The majority of comment spam comes from just a small percentage of attackers but can be effectively combatted if they are identified and blocked early on, according to a new report from Imperva.
The datacenter security firm’s Anatomy of Comment Spam report, released today, deals with the growing problem of unwanted comments left on forums, blogs, websites, guest books and other platforms.
The primary motivation on the part of the spammers is SEO, so that they can lift a promoted site higher in the search rankings by generating a large volume of back links.
These sites can then be used for advertising or malware distribution.
Comment spam is also sometimes used for click fraud, Imperva said.
The firm said it monitored over 60 applications over a two week period in September last year. It found that the majority of comment spam was generated by just 17% of spammers, with 58% remaining active for “long periods”.
Imperva revealed three main stages to a typical comment spam campaign – which are automated thanks to a variety of readily available tools.
The first is target acquisition, which involves “URL harvesting” to identify “quality vulnerable websites” on which to post comments.
Next up comes the posting of comments themselves, using tools like “Comment Blaster” for generating text, then ScrapeBox or similar to solve Captcha challenges.
Finally comes verification of whether a comment has been posted or not.
There are various mitigation techniques web owners can use to reduce the risk of comment spam, including content inspection, source reputation, manual inspection and “anti-automation”. The latter involves using either Captcha or regularly changing the HTTP field name for the check box used to indicate a user wants to post a comment.
Imperva also pointed to “demotivation”, a technique designed to make comment spam useless.
“This can be achieved by the follow/nofollow value that can be assigned to the ‘rel’ attribute of an HTML anchor (<A>) element which defines a hyperlink8,” the report explained.
“It specifies whether a link should be followed by the search engine’s indexing algorithm. Setting the ‘nofollow’ value for posted comments decreases the comment spam motivation.”
Imperva advised web owners to identify comment spam as early on as possible and block requests, using IP reputation as one technique, to prevent the majority of malicious activity.
However, the report also warned that spammers are bypassing reputation controls based on IP address by creating web proxies on Google App Engine – thus ensuring they are whitelisted.