Are spammers masking themselves with innocent posts?


I had recently been getting increasing amounts of spam comments and I was wondering why. You probably hadn’t noticed this, though, thanks to WordPress’ excellent spam detection, which has so far done a very good job of detecting suspicious comments.

Up until today.

Today, a single spam comment got through the detection. I had received comments exactly like this one earlier, and they had been flagged automatically. Why did this single comment get through?

A masquerade of innocence

I had also recently received a couple of obviously programmatically sent comments: all had the same author, same link, same email and same message. What made me wonder about their purpose was that they looked absolutely “innocent”:

  • Author was a real name
  • The homepage link was just Google
  • The email address looked like something you might type yourself to spare yourself from writing your real address
  • The comment had absolutely no links or anything. Just a message about liking my site.

A Google search for the content of the comment confirmed it: it was obviously sent by a program, as Google returned hundreds of results with exactly the same comment text.

Why would a spammer send seemingly harmless comments?

To mask their future harmful comments.

A guy on IRC told me that he had visited my blog and immediately saw a spam comment. It was the single comment that WordPress hadn’t detected as spam but which actually was spam. I started to wonder why WP hadn’t detected it, when it had detected the others. I also mentioned to him the seemingly harmless comments I had received. He told me that perhaps the spammer was establishing a presence on my blog.

I started looking at the IP addresses of the harmless comments and comparing them to the spammy comments I had received.

And indeed, one of the IPs matched. This leads to the conclusion that the harmless posts are posted only to fool spam detection. If a comment from a specific IP address is accepted once, it’s very likely that a simple spam detection method will allow future comments from the same IP address as well, on the assumption that a sender whose initial comment was safe must still be safe.

Conclusion

Always, always, always delete (or mark as spam if your blog software has the option) any posts that look like they might be programmatically posted.

Two comments which are exactly the same? Delete.

Check the URL given as the user’s homepage, too. The comment might look real, but the homepage might be something else entirely.
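The three checks above (identical comment bodies, IP addresses shared with comments already marked as spam, and a homepage link that is just a generic site) can be run over an export of the comments table before deciding what to delete. The script below is an added example and not code from the original post or from WordPress; the comment records are constructed to mirror the pattern described (two identical “innocent” comments and one spam comment that slipped through, all from the same address), the IP addresses are taken from the documentation ranges rather than from real commenters, and the `GENERIC_HOSTS` list is an assumption you would tune for your own site.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records in the shape of a WordPress comments table.
# "flagged" means the blog software already marked the comment as spam.
# IPs come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_COMMENTS = [
    {"id": 1, "author": "John Smith", "email": "me@example.com", "url": "http://google.com",
     "ip": "203.0.113.5", "text": "Nice site, keep up the good work!", "flagged": False},
    {"id": 2, "author": "John Smith", "email": "me@example.com", "url": "http://google.com",
     "ip": "203.0.113.5", "text": "Nice site, keep up the good work!", "flagged": False},
    {"id": 3, "author": "cheap pills", "email": "x@example.net", "url": "http://pills.example",
     "ip": "203.0.113.5", "text": "Buy cheap pills at ...", "flagged": True},
    # Same body and same IP as #3, but this one got past the filter.
    {"id": 4, "author": "cheap pills", "email": "x@example.net", "url": "http://pills.example",
     "ip": "203.0.113.5", "text": "Buy cheap pills at ...", "flagged": False},
    {"id": 5, "author": "Alice", "email": "alice@example.org", "url": "",
     "ip": "198.51.100.7", "text": "I disagree with your second point because ...", "flagged": False},
]

# Hosts that are unlikely to be a commenter's own homepage (assumed list; extend for your site).
GENERIC_HOSTS = {"google.com", "www.google.com"}


def normalize(text):
    """Lowercase, drop punctuation and collapse whitespace so near-identical bodies compare equal."""
    return " ".join(re.sub(r"[^a-z0-9\s]", " ", text.lower()).split())


def find_duplicate_texts(comments):
    """Map each normalized body to the ids of comments sharing it; keep only bodies seen twice or more."""
    groups = defaultdict(list)
    for c in comments:
        groups[normalize(c["text"])].append(c["id"])
    return {body: ids for body, ids in groups.items() if len(ids) > 1}


def ips_seen_in_spam(comments):
    """IP addresses that appear on at least one comment already flagged as spam."""
    return {c["ip"] for c in comments if c["flagged"]}


def is_generic_homepage(url):
    """True when the homepage link points at a site nobody would list as their own homepage."""
    host = urlparse(url).hostname or ""
    return host.lower() in GENERIC_HOSTS


def review_queue(comments):
    """Unflagged comments mapped to the reasons they deserve a manual look (or deletion)."""
    dup_ids = {i for ids in find_duplicate_texts(comments).values() for i in ids}
    bad_ips = ips_seen_in_spam(comments)
    queue = {}
    for c in comments:
        if c["flagged"]:
            continue  # already handled by the spam filter
        reasons = []
        if c["id"] in dup_ids:
            reasons.append("duplicate-text")
        if c["ip"] in bad_ips:
            reasons.append("ip-seen-in-spam")
        if is_generic_homepage(c["url"]):
            reasons.append("generic-homepage")
        if reasons:
            queue[c["id"]] = reasons
    return queue


if __name__ == "__main__":
    for cid, reasons in review_queue(SAMPLE_COMMENTS).items():
        print(f"comment {cid}: {', '.join(reasons)}")
```

On the sample data the two “innocent” comments are queued for all three reasons and the spam comment that slipped through is caught by the IP overlap and the duplicate body, while the genuine comment from a different address is left alone. The IP check is the inverse of the trust the post describes: instead of an accepted comment vouching for later ones from the same address, a flagged comment casts suspicion on the earlier ones.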

If you are using WordPress, consider switching on the Akismet plugin. The plugin sends comments to the Akismet web service, which analyses the content and determines whether it’s spam or not. I’ve heard a lot of good things about it. I haven’t enabled it myself, but if the amount of spam continues to rise, I will.