An’ Anuddah T’ing

If you’re coming to this message from a Google search, you’re probably investigating comment spam on your blog. Read on, MacDuff.

This is an addendum to yesterday’s post, wherein I bemoaned spam commenting on blogs (on mine, in particular). I now have an excellent example of a comment whose authenticity took me awhile to discern. Here it is in its entirety:

My spouse and i felt so delighted that Michael managed to conclude his studies through the precious recommendations he obtained through your weblog. It’s not at all simplistic to simply possibly be releasing tips which usually some other people may have been trying to sell. We keep in mind we’ve got you to appreciate because of that. These illustrations you have made, the easy website menu, the relationships you make it easier to create – it’s mostly sensational, and it is helping our son and us recognize that this topic is fun, which is certainly particularly vital. Thanks for the whole thing!

On the surface, it looks like a genuine comment; it carries no obvious agenda, doesn’t appear to be selling anything, brings up the obvious family benefits of my site, is gushing with praise . . .

. . . and that’s where things got suspicious. So, off to Google. I searched for the first sentence and got no hits. Could it be? Could this be an actual, spamless, written-by-a-breathing-human-being comment?

The link entered when the comment was posted was for a blog page on JukeBoxAlive.com . . . an unusual link, given the supposed message poster (a presumably middle-aged woman). But not beyond the realm of possibility. I wasn’t going to click it to find out, however.

The most confusing bit, however, was that the comment was tied to ‘Poker for the Broke’ . . . a post on how to play poker on the cheap. Not the sort of thing that ‘Michael’ could benefit academically from, ‘precious recommendations’ or no. A closer look was clearly indicated.

Ordinarily, a peek at Google is sufficient to discern spam from communication of value; no spammer hits one blog — they carpet-bomb every blog for which they’ve a listing. As some misguided, hacked or badly-set-up blogs allow comment posts through without  editorial approval, there’s an excellent chance that you can find it by searching. As Google initially appeared to fail me, I chose another section of the comment. In this case,

mostly sensational, and it is helping our son and us recognize

At last, our investigation can be wrapped up. No, none of the returned text was precisely the same, but I wasn’t looking for the exact text.

I mentioned scripts in yesterday’s post. The more clever spam comments these days are composed on the fly by infected computers. In this case, the script it ran would read something like this (judging by the Google results from the above search):

mostly {sensational|overwhelming}, and {it is|it's} {really|} {helping|aiding|assisting|making} our son {and |in addition to} {us|the family} recognize

The pipe character “|” acts as an ‘or’ . . . when the script sees it, it randomly selects one of the provided choices. Each blog the script visits gets a contextually-similar message, but in slightly different words.

I’ve collected  a list exceeding a hundred current spammer IPs in the past few days . . . leave me an actual comment if you’d like to play with it.