Site abuse

by Volker Weber

About three weeks ago I told you that attempts to spam my comments was up to 1,000 a day. Now we are at 1,000 an hour, most of them from a host in the Ukraine which spams through numerous proxies. Locked out now:

RewriteCond %{HTTP_FORWARDED} ^195\.225\.176\.87$ [OR]
RewriteCond %{HTTP:X-Forwarded} ^195\.225\.176\.87$ [OR]
RewriteCond %{HTTP:forwarded-for} ^195\.225\.176\.87$ [OR]
RewriteCond %{HTTP:X-forwarded-for} ^195\.225\.176\.87$
RewriteRule (.*) [F,L]

I could see this coming, since this spammer was first deploying a robot spidering the whole site, as described three weeks ago. Beware: If you like to surf the web using an anonymous/open proxy you will be unable to access in a few days from now. This is the next hole I have to close.

Do you remember when people proposed to fight comment spam by placing all comments on a moderation queue? How would you deal with a queue of 25,000 comments a day?

I am receiving about 2,500 legitimate hits an hour. At 1,000 an hour, abusive traffic is now accounting for 30% of the hits. If this goes past 90% it is probably time to close shop.


I'm currently deleting about 200 a day. I put in code to stop any containing the word ringtones and that removed about 200 additional ones a day. The posts on mine are coming from Russia.

Carl Tyler, 2006-07-17

It sucks being on top Vowe ;-)

Bruce Elgort, 2006-07-17

If this goes past 90% it is probably time to close shop.
Are you serious? Then you will punish all your visitors for the spam.

Martin Hiegl, 2006-07-17

@Martin: Let's just hope it doesn't get this far. I'm sure, vowe would love to keep it running, but I can totally understand that this is inacceptable.

My own site really doesn't get many visitors, maybe two or three a week. Well, there's nothing much to see there other than a webcam which a few friends and my girlfriend like to take a peek at every now and then. Nevertheless, I started to receive increasing amounts of spam in my guestbook. I started to check for the referrer to be correct. This was easily implemented and gave me peace for about two or three months. Now it's back up and over 50 spam posts a day. Remember: a website with basically no traffic! I locked the guestbook, but for the fun of it, I left the script processing the posts available, just commented out the file writing code. I still receive an email message (which is moved directly to a special folder so it doesn't bother me much). It's ridicoulous how these punks still submit comments imitating a form that's no longer there.

This brought me to a new idea: If you'd change the name of the script which is processing the posts say every week (frequency to be adapted to individual needs). The UI would of course be updated, so regular users don't notice anything. Spammers though would submit to a script that no longer exists. Of course, it's again a rat race: change the name faster than they notice. I might give this a try (and in my niche case it might actually work).

Ragnar Schierholz, 2006-07-17

@Martin: I cannot follow your logic: A private website like this is a gift to the readers that can be taken away at *any* time without reason. Don't expect any guarantees.

However, let's hope, the spam problem is somehow to be solved, as I would really miss this site. I am in the same situation as Ragnar and am very surprised, my site gets spammed that much, as I am filtering out *any* spam comment. There is no reason for spammers to post spam comments on my site, except for producing work for me. They won't ever gain anything from it: Either no comment is published or the site is taken off the web. So what is it for?

I think the comment spam problem should be viewed from a non-individual point of view: Most weblogs seem not to filter spam comments, and therefore spammers are able to increase the number of links to their sites. One or the other weblog, that filters comment spam does not really count.

As a sidenote, since I use Akismet, I have no problems with comment spam anymore. It seems to work quite nice (well, I don't have many serious comments at all), the real comments get filtered *in* successfully.

Moritz Petersen, 2006-07-17

On the other hand, in the whole time I have been looking at 'blogs' in the sense of short publishing cycles + comments I may have come across 1 or 2 spam comments in total, so it's hard to see what's in it for spammers. Even so, I am probably not a representative internet reader, who knows...

Frank-Leonardo Quednau, 2006-07-17

Yes, it would be a real shame, if Volker succumbed to the Net-terrorists. It would be (on a smaller scale, though) the same as giving in human rights to counter crime and terrorism...
On the technical side:
What about captcha, an everchanging script-name for posting comments or whatever...

Mike Hartmann, 2006-07-17

What did you just enter, when you posted your comment?

Volker Weber, 2006-07-17

I did what Ragnar describes months ago and the Globalsquid spammers keep writing to my non-existant guestbook several times a day - even though their spam never shows up anymore!

I don't get it.

