John, my personal spammer!

With apologies to anyone named John. Spammers are getting more clever at spreading their links. Now legitimate website owners are using software tools that allow them to enter keywords of their choice to create a list of related blogs with comment forms. Many of these applications list blogs that pass Google Rank to the websites of visitors. That’s why I stopped doing the “dofollow” thing several months ago. Since then the number of spam comments has gone down slightly. Cookie for Comments stops the spam bots dead but the human spammer scum still get through.

Next time Akismet marks a legitimate looking comment as spam (or you get a comment from someone who was supposedly christened Austin Texas Photographer by his parents), check your logs. Look up the IP address of the visitor. You may find something like this. Note the lack of a referrer, an old Firefox user agent and then “bsalsa.com” is in the UA of the next request for a post. Bsalsa make a Windows toolkit that this software obviously uses. They’re fans of Borland Delphi apparently!

"GET /2006/11/04/cork-cinema-listings/ HTTP/1.0" 200 43366 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12"

"GET /feed/ HTTP/1.0" 302 84 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

"GET /2006/11/04/cork-cinema-listings/ HTTP/1.1" 200 12089 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) (Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11); .NET CLR 2.0.50727)"

When my blogs were dofollowing, I’d get loads of spam comments every day. The tools used fire off a request to the blog to examine the links on that page. They highlight dofollow links so the user knows their spam comment will generate Google Juice for their site.

I was getting so sick and tired of them I contacted several spammers. Lindsay who commented on inphotos.org replied:

Hi Lindsay,

As a photographer, I’m always looking for other blogs to comment on but it’s hard to find interesting photoblogs that post anything other than photos. How did you find my blog? I didn’t see a Google search in my logs. Is it a special program?

Thanks,
Donncha

She was really helpful, even replying twice when I didn’t reply again:

I actually have a program called G-force fast blog finder. Basically, I put in some keywords and it searches ALL blogs with those keywords. THEN it tells me if those blogs do or do not have the “uComment iFollow” addon. Blogs that allow the “follow” tag are good for search engines if I post a comment with a link to my site.. SO basically, I get to look at photography blogs and comment on them while I help my website obtain some more links.

Basically, search engines rank your page based on a few things, one of them is link backs. Basically, a link from a site to my site is like a vote for my site saying it is good. So the more other websites link to my site, the better.. HOWEVER, some blogs and websites have the NOFOLLOW tag in them which does not let the search engines see it. Your site does allow the uComment iFollow.

We also created a link exchange program on our website. If you’re interested, it helps you to also have links for your site on other people’s site. If you go to my site here:
http://__________.com/catalog/links.php
You can submit your link and even a small picture to be displayed.
Let me know if you have any other questions

Lindsay

Yea. I downloaded a program called fast blogger. They have a free trial and basically you add in search term and it searches all blogs for that term. It gives you lists of links to them and tells you if they are no follow or Ufollow IConment blogs. Basically, by finding blogs related to my website and blog and posting comments, it helps my website with the search engines when I post a link. It’s a win win situation. You get blog views and comments and the post gets a link back to third site.

If you are interested, I also have a blog. It’s at http://_____________.com/blog

Feel free to comment away and leave a link back to your blog.

We also have a link exchange. Basically you go to Http://____________.com/catalog/links.php

Click submit link and then we will add another link to our website. All we ask is you link back to us in return.

It’s basically everyone helping each other in order to get good page ranking for their keywords

If you have any questions, I’d be happy to answer.

Lindsay

Very helpful wasn’t she? Unfortunately it was the final straw. All links in comments are nofollowed again. Bloody spammers.

The spam comments continue but recently I’ve taken to changing the name of the person to “John”, removing their email and url and then allowing through the comment.

john the spammer

Thanks John!

Guinness, say hi to the Data Protection Commissioner

This morning, Diageo Ireland (the company behind Guinness) spammed me again, despite my repeated attempts to remove myself from their mailing list.

Thanks to Damien who pointed me in the direction of the Data Protection Commissioner I filled out the complaint form with the following. The Commissioner’s Guidelines for marketing by electronic mail are quite clear and Diageo obviously ignore them. Hopefully something positive will come of this.

On the 8th of April, 2007 Diageo Ireland sent me an unsolicited email regarding a “poker nights” promotion. It appears that someone signed me up, but Diageo never confirmed the invitation. I did not opt in to receive any mailings from them. I also unsubscribed using their subscription page. More details, including commentary about the unsubscribe process are here: http://ocaoimh.ie/2008/02/07/a-pint-of-guinness-flavoured-spam/

Unfortunately, on June 20th 2008, I was spammed by them again. http://twitter.com/donncha/statuses/839602319
I unsubscribed again.

This afternoon I was sent another email from Diageo with the text:
“CONOR,
BECAUSE WE
DON’T WANT YOU TO BE
LEFT IN THE DARK…
Give us a few minutes and we’ll give you so much more
GIVE US A FEW MINUTES
AND WE’LL GIVE YOU
SO MUCH MORE”

Unfortunately I suspect I’ll always get spam emails from them despite the fact that I never signed up for anything, don’t drink Guinness and unsubscribed twice already.

Regards,
Donncha O Caoimh

Anti spam-blog plugin for WordPress MU

The very popular WP Hashcash plugin for WordPress has been modified to work on the WordPress MU signup page.

WP Hashcash is an anti spam plugin that protects blogs from comment spam. It does this with Javascript and is quite successful. I worked on it over the last few days and the plugin now offers the same protection on the WordPress MU signup form!

This is the first release of the code so handle with care. Grab the latest version (version 4.2 as of this moment) from the download page. Unzip it and copy wp-hashcash.php into wp-content/mu-plugins/ and visit “Site Admin” -> “WordPress Hashcash” to confirm it’s working.

Now logout and create a new blog, just to make sure everything is working ok. Occasionally some users will have problems registering, and those that have Javascript turned off won’t be able to create a new blog at all. That’s the downside of using this plugin unfortunately.

Keep an eye on the stats counter on the admin page. I want to hear how well this works on your site!

More ways to stop spammers and unwanted traffic

Comment spammers, trackback spam, stupid bots and AVG linkscanner eating into your bandwidth and server resources? Here’s how to put a dent in their activities with a few mod_rewrite rules.

I hate those blogs that send me fake trackbacks and pingbacks. Unfortunately it’s impossible to stop but this morning I figured out a way of stopping some of them.

Look through the log files of your web server for the string ‘ "-" "-"’. Lots of requests there, aren’t there? I found 914 requests yesterday. Those are requests without a USER_AGENT or HTTP_REFERER and almost all of them are suspicious because they weren’t followed by requests for images, stylesheets, or Javascript files. Unfortunately the WordPress cron server also falls into this category so you need to filter out requests from your own server’s IP address.

This morning I checked up on a spam trackback that came in. This one came from 85.177.33.196:

URL: /xmlrpc.php
HTTP_RAW_POST_DATA: <?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://7wins. eu/cbprod/detail_10347/cure+your+tight+foreskin.html</string></value>
</param>
<param>
<value><string>http://ocaoimh.ie/2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/</string></value>
</param>
</params>
</methodCall>

I looked through my log files for that IP address and discovered the following:

85.177.33.196 - - [03/Jul/2008:06:40:01 +0000] "GET /2005/02/18/10-more-ways-to-make-money-with-your-digital-cameras/ HTTP/1.0" 200 36151 "-" "-"
85.177.33.196 - - [03/Jul/2008:07:04:18 +0000] "GET /2007/06/07/im-not-the-only-one-to-love-the-alfa-147/ HTTP/1.0" 200 44967 "-" "-"
85.177.33.196 - - [03/Jul/2008:08:09:40 +0000] "GET /2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/ HTTP/1.0" 200 410423 "-" "-"
85.177.33.196 - - [03/Jul/2008:08:09:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 249 "-" "XML-RPC for PHP 2.2.1"
85.177.33.196 - - [03/Jul/2008:09:00:09 +0000] "GET /2007/10/28/what-time-is-it-wordpress/ HTTP/1.0" 200 63332 "-" "-"

So, the spammer grabs “/2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/” at 8:09am and 4 seconds later sends a trackback spam to the same blog post. Annoying isn’t it?
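
The fetch-then-ping pattern described above can be pulled out of an access log automatically. The following is an added example, not code from the original post: it counts requests with neither referrer nor user agent per IP and reports any that are followed by a POST to /xmlrpc.php. The sample log lines, the own-server address 192.0.2.10 and the 30-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "request" status bytes "referrer" "user agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OWN_SERVER_IPS = {"192.0.2.10"}  # assumption: your own server (source of wp-cron hits)
WINDOW = timedelta(seconds=30)   # assumption: how soon the pingback must follow the fetch

# Constructed sample in the shape of the log lines above; addresses are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.7 - - [03/Jul/2008:06:40:01 +0000] "GET /2005/02/18/post-a/ HTTP/1.0" 200 36151 "-" "-"
192.0.2.10 - - [03/Jul/2008:07:00:00 +0000] "GET /wp-cron.php?check=x HTTP/1.0" 200 0 "-" "-"
203.0.113.5 - - [03/Jul/2008:07:30:12 +0000] "GET /2005/02/18/post-a/ HTTP/1.1" 200 36151 "http://www.google.com/search?q=post" "Mozilla/5.0 (X11; U; Linux i686) Firefox/3.0"
198.51.100.7 - - [03/Jul/2008:08:09:40 +0000] "GET /2005/03/01/post-b/ HTTP/1.0" 200 410423 "-" "-"
198.51.100.7 - - [03/Jul/2008:08:09:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 249 "-" "XML-RPC for PHP 2.2.1"
203.0.113.9 - - [03/Jul/2008:09:00:09 +0000] "GET /2007/10/28/post-c/ HTTP/1.0" 200 63332 "-" "-"
'''


def parse(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(log_text):
    """Count blank GETs per IP and list blank GETs followed by an xmlrpc.php POST.

    Assumes the log is in chronological order, as access logs normally are.
    """
    blank_gets = defaultdict(list)  # ip -> [(time, path)] of GETs with no referrer and no UA
    fetch_then_ping = []            # (ip, fetched path, seconds until the POST)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["ip"] in OWN_SERVER_IPS:
            continue
        blank = rec["referer"] in ("", "-") and rec["ua"] in ("", "-")
        if rec["method"] == "GET" and blank:
            blank_gets[rec["ip"]].append((rec["time"], rec["path"]))
        elif rec["method"] == "POST" and rec["path"].startswith("/xmlrpc.php"):
            for seen, path in blank_gets.get(rec["ip"], []):
                gap = rec["time"] - seen
                if timedelta(0) <= gap <= WINDOW:
                    fetch_then_ping.append((rec["ip"], path, int(gap.total_seconds())))
    counts = {ip: len(hits) for ip, hits in blank_gets.items()}
    return counts, fetch_then_ping


if __name__ == "__main__":
    counts, pairs = analyse(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} requests with no referrer and no user agent")
    for ip, path, secs in pairs:
        print(f"{ip}: fetched {path} then POSTed to /xmlrpc.php {secs}s later")
```
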

The following mod_rewrite rules will kill those fake GET requests dead.

# stop requests with no UA or referrer
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteCond %{REMOTE_ADDR} !^64\.22\.71\.36$
RewriteRule ^(.*) - [F]

Replace “64\.22\.71\.36” with the IP address of your own server. If you don’t know what it is, look through your logs for requests for wp-cron.php, run ifconfig from the command line, or check with your hosting company.
Here are a few of the requests already stopped this morning:

72.21.40.122 - - [03/Jul/2008:09:59:59 +0000] "GET /2005/04/02/photo-matt-a-response-to-the-noise/ HTTP/1.1" 403 248 "-" "-"
216.32.81.66 - - [03/Jul/2008:10:00:11 +0000] "GET /2006/12/14/bupa-to-leave-irish-market/ HTTP/1.1" 403 240 "-" "-"
66.228.208.166 - - [03/Jul/2008:10:03:18 +0000] "GET /2008/05/23/youre-looking-so-silly-wii-fit HTTP/1.1" 403 212 "-" "-"
216.32.81.74 - - [03/Jul/2008:10:04:52 +0000] "GET /1998/03/22/for-the-next-month-o/ HTTP/1.1" 403 234 "-" "-"
69.46.20.87 - - [03/Jul/2008:10:06:06 +0000] "GET /2006/10/01/killing-off-php/ HTTP/1.1" 403 229 "-" "-"
72.21.58.74 - - [03/Jul/2008:10:07:54 +0000] "GET /2005/08/12/thunderbird-feeds-and-messages-duplicates/ HTTP/1.1" 403 255 "-" "-"

Some spam bots are stupid. They don’t know where your wp-comments-post.php is. That’s the file your comment form feeds when a comment is made. If your blog is installed in the root, “/”, of your domain you can add this one line to stop the 404 requests generated:

# refuse comment posts aimed at a wp-comments-post.php below some directory
RewriteRule ^(.*)/wp-comments-post.php - [F,L]

Trackbacks and pingbacks almost always come from sane looking user agents. They usually have the blog or forum software name to identify them. Look for “/trackback/” POSTs in your logs. Notice how 99% of them have browser names in them? Here’s how to stop them, and this has been documented for a long time:

# refuse trackback POSTs that claim to come from a browser, or send no UA
RewriteCond %{HTTP_USER_AGENT} ^.*(Opera|Mozilla|MSIE).*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteRule ^(.*)/trackback/ - [F,L]

I’ve been using that chunk of code for ages. It works exceptionally well. This was prompted by a deluge of 40,000 spam trackbacks this site received in one day a few months ago.

If you use my Cookies for Comments plugin, check your browser for the cookie it leaves and use the following code to block almost all of your comment spam:

# refuse comment posts that lack the Cookies for Comments cookie
RewriteCond %{HTTP_COOKIE} !^.*put_cookie_value_here.*$
RewriteRule ^wp-comments-post.php - [F,L]

That will block the spammers even before they hit any PHP script. Your server will breeze through the worst spam attempts. It blocked 2308 comment spam attempts yesterday. Unfortunately it also stops the occasional human visitor leaving a comment but I think it’s worth it.
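
To see what these four rule sets decide before putting them on a live site, here is a small Python model of their conditions (an added example, not the author's code or Apache itself). It assumes the rules live in .htaccess, where the path RewriteRule sees has no leading slash; the sample requests and the 192.0.2.10 server address are constructed.

```python
import re

OWN_SERVER_IP = "192.0.2.10"            # assumption: stands in for your server's address
COOKIE_VALUE = "put_cookie_value_here"  # the placeholder from the rule above


def decide(method, path, ip="203.0.113.5", referer="", ua="", cookie=""):
    """Return the name of the rule set that would answer 403, or None if the request passes.

    `path` is the URL path as RewriteRule sees it in .htaccess context: no leading slash.
    An absent header is the empty string, which is what ^$ matches.
    """
    # No referrer AND no user agent AND not our own server (plain RewriteConds are ANDed).
    if referer == "" and ua == "" and ip != OWN_SERVER_IP:
        return "no-ua-no-referrer"
    # wp-comments-post.php requested below some directory: a bot guessing the path.
    if re.search(r"^(.*)/wp-comments-post.php", path):
        return "stray-comment-post"
    # (browser-like UA OR empty UA) AND POST: [OR] joins the first two conditions only.
    if re.search(r"^(.*)/trackback/", path):
        browser_like = re.search(r"^.*(Opera|Mozilla|MSIE).*$", ua) is not None
        if (browser_like or ua == "") and method == "POST":
            return "browser-trackback"
    # The real comment endpoint, requested without the Cookies for Comments cookie.
    if re.search(r"^wp-comments-post.php", path) and COOKIE_VALUE not in cookie:
        return "missing-cookie"
    return None


BROWSER = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) Firefox/2.0"  # constructed UA
POST_URL = "2008/05/23/post/"                                         # constructed path
# Constructed requests: (label, keyword arguments for decide()).
CASES = [
    ("bot fetch, no headers", dict(method="GET", path=POST_URL)),
    ("wp-cron from own server", dict(method="GET", path="wp-cron.php", ip=OWN_SERVER_IP)),
    ("bot guessing comment URL",
     dict(method="POST", path=POST_URL + "wp-comments-post.php", ua=BROWSER)),
    ("trackback from 'browser'",
     dict(method="POST", path=POST_URL + "trackback/", ua=BROWSER)),
    ("trackback from blog software",
     dict(method="POST", path=POST_URL + "trackback/", ua="WordPress/2.5.1")),
    # Covers bots and also a human visitor whose browser refuses cookies.
    ("comment without cookie",
     dict(method="POST", path="wp-comments-post.php", ua=BROWSER, referer="http://example.com/")),
    ("comment with cookie",
     dict(method="POST", path="wp-comments-post.php", ua=BROWSER, cookie="c=" + COOKIE_VALUE)),
]


def run_cases():
    """Evaluate every constructed request and return {label: verdict}."""
    return {label: decide(**kwargs) for label, kwargs in CASES}


if __name__ == "__main__":
    for label, verdict in run_cases().items():
        print(f"{label:30} -> {verdict or 'allowed'}")
```
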

Do something different. That’s what you have to do. Place a hurdle before the spammers and they’ll fall. On that note, I shouldn’t really be blogging all this, but almost all these ideas can be found elsewhere already and the spammers still haven’t adapted.

Unwanted traffic? What’s that? Surely all visitors are good? Nope, unfortunately not. Robert alerted me to the fact that AVG anti-virus now includes an AJAX powered browser plugin called “Linkscanner” that scans all the links on search engine result pages for viruses and malicious code. Unfortunately that generates a huge number of requests for pages that are never even seen by the visitor. I counted over 7,000 hits yesterday.

Thankfully Padraig Brady has a solution. I hope he doesn’t mind if I reprint his mod_rewrite rules here (you can also grab the code from Padraig’s page).

#Here we assume certain MSIE 6.0 agents are from linkscanner
#redirect these requests back to avg in the hope they'll see their silliness
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$"
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]

Are ifoods.tv clueless Web 2.0 spammers?

Sorry ifoods.tv, just because you’ve been nominated for best Web 2.0 Start up in Europe is no reason to spam members of the Irish blogosphere.

They didn’t even do it very well, leaving Tom Raftery’s email address in the To: field and attaching a Word .doc file with the text, “Please Find attached press release” in the body of the text. I mean, come on, Web 2.0 my arse. If you had a clue you’d have built up a following on Twitter just like Pat Phelan or Paul Walsh. You would have got us interested in what you do.

Get thee back to Web 0.1

Edit: Michele has blogged about them too. Love this quote:

You may have been nominated for an award, but it obviously wasn’t in marketing or email usage based on the rubbish you sent me today and the way you sent it.

Please sir, can I have more?

A poor urchin goes up to the headmaster, “Please sir, can I have more comments?”
The headmaster looks down from his perch and with a grimace says, “Not before you show me your cookie!”

Well, the poor lad never did get any more comments. He didn’t have the right cookie, but you can. Just grab my Cookies For Comments plugin and anyone who leaves a comment on your blog will need the correct cookie. That will stop quite a bit of comment spam dead in its tracks.

It’s the first release and fairly simplistic, but it should give some comment spammers a headache for at least 10 minutes. It’s about time they upgraded their spamming tools anyway. According to my log file, it had stopped over 18,600 spam comments in the last week or so. The rest got handed to Akismet and it stopped several thousand more. They’ve been busy haven’t they?

So, should you use this instead of Akismet? Not a chance. This will only stop the brain dead comment spammers who use automated bots to post to the comment form. Trackback and pingback spam and spammers who either use poorly paid human slaves or browser based user agents will defeat this.

If you use a caching plugin such as WP Super Cache make sure you clear the cache after enabling this plugin. Also, I’m not sure what will happen with those plugins that merge CSS files together.

Thanks Dan for the idea!

A right tool

Scanning Gmail’s spam folder (815 emails after 2 days) is much more entertaining when I remember that all those messages about a longer tool refer to a completely different thing in Cork.

Sort of. 9 pages of spam.

I need to scan them because Gmail catches an alarming number of legitimate emails, despite all my training. Sheesh.

A pint of Guinness flavoured spam

It seems that someone signed me up for “Guinness Poker Nights” and Guinness, God bless their black hearts, saw that as an invitation to spam me in the future.

I don’t know how to play poker, I have no interest in it, I don’t like the taste of Guinness. Why didn’t Guinness ask me to confirm the invite? That would seem like the most polite thing to do. Who the hell is Conor Wiley? I bet he knows the other Donncha who told all his friends and colleagues that my gmail address was his address. I was CCed on a few very personal emails for a day or two going back a bit ..

Since that time I’ve received a couple of spam emails from Diageo, the owners of Guinness. The first one gave me a start. I wondered if Guinness had started spamming people, but then I had things to do and never investigated. Here’s the latest email from Guinness:

There is a “Privacy Policy” link but that brings you to this page where I’m asked for my location and date of birth. The form has to be filled out before reading the policy. *sigh*

The “unsubscribe” link goes to http://trc1.emv2.com/I?a=A9X7CquNqKyt8QHHs6FEYtzjJX which then redirects to www.diageobrandsunsubscribe.ie. Finally, I thought I was getting somewhere, but no. To stop them sending me more spam I must fill out my name, address and email, despite the fact that I clicked on an identifying URL in the email.

Thankfully, entering Mr. Blah Blah of 131215 and my email address into the unsubscribe form worked. I hope.

Diageo – please learn from your mistake. You should confirm invitations and registrations by email, especially when you send out marketing material.
Here’s what the Data Protection Commission says about spam. I certainly didn’t opt-in anywhere to be spammed. What do I do next?

Net in China domain spam

Early this morning I received the following email from Chinese domain registrar, “Net in China” regarding the camera club I’m a member of, Mallow Camera Club. It looks suspicious, but harmless. The worst they could do is tempt me to buy those domains through them, or could they have squatted on the domains and extracted a higher price?

Curious, I went searching, and found this post from a few days ago. It seems I’m not the only one receiving these emails. Either they’re trying to scam people, or business is going very well for Net in China!

I don’t have any interest in those domains, but I did finally register mallowcameraclub.org through Namecheap so some good came of this domain scam email!

Dear CEO,

We are the domain name registration organization in Asia, which mainly deal with international company’s in china. We have something important need to confirm with your company.

On the Dec 10, 2007, we received an application formally. One company named “Xingye Company” wanted to register following
Domain names:
mallowcameraclub.biz
mallowcameraclub.info
mallowcameraclub.cn
mallowcameraclub.com.cn
mallowcameraclub.net.cn
mallowcameraclub.org.cn
mallowcameraclub.tw
mallowcameraclub.com.tw
mallowcameraclub.hk
mallowcameraclub.mobi

Internet brand keyword:
Mallowcameraclub

Through our body.

After our initial examination, we found that the keywords and domain names applied for registration are as same as your company’s name and trademark. These days we are dealing with it. If you do not know this company, we doubt that they have other aims to buy these domain names. Now we have not finished the registration of Xingye Company yet, in order to deal with this issue better, Please contact us by telephone or email as soon as possible.

Best Regards,

Zoey Wu
——————————————————-

Sponsoring Registrar: China Net Technology Limited
Tel:00852-30593099
Fax:00852-31771520
Website: www.netinchina.com.hk
Website: www.china-net.hk

Oh wow! Bon Jovi LIVE!

Oh yeah baby! Bon Jovi are playing live at the Punchestown Racecourse on Saturday 7th June, 2008! I can’t wait! I’m so going there! Thank you MCD for spamming me! Bloody idiots.

Anyway, why spend an outrageous €76.50 when I can sit here cocooned in my nice little office away from those horrid fans and watch the videos on Youtube? Ain’t the Internet great?

Tongue firmly planted in cheek.. except the bit about MCD spamming me.