Comment spammers getting smarter -- user spam
Two disturbing trends are moving upwards in the area of blog comment spam.
You may want to note that I have changed the challenge question for posting comments on this blog. It is no longer my last name.
The first has been taking place for a while -- it's hand-written comment spam. Spammers are paying people, probably low-wage people in 3rd world countries, to write comments on blog posts that are very roughly on-topic. Then those comments will contain a link to the spammer's site, with the keywords the spammer wants. Sometimes the link will just be on the userid.
The spammers do this even though I tell them that all links in comments get the "nofollow" tag which makes Google and other search engines ignore them and not assign rank to them. They are thus wasting their time, other than to get a few clickthroughs from readers here. The people they hire are smart enough to pass the Turing test and write a comment that is roughly on topic, but they either don't understand the nofollow warning or don't worry about it because they are paid by the comment.
Truth be known they don't write very good comments. Any real examination will show they are not really appropriate. And more to the point, unlike the majority of comments, they have links, and of course those links are to commercial sites. Just the existence of links is enough to make the comment worthy of examination. And I now have spam filters that put posts with possible bad links into an approval queue rather that doing immediate posting, unfortunately.
Today I discovered a new type of spam on the blog. A spammer was creating userids, but not posting any comments. They just put a link to their spam pages in their user description. Userid creation does require a challenge question but at least one spammer wrote code to fill it in, since I don't change the question every time as perhaps I should.
The userids would have names like "Brittney nude" and thus they show up in the blog user directory and are parsed by search engines. Since my pagerank is high, people are finding these userid pages for searches, and then perhaps following links to the spammers.
Mostly I want my challenge to be very simple to make it as easy as possible to participate. I don't like image captchas, I find them a pain when I go to other sites. And most of them have been broken on the big, high-value sites. They probably would not get broken for a smaller site like mine. Other options include simple math problems (but those may get broken by code as well.)
My general rule has been that unless you are a high-value target (and perhaps I'm going up in value) you should not have to do very much. The key is not not be the same as other sites, and to not do anything like use a standard module for drupal so you are the same as all other drupal sites. As a collection, drupal sites are a high value target.
I deleted the users of course, but the interesting trick here was that since they did not post, I only noticed them by seeing referer logs coming from search engines.
Update: They are keeping at it, so I decided to put user creation on administrator approval. Truth is, not very many readers here create accounts, and there are only minor reasons to do so. If you create an account it takes away the "Not Verified" after your name and you don't have to enter any parameters again. You can also edit and remove your comments after the fact if you post them with an account.