Best way to report blog/guestbook spam?

[blujay]

I have a customized PHP guestbook scri_pt on a site of mine. Back in March it started getting hit by blog/guestbook spammers. Their stupid scripts put fake names and aliases in the name field, and stuff URLs in the comment field, and sometimes the "your web site" field too. Lately they've been making comments like, "Nice site, I like the design. Check out my site: http://...", which is really rude and annoying.

It's easy enough to block; just deny any post that contains "http://" in it, and also put a select box on the form that asks, "Are you a human being? yes/no/blank", which defaults to blank. None of the spammers' scripts are smart enough to answer that question.

I have the scri_pt set to e-mail me when it gets spammed, and I get the date/time, entire post, and the IP address it came from.

What is the best way to deal with this? I've been getting hit by several IPs, but one of them has been going on for months. I've reported it to the ISP at least six times, and they always respond with a message saying that they can't tell me what they do about it...which is, of course, nothing.

It seems to me that we need a "SpamCop" for this. There should be a common format for entering the data, and the "SpamCop" should parse it and report it to the ISP of the origin and the ISP of the site that's being spamvertised. Then it would be simple to have the blog/guestbook scri_pt report the spam posts in a common format that could be forwarded directly to the "SpamCop".

With no "SpamCop" for this type of spam, it seems to me like a nice way for the spammers to avoid getting caught.

Any ideas? I'm tired of manually reporting it every time, but I'm also tired of getting the spam. And I'm really annoyed at this ISP that ignores the ongoing spammer from the same IP address for months.

[Wazoo]

I have a customized PHP guestbook scri_pt on a site of mine. Back in March it started getting hit by blog/guestbook spammers. Their stupid scripts put fake names and aliases in the name field, and stuff URLs in the comment field, and sometimes the "your web site" field too. Lately they've been making comments like, "Nice site, I like the design. Check out my site: http://...", which is really rude and annoying.

Yep, that's the current passion, comment / blog / forum /wiki spamming ... the URL thing is an attempt to feed the search engines garbage also ...

It's easy enough to block; just deny any post that contains "http://" in it, and also put a select box on the form that asks, "Are you a human being? yes/no/blank", which defaults to blank. None of the spammers' scripts are smart enough to answer that question.

If your site is 'famous' enough, just give it time ....

I have the scri_pt set to e-mail me when it gets spammed, and I get the date/time, entire post, and the IP address it came from.

A lot of ISPs would state that this isn't sufficient data ... basically all you've indicated is something someone could simply type up in an editor and send ... hardly 'proof' of anything ...

What is the best way to deal with this? I've been getting hit by several IPs, but one of them has been going on for months. I've reported it to the ISP at least six times, and they always respond with a message saying that they can't tell me what they do about it...which is, of course, nothing.

My report is (at least) a snippet of the server logs and the 'bad' data .... Note the time offset, any other pertinent details .. and just as in spam reporting, the results still depend on the ISP involved ...

It seems to me that we need a "SpamCop" for this. There should be a common format for entering the data, and the "SpamCop" should parse it and report it to the ISP of the origin and the ISP of the site that's being spamvertised. Then it would be simple to have the blog/guestbook scri_pt report the spam posts in a common format that could be forwarded directly to the "SpamCop".

As hinted st, that'd be great, but ... same problems involved ... not all folks have access to the server logs, most wouldn't know how to snag the details, and then getting that data into an "appropriate submittal format" ....

With no "SpamCop" for this type of spam, it seems to me like a nice way for the spammers to avoid getting caught.

Just as with spam, the majority of the problem is that most of the IP addresses involved end up being abused / open proxies .... thousands of new ones every day .... but that gets back to the "problem" of ISP / cutomer relations .. some ISPs just don't have a handle on the cost / impact of allowing one of their customers to continue to remain connected ... and simply don't see the need to advise their customers that they are idiots and deny them service ..... some "abuse" / tech desk folks don't have this kind of stuff in their scri_pt book ....

[blujay]

So basically you're saying that the only thing you recommend is to keep reporting it manually? *sigh* Are we witnessing the beginning of a new era of a new kind of spam, which will take years before people start to seriously regard it as a problem and start to fight it?

