Comment spammers getting smarter -- user spam

Two disturbing trends are on the rise in blog comment spam.

You may want to note that I have changed the challenge question for posting comments on this blog. It is no longer my last name.

The first has been going on for a while -- it's hand-written comment spam. Spammers pay people, probably low-wage workers in third-world countries, to write comments on blog posts that are very roughly on topic. Those comments then contain a link to the spammer's site, with the keywords the spammer wants. Sometimes the link is just on the userid.

The spammers do this even though I tell them that all links in comments get the "nofollow" attribute (rel="nofollow"), which makes Google and other search engines ignore them and assign them no rank. They are thus wasting their time, other than getting a few clickthroughs from readers here. The people they hire are smart enough to pass the Turing test and write a comment that is roughly on topic, but they either don't understand the nofollow warning or don't care because they are paid by the comment.

Truth be told, they don't write very good comments. Any real examination shows they are not really appropriate. More to the point, unlike the majority of comments, they contain links, and of course those links go to commercial sites. The mere presence of links is enough to make a comment worth examining. Unfortunately, I now have spam filters that put posts with possible bad links into an approval queue rather than publishing them immediately.
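The two mechanisms described above (every user-submitted link carrying rel="nofollow", and any comment containing a link being held for approval) can be combined in a small moderation filter. The following is an added example, not code from this blog or from Drupal; the Comment record, the sample comments and the "publish"/"queue" decisions are constructed for illustration.

```python
import html
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical comment record; the blog's real schema is not shown on the page.
@dataclass
class Comment:
    author: str
    author_url: str   # a link placed "on the userid" counts as a link too
    body: str         # HTML or plain text as submitted

ANCHOR_RE = re.compile(r"<a\b([^>]*)>", re.IGNORECASE)
REL_RE = re.compile(r'\brel\s*=\s*(["\'])(.*?)\1', re.IGNORECASE)
HREF_RE = re.compile(r'href\s*=\s*(["\'])(.*?)\1', re.IGNORECASE)
# Bare URLs and www. hosts that a comment template might auto-link.
BARE_URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def add_nofollow(markup: str) -> str:
    """Ensure every <a> tag carries rel="nofollow", merging with any existing rel value."""
    def fix(match: "re.Match") -> str:
        attrs = match.group(1)
        rel = REL_RE.search(attrs)
        if rel is None:
            return f'<a{attrs} rel="nofollow">'
        tokens = rel.group(2).split()
        if "nofollow" not in (t.lower() for t in tokens):
            tokens.append("nofollow")
        new_rel = f'rel="{" ".join(tokens)}"'
        return "<a" + attrs[:rel.start()] + new_rel + attrs[rel.end():] + ">"
    return ANCHOR_RE.sub(fix, markup)


def find_links(comment: Comment) -> List[str]:
    """Return every URL the comment would publish: hrefs, bare URLs and the author URL."""
    found: List[str] = []
    seen = set()

    def add(url: str) -> None:
        if url and url not in seen:
            seen.add(url)
            found.append(url)

    for m in HREF_RE.finditer(comment.body):
        add(html.unescape(m.group(2)))
    # Strip tags first so an href is not counted a second time as link text.
    text_only = re.sub(r"<[^>]+>", " ", comment.body)
    for url in BARE_URL_RE.findall(text_only):
        add(url)
    add(comment.author_url.strip())
    return found


def triage(comment: Comment) -> Dict[str, object]:
    """Queue anything with a link for approval; publish the rest. Links always get nofollow."""
    links = find_links(comment)
    return {
        "decision": "queue" if links else "publish",
        "links": links,
        "body": add_nofollow(comment.body),
    }


# Constructed sample comments (not taken from the page).
SAMPLE_COMMENTS = [
    Comment("alice", "", "Good point about moderation, I had the same experience."),
    Comment("Cheap Widgets", "http://example.com/widgets",
            'Nice blog! See <a href="http://example.com/buy" rel="me">here</a> for more.'),
    Comment("bob", "", "Details at www.example.org/notes if anyone is curious."),
]


def triage_all(comments=SAMPLE_COMMENTS) -> List[Dict[str, object]]:
    return [triage(c) for c in comments]


if __name__ == "__main__":
    for result in triage_all():
        print(result["decision"], result["links"])
```

The filter is deliberately crude: it does not judge whether a link is "bad", it only routes anything with a link to a human, which is exactly the policy the text describes. The rel merge matters because a spammer-supplied rel="me" or similar would otherwise survive untouched.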

Today I discovered a new type of spam on the blog. A spammer was creating userids but not posting any comments. They just put a link to their spam pages in their user description. Userid creation does require a challenge question, but at least one spammer wrote code to fill it in, since I don't change the question every time, as perhaps I should.

The userids had names like "Brittney nude", so they show up in the blog user directory and are indexed by search engines. Since my pagerank is high, people are finding these userid pages via searches and perhaps following the links to the spammers.

Mostly I want my challenge to be very simple, to make it as easy as possible to participate. I don't like image captchas; I find them a pain when I go to other sites. And most of them have been broken on the big, high-value sites. They probably would not get broken for a smaller site like mine. Other options include simple math problems (but those may get broken by code as well).

My general rule has been that unless you are a high-value target (and perhaps I'm going up in value) you should not have to do very much. The key is to not be the same as other sites, and not to do anything like use a standard Drupal module that makes you the same as all other Drupal sites. As a collection, Drupal sites are a high-value target.
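The weakness the post identifies is that a challenge whose answer never changes can be scripted once and replayed forever. The following added example (not the blog's code, and not its real question) shows one way to keep a site-specific question cheap for humans while denying that replay: each form render picks one of several questions and issues an HMAC-signed, expiring, single-use token that names the question, so a scripted answer to a fixed question fails and a captured good submission cannot be reused. The HMAC signing and the questions are assumptions of this example, not something the post describes.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
import time
from typing import Optional, Tuple

# Assumption: a per-site secret; a real deployment would load it from configuration.
SECRET_KEY = secrets.token_bytes(32)

# Hypothetical site-specific questions and normalized answers (the blog's own
# question is deliberately not reproduced here).
QUESTIONS = {
    "q1": ("What colour is the banner at the top of this blog?", "blue"),
    "q2": ("What animal appears in this blog's logo?", "robot"),
}
TOKEN_TTL = 600  # seconds a rendered form stays valid

# Nonces already consumed by a successful submission (in-memory for the example).
_used_nonces = set()


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive comparison so humans are not tripped up."""
    return re.sub(r"\s+", " ", answer.strip().lower())


def issue_challenge(qid: Optional[str] = None, now: Optional[int] = None) -> Tuple[str, str]:
    """Pick a question (randomly unless qid is given) and return (prompt, token) for the form."""
    now = int(time.time()) if now is None else now
    qid = qid or secrets.choice(sorted(QUESTIONS))
    payload = json.dumps(
        {"q": qid, "n": secrets.token_hex(8), "exp": now + TOKEN_TTL},
        separators=(",", ":"),
    ).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    return QUESTIONS[qid][0], token


def verify_answer(token: str, answer: str, now: Optional[int] = None) -> bool:
    """True only for a correct answer to the question named by a valid, unexpired, unused token."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return False
    # Constant-time check before trusting anything inside the payload.
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    data = json.loads(payload)
    if data["exp"] < now or data["n"] in _used_nonces:
        return False
    if normalize(answer) != QUESTIONS[data["q"]][1]:
        return False
    _used_nonces.add(data["n"])  # burn the nonce so the same form cannot be submitted twice
    return True


if __name__ == "__main__":
    prompt, tok = issue_challenge()
    print(prompt)
    print("correct answer accepted:", verify_answer(tok, "blue") or verify_answer(tok, "robot"))
```

Because the question id lives inside the signed token, the server does not need a session to remember which question it asked, and a script that always submits the answer to last week's question fails as soon as the other question is drawn.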

I deleted the users, of course, but the interesting thing here was that since they did not post, I only noticed them from referer logs showing visitors arriving from search engines.
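The profile spam described above leaves two traces a site owner can check for: accounts that have never commented but carry a link in their description, and search-engine referers landing directly on user-profile pages. The following added example (not the blog's code; the log lines, profile records and the /user/ID path convention are constructed assumptions) scans a combined-format access log for the second signal and joins it with the first to produce a review list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample access-log lines in combined format (not from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2008:12:01:02 +0000] "GET /user/4021 HTTP/1.1" 200 5120 "http://www.google.com/search?q=brittney" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2008:12:02:30 +0000] "GET /user/4021 HTTP/1.1" 200 5120 "http://search.yahoo.com/search?p=brittney" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2008:12:03:00 +0000] "GET /node/123 HTTP/1.1" 200 9000 "http://www.google.com/search?q=blog" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2008:12:04:00 +0000] "GET /user/17 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: profile pages live at /user/<numeric id>, as on a default Drupal site.
USER_PAGE_RE = re.compile(r"^/user/(\d+)$")
# Assumption: a small list of search-engine referer domains is enough for this check.
SEARCH_ENGINE_RE = re.compile(r"(^|\.)(google|bing|yahoo)\.[a-z.]+$")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def is_search_referer(referer: str) -> bool:
    host = urlparse(referer).netloc.lower()
    return bool(SEARCH_ENGINE_RE.search(host))


def search_hits_on_user_pages(log_text: str) -> Dict[int, int]:
    """Count search-engine arrivals per profile page, keyed by user id."""
    hits: Dict[int, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        page = USER_PAGE_RE.match(m["path"])
        if page and is_search_referer(m["referer"]):
            uid = int(page.group(1))
            hits[uid] = hits.get(uid, 0) + 1
    return hits


# Hypothetical profile record; the blog's real user table is not shown on the page.
@dataclass
class Profile:
    uid: int
    name: str
    description: str
    comment_count: int


SAMPLE_PROFILES = [
    Profile(4021, "Brittney nude", "Visit http://example.com/offers now", 0),
    Profile(17, "longtime_reader", "I write about robots at www.example.org/me", 42),
    Profile(900, "newbie", "Hello, just signed up.", 0),
]


def audit_profiles(profiles: List[Profile], search_hits: Dict[int, int]) -> List[Tuple[int, str, List[str]]]:
    """Return (uid, name, reasons) for profiles that deserve a human look."""
    flagged = []
    for p in profiles:
        reasons = []
        if URL_RE.search(p.description) and p.comment_count == 0:
            reasons.append("link in description but never commented")
        if search_hits.get(p.uid, 0):
            reasons.append(f"{search_hits[p.uid]} search-engine arrival(s) on profile page")
        if reasons:
            flagged.append((p.uid, p.name, reasons))
    return flagged


if __name__ == "__main__":
    for uid, name, reasons in audit_profiles(SAMPLE_PROFILES, search_hits_on_user_pages(SAMPLE_LOG)):
        print(uid, name, "; ".join(reasons))
```

A regular reader who happens to list a homepage is not flagged on the link signal alone, because the rule also requires zero comments; the search-arrival signal is the one that surfaced the problem for the author, and counting it per profile page is what lets the two be combined.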

Update: They are keeping at it, so I decided to put user creation on administrator approval. Truth is, not very many readers here create accounts, and there are only minor reasons to do so. If you create an account it removes the "Not Verified" after your name and you don't have to enter your details again. You can also edit and remove your comments after the fact if you post them with an account.


I understood that the 'nofollow' tag is still ignored by some indexers even if Google respects it, so perhaps it is still worthwhile to keep creating comment spam. I have to kill maybe 5 of these a year, so it's not a huge problem for me, but I am still amazed that it's worth anybody doing this as a business.

The blog has a high Google "pagerank". That makes links from the blog very valuable in that they can increase the pagerank of the page I link to. And they do, if I link to it in text I write. However, links inserted by ordinary users have the nofollow and don't do this. However, if they didn't, it would indeed be worthwhile as a business to do this. In the link selling business, sponsors will pay $100 to $200 per month for good links from a 7 pagerank, $500 to $1000 for an 8 pagerank. So if they can get it by spamming, they are very happy. I delete these; I suppose I should track the IPs to see what country they come from.

I'm simply tempted to see if I figured out your non-riddle on the new comment question... ;)

SPAM comments are astounding things, I keep getting hit by various sexual improvement sites and payday loan sites that are attempting to use my Page Rank to increase their readership too.

I moderate all my comments, but I don't get a lot of them either.

I used to love fried spam... now I can't stand it.


What if you have the commenter do a simple math problem that is generated automatically? I would think that the code would be easy to deploy and if it is cracked it would be simple to make changes that are based on color of the font or something like that so that automated cracking would be harder.

The paid comment spammers are able to solve the math problems just fine; it just annoys the users, I think. It does make it a bit harder for those who want to automate the process, but this is manual stuff, no easy answer (except what I am now doing, which is that posts with links need to be approved).
