Comment Spam

Steven Roddis

The Geek Guys

Presentation contains content which may be deemed inappropriate for some viewers.
This content has been included in such context where it’s solely for an educational purpose.
Statistics are valid as of 1st March 2007, and should not be relied upon.
Viewer Discretion is Advised.

What You’ll Learn

Glossary
Statistics of Comment Spam
What is Spam
What is not Spam
[Some] Spam bots are extremely smart
Methods of Prevention
Importance of Validation
Pros and Cons CAPTCHAs
Breaking CAPTCHAs

Stuff that Wouldn’t Fit on the Last Page

Remember Accessibility
Filtering
HashCash
Getting near that magic 0α & 0β

Some Terms You Should Know

False Positive (α): –noun in the context of spam, it is marking something as spam when it is not.

False Negative (β): –noun in the context of spam, it is not marking something as spam when it is.

CAPTCHA –initialism Completely Automated Public Turing test to tell Computers and Humans Apart

Ham –adjective a non-spam message.

Statistics of Comment Spam

97% of all comments are spam
5,500,000 Spam comments every day
130,000 Ham comments every day

What is Spam

Unsolicited bulk messages.

eg._email: Lower Abdominal Enlargement Ads. :: rolls eyes ::

eg._comment: 20 posts made in the space of 2 minutes from 58.65.232.169( Hong Kong

), that contain crap such as: “Britney Spears Naked…”

What is not Spam

Something that you do not want to receive, but asked for.

eg._email: That newsletter you signed up for last month and no longer want to receive.

eg._comment: A comment that you [arbitrarily] don’t like.

[Some] Spam Bots are Extremely Smart

Most are stupid
<input type="text" name="email" />
Few Support JavaScript
Most CAPTCHAs are very easy.
Simple Math Based ones are u3br easy

Methods of Prevention

Uniqueness can help
CAPTCHA
Obfuscation
Even something simple such as “what is my first name (Steven) [INPUT]”
Filters (Like in email)
Validation

Importance of Validation

Email address that isn't valid, don't accept.
Names that contain ':', '/' etc.

What are CAPTCHAs?

Image Based: Image of a CAPTCHA

Audio:

Math: 1 + 6 = ?
ASCII:

                                *   -       ;:        /        .;
   -                                        +#`    ,           ;;
   :@@@@@@@@@@@@@;,         -              `@@@@@@@@@@@@@@@@@@@@; <               #     .;@@@+: \       \    \   #                     +`
      ,+@@;    ,;@@+`         \            ,@@:     :@@;      ;@;                      :@@@@@@@;       \               >         |    .@;
       ;@@:      .@@+                    , ;@:      :@@; .   \ +;                     ,@;`  :#@@.          /              >           ;@#`
       ;@@:       ;@@:            .        +;    =  :@@;  =    :;                    `#.     .@@,                                    `,#@:
     < ;@@:       ,@@'  >  #     \   ,     +        :@@;       .:                    :,       #@`   >                         -      : ;@+
       ;@@:  /    .@@+                              :@@;                                      #:   \                                `: .@@`
       ;@@:       :@@;           ,    >             ,@@;            _                        ;:  /                       /          :`  #@;
       ;@@:      `#@@`     \ _                      .@@; \                                  ,.                                      :   :@#
       ;@@:      '@@, /               |      +      .@@; \                                 ;@@+,          >                 -      ,.   .@@:
       :@@:   `:+@+.                                .@@;  >   \            <             `+@@@@@;        >                     |   '     +@+
       :@@@@@@@@@@:                    +            .@@'                   =            `+,  :@@@:              >                 .;     :@@`
       :@@:     :;@@;`             \                .@@+                   * +                ,@@#                  #             ;.  \  .@@;
       :@@:       .#@#`        \                    .@@+                       *          .    '@@.                              `@@@@@@@@@@#
       :@@:        :@@+                    /        .@@+                      _  -             ,@@.        -                     :;       :@@,
       :@@:         #@@,                            .@@'          >     /                      .@@.   .                         `#.   |   `@@+
  =    :@@:         '@@:    ,    /              - . .@@;                           \           .@@.                             :+         '@@`
       :@@:         '@@:                            .@@;                                 - = , :@#             *                #:         .@@:
       :@@:         #@@`  <    .                    .@@;  ,                           \        '@:                      *      ,#`          #@#
       :@@;        :@@;                             ,@@;          ,                \  #     - .@+        |            \        +;           :@@.
       ;@@+       :@@+                              :@@'    ,    +              /   :@;`     .#+`                     /       :@.           `@@;
     .:#@@@;`   :'@@:                        /    .:@@@@;:                |         :@@#:  `;@'`                             .##. |          #@@:
   .@@@@@@@@@@@@#::                             :@@@@@@@@@@+                  =   +  ,;@@@@#:.                         <  .@@@@@@@@;     :@@@@@@@@+

Pros and Cons of CAPTCHAs

Pros

Gets extremely close to the magic 0α & 0β
Well, the above really deserves two dot points.
If implemented correctly can be an annoyance that is well worth it.

Cons

Some image based ones are hard to read.
Most require relatively high cpu.
Needs alternative for text-based browsers and the vision impaired.
Just plain annoying.

Breaking CAPTCHAs

Free Porn
Session Reuse / Absence of Sessions.
Lack of Randomness
Lack of Obfusticaion

Remember Accessibility

Dude, what about me?
Audio Based
I can't read this one, and I have 20/20!
Screen Readers

Filtering

Akismet

0.2%α & 3%β
Statistics Analysis of comments around the world.

SK2 (Spam Karma 2)

0.4%α & 3%β
Uses request data to try to determine spam bots.

HashCash

Micro-payment System in the form of CPU Time
Moore’s Law (Inflation of CPU Speed)
Users without JavaScript get the short straw!
Wordpress Plugin

rel="nofollow"

For:

Creates a no-vote for the link, which stops spam links from gaining a higher rank in search engines
Blogs such as Blogger, Wordpress already have it

Against:

Spammers will continue to spam, just to try and reach sites without nofollow
Spammers will continue to spam, so that surfers will click links.

rel="nofollow" Howto

<a href="http://anne.messageboard.null/23339">discount viagra</a>

Becomes:

<a href="http://anne.messageboard.null/23339" rel="nofollow">discount viagra</a>

Few Other Tips

Display: none; Textarea
Moderate Comments with 2+ Links
Limit IPs to a certain audience(s).

Getting near that magic 0α & 0β

Spam bots are getting smarter all the time

Shameless Plugs

stevenroddis.com.au
whatsthetide.com

bye

Copyright © 2007 Steven Roddis

Comment Spam

Comment Spam

Steven Roddis

The Geek Guys

What You’ll Learn

Stuff that Wouldn’t Fit on the Last Page

Some Terms You Should Know

Statistics of Comment Spam

What is Spam

What is not Spam

[Some] Spam Bots are Extremely Smart

Methods of Prevention

Importance of Validation

What are CAPTCHAs?

Pros and Cons of CAPTCHAs

Pros

Cons

Breaking CAPTCHAs

Remember Accessibility

Filtering

Akismet

SK2 (Spam Karma 2)

HashCash

rel="nofollow"

For:

Against:

rel="nofollow" Howto

Few Other Tips

Getting near that magic 0α & 0β

Shameless Plugs