The First Comment Spam-Bot has Arrived

Posted by Hans de Ruiter

It was inevitable that eventually someone would post spam as comments to this blog. Today, the first spam-bot that is designed to post comments arrived. The log entries are:

64.92.161.114 - - [15/Aug/2008:18:46:23 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 23253 "-" "Vycapbwdz ldpeqt vrdfnult"
80.86.201.170 - - [15/Aug/2008:18:46:55 -0400] "POST /how-often-can-you-read-the-same-news-but-different/?executeForm=PageComments.PostCommentForm HTTP/1.1" 302 5 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Aqogyr uvsp wlbyr"
64.92.161.114 - - [15/Aug/2008:18:47:04 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 23559 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Aqogyr uvsp wlbyr"
64.92.161.114 - - [15/Aug/2008:18:47:05 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 23558 "-" "Fezklo aqvtnl awrh"
201.208.7.84 - - [15/Aug/2008:18:47:09 -0400] "POST /how-often-can-you-read-the-same-news-but-different/?executeForm=PageComments.PostCommentForm HTTP/1.1" 302 5 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Btgslzimp radyex cqkrybif"
64.92.161.114 - - [15/Aug/2008:18:47:10 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 23889 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Btgslzimp radyex cqkrybif"
64.92.161.114 - - [15/Aug/2008:18:47:11 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 23889 "-" "Mgyavfd jdzlrnip zitxw"
91.192.46.1 - - [15/Aug/2008:18:47:33 -0400] "POST /how-often-can-you-read-the-same-news-but-different/?executeForm=PageComments.PostCommentForm HTTP/1.1" 302 5 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Uxrd klndqzpj gwvm"
64.92.161.114 - - [15/Aug/2008:18:47:34 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 24264 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Uxrd klndqzpj gwvm"
64.92.161.114 - - [15/Aug/2008:18:47:35 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 24264 "-" "Aqhjmg ibezw ymhwxt"
202.159.220.139 - - [15/Aug/2008:18:47:57 -0400] "POST /how-often-can-you-read-the-same-news-but-different/?executeForm=PageComments.PostCommentForm HTTP/1.1" 302 5 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Jhqan prbkq rbqhv"
64.92.161.114 - - [15/Aug/2008:18:48:07 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 24622 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Jhqan prbkq rbqhv"
64.92.161.114 - - [15/Aug/2008:18:48:08 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 24622 "-" "Iknhyj kfqid ibxqwk"
8.12.43.98 - - [15/Aug/2008:18:48:34 -0400] "POST /how-often-can-you-read-the-same-news-but-different/?executeForm=PageComments.PostCommentForm HTTP/1.1" 302 5 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Qadoj urlzxs juvlpedk"
64.92.161.114 - - [15/Aug/2008:18:48:35 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 24982 "http://hdrlab.org.nz/how-often-can-you-read-the-same-news-but-different" "Qadoj urlzxs juvlpedk"
64.92.161.114 - - [15/Aug/2008:18:48:36 -0400] "GET /how-often-can-you-read-the-same-news-but-different HTTP/1.1" 200 24981 "-" "Wqtgsk fhznqetyv lmatewf"

Note the nonsensical user agent (between the last set of quotes). Another insteresting item is that each comment post is performed by a different IP address, interspersed with reads by a single IP address. Could this be a bot-net? It would seem like a bit of a waste to hack into a set of computers, turn them in to ""zombies" and then simply get them to post five comments to someone's blog. Nevertheless, somehow multiple comments were posted from multiple IP addresses in a coordinated fashion.

I have deleted the comments. However, it is clear that I will probably have to install some kind of anti-spam software into this blog. Akismet is an anti-spam service that is supported by Silverstripe (the CMS used by this website) and looks like it could be up to the task. I have no desire to continually have to delete comments from this website. There are much more interesting things to do in life.

Comments (0) | 15 August 2008