Overall, the volume of spam attempts on my server have been down lately. Oh, I still get a steady stream, I delete over 100 comment spams (caught by my filters) each day. But I’ve seen fewer of the massive, server-squashing spam runs that hammer my web service with too many simultaneous connections, blocking out legitimate users.
On the other hand, I’m seeing a lot more attempts by spammers to poison the well. What I mean by that is that they are submitting bogus comments, full of non-spammy (but more-or-less random) content, and links to legitimate web sites. For example:
Name: Adam Baumann
Hi. Just letting you know that I enjoyed your site. when Soldier Double Game Lose: http://www.newscorp.com/ , to Bet Opponents you should be very Faithful Big Gnome becomes Industrious Plane in final , Superb Opponents becomes Superb Soldier in final Faithful is feature of White Circle
The comment is obviously gibberish, right? And the links are all to perfectly normal — in fact, popular — sites. You might wonder why a spammer would bother posting it. The idea is to poison the well of any sites which use Bayesian techniques to classify content as spam or not. By tricking sites into classifying “good” content as “spam”, they (theoretically) can reduce the effectiveness of the spam filters.
With enough poisoning, your spam filter may start getting false-positives, which are legitimate messages that have incorrectly been tagged as spam. And if you get enough false-positives, you’ll lose faith in your spam filter and disable it. At least, that’s what the spammers are trying to accomplish.
Will their plan work? I guess that depends on your particular spam filters. I’m betting that systems like Akismet, which collect data from a wide variety of sources, will probably be able to defend against Bayes poisoning. How? Well, there’s this thing called an IP address. Even though the spammers submit their garbage via an army of anonymous proxy servers and zombie machines, they still only have access to a finite number of hosts, a limited number of IP addresses. It won’t take long for those IPs to be statistically classified as sources of spam. An IP like 221.3.235.96 will be flagged as a spam indicator far sooner than the words “Industrious” and “Soldier”.
So once again I say, thank you, spammers. We’re learning more about you every day.
I just saw your post about this. I wrote one the other day, dubbing the practice “Whitelist Spamming.”
http://www.iampariah.com/blog/2005/12/whitelist-spam-attacks-threaten-blogs-and-email/
The real problem comes into play when you think about the big picture. It’s not just about whether spam gets to YOUR blog, it’s about whether your domain gets blacklisted by other blogs and e-mail servers.
[...] Edit: a lot of these comments seem to be ‘poison-the-well style comments, which makes their existance all the more pointless. [...]
Getting a load of the poison too! Interesting.
I remember when I first got caught up in a “poisoning the well” attempt. I was running Spam Karma v1 and some clever spammer began flooding me with spam comments that linked to “.com”. Sure enough, Spam Karma eventually added “.com” to its blacklist, and it wasn’t long before every incoming comment was eaten by Spam Karma. I had to flush my entire Spam Karma blacklist just to get rid of that one false entry. So, if you run an “intelligent” spam filter, such as Spam Karma and Akismet, keep a very close eye on your logs.
[...] When I first installed Spam Karma 2, it killed all the spam. Great code, great protection and it’s something I still use. What SK2 didn’t protect against though was spam flooding. A spammer could hit your site with numerous requests and each would be processed. Not good. When Bad-Behaviour was released it took the place of SK2 in it’s spam killing by preventing them getting close enough to do the damage. It stopped the spam flooding. SK2 stayed in the background twiddling it’s thumbs. SK2 literally was redundant but it stayed in place. Increasingly though, SK2 is working because more and more spam is evading BB. I am now clearing between 10 and 20 spams a day using SK2 and I’m even having spam get through (this is comment spam, not pingback / trackback) to the blog. The spam criteria is being poisoned too. The full code for both the above plugins is available to download, check, test against for the spammers though isn’t it ? They have a financial impetus to find holes and by my measure, they are doing that. So, to do something about it. One option is Aksimet from Matt. I have an API key, I had it installed at one point but I have doubts about my blog relying on a remote server outside of my hosting to function correctly. There’s only so much spam that can be held back before a server falls over. Part of the problem with this – from where I stand – is that as good as Matt’s work is, who cares enough to support it financially ? Looking at last year’s poker flood – the companies like it, the stock market likes it, the shops love it. It’s big business pushing this crap so it would take a business just as big to fight back wouldn’t it ? And there is no big business, just lots of little blogs, all with their own tools, all trying to make their target look less attractive than the next blog program … So for now, Akismet is not an option (though having distributed servers would be much better). But one option – which I have always quite liked when using it on other’s blogs – is Eric Meyer’s Gatekeeper. I pose a range of quetions, you answer them. So it is now installed and ready for you if you choose to click the comments link. I’ll admit I have no idea how spammers attack the code and no doubt someone will pop up and tell me that they skip where I’m protecting and that this is no good etc etc but hey – all you need to do IF you want a comment is answer a question. And because I like comments, it’s not even going to be a surreal question – just a boringly normal type job. And the spam ? I’ll let you know in a week. ¤ Read (1) [...]
[...] Poisoning the well – I’m getting (and ignoring) these too. [...]
Hey Dear!
I am new to Wordpress, i just started a week ago
but not sure how to use this blog, when i see my
blog’s left bar, with links called somthing blogrolls
and one of them i clicked and now i am here, but here i
was seeing very bad aspect of online marketing that is Spammers
but hope you make them lesson!, i am here to as you how to use it
means my blog http://www.acmeaims.com/daily i am also not familiar with
terms used there,,blogroll,ping,rss,,,i hope you will help me in this
regard,,,,,wish you good luck!, from MOhsin Rasool MoreLee webmaster
[...] I finally decided to install it after reading lots of success stories in particular, this post by Dougal Campbell titled Poisoning the Well. The type of comments that he mentions are similar to the new batch of comment spam that I’ve noticed lately. These comment spams are becoming a little bit harder to tell apart from those written by people living in countries with really bad English. [...]
I was also plagued by these style comments and showed how wide the problem is in a post a few weeks ago. My initial solution was to block the offending User-Agents at Apache server level – a less than ideal solution.
A friend of mine wrote an interesting solution to the problem using secured time-based-tokens and I have incorporated it into this freshly baked SpamKit Plugin for Wordpress.
Maybe it can help?
So that’s why I was getting spam pointing to websites I sometimes use! Akismet still caught ‘em, however.
Ah I’ve been wondering what the hell those sort of comments were.
I’m getting the same kind of random spam posts, mainly linking to sites like digg, or engadget.
But then again, I use Akismet, and it’s catching all the spam, and so far no false positives!
Good luck..
[...] Read this: Poisoning the well [...]
those wacky spammers
I’ve been getting a lot of weird spam comments lately (which you never see thanks to Akismet), that are completely nonsensical, but have links to legitimate websites. I never knew why, until I read this post by Dougal Campbell, which I recommen…
What works the best for me is keeping my spam word list fresh… I do get an occasional false positive. Spammers are just the bottom feeders, they will not be exterminated any time soon.
I’ve been getting a minor flood of the poisoning-the-well variety lately too (in fact, just deleted about a dozen of them out of my moderation queue). Not a big deal so far.
What I find interesting is that they’re the first wave of comment spam, as opposed to trackback spam, I’ve gotten in a dog’s age. I was under the impression that the proliferation of comment moderation/filtering had done in comment-delivered spam in favor of track/pingbacks. In fact, I shut off my comment auto-close plugin because of this, and sure enough, I didn’t get any spam bits via comments (at least, none that weren’t automatically blocked by my existing blacklist). This might represent a large-scale return to the comment form.