Think simple. Spam different.
I have to say, I’m really impressed by the results of the comment spam campaign apparently being run by the loser lowlives at macinstruct.NET. Though sleazeballs who would sell their own mothers for ten page views, they seem to have done a very good job of figuring out how to successfully place comment spam, and have it stick. They’ve got a very impressive roster of placements to stick long enough for Google to find them: JD Lasica, Les Orchard, Dean Peters, Peter Merholz, Molly Holzschlag, Charles Miller, Morgaine LeFaye…
Oops, that one was a mistake. I thought Alexander Morozov was more cunning than that. On that entry, he left both a macinstruct.NET comment spam, and a Rod Kratochwill fake linking to his radio.wblogs.com-without-the-e spamsite. Despite having been suspicious of the very first of the “Think simple. Learn different.” comments I saw, it wasn’t until then that I viewed source on macinstruct.NET and saw that it was just another of Alexander Morozov’s stolen content Javascript-cloaked porn spam sites, like wblogs.com-without-the-e.
Alexander Morozov, whatever your real name is, I’m impressed. That was very well done: using the Mac-love of bloggers to calm their fears, stealing content from a site that cluelessly delivers their HTML as text/plain so it doesn’t display in Firefox, and thus lots of blogger will have never seen it, putting your link in the comment body on sites where HTML is allowed but the link from comment names is redirected: you did good. Shame you went to the well a bit too often, so I saw it more than once, and started searching, and double shame about that one with both the Rod K and MacInstruct spams.
Jay, are you listening, or do I have to submit this one (which, of course, I don’t have myself :) ).
Also: linuxwaves dot COM = Linux portal, linuxwaves dot NET = Alexander Morozov spams for his porn.
Nice double-shot: Joi Ito post linking to both bllogspot dot com with a double l and to macinstruct dot net.
I wonder how many TypeKey accounts ”Alexander” already has?
And that took how long?
Anyone who thought TypeKey registration was going to be some sort of barrier to comment spammers needed to have his head examined.
What is really cool about Sacha’s work (I feel it’s only right to use the Russian diminutive in this case) is the emphasis on quality over quantity: find a way to plant links on A-list blogs and have them persist for a long time, instead of randomly planting a much-larger number of quickly deleted links.
I’d be honoured to be spammed by someone of such discernment.
Well, in all fairness to TypeKey’s remaining virginal status (Mark says he’s already getting TypeKey spammed), I didn’t actually see any of Sacha’s spam on TypeKey-required weblogs. Just wondering how many he had at the ready, given how much thought he puts into comment spamming.
That comment was only left on May 7, too. Google’s fast.
The spam itself wasn’t that subtle: I remember mentally marking it as ”to be deleted” when it appeared in my inbox, but because its so damned awkward to delete comments from inside MT that I tend to leave them to be deleted in batches. As such, sometimes I miss them.
I’m really not happy with SixApart, though. They dropped the ball on Movable Type support right when we needed real improvements to comment-handling. Being asked to wait for 3.0 just wasn’t good enough.
Actually, what concerns me more about 6A is TypePad, not MT. I’ve thought of MT as a platform as much as a program since before I even started using it: I hacked at it first, then decided to use it. The 6A throttle was incredibly naive, sure, but with a little help from my friends I have a useful throttle. Same with deleting comments: even if you don’t want to blacklist anything, or only want to blacklist things you’ve been personally spammed by, MT-Blacklist makes it quick and painless to delete them. We’ll see whether 3.0 really is a move to being a platform (the fact that they didn’t go out of their way to be sure existing plugin developers were all in on the alpha, or even until late in the beta, doesn’t inspire a whole lot of hope), but for all but the really big sweeping changes I’ve already long since given up on them saving me.
But, TypePad? That’s supposed to be the thing for the people who don’t like the sound of that at all, who want someone else to run the program for them. Since I know that 6A knew about wblogs dot com in February, if I were a TypePad customer I wouldn’t be at all happy about getting spam comments linking to it a couple of months later.
Phil,
Thanks for letting me know about this. Cleaning up as I write this. While I love Jay’s blacklist, I’m getting more and more frustrated by comment spammers - as if spamming my inbox weren’t enough, you know?
Anyway, I appreciate your pointing to this problem, and I even more appreciate the great work you do. Thanks so much!
