A New Breed Of Comment Spam

I’ve been bom­bard­ed (about 50 a day) by a new kind of spam com­ment late­ly. It’s been slip­ping through my MT-Blacklist fil­ters, because it cre­ates intel­li­gi­ble sen­tences by vary­ing verbs (like “check” and “vis­it”) and nouns (like “site” and “pages”). Sometimes, when I’m brows­ing through oth­er sites I see the same spam com­ments, so I fig­ured I would post the reg­u­lar expres­sion I wrote to block it in case any­one hap­pens to be search­ing for one, like the one I wrote a few months ago.

(check|visit)[\w\-_.]*(pages|sites|information|info)[\w\-_. ]*

This has been the most dif­fi­cult spam vari­a­tion I’ve had to deal with. The one weak­ness of most com­ment spam is that it’s bound to a sta­t­ic web­site address. Since spam is usu­al­ly gen­er­at­ed through robots, there are pat­terns that can be matched in order to block it. The key is fig­ur­ing out what the pat­tern is, whether it may be a reoc­cur­ring IP address (very unlike­ly and unre­li­able), or a reoc­cur­ring web­site address (most like­ly). This one is dif­fer­ent though, because the adver­tised web­sites keep chang­ing. Not only that, but the sen­tences used to present the site are also incon­sis­tent. The pat­tern, as a result, is more com­plex.

One comment

  1. My prob­lem with MT Blacklist was that I had to have the plu­g­in itself rec­og­nize the spam in order to delete, instead of the oth­er way around. I found out about MTCloseComments, which does exact­ly what the name entails– it clos­es com­ments on old entries and you get to decide how old is too old. My option to close the entry is after 7 days and I’ve had no spam since. I’m not going to unin­stall Blacklist because it’s good to have a back­up.

    The MTCloseComments plu­g­in is locat­ed here: http://mt-plugins.org/archives/entry/closecomments.php

Leave a Reply