Ho John Lee’s Weblog

The past couple of days I’ve received a few hundred comment spams from “Kelly Ronald”, “John Reed”, “Nicholas Truman”, “Peter Back”, and “Alexander Kolt”, from IP addresses in Mexico, Taiwan, France, Australia, and California, among others. Most of them are tagged by the stopword list, but it’s a reminder that I should revisit the antispam implementation while I’m reworking the site. For now, I’m making good use of the bulk comment edit feature in Wordpress.

Jeff Clavier appears to have gotten the same treatment:

If you are like me, you got blasted by “friendly” comments from Alexander Kolt, Nicolas Trumen, John Reed, Peter Back, and Kelly Ronald – all praising your blog, your posts and yourself.
This new generation of comment spam is more clever than previous but for one thing - the fact that spammers are picking old posts that are not commented upon anymore. Otherwise they use legit blogs/blog posts and in a few cases, it is not even clear which web site they are “pimping”

Jeff also turned up a security blog with additional info:

We have experienced a “massive attack” of SPAM on our blogging system from various hosts all pointing to two websites:
http://www.cosmicbuddha.com/blog/archives/ 001169.html (I have broken the URL intentionally)
And
http://anthony.ianniciello.net/blog/archives/ 000079.html (I have again broken the URL intentionally)
The comments contained very brief sentences and links to the above web sites.
From what it looks like it was an act of an attack against automatic blacklisting and un-moderated comments, probably not conducted by authors’ of the above blogs.

The author of at least one of the sites linked to in this spam run doesn’t seem to be responsible, he’s got a comment on the post linked above, and one of his posts has effectively been taken over by the discussion about how he ended up as one of the two target links in the posted spam comments.

This batch of spam seems a bit random. The typical spam postings I see here try to link to spamblogs and commercial sites. None of the linked sites in this set appear to benefit from the spam. So perhaps this is a test run for something in development. Wonderful thought.

Separately, I’ve also seen a number of attempts to send spam e-mail through a hard coded PHP mail form. Bill Lazar mentions seeing some similar traffic on his site:

In the last few days, though, somebody or someone’s script has found the form and is filling it out repeatedly. I guess the idea is that a useful percentage of web forms will trigger an automated response that’s of interest to the programmer though just what isn’t clear to me. The script fills in the form fields with the same data, an email address of a four or five character random group of letters (such as xtpku) at this domain.

The bad formmail posts are originating from 213.114.195.37 and 66.166.127.226, among others. I don’t think it’s actually succeeding in getting mail sent anywhere, but it’s clogging up the administrative mailbox with failure messages.

Update 09-14-2005 16:20 PDT: Updating to WP-Contact Form 1.3 seems to help. Still seeing attempted spam from new IP addresses, including 62.93.34.155, 67.169.28.125, 146.83.216.207, 206.206.126.44, and 210.0.200.2. Hopefully they’ll figure out that it’s not working and move on.

This entry was posted on Saturday, September 10th, 2005 at 10:44 pm and is filed under Web Site Development, Front Page. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.