, I wasn't aware that you were examining the entire x-www-form-encoded body contents of POSTs. I suppose the spammer could have done a single GET some time in the past to find the field names, matched field names to his spam content and didn't find an appropriate field for his URL, but still went ahead and included the chongqed.org page edit form on his list of POST targets. – RichardP - 2005-11-16 20:06 UTC
Any CGI parameter that Oddmuse doesn't expect ends up with Dan. Still, as sick as it may seem to us low-level techies, somebody might really remote-control his browser to spam the world. Heck, there are people who program in Visual Basic out there. – Manni - 2005-11-17 10:43
I just found out about ReferrerCop, a service that might help in the fight against referrer spam. It seems pretty interesting to me and I am now going to find that wiki page where we link to stuff like that. – Manni - 2005-11-11 09:18
I have changed the spam catching module to only look at those parts of a page that were actually changed. Content that existed before the current edit is not considered. This should make it possible to edit pages that already contain spam (for some reason). – Manni
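One way to check only what an edit introduces, as described in the post above. This is an added example, not the Oddmuse module's code; the blocklist patterns, URLs and function names are hypothetical. It diffs the old and new page text and subtracts URLs on removed lines from URLs on added lines, so rewording a line that already holds old spam does not count as adding it.

```python
import difflib
import re
from collections import Counter

# Hypothetical blocklist patterns; a real filter would load its own list.
BANNED = [re.compile(p, re.I) for p in (r"cheap-pills\.example", r"casino[\w-]*\.example")]
URL = re.compile(r"https?://[^\s\]\)\"'<>]+", re.I)

def urls_introduced(old_text, new_text):
    """Multiset of URLs the edit adds: URLs on '+' lines minus URLs on '-' lines."""
    added, removed = Counter(), Counter()
    for d in difflib.ndiff(old_text.splitlines(), new_text.splitlines()):
        if d.startswith("+ "):
            added.update(URL.findall(d[2:]))
        elif d.startswith("- "):
            removed.update(URL.findall(d[2:]))
    return added - removed  # Counter subtraction keeps positive counts only

def is_banned(url):
    return any(p.search(url) for p in BANNED)

def banned_in_edit(old_text, new_text):
    """Banned URLs that this edit introduces (pre-existing ones are ignored)."""
    return sorted(u for u in urls_introduced(old_text, new_text) if is_banned(u))

def banned_in_page(text):
    """Whole-page scan, for comparison with the diff-based check."""
    return sorted(set(u for u in URL.findall(text) if is_banned(u)))

# Constructed page revisions (not from the original thread).
OLD = "Welcome.\nOld junk: http://cheap-pills.example/buy\nSee http://wiki.example/Help\n"
CLEANUP = "Welcome!\nOld junk (to be cleaned): http://cheap-pills.example/buy\nSee http://wiki.example/Help\n"
RESPAM = OLD + "[http://casino-royal.example/win best casino]\n"
```

A whole-page scan would reject the `CLEANUP` revision because of the spam already on the page, while the diff-based check lets it through and still catches `RESPAM`.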