-Molly
I’m listening, of course. And watching. And sometimes acting. Two of the spammers domains are already on the master blacklist. The ones that look like weblogs.com and blogspot.com. (Your spam filter works really well, btw! ;-)
Macinstruct is close, but I’m waiting for more spam submissions. Yes, I could just put it on the master, but I have a hard and fast rule about not putting things on unless I get the requisite number of spam reports from unique sources. This is to keep myself from cavorting all over the web looking for spam vigilante-style. I don’t have time for that, so I stick to my rule.
I did rather wonder if that was the case. It’s a shame that I can’t help out with submissions, because I get a ton of comment spam that I stop before it actually gets submitted to me. Another one of those things where I want everyone to have the same experience, but I don’t want to have their experience.
I think one aspect of TypeKey (from what I understand) is that we will all be able to collectively manage the blacklist to some extent. The usefulness of that function should increase as more people are actually using it. Right now, Mark is one of a very few who can be affected by a TypeKey-based spammer.
And I am oh-so-glad to be testing a buggy beta spam prevention system that doesn’t work, let me tell you. Thanks to Phil for that, wink wink nudge nudge know what I mean. Oh wait, you don’t know what I mean. But Phil does.
As far as I can tell, the only benefit to TypeKey is that it keeps out the sort of people who refuse to register with TypeKey. This does not include spammers, but that doesn’t mean it’s entirely useless.
I thought about mentioning the other day that while I get your point, it also keeps out casual passers-by who aren’t so committed to chasing around commenting on blogs that they of course have a TypeKey login. Say you are puzzled by something Pythonish, just can’t seem to figure it out. Do you think Guido has a TypeKey login, or would sign up to comment? (For all I know, he’d just email you instead, but still: I at least sometimes get that sort of ”holy crap, not only did I get my problem solved, I got it solved by __!” comment.)
So far, I’m one of the people who refuses to register with TypeKey.
I may have to revisit that decision if more of the blogs I habitually comment on go over to TypeKey-only comments.
But, for now, I see it, as a matter of principle, that Commenter Registration is an unnecessary evil and I will have none of it.
I like TypeKey much and think you are sad loster for saying such bad things about. Where your solution to network comment spamm problem? Hello Mark? What your name.
I think of Mark’s more of a lobster, really ;)
However, TypeKey is in no way a solution to comment spam. It’s a far too easily gamed solution to comment moderation, where moderation is the supposed solution. Having experienced moderation exactly once now, I no longer like it as a solution. You save a post, with an error, or a question. You get twelve comments with the same notice or answer, while you are away from the computer, all going into the moderation queue. Do you then publish them all, making it look like the twelfth person wasn’t bright enough to see that it had already been answered eleven times? Do you just silently delete the comments from the eleven people who had no way of knowing it was already answered?
The answer is to break the monoculture of script names and form element names, forcing them to incur at least some bandwidth cost to be able to post, to make it utterly trivial to remove a comment and never see spam for that URL again, and to make it possible for search engines to use comment spam reports as the search engine spam reports they are.
You have no idea how much work Mena did to make this spam problem go way. You are a sore loster like Mark. Now go way, you are boring me.
Phil should go away? Last I checked, this was his blog.
Damn! Do I have to View Source to make sure this isn’t another one of those Javascript-cloaked porn-spam operations?
… (checks source) …
Nope. I’m pretty sure this really is Phil’s blog.
I’d very much appreciate it if you would either correct the URL you are using to something that actually exists, or stop using one at all. It’s getting annoying to have to edit your comments to get rid of it. Thank you.
I’m afraid the only way I’ll go away is if you add
127.0.0.1 philringnalda.comto your hosts file.I have a guess on who the Celeste is, and it ain’t a woman. Even if s/he were a woman, she’s no lady.
I give Movable Type one more year on top, max. Probably less. By that time, look for both Wordpress and Textpattern to take the field and share the honors, with perhaps one or two variations on these types of weblogging tools.
As for TypeKey, I sure am glad that you and Jacques are continuing this battle while I’m not playing.
But I do have to say I use moderation on my old posts, and it has been working beautifully–I only ever get a one or two comments on an old post a day, if that, and ever the same post. But it keeps out both the Google kiddies and the spammers. Usually.
As for the new ones, well, I have better comment management and a Wordpress version of Jacques code, and I’m content.
Hmm. Moderation of old posts, where there’s very rarely more than one person commenting per day (or week, or month), or maybe rather than ”old posts” make it automatic on ”(posts a week old|posts not on front page) && (last comment more than x days ago)” maybe along with Paul Freeman’s moderate the URL, not the comment, and I might buy moderation after all.
