Recently, new bots have rendered current anti-spam techniques for blogs almost useless. Here is a short write-up on the subject of comment spam, referrer spam and what's currently happening in that area.

I have given a lot of thought to, and done a lot of checking on, the subject of comment spam, and came up with a few interesting findings. If you don't run a blog (which will make you an expert) or haven't read about this subject in the past, just Google it. You are all smart people. :)

Basically, though, comment spam is regular spam, only posted in blogs and other web pages where comments are possible, both for simple economic spamming purposes and to improve the ratings of various sites in Google and other search engines. The latter is often done by publicized commercial companies.

I hope by the end of this post to demonstrate how serious blog spam is, or at the very least that it deserves some extra attention if you dismissed it in the past.

First off, comment spam is abuse. Abuse isn't new, and as soon as a system shows up it will be abused. If not today, then 10 years from now. It has long been an established yet not widely known fact that if there are mistakes that can happen, they will happen. Leaving a potential problem alive just because no one currently exploits it is terrible, and yet it keeps happening. If the power grid for a significant part of the US can go down once every several years, so can any other system (if going down is the worst that can happen).

This is only relevant to comment spam in the way it is relevant to every other security-related issue, and why is that? Because comment spam indeed isn't a new thing. Anyone remember how big guest books used to be in the previous century? :) And what about referrer spam?

Some interesting things I noticed about what I now newly name web spam / web content poisoning or cspam (for comment spam) [making a point about how silly it is to give new names to spam when it skips a medium.. what's your favorite? spit?]:

Automated spam is spam sent by a bulk-poster (taken from bulk-mailer). It enters web pages and posts spam. Recently we have seen a serious increase in comment spam activity; namely, on one web page I recently started to help maintain we get over 1000 spam comments a day. I won't even start discussing the referrer spam poisoning we get.

The spam is no longer sent from just one IP address, or even just a few. Botnets are indeed blossoming in this field.

Recently there has been a serious increase in spam, coupled with the fact that it passes current spam detection techniques (such as blacklisting of IP addresses and spammed domains, JavaScript captchas, number of URLs in a comment, keywords - useless anyway, some user captchas, etc.). Apparently there is a new bot out there which passes these previously successful defenses. Further, anti-spam technology in this realm is in no way mature or tried. Mostly it consists of heroic and very impressive efforts by people who are annoyed by the spam on their blog. So far it has been rather successful, but that success window is running out.

As an example, spammers have started posting using a technique which quotes the last paragraph of your text, or starts the post with something relevant and then adds: "Oh, by the way, have you tried Viagra?" On other occasions we see spam posts that detail how the guy searched the web for law-related stuff but ended up here. BTW, if you are also interested in law... check out this page!

My all-time favorites are the posts that say: "Great blog! Keep up the good work!" "I liked what you've done here, keep it up!" etc., entering the spam URL as their homepage, which is clickable from their nickname. Recently we have even seen one post that said: "Where do I find the RSS feed for this blog?" Sometimes it is very difficult to avoid false positives, even with a skilled human doing this full-time.

Another type of spam we see is manual spam. People enter the web page with their actual browser and type the spam manually. How much does a skilled illegal alien worker cost per day? One such spam was recently posted on the site I mentioned (guess which one) in a blog entry about Symantec. It talked of Symantec and suddenly changed tone, saying that their anti-spam (of all things) had failed them. It suggested using a competitor which worked for them.

When looking at the attacking bots, what we mostly find these days is:
45% open proxies
40% compromised machines
10% misc
5% unknown
(I haven't actually calculated the numbers, but that's roughly right.) Misc being anything from a completely open installation of a VNC server to.. your guess is as good as mine.

Examples of captured spam and Google-poisoning attempts are abundant, so I won't bore you. Suffice to say every blog gets very specific spam surrounding its topic, as well as the usual peaks in this or that type of spam. Lately the house special is pharmacy spam. Referrer spam is still mostly about porn.

Looking at gangs, we managed, as an example, to identify a very big eastern European gang (probably one noisy guy or gal), but when they noticed our attention they disappeared for a while.

Another important point to make is the domains used. Much like with email spam, these change very frequently and seem to be registered in bulk. I don't doubt these are the same people.

I am now talking with many who are active in this field, and we are establishing a working group/mailing list to address these issues operationally, mitigation-wise, as well as to research new trends, bad guys, etc. Some of the already proposed solutions we are working on are better blacklisting services, combining different types of such poisoning in web applications, from comments to referrers, and other things I'd rather not discuss right now until they are a bit clearer.

I hope I managed to convince some people of how big this really is. We have all heard of blog spam; I and many people around me just didn't realize the scale until we started working on it. I figured it's time to let others know as well. Something can be done about this now to make it less of a threat in coming years. I bet most of us would wait until we have to fight it like a fire, so that it keeps undergoing evolution and comes back to haunt us.

If I haven't convinced you yet of the risks, there have already been successful worms exploiting such techniques; some examples:
http://blogs.securiteam.com/index.php/archives/180
http://blogs.securiteam.com/index.php/archives/166

I will post updates on my (and our) findings on this subject on the SecuriTeam Blogs site (http://blogs.securiteam.com/). This quick & dirty write-up can be found here: http://blogs.securiteam.com/index.php/archives/285

Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
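Editor's added example (not code from Gadi Evron's post or from SecuriTeam): a toy scoring filter that implements the checks the post lists as being bypassed (IP and domain blacklists, URL count, keywords) and runs them over constructed comments that mirror the evasions described above ("Great blog!" with the spam URL only in the homepage field, the quoted-paragraph trick, the RSS question). It goes one step past the post by applying the same domain blacklist to the referrer field of access-log lines, the kind of combined comment/referrer blacklisting the post says the working group is pursuing. Every domain, IP address, comment and log line is constructed for illustration; the weights and threshold are arbitrary.

```python
"""Toy comment-spam and referrer-spam scoring filter.

Added example for this page, not code from the post. All domains, IP
addresses, comments and log lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed blacklists (hypothetical names in the .example TLD).
SPAMMED_DOMAINS = {"cheap-pills.example", "best-law-site.example"}
BLACKLISTED_IPS = {"203.0.113.7"}          # e.g. a known open proxy
# Keyword list; the post notes keyword matching is nearly useless on its own.
SPAM_KEYWORDS = {"viagra", "pharmacy", "casino"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
HOLD_THRESHOLD = 2   # score at or above this: hold the comment for moderation


def domain_of(url):
    """Host part of a URL, lower-cased, without a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def score_comment(comment, max_urls=2):
    """Score a comment dict {'body', 'homepage', 'ip'}.

    Returns (score, reasons). Weak signals (URL count, keywords) weigh 1,
    a blacklisted source IP weighs 2, a blacklisted domain weighs 3. The
    homepage field is checked too, because that is where the "Great blog!"
    style posts put their only link.
    """
    reasons = []
    body = comment["body"]
    urls = URL_RE.findall(body)
    if len(urls) > max_urls:
        reasons.append(("too many urls", 1))
    if any(word in body.lower() for word in SPAM_KEYWORDS):
        reasons.append(("spam keyword", 1))
    if comment.get("ip") in BLACKLISTED_IPS:
        reasons.append(("blacklisted ip", 2))
    homepage = comment.get("homepage")
    for url in urls + ([homepage] if homepage else []):
        dom = domain_of(url)
        if dom in SPAMMED_DOMAINS:
            reasons.append(("blacklisted domain " + dom, 3))
    return sum(weight for _, weight in reasons), [why for why, _ in reasons]


def hold_for_moderation(comment):
    return score_comment(comment)[0] >= HOLD_THRESHOLD


def referrer_spam(log_line):
    """True if a combined-format access-log line carries a blacklisted referrer."""
    m = LOG_RE.match(log_line)
    if not m:
        return False
    referer = m.group("referer")
    return referer != "-" and domain_of(referer) in SPAMMED_DOMAINS


# Constructed sample comments mirroring the patterns the post describes.
GREAT_BLOG = {"body": "Great blog! Keep up the good work!",
              "homepage": "http://www.cheap-pills.example/", "ip": "198.51.100.4"}
QUOTED_PARAGRAPH = {"body": ("Referrer spam is still mostly about porn. "
                             "Oh, by the way, have you tried Viagra? "
                             "http://cheap-pills.example/buy"),
                    "homepage": None, "ip": "203.0.113.7"}
RSS_QUESTION = {"body": "Where do I find the RSS feed for this blog?",
                "homepage": "http://example.org/", "ip": "192.0.2.1"}

# Constructed access-log lines (combined format).
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2005:12:00:00 +0000] "GET /archives/285 HTTP/1.1" 200 1234 '
    '"http://best-law-site.example/cheap" "Mozilla/4.0"',
    '192.0.2.1 - - [10/Mar/2005:12:00:01 +0000] "GET /archives/285 HTTP/1.1" 200 1234 '
    '"http://example.org/links" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, c in [("great blog", GREAT_BLOG), ("quoted paragraph", QUOTED_PARAGRAPH),
                    ("rss question", RSS_QUESTION)]:
        print(name, score_comment(c), "HOLD" if hold_for_moderation(c) else "pass")
    for line in LOG_LINES:
        print("referrer spam" if referrer_spam(line) else "clean", line.split('"')[3])
```

Running it shows the point the post makes: the "Great blog!" comment scores nothing on body-only checks (no URLs in the body, no keywords) and is caught only because the homepage field is checked against the domain blacklist; the RSS question with a homepage on an unlisted domain scores 0 and cannot be separated from a genuine reader by these rules at all, which is why the post says false positives are hard to avoid even for a human.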