Tricky forumspam
Expect forum spam to get more and more tricky. Before soon, you might have to read the source code, or use a Firefox extension that marks links, no matter what they’re hidden behind. Here are two recent attempts to spam a forum I moderate:
This one has the spammy links hidden under the comma and period. It’s a bland enough topic it would fit into any “General discussion” subforum. I found other forums where it had slid through. On some forums, the links aren’t underlined, and would be almost impossible to catch. It’s sparked discussions on some forums, with users thinking it’s a regular post. The mark of a good spam, I suppose, and it’s also why I turn the spotlight on it - users and moderators need to be made aware of how much spam there really is on forums.
This one has the spammy link hidden behind the smiley. It’s the kind of topic you see a lot of on forums, so it would get through most moderator nets. I ran my mousepointer over the whole post, looking for spam links, which is how I found out it was spam.
Since I talked about that spam, I thought I should run it down as well. It’s a blogspot link with a very basic javascript redirect going directly to the affiliate scheme: topadult10 ID: 35875. The comma spammer also had blogspot links with basic redirects, this time going to a keyword on spammy advertising portal tissuepain.com (which was previously spamvertized directly. Google reports 17.800 pages from that domain!), which is on 64.111.207.10. That IP number might hold multiple customers of HaldexHost in Ukraine. But many domains hold the same (fake looking) whois that’s on a similar format as tissuepain. And many domains have similar topics. Not all domains are in use, though. So it’s hard to say…
Whois (probably fake) for tissuepain.com:
Harris Alexander (info@tissuepain.com)
224 East 64th Street
New York
NY,10021
US
Tel. +1.9178056791
Creation Date: 26-Mar-2005
Expiration Date: 26-Mar-2007
Domain servers in listed order:
ns1.333210.com
ns2.333210.com
I also found that the McAfee Siteadvisor was showing links from that site to other sites on adjacent IP numbers:
buy-cheap-zithromax.info - 64.111.207.11
trancemusics.com - 64.111.207.10 - 21,200 results in Google
buy-cheap-bextra.info - 64.111.207.10
zoloftcheap.com - 64.111.207.12 - 17.500 results in Google
buy-cheap-steroids.info - 64.111.207.12
On another note: I’m working on a project these days that monopolizes a lot of my creative energies, so I won’t be posting as much for a few weeks. I’ll be monitoring the site as usual.
October 20th, 2006 at 8:54 am
You should really think about using Opera. It has a “links panel” that lists all the links on the current page. These can easily be sorted and a spammy link will stick out. At least it will stick out more than a link hidden behind a smiley.
October 20th, 2006 at 11:05 am
Wiki spammers were using a similar technique a while back. They were linking existing punctuation on pages to their sites. I think that mostly died out since it isn’t as simple as just filling in blank forms with their spam.
October 24th, 2006 at 6:21 am
This is actually a pretty old trick, and with vbulletin you can prevent it using a mod that restricts new members from posting new links.
Generally, forum spammers aren’t keen to invest time and effort getting around such restrictions.
I’ve posted up a fairly comprehensive guide to forum spam prevention on Security Watch, but as I don’t want to be seen to be spamming links, I’ll just let you follow the link in my name, above.
October 24th, 2006 at 6:24 am
Gosh Brian, I totally forgot I was going to write about your forum!
Could you please post the exact link to that guide?Think I found it:
http://www.securitywatch.co.uk/forum-spam/how-fight-forum-spamming-222.html
October 24th, 2006 at 2:56 pm
Feel free to comment on it - just posted something on blogspam as well in the blogs section.
October 24th, 2006 at 2:57 pm
Whoops - sounded a little short - long day.
What I meant is, if you see anything on SW you want to comment/criticise, either here or there, feel free to do so. Happy to take the input.
October 26th, 2006 at 10:23 am
I had someone post some spam on the proxy2 forums. This person had gone to all the trouble of making the links colour match the background colour. Sad, very sad. I now use UNB for my main sites forum and SMF for the Lazarus forum as both have CAPTCHA for guest posters (SMF CAPTCHA is a mod package). There is also a mod for SMF that stops guests from posting urls.
October 31st, 2006 at 6:58 am
Instead of putting someth…@something.com as a public email address on your web pages, use a unique URL address.
The real email address is always hidden , even to spammers because it is stored in the database behind the URL.
You can keep replying through the revolving email reply system without revealing your real email address.
Because these contact addresses are URL’s , they cannot be harvested by automatic spammers looking to a pick your email address off web sites.
People can get a free email URL on www.morgle.com
November 3rd, 2006 at 5:38 am
To morgleman:
For those who rely on free websites, this might be a wonderful service. However, for those with their own domains, and real servers, I don’t see it as a good idea. Basically, you need to have your own branded e-mail address - using your own domain. And although it’s not all the functionality yours does, essentially, a mailform with the e-mail address encoded into the script, not the form, does the job - better in my opinion.