I think I’ve been hit with a new kind of insidious comment spam. At about four this morning I got a comment on an old entry that said:
Well, I just wanted to sign a blog on the first time in my life :))
Kind of cute, right? Isn’t that nice that some guy, “James Hatchkinson,” came across my site and was so enamored that he decided to leave a comment, his frist ever. Well, two minutes later the exact same comment, URL, and name was left on the WordPress blog. Clue #1.
The URL he left as his with his comment is
nositeyet.com, which I’m not going to link because this may be this spam’s whole point. I clicked the URL from the comment before realizing it was probably just a newbie way of saying “I don’t have a site yet.” People I know have left similar things for their URL in the past. Well, the link takes you to some sort of web company with a hideous flash intro and an equally mediocre web site. Hmmmmm. Clue #2.
Clue #3, each comment came from radically different IP addresses. Let’s give this guy incredible benefit of the doubt and say just maybe he was a newbie user who just came upon an old entry, left a silly comment with what he thought was a fake website, and then continued browsing to another one of my sites, went to a slightly old entry, and left the same comment. So why did his IP change? The first comment came from
18.104.22.168, which resolves to
anaconda.pacwan.net, and the second from
22.214.171.124, which is a proxy of some sort. Most users, especially the type that would leave this sort of comment, don’t randomly start using proxies mid-browsing. Strike three.
<noscript> tag and images. Time to grep the raw logs. No referrer, none of any of the usual signs you would see in a log entry. Here’s the relevant lines from my photomatt.net logs:
126.96.36.199.proxycache.rima-tde.net - - [18/Sep/2003:04:03:50 -0500] "GET /p644 HTTP/1.0" 301 303 "-" "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
188.8.131.52.proxycache.rima-tde.net - - [18/Sep/2003:04:03:54 -0500] "GET /p644 HTTP/1.0" 200 15796 "-" "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
184.108.40.206.proxycache.rima-tde.net - - [18/Sep/2003:04:03:56 -0500] "POST /b2comments.post.php HTTP/1.1" 302 5 "-" "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
And from wordpress.org:
anaconda.pacwan.net - - [18/Sep/2003:04:01:35 -0500] "GET /development/archives/39 HTTP/1.0" 200 7220 "-" "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
anaconda.pacwan.net - - [18/Sep/2003:04:01:40 -0500] "POST /development/b2comments.post.php HTTP/1.0" 302 0 "-" "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
There’s got to be a good story behind this. If this is indeed malicious comment spam then this is the most clever I’ve seen yet. If I hadn’t been the author of two posts he spammed and gotten the email notification I never would have suspected a thing. Has anyone else seen this?
What’s worrying about this whole thing is IP filtering (reactive) techniques that are usually used to block comment spam or content filtering (proactive) techniques which we’ve been experimenting with on WordPress wouldn’t catch this guy. In fact I can’t think of any good way to preemptively block this sort of thing. If Google didn’t give blogs so much credence we wouldn’t be having this problem. I suppose now we have to watch every comment with an eagle eye, on the lookout for anything suspicious.