May 28, 2004

'Communique' Hit By Prolonged Comment Spam Attack

Apologies for the sudden and unannounced downtime. Approximately one hour ago, this site became the target of the single most sophisticated and concerted attack of comment spam we've ever seen.

It's not unusual for promoters of various commercial websites -- most often of the "adult" variety -- to post fake comments to sites such as this one. But in this case, the spammers engaged in what was a 45-minute assault on old posts here, trying to post comments which referred people to a number of websites all devoted to a particularly loathsome act of sexual violence.

All told, about eleven of these comments got through before we realized how extensive the attack was and took the site down temporarily to prevent them from getting through. We then sat and watched our server logs in real-time as they continued to try, as we said, for a total of 45 minutes.

As near as we can tell, one of two things was happening. Either each of these attacks was coming from a single machine which was spoofing its IP address, or each of these attacks was coming from a different machine operating as part of a distributed network. It's unclear to us, at this point, which is the truth. We do know that the attacker(s) claimed to have come from machines ranging from .br (Brazil) to .pl (Poland) to .mil (the U.S. military). We also know that each attack presented "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" as its user-agent.

Just about once every minute, each of these allegedly-different machines would hit the same old post, each incoming IP address in turn, very rapidly one right after the other. Then the attack would pause. And then each allegedly-different machine would hit a different old post, each incoming IP address in turn, very rapidly one right after the other.
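The pattern described above (one user-agent, many source addresses, each old entry hit by all of them in quick succession, then a pause) is exactly the signature a defender can pull out of the access log while it is happening. The script below is an added example and is not code from this site or from Movable Type. It parses constructed Apache combined-format lines (the addresses, paths and timestamps are made up; the user-agent is the one quoted above) and flags a burst whenever enough distinct addresses sharing a user-agent POST to the comment script for the same entry inside a short window. It assumes the comment script lives at /mt/mt-comments.cgi and uses the Referer header as a stand-in for the entry being commented on, since the entry id travels in the POST body and never reaches the log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not this site's real logs).
# Five addresses post to the comment script for entry 000123, then a minute later
# all five post to entry 000456; one unrelated GET and one ordinary comment from a
# different browser are mixed in as noise.
UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
SAMPLE_LOG = "\n".join([
    '200.150.1.10 - - [28/May/2004:20:01:02 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000123.html" "%s"' % UA,
    '83.12.4.77 - - [28/May/2004:20:01:03 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000123.html" "%s"' % UA,
    '198.51.100.23 - - [28/May/2004:20:01:05 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000123.html" "%s"' % UA,
    '203.0.113.9 - - [28/May/2004:20:01:07 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000123.html" "%s"' % UA,
    '192.0.2.44 - - [28/May/2004:20:01:10 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000123.html" "%s"' % UA,
    '10.0.0.5 - - [28/May/2004:20:01:30 -0700] "GET /archives/000456.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.200 - - [28/May/2004:20:01:45 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000123.html" "Mozilla/5.0 (Macintosh; U; PPC)"',
    '200.150.1.10 - - [28/May/2004:20:02:05 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000456.html" "%s"' % UA,
    '83.12.4.77 - - [28/May/2004:20:02:06 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000456.html" "%s"' % UA,
    '198.51.100.23 - - [28/May/2004:20:02:08 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000456.html" "%s"' % UA,
    '203.0.113.9 - - [28/May/2004:20:02:10 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000456.html" "%s"' % UA,
    '192.0.2.44 - - [28/May/2004:20:02:12 -0700] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "http://example.invalid/archives/000456.html" "%s"' % UA,
])

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_bursts(lines, window_seconds=60, min_ips=5, comment_path="/mt/mt-comments.cgi"):
    """Return one record per (user-agent, target entry) pair for which at least
    `min_ips` distinct addresses POSTed to the comment script within any
    `window_seconds`-long window. Malformed lines and non-comment requests are ignored."""
    events = defaultdict(list)  # (ua, referer) -> [(timestamp, ip), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash mid-attack
        if m.group("method") != "POST" or m.group("path") != comment_path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events[(m.group("ua"), m.group("referer"))].append((ts, m.group("ip")))

    window = timedelta(seconds=window_seconds)
    bursts = []
    for (ua, target), hits in events.items():
        hits.sort()
        best = None
        start = 0
        # Sliding window over the time-sorted hits; keep the window with most distinct IPs.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips and (best is None or len(ips) > best[0]):
                best = (len(ips), hits[start][0], hits[end][0])
        if best:
            bursts.append({"user_agent": ua, "target": target, "distinct_ips": best[0],
                           "first": best[1], "last": best[2]})
    bursts.sort(key=lambda b: b["target"])
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG.splitlines()):
        print(b["distinct_ips"], "addresses hit", b["target"], "between",
              b["first"].time(), "and", b["last"].time(), "with UA", b["user_agent"])
```

Keying on the user-agent plus target rather than on the source address is what makes this work against the situation the post describes: whether the addresses are spoofed or belong to many different machines, the shared browser string and the lockstep targeting of one old entry at a time survive, while an ordinary reader's single comment from a different browser does not trip the threshold.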

Prior to migrating to MT 3.0D, we would have utilized MT-Blacklist to halt this attack based upon the relevant keyword(s) from the spam itself. Until that tool is ported to MT 3.0, it is unavailable to us, and since the attack was coming from (or pretending to come from) countless different IP addresses, banning the commenters via IP address wasn't going to work.

Which is why we simply took the site down altogether and kept an eye on the logs to see if it ever subsided.

That does appear to be the case at this point. However, there of course is no guarantee that it will not start up again, and so it is entirely possible that this site will go offline again without notice -- although if that occurs, we will have an appropriate "site down" message in its place.

Again, apologies for the inconvenience, and we now return you to your regularly-scheduled site.


Comments (9)

  1. John Hays on 28 May 2004

    There is a "closed comment" script at http://backlog.geeksblog.com/topic/php/
    that you can use to close all your comments at once or you can adjust it so it will automatically close comments after "x" period of time.

  2. Apathy on 28 May 2004

    comments which referred people to a number of websites all devoted to a particularly loathsome act of sexual violence.

    For some of us, masturbation might qualify. :P

    I'm sorry to hear about these jackasses. Hopefully it'll be motivation for taking more preventative measures here. I've had to do that at my own site for years because of ignorant twits getting off spamming their unwanted bile.

    I'd gladly create a user account if that became a necessary step for this site. I disagree with a good portion of people's viewpoints on here, but the site and the forum overall is such a great value to the city.

    Keep up the good work and don't take attacks personally. As someone who has undergone technological attacks in the past, I know it's only a sign that you're a success.

  3. The One True b!X on 28 May 2004

    Hopefully it'll be motivation for taking more preventative measures here.

    Well, I had preventative measures in place before upgrading to MT 3.0D, that being MT-Blacklist. Until that's ported to MT 3.0D, the only real option here is comment authentication -- but that currently requires going through Typekey, and I'm loath to force people to use a third-party system, so I was waiting for someone to code a locally-hosted comment authentication system for MT 3.0D.

    Anyway, I'm pondering all the options.

  4. Jay Allen on 29 May 2004

    But, you could use TypeKey sparingly. For instance, normally, just accept both TypeKey and non-TypeKey registered users. If another attack comes, simply choose to moderate non-registered users. That way the comments will never appear on the site and rebuilds won't take place, keeping the site available during the attack.

    Sorry to hear about the attack. I'm working on MT 2.0. It will be ready but not soon enough for you, unfortunately.

  5. Jack Bog on 29 May 2004

    cheaXp Viagr*a! Sorry, couldn't resist.

    I got 130-some of those while I wasn't paying attention the other day. And they were too new (at the time) for MT-Blacklist to catch.

    At least Blacklist automates removing them, to some extent.

    The IP spoofing is very scary.

  6. The One True b!X on 29 May 2004

    It was deeply weird to watch. I've always simply assumed that some portion of comment spammers are spoofing their IPs anyway, but I'd never seen such a focused and extended attempt before.

    Anyway, I'm still semi-perplexed on the setup to allow both Typekey and non-Typekey comments on the same site -- mostly in terms of the templates and tags that make this happen.

    I suppose I should perhaps sit down and figure that part out at this point.

  7. pdxkona on 29 May 2004

    Man, that whole thing made me think of a new job potential niche: Blogger Sysadmins. You want your own webpage with your blog, but don't know anything technical, don't want to know anything technical, and just want to post every day? Hire a contract blogger sysadmin to build your page for you. (Basically a designer working with a content management system for the nontechnical.)

    Hmmm...sounds like a nice home-based business to me.

  8. Elaine of Kalilily on 30 May 2004

    Heh. b!X already does the blogger sysadmin for me, but I'm his mom.

  9. Nate on 30 May 2004

    No, they weren't spoofing the IP addresses. I've been involved in an anti-spam organization for a while, and I can tell you that spammers, whether the e-mail or blog variety, control large numbers of virus-infected "zombies". Currently Brazil and South Korea seem to harbor a lot of them (China used to be a zombie haven but it seems to be getting better). If the posting gets rejected from one address, the spammer's software will try again from a different IP address.

    IP-based blocklists such as DSBL are widely used in e-mail servers. They could block comment spam too, if there were an MT plugin to use the blocklists.
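The DNS-based blocklist check Nate describes is simple enough to show end to end. The following Python is an added example, not an MT plugin and not code from DSBL or any other list operator: it builds the lookup name the way DNSBLs expect (the IPv4 octets reversed and the zone appended), asks the resolver, and turns the three possible outcomes (listed, not listed, lookup failed) into a comment-handling decision. The zone name `dnsbl.example` and the listing table are placeholders constructed for the offline demo; the resolver function is injectable so the logic can run without network access. DSBL, the list named in the comment, has since ceased operating, so a real deployment would substitute a list that is still maintained.

```python
import ipaddress
import socket

# DNS resolver error codes; the getattr fallbacks cover platforms that lack the constants.
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)  # name does not exist (NXDOMAIN)
EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)    # temporary resolver failure


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone.
    Raises ValueError for anything that is not a plain IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 addresses")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """Return True if `ip` is listed in `zone`, False if it is not, and None when the
    lookup could not be completed. `resolve` maps a hostname to an address string."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror as exc:
        if exc.errno == EAI_NONAME:
            return False      # NXDOMAIN: the address is not on the list
        return None           # timeout or other resolver trouble: unknown
    except OSError:
        return None
    # DNSBL listings answer from 127.0.0.0/8; any other answer is not a listing.
    return answer.startswith("127.")


def comment_decision(ip, zones, resolve=socket.gethostbyname):
    """Policy for an incoming comment: 'reject' if any zone lists the address,
    'moderate' (hold for a human) if any lookup failed, otherwise 'accept'.
    Failing toward moderation rather than rejection keeps a broken resolver from
    silently blocking every reader."""
    unknown = False
    for zone in zones:
        result = is_listed(ip, zone, resolve)
        if result is True:
            return "reject"
        if result is None:
            unknown = True
    return "moderate" if unknown else "accept"


# Constructed listing table for the offline demo (not real DNSBL data).
# The key corresponds to the address 3.2.1.10 looked up in the placeholder zone.
FAKE_LISTINGS = {"10.1.2.3.dnsbl.example": "127.0.0.2"}


def fake_resolve(name):
    """Stand-in resolver: answers from FAKE_LISTINGS, otherwise behaves like NXDOMAIN."""
    if name in FAKE_LISTINGS:
        return FAKE_LISTINGS[name]
    raise socket.gaierror(EAI_NONAME, "Name or service not known")


def failing_resolve(name):
    """Stand-in resolver that always reports a temporary failure."""
    raise socket.gaierror(EAI_AGAIN, "Temporary failure in name resolution")


if __name__ == "__main__":
    for candidate in ("3.2.1.10", "192.0.2.1"):
        print(candidate, "->", comment_decision(candidate, ["dnsbl.example"], fake_resolve))
    print("resolver down ->", comment_decision("192.0.2.1", ["dnsbl.example"], failing_resolve))
```

Two design points carry over from the e-mail world the comment refers to: the answer address is checked for the 127.0.0.0/8 range rather than treated as a plain yes/no, since some lists encode the listing reason in the last octet and a stray non-loopback answer usually means a misconfigured resolver; and a lookup that fails is distinguished from "not listed", so that an outage at the list operator degrades to moderation instead of either blocking or waving through every comment.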