Hanno Müller, 2006-07-17

Moritz, what logic? I just stated that closing this non-blog would not really hurt the spamers but the real visitors. Does this not sound logical to you? This has nothing to do with expecting guarantees or anything like that - it's just writing down a fact (and maybe a little compliment).

Martin Hiegl, 2006-07-17

Just authenticate all comment posters with a system like this?


Ben Rose, 2006-07-17

Maybe this would confuse the spam robots? At least for a short while.

scode is not safe anymore :-(

Ole Saalmann, 2006-07-17

there is a new captcha engine in town: this could actualy be fun.

Giuseppe Grasso, 2006-07-17

I think a few of you are missing my point.

Currently I am quite able to keep the spambots from posting comments. The captcha is not the only measure. Once in a while a human spammer (or our resident idiot) posts a comment, but that is quickly rectified.

My point is, or better my two points are:

What worries me is the size of the assault. If only ONE bot succeeds, the site is destroyed. I am not going to remove n thousand comments. And I am not going to leave them posted.

What bothers me is the amount of abusive traffic, currently more than 1 in 4 hits are spam attempts. If we get to 9 out of 10, then my tolerance level is reached.

Volker Weber, 2006-07-17

Now I understand! In that case I hope that your legitimate traffic increases more than your abuse traffic, so the 90% level stays out of reach !!! (btw - thanks for a great site)

Richard Hogan, 2006-07-17

Would be a shame to show white flag for Spam. I know that page now for about 7 days and I really enjoy reading it. Although I really can understand you, I wonder if there is no solution for it, you can't stop the robots to visit your site but to post comments :)

Nicolas Kübler, 2006-07-17

Obviously, the cure for the second point is a lot harder to find. Even if you could have anti-spam measures smart enough to filter out enough of the posted spam, it's probably next to impossible to prevent these punks from trying. Let's hope for the best!

Maybe we need a fund to keep vowe alive. From this fund a bigger, better box could be financed and maybe also some work hours to maintain smart protective measures. And to make the effort worth it, the infrastructure is scaled such that anyone who pays into the fund can host their blog on it as well. :-)

Ragnar Schierholz, 2006-07-17

I cannot believe that this is a budget problem, traffic costs next to nothing in Germany.

Henning Heinz, 2006-07-17

Ragnar, this is not about money.

Volker Weber, 2006-07-17

Rule 7 -- Those who say "It's not about the money" mean "It's about the money..."

Long time, no post ;-)

Eric Parsons, 2006-07-18

Whatever you say, Eric.

Volker Weber, 2006-07-18

@Eric - It isn't about money. It's about scale.

Volker has said that very few unwanted comments currently make it past the array of countermeasures he has deployed and those are all from humans and easily dealt with.

BUT... The scale of the robotic attacks is now so big though that should just one attack succeed, tens of thousands of spam comments would be the result and, rather than clean it up, he would just pull the plug on I agree that this would be an appropriate, if regrettable response.

Here's the thing Volker. Around 90% (more at weekends) of attempts to deliver email here are already spam or malware and a few do succeed (always spam, never malware). Does this mean that we should pull the plug on email? No because the few exceptions that make it past the countermeasures are still easily dealt with. If it should come to pass that a significant proportion of spam attempts were successful, then the usefulness of email would have been reduced to the point at which it was no further practical use and we may consider pulling the plug.

The trigger is successful spam, surely? Not the 90% of unsuccessful attempts?

Chris Linfoot, 2006-07-18

Spammers hit cgi. Cgi hits the CPU. Thus spammers hit every user, every other site on the same machine, and thus hurt everyone. It isn't only the dirt they are trying to pour into the site, it is also the banging on the door.

Volker Weber, 2006-07-18

And btw: Every since I started reflecting his attempts back to his own machine, he has either given up, or killed his machine. Maybe it also helped that I blocked Iran and Jordan from accessing

Volker Weber, 2006-07-18

I understand. Can you estmate the amount of CPU wasted in this way? Just curious.

Glad to know you've dealt with this pest but there are plenty of other open proxies outside of Iran and Jordan, sadly.

Chris Linfoot, 2006-07-18

Sure it's not about the money, but still infrastructure and helpful people with extra time could be a cure. And this costs money. Not that would really see this an easily set up solution, but...

Ragnar Schierholz, 2006-07-18

It may also possible that the spammer's machine was recently hit by an Israeli missile ;-) Dough.

Btw: Martin I understand what you mean :-)

Moritz Petersen, 2006-07-18

Spam comments seem to have dropped back to below-normal levels in the last few days, don't they? (Mine have dropped to less than a tenth of what they were last week). Perhaps an Israeli missile really did do the trick ;-)

John Keys, 2006-07-19

Old archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.


Paypal vowe