Y’know I had all these really clever ideas for anti-spam games one could play with form elements. I don’t think they’re ever going to get implemented ’cuz my previous anti-spam measures have already reduced my spam load to near zero (13 in 30 weeks). And besides, the really clever spammers seem to be moving into social engineering (quality over quantity).
Jay wrote:
Who wants 1000 comments in their email inbox to sift through?
So … since all the kool kidz have played around with the beta, are the comment/trackback/search throttle(s) fixed in MT 3.0, or are we gonna have a patch-fest when it’s released?
Now that it’s getting rather late in the game, I really need to get some discipline about testing. I’ve just been wandering around: I was testing one of my plugins, and the way I broke it lead me to the entry where you pointed out that MT accepts comments with a GET, so I submitted that as a bug, and meant to come back from that to the throttle, but instead I finished fixing the plugin, and wandered off to spam Jay, and then…
Throttles. Right. Plus, the timezone thing. Throttles and timezones, and that’s all I’m going to look at.
Patch-fest.
All three throttles remain IP-based only. The timezone issue’s fixed for comments, but not (yet) for trackback.
Funny thing I’d never thought about with an IP-based trackback throttle before: say I wanted to write an entry about throttling, and wanted to ping you (or, heaven forbid, autodiscovery-pinged everything I linked to): assuming we are both reasonably quick, with a decent pipe between us, that’ll be one of the few things that triggers the throttle, as I ping more than one of your entries. Anyone with enough skillz to write a malicious Trackback flooder can use anonymous proxies, but sending two genuine pings from one entry requires save, ping, ping, error, pause, worry, resave, ping….
IP based? It’s using IP based?
Has everyone who writes weblogging tools not been paying attention to their customers? You know, webloggers?
This was talked about over a year ago.
Perhaps we need to translate it to Japanese.
Same-old same: pretty much the code from 2.661 (you know, the stuff that you had that whole long post describing how to patch into something that would work, back in the day?), though since there’s some copy-and-paste errors in Trackback.pm calling pings comments I’d guess that they looked it over in Comments.pm, and copied that out to Trackback.pm.
Phil: ”Do you then publish them all, making it look like the twelfth person wasn’t bright enough…”
Is that a conclusion to which you’d actually leap? I’m not big on blanket moderation queues, but that’s got to be one of the last things that would concern me.
Depends. In a world where all weblog comments are moderated, and known to be moderated, I wouldn’t. I’d merely find it yet another nail in their coffin, and be that much less likely to either read them or write them. In a world where most aren’t moderated, and for those that are you only find out that they are by actually submitting one? Yep. My very first thought would be ”this person has a bunch of total morons for readers.”
”Who do I have to blow in this joint to get a damn beta?”
Thanks to Phil for that, wink wink nudge nudge know what I mean. Oh wait, you don’t know what I mean. But Phil does.
No. No, Mark, I think we do… ;-)
By the way, comment moderation (the ignored significant other of TypeKey) is batting 1000 for keeping spam off of my beta site…
Do you need an example of how easy that is to get around, or should we just take it as a given that it will only work until there’s enough of them to make it worth the trouble of gaming it?
I’m stumped as to how one could get around comment moderation (unless you are talking about not using m_t-c_o_m_m_e-n-t-s and instead that OTHER one which is even more wide open now (evading Google search :-))
Crapflooding is still totally possible although there is a hell of a lot less of a CPU hit since the comments would all be moderated and hence not kicking of rebuilds.
So did you have something in mind?
No, but my friend Stephen Smith did ;)
Very clever, indeed. But that’s a whole lot of effort. Why not go for something easier? Something without hardly any protection and yet with all of the same payoff? Something which any idiot who knows how to use curl and a for I in ___ do statement?
You know what I’m talking about, right?
Oh, yeah. I know, I do. In fact, did the rumored ”no GET after January 2003” happen yet? Do I need curl, or can I still just use wget?
Why yes, it looks like I can. Now inline by default, not hidden in a popup, and completely defenseless. Okay, that’s one place where the patch-fest needs to concentrate. There’s limits to how long anyone can remain oblivious.
I suppose you’re talking about old problems, which somehow didn’t get fixed when it should’ve?
Why’d I file all those bug reports? Just search my blog for ”patch”.
Posting in the ”Bugs” section of the MT forum has felt like pissing in the wind for quite a while now, but so far filing bugs against the beta feels a bit better.
