Glen Pitt-Pladdy :: Blog

Blog Spamming

Well... it had to happen! Shortly after I enabled comments, the spam started pouring in, or rather, trying to.

Distributed, automated

I am seeing regular attempts to post URLs relating to pharmaceuticals on the comment system. The attempts are coming from a range of IP addresses and are using an MSIE 6.0 user agent string. Interestingly, they also try both HTTP/1.0 and HTTP/1.1. The timing of attempts seems to be coordinated between the different IP addresses that are participating in the attack - a group will often attack in quick succession.

This is a total waste of time for the spammers because not a single attempt has got past Recaptcha.

Additionally, various other limits I set simply for the sake of defensive programming are also flagging up the posts as bad. The posts are so blatantly spammy and attempt to include HTML that any reasonably well written comment system should easily reject them even without a captcha.

There ought to be a law....

Seeing as the spammers are not smart enough to write spambots that know when they are beaten and concentrate on high yield targets, this is now just becoming annoying and skewing stats significantly on the least popular articles.

I have taken the step of adding a very simple spam detection and banning mechanism to the site. Any IP address which trips these simple checks gets banned (they get 403s returned) for a pre-set time, and this includes detection of proxies so that the proxy and client combination gets banned.

Within minutes of adding this, the first two addresses got banned, and now that it's been running a few days there are very few attempts happening from addresses that aren't already blacklisted.

Altogether there are 25 blacklisted IPs now, which is very small as botnets go. What I find interesting is that now that these IPs are being 403'd away, they have started what appears to be an attempt to exploit a security flaw in WordPress, using all sorts of different user agents. Fortunately this ain't WordPress!
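The tripwire-and-ban mechanism described above, as an added example (not the blog's own code): a request that trips any of the simple checks gets its address banned for a fixed period and answered with a 403, and when the request arrives through a proxy the ban is keyed on the proxy and client pair rather than the proxy alone. The ban duration, the URL budget, the length limit and the in-memory ban table are assumptions; the post only says the checks are "very simple" and the ban lasts "a pre-set time".

```python
"""Minimal comment-spam tripwire with timed, proxy-aware IP bans.

Added example, not the blog's own implementation. Thresholds are assumed."""
import re
import time

BAN_SECONDS = 24 * 3600   # assumption: the post only says "a pre-set time"
MAX_URLS = 2              # assumption: more links than this in one comment is suspicious
MAX_LENGTH = 4000         # assumption: a crude size limit, as in defensive programming

HTML_TAG = re.compile(r"</?[a-z][^>]*>", re.I)   # any opening or closing HTML tag
URL_RE = re.compile(r"https?://", re.I)          # count of embedded URLs

# Ban table: ban key -> expiry timestamp. In a real deployment this would live in
# a database or shared cache so that all worker processes see the same bans.
BANS = {}


def ban_key(remote_addr, forwarded_for=None):
    """Identify the poster. If the request carries X-Forwarded-For it came via a
    proxy, so the ban is keyed on the (proxy, client) pair: the abusive client
    behind the proxy is banned without banning everyone else using that proxy."""
    if forwarded_for:
        client = forwarded_for.split(",")[0].strip()   # first hop = original client
        return f"{remote_addr}|{client}"
    return remote_addr


def tripped_checks(body):
    """Return the names of the simple checks a comment body trips (empty if clean)."""
    reasons = []
    if HTML_TAG.search(body):
        reasons.append("html")
    if len(URL_RE.findall(body)) > MAX_URLS:
        reasons.append("urls")
    if len(body) > MAX_LENGTH:
        reasons.append("length")
    return reasons


def is_banned(key, now, bans=BANS):
    """True while a ban is in force; expired entries are dropped on lookup."""
    expiry = bans.get(key)
    if expiry is None:
        return False
    if expiry <= now:
        del bans[key]
        return False
    return True


def screen_comment(body, remote_addr, forwarded_for=None, now=None, bans=BANS):
    """Return (http_status, reasons) for a comment submission.

    403 if the poster is already banned, 403 (and a fresh ban) if the post trips
    any check, otherwise 200 meaning "hand it on to the captcha and the rest"."""
    now = time.time() if now is None else now
    key = ban_key(remote_addr, forwarded_for)
    if is_banned(key, now, bans):
        return 403, ["banned"]
    reasons = tripped_checks(body)
    if reasons:
        bans[key] = now + BAN_SECONDS
        return 403, reasons
    return 200, []


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    print(screen_comment("Nice post, thanks.", "198.51.100.7"))
    print(screen_comment("<a href='http://example.invalid'>cheap pills</a>", "198.51.100.7"))
    print(screen_comment("Nice post, thanks.", "198.51.100.7"))   # now banned
```

The HTML check is deliberately blunt: a legitimate comment containing something like `a < b and c > d` would trip it, which is the trade-off the post accepts for blatantly spammy traffic. Expired bans are removed lazily on the next lookup, so the table never needs a separate sweeper for the handful of addresses involved here.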

Distributed defence

For email spam there are plenty of blacklisting services that aggregate spamming IPs, but there seems to be very limited use of this in blogging.

Blog Spam Blacklist seems to be one of the few around, and provides a simple DNS based solution, but was only catching around two thirds of the worst spamming IPs hitting this blog. This seems to be the only DNS based solution I can find. All the rest seem to have HTTP and/or XML APIs.

I might well add this in as an optional additional spam defence to the code. I should be able to also get this doing caching to reduce latency and load on upstream servers.

Update 16/2/2010

Yesterday I was hit by an enormous barrage of spamming attempts quite different to what I have seen to date. The spamming attempts accounted for about 4 times the typical daily traffic, but not one got past Recaptcha. The surprising thing for me is that someone thinks that such crude attempts at blog spamming are actually worthwhile.

I have added some more blacklisting checks, as well as adding Blog Spam Blacklist as an initial check when I get a post that fails. I am now blacklisting IPs in quantity again, and the blacklist has shot up to 38 IPs. It would have been much higher if I had these checks in before yesterday's barrage.
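The DNS based lookup with caching mentioned in the "Distributed defence" section and used here as an initial check on failed posts, as an added example (not the blog's code and not Blog Spam Blacklist's own client): the poster's IPv4 address is reversed octet by octet and queried under the blacklist zone, an answer means "listed" and NXDOMAIN means "not listed", and each answer is cached for a TTL so repeated attempts from the same botnet members do not cost a fresh upstream query. The zone name `dnsbl.example.invalid`, the cache TTL and the injectable `resolve` function are assumptions; the real service's zone would go in `DNSBL_ZONE`.

```python
"""DNS blacklist (DNSBL) lookup for comment posters, with a small TTL cache.

Added example, not the blog's code. The zone name and TTL are placeholders."""
import ipaddress
import socket
import time

DNSBL_ZONE = "dnsbl.example.invalid"   # assumption: substitute the real service's zone
CACHE_TTL = 3600                        # assumption: cache answers for an hour

# Cache: query name -> (listed, expiry timestamp)
_CACHE = {}


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet query name DNS blacklists use:
    198.51.100.7 -> 7.100.51.198.<zone>. Raises ValueError for non-IPv4 input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def default_resolve(name):
    """Real lookup: any A record means listed, NXDOMAIN (gaierror) means not listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def is_listed(ip, resolve=default_resolve, now=None, cache=_CACHE, ttl=CACHE_TTL):
    """Return True if the address is on the blacklist, using the cache when fresh."""
    now = time.time() if now is None else now
    try:
        name = dnsbl_name(ip)
    except ValueError:
        return False   # IPv6 or garbage: this zone only covers IPv4, so don't block
    hit = cache.get(name)
    if hit is not None and hit[1] > now:
        return hit[0]                       # fresh cached answer, no upstream query
    listed = resolve(name)
    cache[name] = (listed, now + ttl)
    return listed


def initial_check_on_failed_post(ip, resolve=default_resolve, now=None, cache=_CACHE):
    """The post's flow: a submission that has already failed the local checks is
    looked up in the DNSBL first; a listed address is banned outright, an unlisted
    one falls through to the site's own tripwire logic."""
    return "ban" if is_listed(ip, resolve=resolve, now=now, cache=cache) else "local-checks"


if __name__ == "__main__":
    # Constructed sample: a fake resolver that lists one address, so this runs offline.
    def fake_resolve(name):
        return name.startswith("7.100.51.198.")

    print(initial_check_on_failed_post("198.51.100.7", resolve=fake_resolve))
    print(initial_check_on_failed_post("203.0.113.9", resolve=fake_resolve))
```

Keeping the resolver injectable is what makes the cache testable offline and also makes it easy to bolt on a timeout or a resolver library later; `socket.gethostbyname` as used here honours the system resolver's timeout, which is the latency the post wants the cache to hide.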
