Catching zombies

We all know that almost all comment spam comes from virus-infected PCs turned into zombies. For a while I have suspected that these zombies work from a list of URIs to attack, since attacks always follow the same pattern: suddenly I receive a lot of comments from various IP addresses, all using the same referrer and posting more or less the same message. An attack usually takes about two days before the comment spam slows down. Very few of these comments make it through the Movable Type spam filters, and usually adding the URL to the blacklist takes care of them forever.

Since upgrading to version 3.2 I have not received a single piece of comment spam. The reason is that I forgot to rename the comment script. One of the first measures I took against comment spam was renaming this script, so that bots using Google to find spammable sites would not find me. With the latest update I forgot to do so. Now the list of spammable URIs these spambots use contains hundreds of links to a script that no longer exists, so they do not even reach my comment-spam filters!

Even better, they fall into another trap. I catch all requests for ‘inappropriate’ files, such as system files and non-existing scripts (formmail.pl), and automatically put the requesting IP address on a blacklist, which is cleaned up after two weeks. This blacklist has been growing like crazy in the last week, because of all these MT spammers requesting the old location.
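A small log-scanning version of that trap, added here as an illustration and not the author's own setup: it reads web server access log lines in Common Log Format, blacklists any IP address that requests one of a set of trap paths, and drops entries after two weeks. The trap paths (including the placeholder name for the old comment script), the date values and the sample log lines are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Assumed trap paths (constructed for this example): a request for any of
# these is treated as a probe, as the post does for system files and formmail.pl.
TRAP_PATHS = {
    "/cgi-bin/formmail.pl",
    "/cgi-bin/old-comment-script.cgi",  # placeholder for the renamed comment script
    "/etc/passwd",
}
BLACKLIST_TTL = timedelta(days=14)      # entries expire after two weeks

# Common Log Format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_time(stamp):
    """Parse a CLF timestamp such as '01/Oct/2005:10:00:00 +0000'."""
    return datetime.strptime(stamp, TIME_FMT)


def update_blacklist(blacklist, log_lines):
    """Record (or refresh) the last time each IP requested a trap path."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        ip, stamp, path = m.groups()
        path = path.split("?", 1)[0]      # ignore any query string
        if path in TRAP_PATHS:
            seen = parse_time(stamp)
            if ip not in blacklist or seen > blacklist[ip]:
                blacklist[ip] = seen
    return blacklist


def expire(blacklist, now):
    """Return only the entries seen within BLACKLIST_TTL of `now`."""
    return {ip: t for ip, t in blacklist.items() if now - t <= BLACKLIST_TTL}


def is_blocked(blacklist, ip, now):
    return ip in expire(blacklist, now)


# Constructed sample log: two probes for trap paths and one ordinary page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2005:10:00:00 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 0',
    '198.51.100.4 - - [01/Oct/2005:10:05:00 +0000] "POST /cgi-bin/old-comment-script.cgi?e=1 HTTP/1.0" 404 0',
    '192.0.2.9 - - [01/Oct/2005:10:06:00 +0000] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    bl = update_blacklist({}, SAMPLE_LOG)
    print(sorted(expire(bl, parse_time("10/Oct/2005:00:00:00 +0000"))))
```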

Until they refresh their list, I can sit back and relax!

Jeroen Sangers @jeroensangers