Message-ID: <43EFEC35.8070407@linuxbox.org>
Date: Mon, 13 Feb 2006 04:17:25 +0200
From: Gadi Evron <ge@...uxbox.org>
To: bugtraq@...urityfocus.com
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Comment Spam: new trends, failing counter-measures and why it's a big deal
Recently, new bots rendered current anti-spam techniques for blogs
almost useless. Here is a short write-up on the subject of comment spam,
referrer spam and what's currently happening in that area.
I have given a lot of thought and have done a lot of checking into the
subject of comment spam. I came up with a few interesting findings.
If you don't run a blog (which will make you an expert) or haven't read about
this subject in the past, just Google it. You are all smart people. :)
Basically though, comment spam is regular spam only posted in blogs and
other web pages where comments are possible, both for simple spamming
economic purposes as well as to help improve ratings of different sites
in Google and other search engines. The latter is often done by
publicized commercial companies.
I hope by the end of this post to demonstrate how serious blog spam is
or at the very least that it deserves some extra attention if you
dismissed it in the past.
First off, comment spam is abuse. Abuse isn't new and as soon as a
system shows up it will be abused. If not today, then 10 years from now.
It has long been an established yet not widely-known fact that if there
are mistakes that can happen, they will happen. Leaving a potential
problem alive just because no one currently exploits it is terrible, and
yet it keeps happening.
If the power grid for a significant part of the US can go down once
every several years, so can any other system (if going down is the worst
that can happen).
This is only relevant to comment spam in the way it is relevant to every
other security related issue, and why is that?
Because comment spam indeed isn't a new thing. Does anyone remember how big
guest books used to be in the previous century? :)
And what about referrer spam?
Some interesting things I noticed about what I have now newly named web spam /
web content poisoning or cspam (for comment spam):
[making a point about how silly it is to give new names to spam when it
skips a medium... what's your favorite? spit?]
Automated spam is spam sent by a bulk-poster (taken from bulk-mailer).
It enters web pages and posts spam.
Recently we see a serious increase in comment spam activities, namely,
in one web page I recently started to help maintain we get over 1000
spam comments a day. I won't even start discussing the referrer spam
poisoning we get.
The spam is no longer sent from just one IP address or even just a few.
Botnets are indeed blossoming in this field.
Recently, there has been a serious increase in spam, coupled with the
fact that it passes current spam detection techniques (such as
black-listing for IP addresses and spammed domains, Javascript Captchas,
number of URLs in a comment, key words - useless anyway, some user
Captchas, etc.).
Apparently, there is a new bot out there which passes these successful
defenses. Further, anti-spam technology in this realm is in no way
mature or tried. Mostly it is heroic and very impressive efforts done by
people because they are annoyed by the spam in their blog.
So far it has been rather successful though, but that success window is
running out.
As an example, spammers started posting in a technique which quotes the
last paragraph of your text, or starts the post with something relevant
and then adds:
"Oh, by the way, have you tried Viagra?"
On other occasions we see spam posts that would detail how the guy
searched the web for law related stuff, but ended up here. BTW, if you
are also interested in law... check out this page!
My all-time favorites are the posts that say:
"Great blog! Keep up the good work!"
"I liked what you've done here, keep it up!"
Etc., entering the spam URL as their homepage, which is clickable from
their nickname.
Recently we have even seen one post that had:
"Where do I find the RSS feed for this blog?"
Sometimes it is very difficult to avoid false positives even with a
skilled human doing this full-time.
Another type of spam we see is the manual spam.
People enter the web page with their actual browser and type the spam
manually. How much does a skilled illegal alien worker cost per day?
One such spam was recently posted on the site I mentioned (guess which
one) in a blog entry about Symantec. It talked of Symantec and suddenly
changed tones and said that their anti spam (of all things), failed
them. It suggested using a competitor which worked for them.
When looking at the attacking bots, what we mostly find these days are:
45% open proxies
40% compromised machines
10% misc
5% unknown
(I haven't actually calculated the numbers, but that's roughly right)
Misc being anything from a completely open installation of a VNC server
to.. your guess is as good as mine.
Examples of captured spam and Google-poisoning attempts are
abundant, so I won't bore you. Suffice to say every blog gets very
specific spam surrounding its topic, as well as the usual peaks in this
or that type of spam. Lately the house special is pharmacy spam.
Referrer spam is still mostly about porn.
Looking at gangs, we managed, as an example, to identify a very big
eastern European gang (probably one noisy guy or gal), but when they
noticed our attention they disappeared for a while.
Another important point to make is the domains used. Much like with
email spam, these change very frequently and seem to be registered in
bulk. I don't doubt these are the same people.
I am now talking with many who are active in this field, and we are
establishing a working group/mailing list to address these issues
mitigation-wise operationally, as well as research into new trends, bad
guys, etc.
Some of the already proposed solutions that we are working on are better
blacklisting services, combining different types of such poisoning in
web applications from comments to referrers and other things I'd rather
not discuss right now until they are a bit clearer.
I hope I managed to convince some people of how big this really is. We
have all heard of blog spam; I and many people around me just didn't realize
the scale until we started working on it.
I figured it's time to let others know as well.
Something can be done about this now to make it less of a threat in
coming years. I bet most of us would wait until we have to put it out like a
fire, so that it keeps undergoing evolution and comes back to haunt us.
If I didn't convince you yet of the risks, there have already been
successful worms exploiting such techniques, some examples:
http://blogs.securiteam.com/index.php/archives/180
http://blogs.securiteam.com/index.php/archives/166
I will update on my (and our) findings on this subject on the SecuriTeam
Blogs site (http://blogs.securiteam.com/).
This quick & dirty write-up can be found here:
http://blogs.securiteam.com/index.php/archives/285
Gadi Evron.
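The countermeasures the post lists (IP and domain blacklists, URL counting, keyword checks) and the evasion patterns it describes (a quoted paragraph followed by a pharmacy pitch, generic praise with a clickable homepage) side by side, as an added example that is not part of the original post: a small Python scorer run over constructed comments, where the blocklist entries, domains and addresses are placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed blocklists and samples (placeholders, not real indicators).
BLOCKED_IPS = {"203.0.113.7"}
BLOCKED_DOMAINS = {"pills.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
PRAISE_RE = re.compile(r"\b(great blog|keep (it|up the good work)|nice site)\b", re.I)
PHARMA_RE = re.compile(r"\b(viagra|cialis|pharmacy)\b", re.I)

def domain_of(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def quotes_post(body, post_text, min_words=8):
    """True if the comment reuses min_words consecutive words of the post verbatim."""
    words = post_text.lower().split()
    body_l = " ".join(body.lower().split())
    return any(" ".join(words[i:i + min_words]) in body_l
               for i in range(len(words) - min_words + 1))

def score_comment(c, post_text):
    """Score one comment (dict with ip, homepage, body); returns (score, reasons)."""
    urls = URL_RE.findall(c["body"])
    domains = {domain_of(u) for u in urls}
    if c.get("homepage"):  # the clickable nickname link counts as a URL too
        domains.add(domain_of(c["homepage"]))
    checks = [
        (c["ip"] in BLOCKED_IPS, 5, "ip-blocklist"),
        (bool(domains & BLOCKED_DOMAINS), 5, "domain-blocklist"),
        (len(urls) >= 3, 3, "many-urls"),  # evaded when the body carries no URL
        (quotes_post(c["body"], post_text), 3, "quotes-post"),
        (bool(PRAISE_RE.search(c["body"])) and bool(c.get("homepage")), 2, "praise-with-link"),
        (bool(PHARMA_RE.search(c["body"])), 1, "keyword"),  # weak on its own
    ]
    hits = [(w, label) for hit, w, label in checks if hit]
    return sum(w for w, _ in hits), [label for _, label in hits]

SAMPLE_POST = ("We looked at how the worm spread through trackbacks and "
               "referrers before the hosts cleaned up their installations.")
SAMPLE_COMMENTS = [  # constructed comments, one per pattern from the post
    {"ip": "203.0.113.7", "homepage": None, "body": "Cheap pharmacy deals "
     "http://pills.example/a http://pills.example/b http://pills.example/c"},
    {"ip": "198.51.100.3", "homepage": "http://www.pills.example/", "body": "We looked at "
     "how the worm spread through trackbacks and referrers before the hosts cleaned up. "
     "Oh, by the way, have you tried Viagra?"},
    {"ip": "198.51.100.4", "homepage": "http://somewhere.example/", "body": "Great blog! Keep up the good work!"},
    {"ip": "198.51.100.5", "homepage": None, "body": "Did the trackback spam stop after you disabled referrer display?"},
]
```

The quoted-paragraph comment carries no URL in its body, so the URL-count check misses it and the homepage domain plus the verbatim-quote check carry the decision; the bare praise comment scores only 2, which is the false-positive trade-off the post describes when no blacklist hit backs it up.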