Tuesday, June 26, 2007

Comment spam

I recently noticed a very interesting piece of blog comment spam. It was posted on my article about The moon being made of swiss cheese, which went up early in March this year (more than two months old). Go ahead, read the comment at the end...

The spam is interesting for the following reasons:
  1. The comment was made to an old post, so most people wouldn't even notice that they're being spammed. The post was made over two months ago, so the traffic on that post is dead. I only noticed because I get an email every time a comment is posted on my blog. I don't get many comments, so I want to know about each one by email. This would go completely unnoticed on a blog that gets a lot of comments.
  2. I have enabled a captcha. Everyone is shown an image with some letters on it that they have to type in faithfully before the comment is accepted. However, they might have circumvented it. Read on.
  3. They circumvented the captcha by logging into Blogger. Once you are logged in, you don't have to fill in a captcha. This most probably means that they have automated their comment spam.
  4. Their username is EGB Systems & Solutions Inc., and their user-linked website defaults to the spam target. There are a few links in their post that all point to the spam target. They have gone through the trouble of creating a Blogger account, even though this particular spam (to my blog) won't help them at all.
  5. The company is an Indian outfit that does web design. Their website is filled with crummy clipart shots. You know, the kind of pictures of a multicultural group, in crisp clothing, completely delighted. You see a photo like that and you can tell it is a generic shot. No company looks like that. They also do Search Engine Optimization (SEO), so you would expect them to know about something called the nofollow directive.
This is a very interesting attack vector. All the spammer has to do is keep the Blogger login cookie and present it when posting. No captcha is shown to a logged-in user, so the process can be completely automated. Post only on old posts, which search engines have already indexed and which already have a decent PageRank.

Why won't this spam help them? Because the problem is quite old, and many companies are aware of comment spam. Blogger (and other blog software) automatically adds the rel="nofollow" directive to every outgoing link in a comment. This directive makes the link have no effect on the target's Google PageRank. All that effort to post to my blog, and none of the benefits. However, if your blog does not add the nofollow directive, the spammers will benefit from posting on your site.
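The nofollow defense described above, as an added example that is neither Blogger's code nor the author's: a small Python filter that rewrites untrusted comment HTML so every link carries rel="nofollow", merging with any rel value the commenter already supplied. It uses only the standard library, and the sample comment is constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser


class NofollowRewriter(HTMLParser):
    """Re-emit comment HTML, forcing rel="nofollow" on every <a> tag."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":              # HTMLParser lowercases tag and attribute names
            attrs = self._with_nofollow(attrs)
        parts = [tag] + [k if v is None else f'{k}="{escape(v)}"' for k, v in attrs]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape decoded text

    @staticmethod
    def _with_nofollow(attrs):
        # Keep any existing rel tokens (e.g. "noopener") and add nofollow once.
        tokens = (dict(attrs).get("rel") or "").split()
        if "nofollow" not in (t.lower() for t in tokens):
            tokens.append("nofollow")
        kept = [(k, v) for k, v in attrs if k.lower() != "rel"]
        return kept + [("rel", " ".join(tokens))]


def add_nofollow(comment_html: str) -> str:
    """Return comment_html with rel="nofollow" on every link."""
    p = NofollowRewriter()
    p.feed(comment_html)
    p.close()
    return "".join(p.out)


# Constructed sample comment in the style of the spam described in the post.
SAMPLE = ('Great article! See <a href="http://spam.example/">web design</a> and '
          '<a href="http://spam.example/seo" rel="noopener">SEO</a>.')

if __name__ == "__main__":
    print(add_nofollow(SAMPLE))
```

Running this over a comment before it is stored is what removes the PageRank incentive; it does nothing to stop the post itself, which is the job of the captcha and account controls discussed above.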

But wait a second! The spammers need the links, right? So here they are: Comment spammers, Shameful comment spammers, liars and comment spammers, they might be spamming your website, where do I learn about comment spam.