[Telarin]

Short answer: Yes, we are seeing a new era of "web spam". I have several bot traps set up on my website. When a bot hits one of them, the IP address is automatically added to the "denied" list of addresses. The bot trap is set up in such a way that a human can't reach it without a lot of effort and knowledge of html, and is excluded in robots.txt so search engines and well behaved bots don't get themselves banned. However, dumn spam bots and email harvesters hit it almost every day. It is located in such a way that it is usually the first page loaded after default.asp to minimize potential damage done by the bot. This has worked extremely well for me and keeps bots from posting in our contact forms.

[Kazung-Q]

I'm having the same problem with my website: my guestbook, contactform & several other form are being ovrrun by spam (serveral 100ds a day). I've managed to solved this quite crappy (at the very beginning I check a few of the POST-variables for forbidden words like "viagra", "v1agra" etc and if so the page gets rederected to my index file. It's crappy, but it works...For now). I also log all those events (for a while to find patterns) but they use several hundreds of IPadresses all over the world. So unless a few of them are being used like a lot I doesn't make sense to block them.

So I'm wondering how you did it Telarin? Your solution seems pretty tight! Could you explain how it's done? (or via email if you'd rather not put it publicly?)

thanks in advance!

[Telarin]

- Edit: Ok, thats wierd the boards ate 3/4 of my post when I hit submit...

Sure! Here are the details of how I did it.

In default.asp (which is the first index/defaut file loaded on the site, I have two hidden links in it to my "bot trap" file). The links are hidden in HTML Comment tags <!-- <a href=hiddenlink.asp>no link here</a> --> so that a human browser can never see the links. Most web harvesters ignore the comment <!-- --> tags completely because they are only looking for href tags, so they go ahead and follow it.

To prevent legitimate robots (Google, Yahoo, etc) from following the link, it is Disallowed in the robots.txt file. If you're not familiar with robots.txt, you can visit robotstxt.org for more detailed info.

The link is placed at both the beginning and end of the default.asp page, because some bots visit links in the order seen, some of them in reverse of the order seen, this way you catch them as quickly as possible.

Once a bot hits the bot trap page, their IP address is logged to a database.

At the top of each of your active asp or php pages, you check your database against the visitors IP. If they are listed, in asp you do the following:

response.status = 403

response.write("Access Denied: Bad Robot detected from this IP")

response.end

simple as that.

You could also use some kind of Captcha test to require the posted to prove themselves human. More info on that here.

[Kazung-Q]

thanx! pretty straight forward too ;o)

I know the captcha-tests, but I find them mainly annoying and I'd rather not bug my visitors with it (unless as a last resort). more captcha at http://www.kittenauth.com/

[luisr]

Hi there! This is my first post here. I found this board while googleing for "guestbook spam". I have a couple of web sites I maintain and there is a custom-made guestbook scri_pt that handles guestbooks for some of the sites. One of them has been attacked very hard by spammers in the order of 10 to 20 attempts per day. After some experimentation I found three things that can be implemented in custom-made scripts that will effectively block more than 97% of all spam attempts.

1. Block unauthorized post attempts not coming from the scri_pt-generated form. My guestbook log shows that 75% of all spam attempts do not have a referer URL. The scri_pt is set to check the HTTP_REFERER variable and if the domain name(s) where the scri_pt resides is not found in this variable the scri_pt will return a 403 Forbidden error code. This can be easily forged but it has proven to be extremely effective since robots do not send the referer URL in the HTTP request. Valid requests made by humans that clicked through the proper links to fill the form and post come with the URL of the scri_pt-generated form as the referer. This URL of course, contains the domain name.

2. Use a word filter. This can be tedious initially but it is very effective. I visited various spammed guestbook and harvested hundreds of keywords used by spammers such as drug names and domain names. If any word used in the post is found in the bad word list the post is rejected. Half of all spam attemtps that managed to get through item 1 above were blocked through the word filter. This has the advantage of getting stronger over time because if any spammer gets through you can always find the keywords used by the spammer than can be subsequently blocked. It is very interesting to note that intentional misspellings as found in e-mail spam are very rare in guestbook spam, so the word filter is very effective.

