Date: Mon, 13 Feb 2006 04:17:25 +0200
From: Gadi Evron <ge@...uxbox.org>
To: bugtraq@...urityfocus.com
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Comment Spam: new trends, failing counter-measures and why it's a big deal


Recently, new bots rendered current anti spam techniques for blogs 
almost useless. Here is a short write-up on the subject of comment spam, 
referrer spam and what's currently happening in that area.

I have given a lot of thought and have done a lot of checking into the 
subject of comment spam. I came up with a few interesting findings.

If you don't run a blog (which will make you an expert) or read about 
this subject in the past, just Google it. You are all smart people. :)

Basically though, comment spam is regular spam only posted in blogs and 
other web pages where comments are possible, both for simple spamming 
economic purposes as well as to help improve ratings of different sites 
in Google and other search engines. The latter is often done by 
publicized commercial companies.

I hope by the end of this post to demonstrate how serious blog spam is 
or at the very least that it deserves some extra attention if you 
dismissed it in the past.

First off, comment spam is abuse. Abuse isn't new and as soon as a 
system shows up it will be abused. If not today, then 10 years from now.

It has long been an established yet not widely-known fact that if there 
are mistakes that can happen, they will happen. Leaving a potential 
problem alive just because no one currently exploits it is terrible, and 
yet it keeps happening.
If the power grid for a significant part of the US can go down once 
every several years, so can any other system (if going down is the worst 
that can happen).

This is only relevant to comment spam in the way it is relevant to every 
other security related issue, and why is that?
Because comment spam indeed isn't a new thing. Anyone remember how big 
guest books used to be in the previous century? :)

And what about referrer spam?

Some interesting things noticed about now newly named by me web spam / 
web content poisoning or cspam (for comment spam):

[making a point about how silly it is to give new names to spam when it 
skips a medium.. what's your favorite? spit?]

Automated spam is spam sent by a bulk-poster (taken from bulk-mailer). 
It enters web pages and posts spam.

Recently we see a serious increase in comment spam activities, namely, 
in one web page I recently started to help maintain we get over 1000 
spam comments a day. I won't even start discussing the referrer spam 
poisoning we get.

The spam is no longer sent from just one IP address or even just a few. 
Botnets are indeed blossoming in this field.

Recently, there has been a serious increase in spam, coupled with the 
fact that it passes current spam detection techniques (such as 
black-listing for IP addresses and spammed domains, Javascript Captchas, 
number of URLs in a comment, keywords - useless anyway, some user 
Captchas, etc.).

Apparently, there is a new bot out there which passes these successful 
defenses. Further, anti spam technology in this realm is in no way 
mature or tried. Mostly it is heroic and very impressive efforts done by 
people because they are annoyed by the spam in their blog.
So far it has been rather successful though, but that success window is 
running out.

As an example, spammers started posting in a technique which quotes the 
last paragraph of your text, or starts the post with something relevant 
and then adds:
"Oh, by the way, have you tried Viagra?"

On other occasions we see spam posts that would detail how the guy 
searched the web for law related stuff, but ended up here. BTW, if you 
are also interested in law... check out this page!

My all-time favorites are the posts that say:
"Great blog! Keep up the good work!"
"I liked what you've done here, keep it up!"

Etc. Entering the spam URL as their homepage, which is clickable from 
their nickname.

Recently we have even seen one post that had:
"Where do I find the RSS feed for this blog?"

Sometimes it is very difficult to avoid false positives even with a 
skilled human doing this full-time.
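As an added illustration (not part of Gadi's post), the following Python scorer applies the checks he lists above, URL count in the body, domain and IP blacklists and keyword matching, to constructed comments shaped like the ones he quotes. Every domain (the reserved ".invalid" TLD), IP address (RFC 5737 documentation ranges) and comment text is made up for this example. The optional `strict` rule, also an assumption of this example rather than anything from the post, flags a short generic-praise comment whose only link is the commenter's homepage; running it over a genuine reader's comment shows the false-positive problem the post describes.

```python
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Constructed data for this example: ".invalid" domains and RFC 5737 addresses
# never resolve to anything real.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
BLACKLISTED_DOMAINS: FrozenSet[str] = frozenset({"cheap-pills.invalid"})
BLACKLISTED_IPS: FrozenSet[str] = frozenset({"192.0.2.10"})
SPAM_KEYWORDS = ("viagra", "pharmacy")
# Phrases from the generic-praise comments quoted in the post.
GENERIC_PRAISE = ("great blog", "keep up the good work", "keep it up", "liked what you")
SPAM_THRESHOLD = 3


@dataclass
class Comment:
    nickname: str
    homepage: str          # URL the blog attaches to the nickname (may be empty)
    body: str
    source_ip: str


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def domain_of(url: str) -> str:
    """Lower-cased host part of an http(s) URL, or '' if it is not one."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def score_comment(c: Comment, strict: bool = False) -> Verdict:
    """Apply the classic counter-measures from the post and return a scored verdict."""
    v = Verdict()
    body_urls = URL_RE.findall(c.body)
    if len(body_urls) > 2:                       # "number of URLs in comment"
        v.hit(2, f"{len(body_urls)} URLs in body")
    # "spammed domains" blacklist, applied to body links and the homepage link
    for d in {domain_of(u) for u in body_urls + [c.homepage]} - {""}:
        if d in BLACKLISTED_DOMAINS:
            v.hit(3, f"blacklisted domain {d}")
    lowered = c.body.lower()
    for kw in SPAM_KEYWORDS:                     # "key words - useless anyway"
        if kw in lowered:
            v.hit(2, f"keyword {kw!r}")
    if c.source_ip in BLACKLISTED_IPS:           # "black-listing for IP addresses"
        v.hit(3, f"blacklisted source {c.source_ip}")
    # Hypothetical extra rule: generic praise carrying only a homepage link.
    if strict and c.homepage and any(p in lowered for p in GENERIC_PRAISE):
        v.hit(3, "generic praise with homepage link")
    return v


def is_spam(c: Comment, strict: bool = False) -> bool:
    return score_comment(c, strict).score >= SPAM_THRESHOLD


# Constructed samples: a crude pharmacy post, a bot comment of the kind the post
# quotes (homepage link only, fresh domain), and a genuine reader comment.
CRUDE = Comment("buyer", "",
                "Best online pharmacy: http://cheap-pills.invalid/ "
                "http://cheap-pills.invalid/a http://cheap-pills.invalid/b",
                "192.0.2.10")
PRAISE_BOT = Comment("Anna", "http://fresh-domain-42.invalid/",
                     "Great blog! Keep up the good work!", "198.51.100.7")
GENUINE = Comment("Bob", "http://bobs-homepage.invalid/",
                  "I liked what you've done here, keep it up!", "203.0.113.5")


def classify_samples() -> dict:
    """Verdicts for the three samples with the basic and the strict rule set."""
    return {
        "crude": is_spam(CRUDE),
        "praise_bot": is_spam(PRAISE_BOT),
        "praise_bot_strict": is_spam(PRAISE_BOT, strict=True),
        "genuine_strict": is_spam(GENUINE, strict=True),
    }


if __name__ == "__main__":
    for name, c in (("crude", CRUDE), ("praise_bot", PRAISE_BOT), ("genuine", GENUINE)):
        for strict in (False, True):
            v = score_comment(c, strict)
            print(f"{name:10} strict={strict!s:5} score={v.score:2} {v.reasons}")
```

The crude sample trips every rule, the generic-praise bot comment scores zero under the basic rules because its only link sits in the homepage field of an unknown domain, and the strict rule that catches it also catches the genuine reader's comment, which is exactly the trade-off a human moderator ends up arbitrating.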

Another type of spam we see, is the manual spam.
People enter the web page with their actual browser and type the spam 
manually. How much does a skilled illegal alien worker cost per day?

One such spam was recently posted on the site I mentioned (guess which 
one) in a blog entry about Symantec. It talked of Symantec and suddenly 
changed tones and said that their anti spam (of all things), failed 
them. It suggested using a competitor which worked for them.

When looking at the attacking bots, what we mostly find these days are:
45% open proxies
40% compromised machines
10% misc
5%  unknown

(I haven't actually calculated the numbers, but that's roughly right)

Misc being anything from a completely open installation of a VNC server 
to.. your guess is as good as mine.

Examples of captured spam and Google-poisoning attempts are 
abundant, so I won't bore you. Suffice to say every blog gets very 
specific spam surrounding its topic, as well as the usual peaks in this 
or that type of spam. Lately the house special is pharmacy spam.

Referrer spam is still mostly about porn.

Looking at gangs, we managed, as an example, to identify a very big 
eastern European gang (probably one noisy guy or gal), but when they 
noticed our attention they disappeared for a while.

Another important point to make is the domains used. Much like with 
email spam, these change very frequently and seem to be registered in 
bulk. I don't doubt these are the same people.

I am now talking with many who are active in this field, and we are 
establishing a working group/mailing list to address these issues 
mitigation-wise operationally, as well as research into new trends, bad 
guys, etc.

Some of the already proposed solutions that we are working on are better 
blacklisting services, combining different types of such poisoning in 
web applications from comments to referrers and other things I'd rather 
not discuss right now until they are a bit clearer.

I hope I managed to convince some people of how big this really is. We 
all heard of blog spam, I and many people around me just didn't realize 
the scale until we started working on it.

I figured it's time to let others know as well.

Something can be done about this now to make it less of a threat in 
coming years. I bet most of us would wait until we have to kill it as a 
fire, so that it keeps undergoing evolution and comes back to haunt us.

If I didn't convince you yet of the risks, there have already been 
successful worms exploiting such techniques, some examples:
http://blogs.securiteam.com/index.php/archives/180
http://blogs.securiteam.com/index.php/archives/166

I will update on my (and our) findings on this subject on the SecuriTeam 
Blogs site (http://blogs.securiteam.com/).

This quick & dirty write-up can be found here:
http://blogs.securiteam.com/index.php/archives/285

	Gadi Evron.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/