Arrgh! I was link-spammed!!

If you notice any minor strangeness about this site, it’s probably due to a very hasty upgrade to a new version of the Geeklog software, without taking the time to track down and redo all the little tweaks I’d made to the old installation. The reason for the haste is that I was hit by a couple of link-spam attacks over the weekend. I’d heard about this recent addition to the spammers’ bag o’ tricks, but I thought I was safe. I wasn’t. Now I think I am.

Link-spamming, for the blissfully unaware, is the tactic of finding sites which allow public update (bulletin boards, blogs, etc), and adding links that refer to one’s own site, which is usually hawking pharmaceuticals or pornography. Blogs are a popular target of this technique, because there are so many of them, and most of them run are driven by one of a few popular software packages. Once a spammer figures out how to automate a comment-insertion script for a particular piece of blogware, he can launch a mass attack on any blog he can find that uses the targeted software.

Link-spam has a double advantage for the spammer. The obvious, but probably less significant, result is some additional traffic from readers of the sites that he spams. But the real payback is the boost in Google ranking. One of the factors Google uses in ranking a site is the number of links to that site from others. When a spammer spews millions of links to his site throughout the blogosphere, he can get a significant bump in ranking.

I thought I was fairly safe from this kind of attack because I don’t allow comments from anonymous posters. Anybody who wants to comment has to register, get their password, and sign in before he can add comments. A determined spammer could go through that process, but it’s simpler for them to just target the sites that have less stringent posting requirements.

Recently, I’d seen some strange patterns in my access logs that confused me at first, and then I realized it was probably some kind of automated comment generator. I didn’t pay much attention to it because I didn’t think it was going to work.

Then on Sunday afternoon, I noticed another shotgun blast of attacks. When I took a look at the blog, I found that I had over a hundred recently added “comments”, scattered over a random assortment of articles. Each one consisted of a bunch of keywords with links back to a spam site. There were two distinct batches, one for a drug site and one for a porn site.

I was a little bum-fuzzled at first, especially after I double-checked the restriction against anonymous posting. Then it dawned on me that it might be possible, if someone knew how the internals worked, to construct a link that would insert a comment as if it had been generated via the comment page, without being able to display that page.

I checked out the Geeklog site and found that my deduction was correct. There was some discussion there from other victims of link-spam attacks, some of whom had been hit much harder than I had. Somebody had done a search for the website being spamvertised, and found that most of the visible links to it were in comments on Geeklog sites, suggesting that maybe a weakness in Geeklog was being targeted.

The Geeklog authors took a quick look and figured out where the weakness was, and provided a patch to block the attacks. Unfortunately, the patch was only functional for a version of the software newer than the one I was running. After reading about the panic some of the other victims were experiencing, I decided it would be prudent to get my system up to date ASAP, and worry about petty details later.

Although I don’t know any words nasty enough to express how I feel about the spammers who polluted my site, I do have to admire their technical skill and effort. They must have done a very detailed analysis of the Geeklog code, looking for a way around barriers that looked impenetrable. Then, when they launched their attack, they distributed it through hundreds of different machines, probably all hijacked. Looking at my logs, each “comment” that was added came from a different machine. This tactic would prevent webmasters from taking the quick simple protective tactic of blocking the offending IP address.

I guess this cloud did have a silver lining; it forced me to upgrade Geeklog, which I’d been too lazy to do. Supposedly the new version has some new features to play with; so far I haven’t figured out what they are. Maybe that will keep me busy for a while.

Leave a Reply

Your email address will not be published. Required fields are marked *