3. Less obvious but DO NOT use standard names in form fields if possible. Robots seem to look for field names such as "name", "email", "url", "comments". I found this by chance after noticing that one of my guestbooks seemed to be immune to guestbook spam as it never even gets attacked by spammers. That particular guestbook has form field names in Spanish (site is in Spanish). Another site also in Spanish but with guestbook form field names in English (standard names) got attacked every now and then. This may be impractical to implement in existing guestbooks, though.

Items 1 and 2 can be implemented without a lot of work in custom-made scripts or in ready-made scripts if you have the source code and are proficient in the language used.

Another less effective way is to block the IP address but these guys only use a certain address for a few days and then move on.

I do not consider renaming the guestbook a good solution because the spammers will eventually find it again.

The measures I discussed here have the advantage of being completely invisible to legitimate users.

Hope this information is helpful as I have found that implementing these controls are extremely effective, blocking 97% of all spam attempts in one guestbook and completely eliminating spam in the other which was getting ocassional spam posts.

[Telarin]

Good ideas, however, you may want to be careful with #1. A number of "Internet Security" packages, most notably Norton Internet Security block the HTTP_REFFERER variable by default. I'm not sure what the value in that is from a security standpoint, but I've seen a number of instances over my years of doing computer support where people can't use websites because the site is ussing the HTTP_REFFERER data for security checking like you suggest.

[btech]

I used to get A LOT of those on a freebie guestbook I had.. I used to manually report them... then I got rid of the guestbook.

For my blog, I use verification codes that are built into the program ( http://boastology.com/ BTW) Never had any spam *knock on wood* as of yet. I also have word filters and IP blocking available, but I honestly never need them with the image verification system.

[luisr]

Good ideas, however, you may want to be careful with #1. A number of "Internet Security" packages, most notably Norton Internet Security block the HTTP_REFFERER variable by default.

Well, I chose to make that the price of not having spam. I tried turning off the referrer verification to see if it made any difference and boy!!! in a matter of minutes a spammer posted twice slipping right through the word filter. Needless to say, the referrer verification was turned on again. Also the spammer provided me with more words for the filter.

If I get complaints from people not being able to post I might look for alternatives.

Funny thing with this particular spammer. Both messages started with this:

Hi friends! Sorry for it, but I very need money!

It appeared to come from Russia.

[sandy@spaspecialist.com]

We have a message forum on our website and are getting numerous "postings" by spammers. I have to delete them one at a time. It's getting very time consuming but I don't know how to stop it. I sent a list to spamcop and they couldn't help.

[Wazoo]

The How to ... Forum section here is for instructions and tutorials on How to Use things here ....

Moved this to the Lounge area .. then Merged it into an existing discussion on the same subject .....

spaspecialist.com' post='44643' date='Jul 2 2006, 07:58 PM']We have a message forum on our website and are getting numerous "postings" by spammers. I have to delete them one at a time. It's getting very time consuming but I don't know how to stop it.

Blog, Forum, Board, etc. spam is definitely a problem these days. Yes there are idiots that arrempt to drop their loads here also. However, having a great and active Moderating staff involved with that most folks will never see it.

I sent a list to spamcop and they couldn't help.

This is not within the 'charter' of the SpamCop.net tool-set. As stated in another discussion, the next problem would also then involve the actual data to be captured, provided, and even accepted bu someone else "as proof" of anything ....

In the specific case of the website mentioned (and I'll also refer you to Spammers love Forum name = e-mail address ) there does seem to be a lot of options available that have not been tapped into ....

http://awsd.com/scripts/faqs/webbbs.shtml

(3) How can I prevent certain individuals from posting on my BBS?

Unfortunately, you can't. There is no way to identify visitors to your Web site unless they voluntarily provide you with their identities, so there's no way to prevent certain specific visitors from posting. The best you could do would be to ban particular IP numbers. However, since most systems use dynamic IP addressing, a given user won't always have the same number; thus, in order to keep the visitor away, you'd have to ban everyone from his ISP. Obviously, in the case of larger ISPs such as AOL, that's not even remotely practical. As well, if an individual has more than one access account, even banning an entire ISP won't necessarily get rid of him.

The only practical way to keep unwanted visitors from posting is to only allow certain visitors to post.

