New BlackHat tool warning

Jul 10, 2009 at 3:08 AM

Hey y'all, just got a Google alert about this tool for auto posting comments against the BlogEngine system.  Thought I would let you all know so we can start thinking about a way to thwart this early.

http://www.blackhatworld.com/blackhat-seo/black-hat-seo-tools/98460-testers-needed-blogengine-comment-poster-posts-instant-do-follow-links-automatically.html

No clue how well it works, nor if anyone really cares.  If it were me, I would start working on a way to bring this down.

Cheers guys!

Wayne
www.waynejohn.com

Jul 10, 2009 at 9:46 AM

Hi Wayne,

well, I was just about to post a new TP-comment about my blog being flooded by comment spam ... then I noticed your post.

The tool seems to do what it says - and someone has been probing my blog lately to see if it works. Quite a lot of the comments have pointed to www.asp.net or www.msdn.com ... which doesn't (in itself) make any sense.

A rough estimate: within the last couple of weeks, I have received well over a hundred spam comments on my blog.

Blog-version: 1.4.5 (www.idippedut.dk)

 

[and 4 more as I was writing this comment]

:o(

Jul 10, 2009 at 4:50 PM
Edited Jul 10, 2009 at 6:53 PM

I just downloaded the app, registered it, pointed it to my blog, and was successful in posting spam...  Looking at the network traffic it appears like any other legitimate post.  So far, as far as I can tell, there is no way to filter/block this traffic... 

Seriously, I will have to disable comments until an alternative way to block spam is made available to BlogEngine...  Mads, this is going to be a huge deal for BlogEngine owners!

UPDATE:  I have done some investigation into this application and outlined my findings on this post:  http://www.dscoduc.com/post/2009/07/10/BecPoster-Automated-Spam-Tool.aspx

Developer
Jul 10, 2009 at 7:10 PM

The problem is obviously serious, I got more than 200 spam comments this day! Chris, I read your post on this, really interesting. Although I moderate comments, it's really annoying to have hundreds of spam comments each day. It's hard to find a real comment in the sea of spam.

Jul 10, 2009 at 7:25 PM
Edited Jul 11, 2009 at 8:24 AM

I've downloaded the tool and tested too.

I use Rtur's Commentor extension with Waegis.

Ran a few tests: from 11 comments at a run, usually 3-4 were approved by Waegis. That's not very good.

The other problem is the number of emails received as the result of the spam comments (even if they do not get approved and they await moderation).

Update: over last night my blog was probed with the tool, and Waegis approved some of the spam comments.
On the other side, Akismet seems more efficient during my tests, so I've switched to Akismet for now (and wait to see the results).

Jul 10, 2009 at 11:15 PM

 http://www.dscoduc.com/post/2009/07/10/BecPoster-Automated-Spam-Tool.aspx

Nice write up, but I disagree with your statement at the end that we can't stop this attack.

All we need to do is change the name of the submit button from "btnSaveAjax" to something else that this tool doesn't know. Maybe even change the button name dynamically so it's different each time the page loads.

Jul 11, 2009 at 8:39 AM

Would going back to a "traditional captcha control" work in defeating them - as opposed to the "invisible" control that BlogEngine uses - when should we expect some comment from the BE.NET development team?

Jul 11, 2009 at 1:51 PM

His site is open to SQL injection... we could always just shut him down ;)

Jul 11, 2009 at 5:17 PM
Edited Jul 11, 2009 at 5:17 PM

Changing the input fields and submit buttons won't solve the problem.  We end up in a cat-n-mouse game that doesn't really solve anything.  This guy plans on selling this tool so we will need a new way to verify human form submission...  That's a BlogEngine Core change, not a simple fix...

I haven't had good luck with Waegis blocking this tool either, though I can hardly blame Waegis since these posts are basically legitimate the way this attack tool has been designed...

Attempting to shut him down could lead to a DOS attack on your site - remember, this guy knows how to program code attacks against .NET websites...  So no, that's probably not a good idea either...

One other thing... I switched to Moderate Comments but found BlogEngine lacked a simple way to review all pending comments...  so it would only be by chance that I would see a post comment waiting to be approved...  in the end I just turned off comments until we figure out a better way to control this thing...  I wonder if having OpenID verified comments like DasBLOG would eliminate this issue... 

Jul 11, 2009 at 5:19 PM

It would be extra nice if Mads and/or Al would comment on this subject, as it probably affects most everyone using BlogEngine.NET...  Calling Mads, you out there?  Any ideas?

Jul 11, 2009 at 5:56 PM

Ok, what about this idea..

I've not tried the tool yet, but I'm guessing it posts the comments pretty quickly - probably too fast for a human to type. So if we simply disallow comments to be posted within a few seconds of the page being served, that should at least slow things down...

Jul 11, 2009 at 6:22 PM

I've been traveling so I haven't been able to participate in this thread since starting it.  I've been enjoying the Seattle nightlife mostly, but I've come back to this issue several times in my head.

The tool relies on consistency, and will fail without that consistency being there.

Changing the input field names or the submit button to be a dynamic name could work, but as stated above, there are issues with that as well.

What about:

  • Adding a dynamic sum verification?  "Answer 4+2 is:" verification, which is really no different than adding a captcha.  This could go so far as to provide the question in the form of an image so as not to be readable through automation.
  • Adding functionality to outright block the calls from known sources running this tool.  I haven't had a chance to dig in, but perhaps there is some identifying information that can be used to block these calls.
  • Speaking of blocking, what about creating a central repository (or building a local one through the normal course of operating the blog) of sources that each comment can be checked against...again, if there is some marker that can be used or some way to ensure real comments make it past
  • Provide a way for blog authors to provide unique names to the comment form elements via the admin panels. (My favorite option).  If everyone changed these items to be unique across all instances of BlogEngine, that just might do the trick, and kill the problem dead.
  • Combination of all or some of these ideas

BlogEngine NEEDS a way to moderate comments, period.  This should be built regardless of this issue.  Moderation could help the issue, but as stated above, it would be terribly time-consuming to wade through 200 comments picking out the good ones.

Thoughts?

Jul 11, 2009 at 9:06 PM
Edited Jul 11, 2009 at 9:22 PM

What about Akismet(or Waegis) + reCAPTCHA ?

Filter it through Akismet (or Waegis), and if it flags it as spam, give it a chance with reCAPTCHA. So that we don't end up with a big number of comments to manually review.

The comments made by that tool aren't legit comments, even if they look like, or rather said, feel like human posted comments. Obviously, some comments will pass if indeed they look legit, but usually they have certain patterns(author name not really a name, a "common" author URL or a message like "thanks for this bla bla" or get a ... at ... or so).

In theory Waegis or Akismet should offer some level of protection against human generated comment spam(as these days there are a few of them and some of them are pretty poor at their "job" -:) , and they still need to post as much spam comments as they can as quickly as possible). And CAPTCHAs(the "classic" ones) or registration won't really help against those(and instead may frustrate the legit users).

During my quick tests, using "patterns" of real spammers(collected from various places or from past spam comments on my blog) to feed that tool, Akismet did a better job than Waegis in blocking the comments(and recent "real traffic"-likely result of this "infamous" tool- on my blog seems to prove that).

Also, it's likely that a spammer will target multiple blogs at a time with the tool, so most of the comments' patterns will be somewhat silly and caught by Akismet or Waegis, and if they are given a chance with reCAPTCHA, they will not really have a chance. On a "normal" blog (nothing really big), if a few comments pass, it should be easy to deal with them (assuming a decent administration panel is provided).

And, as said above, BlogEngine lacks a simple way to review all pending comments. Well, I'm using Rtur's Commentor, which kinda helps, but the only problem is that I have right now over 200 comments blocked by Akismet as spam (most of them silly comments) and awaiting moderation (received in a few hours, pretty much for my personal humble blog; the source IP addresses repeat, probably a few fellas testing the tool) and 200+ emails (well, at least they did not get posted and possibly stressed normal users who, when they posted a comment, checked the "notify when new comments are added" button), and I need to decide whether to simply trust Akismet's judgment or manually try to find any legit comments that may have been blocked by Akismet.
It would be nice to review/order them somehow (emails used like hotmail, gmail, yahoo may be a start).

I got a few spam comments per day on my blog in the past looking like human generated comment spam, as some fellas seem to read the blog posts and make their comments "related", and I can easily deal with those (they are a "special" category of human spammers), and Waegis blocked most of them.
But with this tool, lately I got "more" spam comments, Waegis blocked some of them, and now I've switched to Akismet to see if it does better (and now sit and count, first results are promising). The problem is the manual reviewing.
Personally I won't disable the comments (at least for the moment I have no specific reason to do that), that's a little bit brutal, just stay on Commentor + Akismet (big thanks to Rtur -:) ).

It's interesting to see the spammers "behavior", as that tool offers a logging/stats mechanism and they can view what blogs returned a waiting moderation response, and instead focus on the ones without moderation.

The current invisible CAPTCHA idea is great IMHO, well, at least until this tool was posted, as users have a pleasant experience (nobody loves CAPTCHAs) and it also requires little configuration (say none) from non-technical blog owners (it automatically protects them against machine-posted comments). It would be nice if it could somehow be adjusted to defeat this spamming tool.

Jul 12, 2009 at 11:36 PM
Edited Jul 13, 2009 at 4:57 PM

I recently got hammered by this with comment spam jumping from a half dozen a day to a couple of dozen. Seeing the progression climb that high scared me. I got frustrated enough that I created an extension to filter comments based on a blacklist (in email, website, IP address, or even a minimum length). I'll blog it in more detail shortly, but I haven't had a single spam get through since turning it on.

Jacob

UPDATE: Cheeky bastard. Got a new one that hadn't hit my blacklist yet. The twist on this one is that the "user" complained about getting lots of spam on their BE.Net site and was asking me if I had a solution to it. The only tip-off that it was the same ole bastard spammer was in the website he left and a templated email address (initial-number-name@yahoo.com type of thing). Oh, and that he left a message on both my blogs. Seriously, these guys need to be hunted into extinction. Defense is all well and good, but these people need to feel some pain up close and personal. Haven't had a spam comment since adding the new website to the blacklist, though. That's nice... :)

Jul 13, 2009 at 5:15 PM
Edited Jul 13, 2009 at 5:16 PM

The point of this attack is that each comment submission is basically a legitimate comment.  The page is loaded, and then the comment data is populated, and then the form is submitted.  The only consistent indicator is that the GET and POST are within milliseconds of each other...

So unless you want to write an extension that keeps track of each request and compares the GET time with the POST time you are going to have a heck of a time preventing this type of attack.  Remember, each page request will contain several GET statements, depending on how many images, pictures, style sheets, and JavaScripts you load, so this is no easy task...

Again, it's going to be a complete change to the hidden captcha model before we can stop this attack...

Jul 13, 2009 at 6:09 PM

I still think that providing a way to create unique control names is the best way to go:

this.WebBrowser1.Document.GetElementById("ctl00_cphBody_CommentView1_txtName").SetAttribute("value", str4);

If I had a control named txtName1 or txtNameThatIsntPredictableAndTheSameForAllInstancesOfBE, this tool would fail. 

Also, by giving the blog author the ability to make their own control names, and even change them whenever they want, seems to me to be the only way to make this tool fail consistently, and never appear again.  Because, they can't predict what those object names are going to be from blog to blog.

If you're a programmer, you can do this today, right now and provide a write-up on which files to modify.  I just don't have time to do this myself, so I'll be happy to cheerlead on this one.  lol

Coordinator
Jul 13, 2009 at 6:58 PM

Hey guys...

I'm not dead yet, just really busy on a few other projects that pay the bills.

I'm not sure of the best way to attack this problem with a general BlogEngine patch right now, but we'll try to come up with a patch as quickly as we can. I'd like to talk with a few of the team members before jumping down a particular road to solve the issue.  Regardless, I think we can get a quick resolution.

In the short term, I think the idea of changing the comment button name to something different sounds like the easiest short term fix for people if they are plagued with this problem, but I personally haven't tested to confirm this works.

I'll be sure to post back to this thread when I have more information.

Al

 

Jul 13, 2009 at 9:19 PM

Just check this guy (scroll all the way down to see something familiar):

http://answerspluto.com/

found your blog listed over there, eh ?

Coordinator
Jul 14, 2009 at 5:06 AM

I've been getting loads of comment spam myself the last 5 days or so.  There are some good ideas in this thread.  The BE team is tossing some ideas around now.  Hopefully we'll have a good solution (or combination of solutions) in the near future.

Jul 14, 2009 at 7:40 AM
Edited Jul 14, 2009 at 7:40 AM

Until we get a more pro-active solution, my comment blacklist filter extension is available. It's been up a couple days now and spam is back under pre-asshat levels. It's reactive and sub-ideal, but I can enable comments again and not have dozens to clean up every day...

Jacob

Jul 14, 2009 at 8:05 AM

Proffitt - your link does not work for me - I do agree with your sentiments, at this point any solution is better than sticking to what is currently in place

 

Jul 14, 2009 at 8:12 AM

Huh. Anyone else unable to get to that link? The post is duplicated at my Runtime blog (here), though the link to the extension file will still be the same so if the post link is broken, the file link likely is as well... :(.

Jacob

Jul 14, 2009 at 3:55 PM

The comment blacklist filter is really a waste of time...  The spam looks legitimate and comes from a random source of IPs and Authors.  Last night I was hit by hundreds of spam posts and Waegis caught a bunch but still others got through...  It seems that this spam attack is escalating as more people learn about the spamming tool...

Can the BE team please move this up in your priority list?  What good is a blog when you can't let anyone post a comment without getting hammered with spam?

Chris

Jul 14, 2009 at 6:02 PM

The blacklist filter has cut my spam from dozens a day to one. That's not a waste of time in my book. While there are a couple of authors and websites involved, they aren't random. I have about a dozen entries in my blacklist and that's catching 98% of the spam.

It's not the solution. It's a stop-gap. But it's a useful one that can fill the space while the BE team works on the problem--giving them the space they need to make something longer-term.

Jul 15, 2009 at 12:02 AM

Please help me understand how that's possible...  The Author names are random from a seed file...  The IP address is random from a Proxy server.  The comments are random from a seed file.  The URL attached to the author's name is somewhat random depending on who is running the tool...  So how exactly does your blacklist filter block the multitude of spam messages being sent to the blogs?

Coordinator
Jul 15, 2009 at 12:47 AM

While we're coming up with a solution, on my blog, I changed the name of the Save button control, and this has eliminated this automated comment spam for me.

You can just do a search-and-replace.  I believe it was just the CommentView.ascx file (in the User Controls folder) and the blog.js file (in the root) where the Save button name was being referenced.

Jul 15, 2009 at 6:45 AM

I ignored author names. Those aren't interesting. Email addresses and website might have come from a seed file, but if so, it was a mighty small one. Half the spam comments I was receiving had the same email address. Of those left, they used a very small group of websites as their link-back. Now that those are covered, I get a new one or so a day that I need to add to the filter. I'm up to 13 filter entries and had to delete a total of two comments today. It was beautiful. Much better than the 34 I had on Saturday. Either their interest in my blogs has waned drastically or my filter is doing its job.

Jacob

Coordinator
Jul 15, 2009 at 12:21 PM

Hi all,

We do have a solution being tested right now.  If it works well, we will check it into the project soon.  I'm guessing the official patch won't arrive until sometime this weekend though.  We have a few more things we want to do with it.

Ben or I will post on this thread when the update has been put into the source with some quick instructions for getting it pushed out.

Al

Coordinator
Jul 17, 2009 at 12:11 PM

Hi all,

I checked in a small change to the ~/User Controls/CommentView.ascx.cs file.  This change should help with the spam problem that some of you are having.  We are still planning to release a more official patch soon, but I wanted to let you know this was out there.

If you are using 1.5 or greater, make a backup of your existing ~/User Controls/CommentView.ascx.cs file and then replace it with the one in the more current changeset (#28194).

After switching to the new file, please let us know if you are still having issues with large batches of spam.

Thanks,

Al

Jul 17, 2009 at 3:41 PM

Hey Al, no back porting for v1.4?

Coordinator
Jul 17, 2009 at 6:48 PM

I'm not sure if we'll post a patch for 1.4 or not.

The little update that was just checked in is 4 lines of code at the top of the Page_Load.  I'm sure it wouldn't be too hard to add that to the 1.4 page, but I haven't looked at that version for a while.

Jul 19, 2009 at 12:02 PM
Edited Jul 19, 2009 at 12:35 PM

Hi All,

I also receive a lot of spam with BlogEngine 1.5.

Now I have updated the User Controls/CommentView.ascx.cs and enabled the comments again.

I will come back when it does NOT work... with more info.

SEO rebel bye bye, go ahead with your Google terror...

Update a few hours later: more about the DateTime.Now.Ticks.ToString():

http://www.west-wind.com/WebLog/posts/4741.aspx

Jul 19, 2009 at 3:47 PM

I've updated my blog with the fix and since then it's been all nice and quiet. Seems to work pretty good.
Also tested the "latest" version of the tool against it and now the tool seems to fail in posting comments.

Thanks,
Adrian 

Jul 19, 2009 at 3:55 PM
Edited Jul 19, 2009 at 3:56 PM

Glad to have found this post...  I've had these four lines of code implemented for about a half-day now, and haven't gotten any spam.  Keeping my fingers crossed!

There are going to be a LOT of people who have not seen this update, and likely never will...so I posted a blog entry and tweeted about it.  I recommend everyone else does the same, or at least re-tweet/blog what I (or others) have posted.  

This is one of those issues that could push a lot of folks away from BlogEngine unless it's fixed and news about the fix is spread as rampantly as these spammers...  I've done my best to reply to as many folks complaining about BlogEngine spam as I can, used Twitter Search to find a few.

Anyway - good luck, dev team!  (and THANKS A TON)

Cheers,

AL

Blog Post:  http://al.bsharah.com/post/2009/07/18/Controlling-the-Influx-of-SPAM-on-BlogEngineNET.aspx
Re-Tweet:  http://twitter.com/ALBsharah/status/2714997124

 

Jul 21, 2009 at 5:37 AM

Had two spams in the past 24 hours...both from Indonesia.  Waegis caught one, not the other.  Not sure if they're using the tool or not, but I'd say my numbers are down a bit...

Jul 21, 2009 at 11:23 AM

Likely they are "manual" human spammers. The thing is that many blogs use one form or another to defeat spam bots, so over time it became efficient to "hire" some folks to manually post spam comments.
Waegis does its best, but if "crafted" accordingly, the comment may appear legit (some of these spammers "employ" a method or so to post "related" comments, maybe reading the blog entries or just some keywords); their links may not necessarily take you to a viagra web site, just to a "normal" web site belonging to a restaurant, singer, etc.

I usually have such comments daily.

http://lorelle.wordpress.com/2006/12/02/battling-comment-spam-human-versus-human/
http://www.commoncraft.com/human-spam-comments-where-draw-line

By the way, did you guys see that TypePad AntiSpam is offered for free (so it may be an alternative to Waegis):
http://antispam.typepad.com/
Anyone had a positive experience with it on another blogging platform ?

Nov 16, 2009 at 8:03 AM

It seems to me that someone has managed to get past the patch. Yesterday I received about 45 spam comments within a few minutes from the same author.

 

One of the comments is available here: http://idippedut.dk/post/2007/08/30/Ja-man-tager-sig-jo-til-hovedet.aspx#id_10ba5851-d3c9-42f9-ac17-6c5a459bfd5c

Coordinator
Nov 16, 2009 at 1:56 PM

If you are not using Commentor with the blacklist, try it out, it should help. Nothing will guarantee a 100% result, but at least it is easy to manage spam even if some gets through. The latest code in the repository has a lot of anti-spam features built in, so if upgrading from source is an option for you I would recommend it; it is pretty stable and I use it on my live blog. I occasionally get some spam in, but nothing like 45 comments in a row, that's for sure.

http://rtur.net/blog/post/2009/11/07/Blacklist-added-to-Commentor.aspx

Dec 2, 2009 at 11:47 PM
Edited Dec 3, 2009 at 1:39 AM

Hi rtur

I don't know if I'm missing any point, but could a "time space requirement between two comments" be a helper option against "human" spammers?

For example, a reader can't send a comment without a 3 min wait time (like the AjaxControlToolkit NoBot control).

Last night I got 42 spam comments in 5 min from the same IP. This was not the first time, and deleting them is an annoying job.

For a quick solution I'm thinking about putting the IP in cache (with System.Web.Caching.CacheItemPriority.NotRemovable) with a 3 min absolute expiration and checking it before adding a comment.

Can the new built-in version of Commentor have this kind of option?

I use BlogEngine 1.5.1.30 and the latest Commentor.

Edit & Update:

Actually stopforumspam recognizes almost all my spammers, so maybe there is no need for what I said above.

In the future built-in version there are two options for moderation: manual and automatic (by rules and filters).

Will there be a mixed option, like: I want to moderate comments manually, but comments that have records in stopforumspam will be deleted without moderation (or some other defined rules)?

Best Regards,

 

Jan 29, 2010 at 2:32 PM

Does anyone have an update against this tool or something similar?
I'm running the latest source code, and by now I'm getting regularly spammed, meaning: in a ~15 min interval I'm getting 80-100 comments from the same IP.
By now I have ~600 of such comments.

Either the fix was broken, or it's just a zealous spammer/spammers who enjoy the use of the invisible captcha and easily post comments (heh, the browser can remember the user names, web sites, so this requires minimum effort from spammers).

Either way, it's becoming pointless dealing with such a situation (at least for me).
Yeah, I have comments set to manual moderation, but since the spammers can add comments with such ease, it only stops spam comments from getting published, and I still have a lot to sort and filter in order to approve only good comments, among those hundreds and hundreds of spam comments.

Thanks,
Adrian

Jan 30, 2010 at 12:37 PM

I've taken a look at my web server's logs(not much, as it's on hosting), and this is what I spotted.

First the rat bastard weasel :) came and did some filtering using the month list widget, and then a few minutes later here we go.

It does a GET after a blog post (OK resp) and precisely 5-6 seconds later it does a POST for the comment to that blog entry.
They are strictly GET and POST requests for the specific post ids; there are no other requests in between, like for images from those blog entries.
Between each GET request there is about an 8-10 second interval; between the related GET and POST there is about a 5-6 second interval each time.
The User-agent mimics the one from Firefox 3.5.x on a Windows XP machine.
I've searched for the IP addresses and they are not in the stopforumspam.com database; they look like home users' DHCP addresses. Either the fellas are directly using them, or some poor guy's home PC has been infected/compromised and serves as a sort of relay.
The only persistence is the country from which they come.
The bunch of spam (50-60, 80-100) comes from the same IP address. The IP address seems to change when a new wave arrives -> perhaps it relates to the DHCP lease time?

I doubt there is a human with such consistent behavior, unless the fella is a robot or a dope.
And perhaps this time they keep it quiet, so as not to spoil the party like last time, when the tool was spotted and the BlogEngine.NET devs took care of it.

Any thoughts?
How to deal with these proactively?
The problem isn't the comments appearing on the blog, as they are manually moderated; management isn't necessarily such a problem, as the new BlogEngine version has great support for that.
The thing is that it is an unnecessary quantity of spam to deal with, posted in such a short period of time.
Real captcha (I saw some implemented this on their blogs), in case it is a manual effort -> make it work a little more? I've looked at the guide from http://www.sixapart.com/pronet/comment_spam and they do not seem to like the idea of a real captcha.
Throttling -> no more than one/two comments per (x) minute(s) from a host (tell it to back off) compared to the experienced 5-6-7 per minute?

Thanks,
Adrian
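Added example (not part of the original thread and not BlogEngine.NET code): the pattern described in the post above, written as a check over web server log lines. It flags a client that posts repeatedly, never requests images, scripts or stylesheets, and shows an almost constant GET-to-POST delay. The field order, the asset extension list, the thresholds and the assumption that the comment POST goes to the same path as the page GET are choices made for this sketch; the log lines are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

// One parsed request from the log.
public sealed class Hit
{
    public DateTime Time;
    public string Ip;
    public string Method;
    public string Path;
}

public static class CommentBotDetector
{
    // Requests a real browser makes while rendering a page (assumed extension list).
    static readonly string[] AssetExtensions = { ".css", ".js", ".png", ".jpg", ".gif", ".ico", ".axd" };

    // Assumed field order: date time c-ip cs-method cs-uri-stem sc-status
    public static Hit Parse(string line)
    {
        if (string.IsNullOrWhiteSpace(line) || line.StartsWith("#")) return null;
        string[] f = line.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        if (f.Length < 6) return null;
        DateTime t;
        if (!DateTime.TryParseExact(f[0] + " " + f[1], "yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out t)) return null;
        return new Hit { Time = t, Ip = f[2], Method = f[3].ToUpperInvariant(), Path = f[4].ToLowerInvariant() };
    }

    static bool IsAsset(string path)
    {
        return AssetExtensions.Any(e => path.EndsWith(e, StringComparison.Ordinal));
    }

    // Returns client IPs that posted at least minPosts comments, never fetched an asset,
    // and whose GET-to-POST delays differ by no more than maxSpreadSeconds.
    public static List<string> Suspects(IEnumerable<string> lines, int minPosts, double maxSpreadSeconds)
    {
        var suspects = new List<string>();
        foreach (var client in lines.Select(Parse).Where(h => h != null).GroupBy(h => h.Ip))
        {
            var lastGet = new Dictionary<string, DateTime>(); // page path -> time of latest GET
            var delays = new List<double>();
            bool fetchedAssets = false;
            foreach (Hit h in client.OrderBy(x => x.Time))
            {
                if (IsAsset(h.Path)) { fetchedAssets = true; continue; }
                DateTime got;
                if (h.Method == "GET") lastGet[h.Path] = h.Time;
                else if (h.Method == "POST" && lastGet.TryGetValue(h.Path, out got))
                    delays.Add((h.Time - got).TotalSeconds); // POSTs with no earlier GET are not paired
            }
            if (fetchedAssets || delays.Count < minPosts) continue;
            if (delays.Max() - delays.Min() <= maxSpreadSeconds) suspects.Add(client.Key);
        }
        return suspects;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample log; addresses are from documentation ranges.
        string[] log =
        {
            "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
            "2010-01-30 10:00:00 203.0.113.7 GET /post/entry-one.aspx 200",
            "2010-01-30 10:00:05 203.0.113.7 POST /post/entry-one.aspx 200",
            "2010-01-30 10:00:09 203.0.113.7 GET /post/entry-two.aspx 200",
            "2010-01-30 10:00:15 203.0.113.7 POST /post/entry-two.aspx 200",
            "2010-01-30 10:00:18 203.0.113.7 GET /post/entry-three.aspx 200",
            "2010-01-30 10:00:23 203.0.113.7 POST /post/entry-three.aspx 200",
            "2010-01-30 10:01:00 198.51.100.20 GET /post/entry-one.aspx 200",
            "2010-01-30 10:01:01 198.51.100.20 GET /themes/standard/style.css 200",
            "2010-01-30 10:01:01 198.51.100.20 GET /blog.js 200",
            "2010-01-30 10:02:36 198.51.100.20 POST /post/entry-one.aspx 200",
        };
        foreach (string ip in CommentBotDetector.Suspects(log, 3, 2.0))
            Console.WriteLine("suspect: " + ip);
    }
}
```

A browser that serves every asset from its cache can also show no asset requests, so the result is a list to review rather than a block list.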

Jan 30, 2010 at 3:35 PM

Depending on your webserver, you could use IP filtering with IIS 5, 6, 7 and 7.5 for the bunch, which in your case is hosted somewhere else, thus not possible.

It's rather not the best option...

I have searched my log files to help you. I am self-hosted: Win 2003, IIS 6, with an ISA firewall in front.

I have comments enabled on my BlogEngine site and receive each day a post which is spam... (not as much as you have... thanks me)

What I found in my log files is that there is always the www.baidu.com spider in the neighbourhood when the post is added!

Some posts are with post.aspx?id=523798fqhjcsish984ur23u5yrughgg, total length exactly 36 characters, with no GET or POST before the post!  Looks like they captured the IDs and use them again with requests and responses.

For a few days the comments were added from the same IP address... with the Baidu spider around...

Just like the Google attack from days ago, you had better increase the mime types in your webserver!

I still believe there are people hanging out who have no time to do something better than try to make money with the Google Page Ranking system and add comments by hand... Maybe a very good reason that Google leaves China.  They copied Google anyway...

Will search more to find a solution for the automatic entries...

When you are using IIS for your BlogEngine site you could also use the IIS tracing module to find some more details

Do you have more details about your hosted webserver...

Stay in touch

 

 

 

Jan 30, 2010 at 4:12 PM

Hi, 

My situation is very much like adrianf's, mostly from a European country and some other middle Asian countries. The European one has dynamic IPs like home users, and stopforumspam can't recognize it.

Just posting it so as not to focus on only some points.

Jan 30, 2010 at 6:35 PM
Edited Jan 30, 2010 at 6:55 PM

hey guys, thanks for your replies.

I'm on a web hosting provider, that's a dead end. And I only have access to limited logs.

If I would have an ISA in front of my web server, I could have set up a deny rule with a redirection (as I've identified the network block from which they come), and say on the redirection page something like "you look like a spammer, contact your ISP bla bla". Yeah, that's a little bit brutal, but it's not such a big network block, and some web sites use such things; once I ended up myself on a page like this connecting from a wireless hot spot. Maybe I'll try to find out if the web hosting company can do that for me (I'm not sure this is the right thing to do though, denying an entire network block).

I've contacted the culprit ISP, not heard back from them (yet).

A couple of spam posts per day is regular activity for me, human made spam is very common today, but from time to time a wave of such comments arrives.
Anyway they are dopes, as the comments never get published, and they draw attention on them.
And I'm not annoyed by that, as I can delete the comments without much pain, but obviously, if there is a solution to this, would be nice :), so to not have to delete such comments and potentially delete good comments in the process if I'm distracted by my dog. :)

As a side effect, the blog email address receives a lot of emails(due to the new comments posted).

Coordinator
Jan 30, 2010 at 7:22 PM

Most if not all of these spam comments are driven by advertisers trying to push their products/services. Instead of relying on spammers' IPs as StopForumSpam is doing, I would suggest a service that keeps track of businesses that hire those black hat guys to spam. Then it would be trivial to create a custom filter that uses this service and, if a comment has any reference to a blacklisted site/business, simply blocks that comment. Also, not sending email if a comment is marked as spam would be more appropriate; it should be really easy to change.

 

Jan 30, 2010 at 7:49 PM

I still get a couple spam comments a day or so, but they're all manually entered and since I implemented my filter extension, they don't repeat...

Jacob

Coordinator
Jan 30, 2010 at 8:11 PM

For the case where new spam is coming in as a POST within 5-6 seconds after the GET, I think a fairly easy and effective strategy is to keep track of the time for when the page was delivered, and then don't allow comments to be left that quickly.  The person could make changes and spread out the time between the GET and POST, but we don't know if the person's automated software is capable of doing that.

The time can be tracked a few different ways ... via cookie, Session State, or a more involved way would be to record the time (maybe encrypted) in a JavaScript variable that the addComment() JS function passes back to the server when a comment is posted.  The server side code can check this value passed back in and make sure enough time has elapsed.
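Added example (not part of the original thread and not BlogEngine.NET code): one way to carry the page-delivery time to the client and back, as the post above suggests, using an HMAC-signed timestamp instead of an encrypted one so the server can detect a forged or altered value. The class name, the 10-second minimum delay, the 2-hour maximum age and the post id are assumptions made for this sketch.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public sealed class CommentTimingToken
{
    private readonly byte[] _key;
    private readonly TimeSpan _minDelay;
    private readonly TimeSpan _maxAge;

    public CommentTimingToken(byte[] key, TimeSpan minDelay, TimeSpan maxAge)
    {
        if (key == null || key.Length < 32)
            throw new ArgumentException("use a random server-side key of at least 32 bytes", "key");
        _key = key; _minDelay = minDelay; _maxAge = maxAge;
    }

    // Called while rendering the page; the value goes into a hidden field or JS variable.
    public string Issue(string postId, DateTime renderedUtc)
    {
        string ticks = renderedUtc.Ticks.ToString(CultureInfo.InvariantCulture);
        return ticks + "." + Sign(postId, ticks);
    }

    // Called when the comment arrives; rejects forged, early and stale tokens.
    public bool Validate(string token, string postId, DateTime nowUtc, out string reason)
    {
        reason = "malformed token";
        if (string.IsNullOrEmpty(token)) return false;
        int dot = token.IndexOf('.');
        if (dot <= 0 || dot == token.Length - 1) return false;
        string ticks = token.Substring(0, dot);
        string mac = token.Substring(dot + 1);
        long t;
        if (!long.TryParse(ticks, NumberStyles.None, CultureInfo.InvariantCulture, out t)) return false;
        if (t > DateTime.MaxValue.Ticks) return false;

        // Check the signature before trusting the timestamp; it also binds the token to one post.
        reason = "bad signature";
        if (!FixedTimeEquals(mac, Sign(postId, ticks))) return false;

        TimeSpan elapsed = nowUtc - new DateTime(t, DateTimeKind.Utc);
        if (elapsed < _minDelay) { reason = "posted too quickly"; return false; }
        if (elapsed > _maxAge) { reason = "token expired"; return false; }
        reason = "ok";
        return true;
    }

    private string Sign(string postId, string ticks)
    {
        using (var hmac = new HMACSHA256(_key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(postId + "|" + ticks)));
    }

    // Compares without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        var guard = new CommentTimingToken(key, TimeSpan.FromSeconds(10), TimeSpan.FromHours(2));

        // Constructed render time and post id.
        DateTime rendered = new DateTime(2010, 1, 30, 20, 0, 0, DateTimeKind.Utc);
        string token = guard.Issue("post-123", rendered);
        string why;

        Console.WriteLine(guard.Validate(token, "post-123", rendered.AddSeconds(5), out why) + ": " + why);
        Console.WriteLine(guard.Validate(token, "post-123", rendered.AddSeconds(90), out why) + ": " + why);
        Console.WriteLine(guard.Validate(token, "post-456", rendered.AddSeconds(90), out why) + ": " + why);
        Console.WriteLine(guard.Validate("0." + token.Substring(token.IndexOf('.') + 1), "post-123",
            rendered.AddSeconds(90), out why) + ": " + why);
    }
}
```

A token stays valid until it expires, so the server would also need to record accepted tokens if one page load must yield at most one comment. A client that waits out the delay still passes, which is the limitation the post above already names.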

Jan 30, 2010 at 9:27 PM

Adrian,

Believe me, with an ISA Server in front, it's not always easy to configure.  I have been working with ISA for more than 5 years now and I can tell you... Like other software firewalls there is always something going on.

If you want to create exception rules then there comes a day that you can't see the holes between the rules.  Still ISA is one of the best software Firewalls.  Not many particular used, but that is where you find mostly the BlogEngine websites !  I have one...

Comments added by finger typing, we will never stop them (and I don't want to either)

But when it comes to automatically adding comments then the solution is for the developer. Restrictions based on IP addressing !, maybe one comment a day !  Someone could easily create that piece of software for us.... post.aspx ?

Some SPAM is even so nice in comment that I sometimes doubt about deleting !

Dynamic IP !  There is a lot stuff on the Internet that will hide your IP easily.....and transform you to someone else...but not in seconds between postings

 

RTUR  The service you mentioned sounds like a worldwide block list from SPAM companies !  There are mostly on business level several possibilities to avoid spam.  Confirming emails etc etc
There were also Internet companies who serve you with spam block lists, even paid

Like ISA, you have to see and catch the thief before he comes into the bank.  When the thief is in the bank you're probably too late...

Yeh, your rights on access from the Log Files at your webhosting company is a legal issue, ask for them. You could see the patterns in the logfiles

The block on the Wireless Hotspot is not based on IP address, you probably didn't pay ! and therefore no access, they redirect you....as I believe not to the payment gateway page ?  Did you ever sleep in a 5 star hotel, they transfer you (if internet is a paid service then increase with 2 stars) to a payment gateway...

 

Jan 30, 2010 at 9:33 PM

Increase with 2 stars !  Decrease with 2 stars...

 

Jan 30, 2010 at 9:45 PM

The idea about URLs rather than IPs sounds interesting, but what would that service be ?
And the timing between "view" and post comment one too, however they might adjust this to say 30 seconds or so if this is a tool.

In my case the URLs are something like (name and email address change very often, so I think they are irrelevant):

h--p://direct-payday-cash-advance.com/
h--p://fastloansus.com/
h--p://fastloansus.com/'something'
h--p://superpaydayloan.com
h--p://superpaydayloan.com/loans/'US state'
h--p://cashusloans.com/
h--p://www.usapaydayloan.net/

The thing is that they are different for each wave, but somehow related judging by the domain name. I can't manually filter them by URLs unless I know them in advance.

I googled about, and they seem to be used a lot for spamming (including manual (human made) one), just look at this poor guy :(  , if you do a 'loan' search within the browser on the below page, they flooded him with similar junk some time ago (September last year, one minute interval on his web site according to the dates -> could be just human made, not sure if he patched his blog or not):
http://www.tonytestasworld.com/post/2009/09/04/Which-version-of-SQL-Server-am-I-running.aspx

Look like sort of scam domains to me, not sure if they are for real (better disable scripting when visiting them), I've tried Microsoft Reputation Services to see in which category they fit, and it came empty:
http://www.microsoft.com/security/portal/mrs/

By the way, the logs look something like (I masked the spammers IP address, if the fellas are watching this topic):

time s-sitename cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes cs-bytes
21:28:25 'xxx' GET /blog/post.aspx id='xxx' 80 'spammer IP addr' Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.4)+Gecko/20091016+Firefox/3.5.4 - 200 12734 668
21:28:31 'xxx' POST /blog/post.aspx id='xxx' 80 'spammer IP addr' Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.4)+Gecko/20091016+Firefox/3.5.4 'blog post URL' 200 2282 3177

Occasionally the logs look different, for the same blog entry, like (a misfire ?):

time s-sitename cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes cs-bytes
21:37:29 'xxx' GET /blog/post.aspx id='xxx' 80 'spammer IP addr' Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.4)+Gecko/20091016+Firefox/3.5.4 - 200 23226 618
21:37:35 'xxx' POST /blog/post.aspx id='xxx' 80 'spammer IP addr' Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.4)+Gecko/20091016+Firefox/3.5.4 'blog post URL' 200 2258 3046
21:37:58 'xxx' POST /blog/post.aspx id='xxx' 80 'spammer IP addr' Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.4)+Gecko/20091016+Firefox/3.5.4 'blog post URL' 200 2369 3190
21:38:23 'xxx' POST /blog/post.aspx id='xxx' 80 'spammer IP addr' Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.4)+Gecko/20091016+Firefox/3.5.4 'blog post URL' 200 2302 3112
21:38:46 'xxx' POST /blog/post.aspx id='xxx' 80 'spammer IP addr' Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.4)+Gecko/20091016+Firefox/3.5.4 'blog post URL' 200 2307 3111
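A way to pull the pattern visible in these logs out of a whole log file, added here as an example and not taken from the thread: it flags a POST that follows the same client's GET too quickly, and further POSTs that arrive without a fresh GET. The sample lines are constructed (documentation IP ranges, made-up site name and ids), the 10-second threshold is an assumption, and it assumes all lines come from one day's log since only the time of day is recorded.

```python
from datetime import datetime

FIELDS = ("time s-sitename cs-method cs-uri-stem cs-uri-query s-port c-ip "
          "cs(User-Agent) cs(Referer) sc-status sc-bytes cs-bytes").split()

# Constructed sample lines in the same field layout as the logs above.
SAMPLE = """\
21:28:25 W3SVC1 GET /blog/post.aspx id=aaa 80 203.0.113.7 Mozilla/5.0+(bot) - 200 12734 668
21:28:31 W3SVC1 POST /blog/post.aspx id=aaa 80 203.0.113.7 Mozilla/5.0+(bot) http://example.test/p 200 2282 3177
21:28:54 W3SVC1 POST /blog/post.aspx id=aaa 80 203.0.113.7 Mozilla/5.0+(bot) http://example.test/p 200 2369 3190
21:30:02 W3SVC1 GET /blog/post.aspx id=aaa 80 198.51.100.20 Mozilla/5.0+(reader) - 200 12734 668
21:33:40 W3SVC1 POST /blog/post.aspx id=aaa 80 198.51.100.20 Mozilla/5.0+(reader) http://example.test/p 200 2282 3177
"""


def parse(lines):
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or line.startswith(("#", "time ")):
            continue  # skip header rows and malformed lines
        row = dict(zip(FIELDS, parts))
        row["t"] = datetime.strptime(row["time"], "%H:%M:%S")
        yield row


def flag_fast_posts(lines, min_seconds=10):
    """Return (time, ip, query, reason) for POSTs that look automated."""
    last_get, posts_since_get, flagged = {}, {}, []
    for r in parse(lines):
        key = (r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"])
        if r["cs-method"] == "GET":
            last_get[key], posts_since_get[key] = r["t"], 0
        elif r["cs-method"] == "POST":
            posts_since_get[key] = posts_since_get.get(key, 0) + 1
            seen = last_get.get(key)
            if seen is None:
                reason = "POST without prior GET"
            elif posts_since_get[key] > 1:
                reason = "repeated POST after one GET"
            elif (r["t"] - seen).total_seconds() < min_seconds:
                reason = "POST %ds after GET" % (r["t"] - seen).total_seconds()
            else:
                continue
            flagged.append((r["time"], r["c-ip"], r["cs-uri-query"], reason))
    return flagged
```

The output is a list of candidates for review, not a verdict: a reader who leaves two comments from one page load would also match the repeated-POST rule.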

Jan 30, 2010 at 9:48 PM
Edited Jan 30, 2010 at 9:51 PM

@Hermsen

Nope, it was a free hot spot, and the web site was a security related one (dudes deep in the hackers related stuff), everything else was working fine. And I did not try anything funny, just browsing. :)

Coordinator
Jan 30, 2010 at 9:50 PM

I think if you use the Akismet filter, BE will pass all the pieces of information to Akismet -- including the website.  I would imagine Akismet evaluates all these pieces of information (content, name, email address, website address, ip address) when making a determination whether the comment is spam.

I'm not using the Akismet filter and don't know much about it, but this is how I would imagine it works...

Jan 30, 2010 at 9:54 PM

You could, but then the posted comment goes into the inbox for being approved -> same situation, unless we reject it. This is not quite an option, heh, I've used Akismet and it labeled me as a spammer and I could not post on my own blog, got to approve my own comment (I was not logged in). :)
If we just reject based on Akismet's judgment we might reject legit comments.

Jan 31, 2010 at 8:40 AM

I was just thinking, Blogengine.net has manual rules to filter comments.
In addition to this, whether it is set to manual, automatic or no moderation, have rules to reject comments based on keywords/patterns, similar to Proffitt's extension.
Rejecting by entire URL is not a good idea, as there can be small variations.

Areas of interest are the spammers' web sites and names.
Patterns can be viagra, loans, sex, vagina, etc.

We can build a txt file (I can come up with one and try to update it periodically) with one keyword/pattern per row that can be integrated by default into Blogengine. And users can modify and update it as desired.
It's not like a service (as Rtur mentioned above) you can query to get results (I'm not aware of one), but still should cut a lot of regular spam.
Actually there can be more txt files, one for very common patterns (to minimize false positives), and another one with a more aggressive approach. Users can choose the one they want to use.

Googled a little, and this is what I've found (useful to build that txt file, in addition I can use Google and find blog spam comments, especially the ones targeting Blogengine users):
http://projecthoneypot.org/comment_spammer_keywords.php
http://www.snoitulosten.com/2009-list-of-spam-keywords/
http://www.technologyevangelist.com/2006/03/our_comment_spam_pre.html
http://www.technologyevangelist.com/2006/09/additions_to_our_com.html
http://www.articlesbase.com/computers-articles/suggested-keywords-for-spam-filters-781148.html
http://blog.taragana.com/index.php/archive/nginx-how-to-stop-referrer-spam-with-keyword-filtering/
http://en.wikipedia.org/wiki/Spam_in_blogs#Blocking_by_keyword

Jan 31, 2010 at 2:08 PM

Solution

http://www.codecapers.com/post/How-to-Block-Spam-Comments-in-BlogEngineNET.aspx