Most of you probably already know. Let me say it again anyway:

Project Honeypot is now tracking comment spammers and (here's the really interesting part) offers a IP-based RBL that can be used to fight link spam. Simply check your visitors' IP addresses against the http:BL and send away any matching addresses.

You have to have an active honeypot on one of your sites to be able to participate, but anyone should have one anyway.

Although I cannot find any official figures, it seems to me that the list of comment spammers is growing very fast. I didn't catch many spammers with the http:BL in the first couple of days after implementing it on the chongqed.org wiki, but now I am seeing many many more being caught by a simple IP-lookup.

You can check out our CaughtSpam page to see the effect.

¶ 12:10   0 comments

Another update, if you will. blogspot.com is notorious for its splogs.

The chongqed.org database currently lists 2101 splogs on blogspot.com. I hacked a little perl script that would query them all to see which ones now return a 404 (which unfortunately does not mean that they are no longer spamvertized).

Here are the results: 1082 of those 2101 splogs no longer exist.

That's not as bad as I had expected, but 1019 splogs that are in our database and yet still active aren't very reassuring either.

¶ 11:48   0 comments

Here's an update on the spam flood we've been seeing on .edu domains.

Although the rate of new spamvertized .edu domains has somewhat slowed down, we are still seeing new spam. Much, if not all, of it is sent through botnets, but the spamming characteristics differ a bit:

• There's the moderate html spam which you can see on the spammy revisions of this wiki page. The spam is formatted in html with a-href tags and is sent out with a moderate frequency.
• There's the brutal html spam which uses different form elements for the pay load, which is still html-formatted (Example).
• And finally, we have the massive forum spam: this one is formatted to create valid links on web forums and the spammer seems to be posting each link he owns with each spammy post.

And here's a list of the .edu domains I could find among all the crap.

• abbc.edu
• academics.smcvt.edu
• applyforit.ucsd.edu
• bbs.cuesta.edu
• bio.research.ucsc.edu
• boole.cs.iastate.edu
• cahn.mnsu.edu
• chaucer.umuc.edu
• ctl.csudh.edu
• cosmicray.umd.edu
• courses.csusm.edu
• cscserver.cc.edu
• dental.gulfcoast.edu
• discussions.csbsju.edu
• ecomm1.csug.rochester.edu
• edonline.ua.edu
• education.beta.edgewood.edu
• education.uncc.edu
• escher.isis.vanderbilt.edu
• faculty.deanza.fhda.edu
• faculty.etsu.edu
• faculty.hope.edu
• faculty.oxy.edu
• faculty.ugf.edu
• faculty.whatcom.ctc.edu
• facweb.cs.depaul.edu
• forum.kharkiv.edu
• groups.ku.edu
• hal.engr.smu.edu
• hcgs.unh.edu
• intra.som.umass.edu
• intranet.education.umn.edu
• itp.nyu.edu
• journal.eepis-its.edu
• kelley.iu.edu
• kybele.psych.cornell.edu
• lincweb.cacs.louisiana.edu
• list.eng.utah.edu
• lists.gatech.edu
• main.g2.bx.psu.edu
• manila.tntech.edu
• meweb.ecn.purdue.edu
• modlang.boisestate.edu
• nsstc.uah.edu
• orgs.indianatech.edu
• pec1.jun.alaska.edu
• people.msoe.edu
• reshall.iweb.bsu.edu
• scripts-cert.mit.edu
• sensorscity.marshall.edu
• seo.ohsu.edu
• sg.wilkes.edu
• socsci.mccneb.edu
• staff.jccc.edu
• sts.ucsd.edu
• sudanportal.mrcc.aast.edu
• uwacadweb.uwyo.edu
• vets.appliedphysics.swri.edu
• vue.uit.tufts.edu
• web.missouri.edu
• web.scc.losrios.edu
• web.skku.edu
• wsuonline.weber.edu
• wuconweb.wustl.edu
• www2.cs.washington.edu
• www4.vjc.edu
• www.aet.cup.edu
• www.ags.uci.edu
• www.chaco.gov.ar
• www.coe.ohio-state.edu
• www.csulb.edu
• www.cucsur.udg.mx
• www.depts.ttu.edu
• www.grad.english.ttu.edu
• www.hcs.harvard.edu
• www.imperial.edu
• www.isis.vanderbilt.edu
• www.jhu.edu
• www.leal-alfa.upc.edu
• www.ns.ui.edu
• www.oswego.edu
• www.oznet.ksu.edu
• www.polisci.berkeley.edu
• www.rit.edu
• www.rso.cmich.edu
• www.sccs.swarthmore.edu
• www.tamug.edu
• www.ug.it.usyd.edu.au
• www.uky.edu
• www.wvup.edu
• xnews.soad.umich.edu

If you know anyone working as an admin in one of those institutions, please contact him or her. Tell them to secure their crappy forums and webinars. Please.

¶ 11:19   0 comments

I don't remember exactly when it started, somewhen in late April, I guess. But we are currently seeing a flood of wiki spam where the links all point to .edu domains.

It seems to me like the spammer was specifically looking for a certain message board software that is very popular in the .edu world. He then posted spammy articles on those boards and then went on to spam the hell out of wikis, blogs and every other web form he could find.

Here's one example, hosted on tesl.tcnj.edu. New .edu sites turn up every day, this one is one of the older ones thus the spam has already been indexed by Google.

I've sent a good number of abuse complaints to the contact addresses of those .edu domains, but I've received very few replies. I have the impression that many of those discussion boards were set up by university staff that has since moved on to other jobs. Their email accounts are now dead and nobody bothers to clean up their old web space.

Since the spam is so aggressive and mostly points at subdomains, I decided to add those domains to our blacklist.

If you are looking for more examples, take a look at this revision history of a page on our wiki that doesn't even exist. Pretty shocking.

¶ 14:04   0 comments