Tuesday, September 26, 2006

Forum and comment spammers

A week or so ago, while working on a project for the SlothMUD III website, I came across some comments to a few of the news items on our site that were undoubtedly spam. I went through a moderately laborious effort of deleting all of the comments and then deleting the user accounts under which they were posted. This isn't a big deal to me, but I wanted to find a little bit more secure way of managing the comments, so I went digging on the PostNuke (our CMS) site.

The comment spam always started with something like "Great site love what you've done here." followed by about 50-100 links to random websites. I don't believe this spammer's intent was to ever have anyone purposefully click on these links as they are obviously crap to anyone with enough of a brain to turn on a computer. I do believe that the intent was to bring up those sites in Google Page Rank so that they might be returned in search results. I could be wrong, since I didn't actually click on any of the links to see what was actually on the page. The URLs had long random strings attached to the end of them, so I believe they could be used to track the originating site (even though a web browser usually will tell you that anyway).

He signed up to our site with a Gmail account, and tempting as it is to post it here so he can get spammed himself, it probably isn't worth the effort.

As it turns out, the same spammer has hit and posted on an enormous number of PostNuke-based sites. At the time I checked, there wasn't a feature in the PostNuke core that could be used to prevent machines from easily posting spam, so I disabled posting of comments. I believe that the reason for this is that there is an implied level of trust between hosters of this type of site and their readers.

Since this guy did most of the work to figure out how to post comment spam on PostNuke, I'm sure he's not too far away from doing the same thing on PHPBB-based forums. My expectation is that the PHPBB guys will do what the PostNuke comments addon modules do in that they require people to type those distorted characters in to supposedly prove you are human (so-called CAPTCHA). This will likely be cracked within a year or so and included in scripts like the one this spammer has used. Despite my statement about how stupid someone would have to be to click on a link in this comment spam, there are spam companies that make a living off of this and they work to defeat spam detection algorithms constantly out of necessity.

Human moderation is, of course, one way to eliminate comment spam as well as keep people on topic and stop flamers. However, it doesn't really work well for a site like ours where we don't want to have nor are able to have people dedicated to this. Perhaps we'll find some non-game administrators when it comes to this to help out. But it also leads to arguments about trust when posts are deleted which aren't spam.

I believe that really the only way to go is to have a community of trust built up that lets people post freely within that environment. It's also a "chicken and egg" in that if you are new it's really hard to join the community since nobody trusts you.

Fortunately, we might have a relatively spam-proof way to do this (basically, it wouldn't be worth a spammer's effort) if it ever comes to it. We could make people sign up for an account in the game with their player and then have that propagate to the website. It's one extra step for someone who plays the game, which isn't a big deal, but clearly not worth it for someone who is interested in scaling their spam. It's a long way off (I hope) until we have to do this, but at least we are prepared with an answer within this context anyway.

Feel free to post your comment spam on this blog; I think they use CAPTCHA for now. I haven't been a victim here and had to disable it, but have a feeling I eventually will.
