Comment Spam Attack

Of late, the blog has been getting 500 hits per day, with 60-ish on the main page and 30-ish on the post of the day. The “Hot Topics” posts (over in the right column, down a bit) account for a scant hundred more hits, with the remaining 300 hits distributed in onesies and twosies along the very, very long tail of 4200 posts.

Then this happened:

Spam Attack - Page Hits
Spam Attack – Page Hits

It seems a spammer noticed my posting activity and unleashed either a script or, more dismally, a stable of low-wage third-world workers to make a comment on every single post in the blog.

The Akismet scanner flagged three dozen comments made on the most recent posts, with the remaining 4500 (!) page views producing zero comments, because, some years back, I had disabled comments on posts older than a few dozen days. I disliked doing so, because I value comments from folks who contribute to the discussion, but …

The IP addresses seem to point back to compromised servers and pwned Windows boxes in the US, with very few foreign sources. The comments themselves consist of the usual gibberish, often run through a thesaurus (known as “spinning”) to improve the odds of evading the detectors. The payload seems to be the URLs attached to the random user names, all pointing to sites touting Vietnamese (!) scams, Russian pharmaceutical sources, online gambling dens, and the like.

And then, after two days, it was over.

Which is why I really really do not want to manage my own blog infrastructure, infuriating as WordPress-dot-com’s editor might be.

8 thoughts on “Comment Spam Attack

  1. Ah, the WordPress Two Days o’ Spam. It happens to me almost every time that Akismet launches an update, then a couple of days later they make an x.y.1 release that makes the problem go away.

    But yeah, you don’t want to be handling this yourself. A few weeks ago the Akismet credentials expired on Catherine’s blog. Until we resolved it, we were getting spam comments every 45 seconds on just one post — a eulogy to a late friend that contained a word that’s a high-value pharma spam keyword.

    1. Yick.

      I absolutely cannot follow the money, but it must be substantial to justify the effort they keep expending. Either that or there’s no money involved; could go either way.

  2. A few years back I was getting over 200 spam comments a day and I am also hosted here with Akismet – took them quite a while for WordPress to address the issue – and my site is modest

    1. Even with the old posts closed to comments, Akismet was fielding 1600 spam comments a month early this year! It’s down to a few dozen a month, which makes the spike even more noticeable, and they seem to have the situation well in hand.

      It’d be nice if filtering weren’t necessary, but we don’t live in that universe any more.

  3. Telephone spamming is alive and (excuse the expression) well. We get a fair number of calls from “Not Provided” as well as some entity claiming to be “NRA”. Not sure how many of these might be polls or interactive robocalls; with only the default answering machine pickup, they don’t leave a message.

    Then there’s the Ashland, OR number (so they say) that wants us to use them for better visibility on Google advertising. If I had a business to advertise, they’d be the last ones to use… They’ll try a couple times a week. Schmucks!

    We’re incredibly happy to have added Caller ID to the landline a while ago. My cell phone is usually turned off (one of the perks of being retired), so spam cell calls are minimal. Of course, there was the poor appliance guy who was given my cell number as the only contact for some installations. Finally called him back; somebody west of the Cascades goofed when they gave him a number.

    1. A few weeks ago I set our VOIP landline phone to “whitelist” mode, wherein all calls go to voicemail unless the number is in the contacts list.

      Shazam: it’s now dead silent except for folks we actually want to talk with.

      Automated callbacks and first-time callers require some tinkering, but it’s an overall win: when the phone don’t ring, we know it’s a spammer. [nasty grin]

  4. The reason they spam is SEO – they don’t care about you and your blog. It’s the old Google Search Engine model of back in the day of, “whomever has the most links to their site, gets ranked higher.”

    Which, of course, is not the primary thing these days with Google search (but, it still is a factor).

    So for SEO, if they can get a few 1000 or more wikis and blogs pointing to their site, they surely will get ranked higher. At least, that’s the thought the spammers pitch to their clients that pays them the shady cash to “get ranked higher.”

    I switched over to a static blog about 7 years go and host everything for free on GitHub Pages. For comments, I currently run Disqus. This does three things:

    It keeps all infrastructure on GitHub, with no “code” to hack or support.
    It keeps comments on a 3rd party, again I don’t have to manage. I’ve had several “spam” get caught for moderation, but never had any get through filters (I get an email for every comment).
    Since Discus is javascript, it does not get rendered to search engines to index. Effectively making my blog INOP to any SEO spammers.

    That last one is difficult though: back when I did run my own infrastructure, the comments were some of the key search engine hits I had on the site. Getting rid of that did drop my traffic flow and keyword hits.

    Discus has an API that allows you to pull down comments. I always had this grand idea that I’d automate a daily dump of comments and write them into the static pages. However, not having the SEO spam has kept that away for now.

    At this time though, I don’t care any longer (for traffic, nor page views, nor SEO for actual content, etc). The best version of my static site is dropping Javascript completely from it (or at least the Tor versions). Dropping Google Analytics as well, I just don’t use it, and I have no ads.

    I see 9 “Ads and other creepy stuff” blocked on this page as I write this comment. My new site will aim to have no blocks.

    For the record, I’m switching over to Hugo static site generator.

    1. You’ve definitely confirmed my suspicion: given my minimal blog traffic, the simple existence of a link must be how I can best “support” the spam economy.

      I’m approaching WordPress-dot-com’s 3 GB limit on media files, whereupon I’ll pay for their Personal plan. As a pleasant side effect, WP will then remove their ad traffic; if the cut I get from their ads is any indication, I won’t be losing much income. [grin]

      Thanks for the insight!

Comments are closed.