
WordPress comment spam is entertaining

August 15, 2012

I have to confess I find WordPress comment spam entertaining. When I set up this blog I decided to enable comments but moderate them, expecting that most comments would be spam attempts rather than anything actually germane (because, let’s face it, it’s so much easier to dash off a quick reply or comment on Twitter instead of going to the trouble to post a comment). But as a consequence, I do occasionally have to go in and check my comment spam to see if a real comment was miscategorized. And as a result, I occasionally get a glimpse of the latest state of the art in comment spam.

My comment spam these days falls into two categories. The first is rather uninteresting; it essentially throws a bag of words into the comment and hopes that it’ll sneak past the spam detector. News flash to spammers attempting this route: the detection routines aren’t fooled.

I find the second category more interesting. I’d label this category “attempted spam through ego-stroking”. It generally takes the form of a short comment along the lines of “thanks for posting, I found this really insightful”, in the hope that the blog author is so desperate for praise that they won’t look closer and will let the comment through. The spam authors will sometimes sneak a link in, other times they’ll try to put the spam in the author link, and in some cases they’ll avoid anything overt at all in the initial comment (doubtlessly hoping that the blog author will have configured the system to automatically allow subsequent posts from authors with approved comments, so that the spammer can then go crazy with spam comments).

The first category is essentially a technological approach: the spammers are trying to get spam through by guessing how the spam detection algorithm works. In general that seems like a losing approach, as evidenced by the fact that spam in that category always ends up marked as spam. The second category, however, is much more clever. Spam in that category anticipates that it will be flagged as spam, and applies social engineering to try to get the blog author to pull the comment out of the spam folder and approve it. I suspect the hit rate is still rather low, but I bet it’s higher than for spam in the first category. And in general I think social engineering is a more promising line of attack; I’m curious what the spammers will come up with next.