One way to do this is to password-protect your BBS. This can be done by placing the scri_pt files within a password-protected directory, and controlling access to that directory via any of the multitude of programs available for the purpose.

A slightly less "secure" but somewhat simpler method of controlling access is to set WebBBS to require profiles and e-mail addresses. No one will be able to post without first creating a profile, and valid e-mail addresses will be required with those profiles. So while you won't necessarily be able to prevent someone from posting (at least not the first time), you will be able to track down exactly who you're dealing with.

Short of limiting who can post, your only real alternative -- shared by all of us -- is to simply ignore the occasional twits and hope they go away quickly.

http://awsd.com/scripts/webbbs/docs.txt

$Moderated: If you set this variable to 1, any new posts will be put

"on hold" until approved by the administrator, rather than being

posted publicly immediately. Note that in order to run a moderated

board, you *must* have the administrative scri_pt, as without it,

you'd have no way of approving the posts!

$RequireProfile: If you set this variable to 1, visitors will only be

able to post to the forum if they first create a user profile. By

itself, this setting isn't of much use, though it can be of use, for

example, to help limit extraneous postings to a forum intended for

use only by "regular" posters on your other forums. But if used in

conjunction with the $RequireEmail option below, it can serve as a

sort of simple access protection. More on that below.

$RequireEmail: If you set this variable to 1, anyone attempting to

create a profile will be required to provide a valid e-mail address.

(The scri_pt will generate a random password, and e-mail it to the

address provided.) Users will not be able to change the address

later or delete the profile, and of course won't be able to post

messages under the user name attached to the profile without the

password provided by the scri_pt. By itself, this option isn't

terribly useful, though it might allow you at least to keep tabs

on some of your more prolific posters. But if used in conjunction

with the $RequireProfile option, it can serve as a sort of simple

access protection. Anyone who wants to will still be able to post

on your forum, but in order to do so, a visitor will have to create

a profile with a valid e-mail address. Since he won't be able to

change the address or delete the profile later, you'll be able to

identify anyone posting "offensive" material. Of course, the mere

fact that a real e-mail address is required will probably prevent

most such posts from being made in the first place.

$NaughtyWordsFile: You can, if you like, define here the path of a file

in which "naughty" language (words or phrases you don't want included

in posts on your forum) will be stored. The file can be edited with

the administrative scri_pt.

$CensorPosts: If this variable is set to 1, any words (or character

strings) matching the contents of the "naughty words" file will be

replaced by a string of hash marks in the actual post. For example,

if you defined $NaughtyWords as "this that" and someone attempted to

post the message, "This is one thing, that is another," the actual

post would appear as "##### is one thing, ##### is another." If you

leave this variable set to 0, a message containing forbidden words

will not be posted at all; instead, the poster will be shown a message

stating that his message was rejected for content, and will be given

the option to go back and "clean up" the post himself. If you set

this variable to 2, posts containing "naughty words" will be accepted

but not displayed until approved by the administrator (just as if

you were running a moderated forum).

$BannedIPsFile: You can, if you like, define here the path of a file

in which the IP addresses or domain names of any individuals you want

banned from your forum will be stored. The file can be edited with

the administrative scri_pt.

$BanLevel: If this variable is set to 0, anyone whose IP address or

domain name matches an entry in the "banned users" file will simply

be unable to post messages to your forum. If it is set to 1, such

visitors *will* be able to submit posts, but those posts will only

appear on the forum if and when an administrator approves them. (In

other words, they'll be treated as if you were running a moderated

forum.) If the $BanLevel variable is set to 2, on the other hand,

such visitors will not only be unable to post, but will not even be

able to read messages posted by others. They won't have any access

to the forum whatsoever.

$BanUnresolved: If this variable is set to 1, anyone whose IP address

cannot be resolved to a domain name will be banned, just as if they

were posting from a specifically-banned address.

[Adriaan]

I am member and moderator of bsdforums.org, a discussion forum for BSD Unix-like operating systems, and during the last months we see a huge increase in spam posted by what appear to be bots.

It would be nice to have if Spamcop could provide a way to report this type of spam.

