Social engineering in comment spam

A comment made on a previous posting:

“I googled for something completely different, but found your page… and have to say thanks. nice read.”

Wouldn’t you immediately hit the “approve” button?

In this case, the comment poster’s URL pointed to http://otaro.co.uk/, a page full of “cheap car hire” ads and links. Ironically, the poster’s email was the confidence-building “please.no.spam@otaro.co.uk”. But the best part, of course, was the combination of “I googled for something completely different” (so you don’t expect me to write anything relevant) and “have to say thanks, nice read” (so you approve in a wink). The blogger’s ego… the weakest spot in comment spam protection.

Now this was a simple one, because the hurried spammer left his link load on the first script run. A more patient strategy would have been to build confidence in the targeted blogs by not giving away his intentions immediately. Lots of blogs (at least WordPress blogs) hold comments from unknown posters (IPs, mail addresses…) in moderation by default. Once a comment is approved, the poster is whitelisted. The technique would work at the level of individual blogs and, when smart enough to fool lots of users, maybe even against systems using the kind of collaborative filtering used in Akismet.

So you’d better think twice before approving another vague “thank-you” or “great reading” post…
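One way to keep a single approval from becoming a standing whitelist entry, as an added example that is not part of the original post and is not WordPress or Akismet code: prior approval only counts while the author URL stays the same, and any link in the body or a comment with no topical overlap with the post goes back to moderation. The function names, reason strings and `.example` domains are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

STOPWORDS = {"the", "and", "but", "for", "you", "your", "have", "say", "this", "that"}
URL_RE = re.compile(r"https?://\S+", re.I)

def tokens(text):
    """Lowercased content words longer than two letters, stopwords removed."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {w for w in words if len(w) > 2 and w not in STOPWORDS}

def domain(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def moderate(comment, post_text, approved_history):
    """Return ("approve" | "hold", reasons); approved_history holds the
    same author's earlier approved comments (empty for an unknown poster)."""
    reasons = []
    if not approved_history:
        reasons.append("first comment from this author")
    elif domain(comment["url"]) not in {domain(c["url"]) for c in approved_history}:
        reasons.append("author URL changed since approval")
    if URL_RE.search(comment["body"]):
        reasons.append("link in body")
    if not tokens(comment["body"]) & tokens(post_text):
        reasons.append("no overlap with post content")
    return ("hold" if reasons else "approve", reasons)

# Constructed sample data (not taken from a real moderation queue).
POST = "Notes on configuring Akismet and moderation queues for WordPress comment spam."
PRAISE = {"url": "http://ads.example/", "body":
          "I googled for something completely different, but found your page… "
          "and have to say thanks. nice read."}
EARLIER = {"url": "http://blog.example/", "body":
           "Akismet catches most of my comment spam; moderation handles the rest."}
SWITCHED = {"url": "http://ads.example/", "body":
            "Good point about Akismet, see http://ads.example/cheap-car-hire"}
RETURNING = {"url": "http://www.blog.example/", "body":
             "The moderation queue in WordPress saved me again this week."}

if __name__ == "__main__":
    for name, c, hist in [("praise", PRAISE, []), ("switched", SWITCHED, [EARLIER]),
                          ("returning", RETURNING, [EARLIER])]:
        print(name, moderate(c, POST, hist))
```

The word-overlap check is a coarse aid for the human moderator, not a classifier: it flags praise that could have been posted under any article, which is exactly the property the comment above relied on.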

BTW: Seo BlackHat is an interesting (and entertaining!) resource on all kinds of web spam – he hasn’t written on this yet, so maybe it was his? :-)

16 Responses to “Social engineering in comment spam”

  1. quadszilla Says:

    I googled for something completely different, but found your page… and have to say thanks. nice read.

    ;)

    Wasn’t me, but I’ll trackback to this article in the next few days.

    -q

  2. SEO Black Hat: Black Hat SEO BlogSocial Engineering in Comment Spam Says:

    […] m SEO Black Hat Homepage I went over to pascal vanhecke’s weblog to read Social Engineering in Comment Spam: “I Googled for something comple […]

  3. Otaro Says:

    No it wasn’t him. But impressive that you think of him. Pretty good branding I would say.

    Sorry for spamming you, I see you’re using nofollow anyway – so it made absolutely no sense to spam you. I think I have to fix the script a little bit… it’s not easy to recognize this automatically. But I’ll try hard.

  4. Pascal Says:

    The summum of social engineering: apologising for spam!
    I couldn’t but approve this last comment :-)

    The IP addresses of the original deleted comment (84.159.231.250) and this last one (84.159.205.96) come from the same (dial-in) network, so I assume it is the same person… you can still add them to your comment blacklist!

  5. Greg Says:

    I googled for “I googled for something completely different” and found this page ;)

    I get a lot of those spam comments in my moderation, and don’t bother to approve them. Interesting that Mr. Otaro stopped by here to say hi.

  6. Jeremiah Zabal Says:

    I Googled for “i googled for something completely different” because I got the same fishy comment:

    i googled for something completely different, but found your page… and have to say thanks. i like your site.

    Then I found your page, which confirmed my hunch… and have to say thanks.
    Mine linked to a similar site with travel links, but it was in German.

  7. Ed Kohler Says:

    Clearly, spammers don’t have to be too sophisticated with their spamming tactics because the average blog owner will easily approve such comments. They obviously put some thought into getting inside the mind of a blog owner, which probably has increased their approval rate, but taking the time to build credibility with blog owners simply isn’t necessary for achieving the results they’re after.

  8. Vit Brunner Says:

    Oh… what a nice idea… can I try it here? ;-)

  9. Jonathan Says:

    “The blogger’s ego… the weakest spot in comment spam protection.”

    Wow, you said a mouthful.

  10. D00d Says:

    I googled for something completely different, but found your page… and have to say thanks. nice read.

  11. Pascal Says:

    Very funny Mr Lowerdown, but not really original :-)

  12. Adam Pierce » Adam Brody - dirty spammer ? Says:

    […] While reading up on this a little, I found another theory from Pascal van Hecke that these spams are to try and manipulate my blog’s whitelist so future spams can evade detection. […]

  13. Adam Pierce Says:

    I got a few of these lately on my blog. I’d approved two of them before I realised what was going on. I like your theory of whitelist manipulation. I put a link to this article on my blog, I hope you don’t mind.

  14. Nice read at Kesämaan päiväkirja Says:

    […] and I finally ended up at a blog called Notes, links and conversation. In the entry “Social engineering in comment spam” the author analyses exactly the same kind of comment. And apparently millions of others too […]

  15. goldpreise.biz Says:

    Hello I like your post so well that I like to ask you whether I should translate and linking back. Please give me an answer. Your Goldpreis

  16. CrystalsQuest Says:

    I got a lot of those inane comments on my guestbook – and that was my first thought too. Even the ones that don’t have a direct link payload except for the one (and I check them) are usually left unmoderated for a while to think it over.

    Interestingly, though, I’ve also got a reverse issue – anyone who comments in Russian gets picked up by the spam filter automatically. I’ve had a fair few Russian commenters on one of my posts about WordPress 2.7 and the admin interface, and with a bit of Google Translate assistance, found they were legit – checking back to some of their sites I found they had comments that also bemoaned the fact that anything they commented with an .ru email or site got blocked automatically from any non-.ru domain. I have to say so far I’ve found they’re right, although now I’ve approved a few (I tend to paste the translation into the comment, except on that post which seems to be mostly getting traffic from those speakers anyway) I’m now getting a lot more interest from the Russian-speaking community.

    Thank heavens for Google Translate, is all I can say.