And searching you is exactly what I did, when I needed a link in one of my bug reports ;)
You can just type in your browser address bar. How convenient!
I see you posted the bug report. Good man. I’ve been meaning to do this but have been too busy and was hoping that they would have it fixed in the next release.
I suppose if they didn’t KNOW about it. But how could the not?!
My very vague memory of the situation is that IIS doesn’t pass on path_info to Perl, so you have to use the old style URLs with the ID in the query string instead of the path, and to interop with old, un-updated installs, MT needs to send a GET whenever it sees a Trackback URI with a query string. However, I don’t see that as meaning that the rest of us need to drop trou and accept GET, just because they need to.
Completely agreed. 6A could make it a config option to allow GETs. Perhaps something like:
AcceptPingGetsCuzMyWebserverSux 1
Do I need to think of everything?
Couldn’t MT::App::Trackback check the SERVER_SOFTWARE environment variable, and accept a GET request if it’s running on bozotic server software, while refusing a GET request when not running on IIS?
Sure one could do it that way, but I rather liked the config option.
Absolutely. Not only is it a clear option name, it’s more MTish than looking (plus it allows for other hypothetical servers that can’t be bothered to give Perl what it needs).
The only downside is that rubes, who would pay good money to be hosted on such servers, would need to know enough to ”set the bozo bit.”
As I remember it, the symptom is that people pinging you get ”Need a TrackBack ID (tb_id).” back, they complain to you, you complain on the forum, and whoever gets to your post first gets to make fun of your server. Using the second person as third person, of course :)
So far as I can tell, that function, which might or might not be a good thing, doesn’t exist. TypeKey just gives your blog an ID string for the TypeKey user, and leaves it up to you whether you block them because you’ve seen that user string before, or not. If you do block them, TypeKey doesn’t even know about it, and certainly doesn’t know that the same person, who still wants to spam the same URL, has another 10,000 TypeKey logins and can still use them on you. To spam the same URL.
I think one aspect of TypeKey (from what I understand) is that we will all be able to collectively manage the blacklist to some extent.
TypeKey is made by Six Apart. MT-Blacklist is made by me. They have nothing (yet) to do with one another.
Further, TypeKey banning is only local. There is no collaboration (nor is there a cabal).
Blacklists are also (currently) only local. Your blacklist is your blacklist. My blacklist is my blacklist. This land was made for you and me.
MT 3.0, Comment spam and miscellany
A lively spirited discussion (and one you should read) is ensuing over at Phil Ringnalda’s blog about fake blogger sites, comment & trackback spam, and MT 3.0. Also an intriguing, yet hard to implement idea: Moderating the URLs…
Ah well. Of the seven original ”Spam different.” posts I linked to, Les, Dean, Molly and Charles have all deleted the spam, Peter and Morgaine (who I didn’t give any comment-hint, just the link-hint) haven’t, and JD deleted my warning comment linking here, while leaving the comment which links to rape-porn. Eh, better than 50% anyway.
Eurhm, yeah. I actually only came across this post after reading your post about the recent MT related uproar. I did delete the spam comment somewhere between May 9 and today, when I found out I didn’t have e-mail notification enabled for comments (for that particular blog). Even without e-mail notification I would have discovered it sooner if only I wouldn’t have been on a blogging hiatus (well, and a blog reading hiatus too I guess)
Still kind of funny to see Jacques Distler talk about planting links on A-list blogs, mine actually are more like Z-list blogs :-)
Why 6A didn’t at least try to incorporate MT-Blacklist and went the Typekey route instead still has me somewhat baffled. MT-Blacklist has proven its value, and from some of the comments on this post it would appear Typekey is already proving not quite so successful ..and it’s not even officially released past beta!
The only thing I can think is that they didn’t want to spend the time in the future maintaining a master list like Jay currently does, but [presumably] wanted to just release Typekey and let it manage itself. The thing is, they’ll likely find themselves busy on a regular basis deleting hundreds of accounts created by spammers on Typekey instead ..either that or they’ll just put a SEP field on it and forget about it and let the bloggers sort it out for themselves, in which case why bother setting it up in the first place (for those ignorant of Douglas Adams genius, an SEP field = somebody else’s problem field).
I think MT is a great content management utility and I will continue to use it, but heck, the majority of related comments I see recently are giving me the impression that 6A has completely lost touch with reality and their faithful MT users.
Well, obviously I don’t know. But that won’t stop me from guessing, anyway.