The following google links will give you an impression of this type of spam posted to our and other forums

354 google hits for sport shoes spam :

http://www.google.nl/search?hl=nl&q=1s...oeken&meta=

A new kid on the block with 43 google hits:

http://www.google.nl/search?q=davidfoxson%...tart=0&sa=N

WARNING: the following is for adult 18+ X-rated material

15.500 google hits for this porno spam : http://www.google.nl/search?hl=nl&q=+%...oeken&meta=

As some of these spams, already may have been removed, you will have to use the page cached by google.

And please don't click on the links of the spamvertised sites.That will show up in their webserver logs and you don't want to give them the impression that their spam is successful

It would be nice if Spamcop could provide a way to report this type of spam because the current reporiting system is only suitable for email spam.

=Adriaan=

[StevenUnderwood]

It would be nice if Spamcop could provide a way to report this type of spam because the current reporiting system is only suitable for email spam.

That is all spamcop was designed for. What is stopping you from making your own reports on these bots? You can even use spamcop to determine the reporting address by entering only the IP address you want to report.

[Farelf]

Supporting Steven's comment, also thinking you might have a look at Spamhuntress who is something of a specialist in forum spam, comment spam, guestbook spam and such stuff that SpamCop is not specifically devoted to in the elimination thereof. I also suspect she is prettier than Wazoo while confessing I lack evidence for this.

[Wazoo]

I am member and moderator of bsdforums.org, a discussion forum for BSD Unix-like operating systems, and during the last months we see a huge increase in spam posted by what appear to be bots.

It would be nice to have if Spamcop could provide a way to report this type of spam.

as previously remarked in several other previous posts on the same subject (moderator action?) the primary issue is that the data required is not available an a 'standard' format. Some folks don't even have access to the required logs to pull up the 'evidence'

It is so much easier (in general) to work towards preventing the bots from doing the posting in the first place ....

I also suspect she is prettier than Wazoo while confessing I lack evidence for this.

Although it does seem to me that I saw her pic somewhere in the past, no sense gretting about it ... Wazoo has little issue about being pretty nasty looking <g> Actually, he has 'used' that appearance factor to resolve some issues <G>

[Farelf]

as previously remarked in several other previous posts on the same subject (moderator action?) tyhe primary issue is that the data required is not available an a 'standard' format. Some folks don't even have access to the required logs to pull up the 'evidence'

It is so much easier (in general) to work towards preventing the bots from doing the posting in the first place ....

Okay, a wink is as good as a nod to a blind horse, moved with this post. PM to Adriaan next to advise. Lots of good information in the preceding posts and there seems little chance of incorporating forum (etc.) spam into the SpamCop service, hence this is a better home than the original New Feature Request area.

[Wazoo]

Okay, a wink is as good as a nod to a blind horse, moved with this post. PM to Adriaan next to advise. Lots of good information in the preceding posts and there seems little chance of incorporating forum (etc.) spam into the SpamCop service, hence this is a better home than the original New Feature Request area.

And an excellent place to once again repeat ... with a great and active Moderator team .... <g>

[Adriaan]

as previously remarked in several other previous posts on the same subject (moderator action?) tyhe primary issue is that the data required is not available an a 'standard' format. Some folks don't even have access to the required logs to pull up the 'evidence'

That only would be an issue if it is your priorty to report the sender,. For reporting the spamvertized websites it is not..

In email spam the sending IP can be found by parsing the email header. This header has been standardized and is separated from the email body by an empty line.

However, the spamvertized websites have to extracted from the email body, which is a free undefined format, just like forum messages. And although it seems not be be Spamcop's priority, it still scans this free format for URLs.

RE: logs as 'evidence'

The email logs provide kind of proof. But for forum spam messages the messages which made it to other boards, and which have been cached by Coogle can provide this proof.

For forum spam, I would forget about the sender. Just focus on the spamvertised websites and report them to the domain name registrar.

I do that manually now, using the whois from the OpenBSD command line.

It is so much easier (in general) to work towards preventing the bots from doing the posting in the first place ....

Seems like the ultimate solution to stop email spam

We are moving to approve/moderate the first 5 posts of all newly joined members. That will stop spam from being publicly viewable.But I think the dissapproved spam posts could be a great resource for data-mining anti-spam intelligence.