One thing you always have to keep in mind while thinking about things-MT is that we are users. The people who use TypePad are customers. When you want to eat, and pay your employees, and show your investors some hope of return, you have to keep that in mind all the time. So, it may be that while MT-Blacklist is the absolute perfect solution for those of us who want our own thing (I use Jay’s updates, but I’d be perfectly happy if he never updated again, since I’m more interested in not being fooled twice than in perfection the first time), it isn’t right for TypePad, or TypeKey is somehow better, or will work for something else that they want to do with TypePad. I can’t make any sense of it, frankly, but I do know that if it doesn’t make sense for MT, that probably means it isn’t really entirely for us.
My other theory is that as part of their plan to make MT a platform, they want Jay to have MT-Blacklist as an income producer, one way or another (I don’t think I’d pay for the plugin, but I might pay for blacklist updates. Not sure.).
Or, more likely, they could have either spent their time reproducing or integrating what I already had or they could spend that time making another line of defense. It’s a matter of time best spent.
For the record, they contacted me back in October and asked me if I would like to contract with them (presumably in order to integrate Blacklist). At the time I was really busy and sent them an email saying ”yes, but not for a few weeks”.
After I got free, I sent them back and email. Then another. Then another. And another. All in all, probably 10-15 emails to which exactly none generated a response.
I honestly didn’t know what happened? Had I pissed them off? It was very odd because I consider Ben and Mena friends, so I really didn’t know what to make of it.
About a month and a half ago, I forced the issue and asked about it. Mena says that they ”got busy”. So I just have to assume what I wrote above is true and that they simply got so busy that they failed to let me in on that strategy. Not that they HAD to tell me about it, but I would have expected them to considering our past history and my work against comment spam. Hell, it would have been nice if they had even asked my opinion once…
BTW, this is the first time I’ve written about this publically. You have an exclusive, Phil.
While I think the platform part is absolutely true (and smart on their part), I’m not all that confident that their strategy included me getting paid… In any case…
Leech! ;-)
Well, sure. But also, that’s the part that might make me open my wallet. A few hundred lines of Perl? Not so much. I’d be more likely to tell myself I’d write my own (and not actually do it). A promise to aggressively feed me new spamming domains, fast enough that I might get them before the first round ends? That seems worth paying for.
While I agree with you as a user, on being willing to pay for constant updates, I have to tell you that for my own part, I will NEVER charge for either MT-Blacklist or the master blacklist updates.
The main reason is that in order to thwart comment spam at least a very large proportion of users need to be protected from it. Once the spammers realize that website comments aren’t exactly a fertile or easy ground for sewing their seed, they’ll move onto greener pastures.
If I charge for the software or the updates, less people will be protected. That is why I stick to the donation thing. Yeah, it doesn’t bring in as much perhaps as ”going commercial” might, but I’m in this for more than money.
hmm.. so what we’re seeing is evolution. MT was the route taken to create a robust (hmm ..nice albeit slightly dated buzzword) system which has given them the experience and reputation to launch into something they can actually turn into a business (in this case, business being defined as something that turns a profit), namely; TypePad. In which case what you say makes a lot of sense Phil: ”if it doesn’t make sense for MT, that probably means it isn’t really entirely for us.”
The species known as MT-Bloggerus (namely us) has therefore also evolved (relative to 6a) from useful lab rats into an as yet unspecified species that are kinda handy to have around for those mad scientist ideas, but we don’t butter the bread so perhaps our significance is somewhat diminishing. As you so clearly pointed out, users versus paying customers.
In a nutshell, their motivators have altered.
Regarding your post above Jay, it almost sounds like a case of ”hey, if you won’t come play when we invite you, we’re going to play a different game instead so :P nyah nyah nyah” kinda thing, so they went ahead with TypeKey. Well, not really :P nyah nyah, that’s just me taking the piss, but you know.. it’s such an effective tool (MT-Blacklist), why would they not incorporate it? Then again, if there’s the possibility of having MT-Blacklist developed further down the line as an income driver, then that’s all good for you Jay (and well deserved).. even if it’s a free plugin with a small subscription (or royalty to Jay) for automatic updates, which would kind of make sense now I think of it; it would fall in line with what it seems they intend TypePad to be - a low/no maintenance (for the subscribers) reliable and complete blog service. hmm.
Maaaaaaan, you MT users sure like complaining about it. I’d’ve switched to something else by now. :)
GFM
hehe don’t get me wrong, I really like MT :)
just trying to speculate what their current direction really is..