
Comment Spammers Harvesting Genuine Commenter’s Details

Posted By Darren Rowse 3rd of May 2006 Pro Blogging News 0 Comments

Comment spammers are getting trickier.

Today I had a comment which I thought was from a regular reader of ProBlogger. It had their name, their email, their URL, but the comment was a link to a parked domain with just ads on it and the IP address was not that of the person the comment claimed to be from.

Spammers are harvesting genuine commenters’ details and using them to leave comment spam in an attempt to get past bloggers.

So rather than just scanning comments and allowing anything from familiar names you might want to take a closer look at what the comments are actually saying.
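The check described above can be automated as a moderation pre-filter. This is an added example, not code from ProBlogger or any plugin; the history store, field names and sample addresses are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed history of approved comments: email -> source IPs and link hosts seen before.
HISTORY = {
    "alice@example.org": {"ips": {"198.51.100.7", "198.51.100.9"},
                          "hosts": {"alice-blog.example"}},
}

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def linked_hosts(text):
    """Return the set of lower-cased hostnames linked from a comment body."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def triage(comment, history=HISTORY):
    """Return (decision, reasons) for a submitted comment.

    Name, email and URL are unauthenticated form fields that anyone can copy,
    so a familiar identity never approves a comment on its own.
    """
    reasons = []
    known = history.get(comment["email"].strip().lower())
    if known is None:
        reasons.append("unknown commenter")
    else:
        # A new IP is a weak signal by itself (dynamic addresses), so it only
        # sends the comment to a human; it does not reject it.
        if comment["ip"] not in known["ips"]:
            reasons.append("known identity from new IP")
        new_hosts = linked_hosts(comment["body"]) - known["hosts"]
        if new_hosts:
            reasons.append("links to unseen hosts: " + ", ".join(sorted(new_hosts)))
    return ("hold" if reasons else "approve"), reasons
```

Readers on dynamic addresses will be held as well; the cost is a moderator's glance at the comment body, which is the step the post recommends.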

About Darren Rowse
Darren Rowse is the founder and editor of ProBlogger Blog Tips and Digital Photography School.
  • md

    How would they harvest the commenter’s real email address?

  • imho, it could be via automated means.


  • Oh, isn’t that great … I just finished and posted a post on the benefits of commenting at other blogs and now I read this.

    I guess there’s nothing the spammers won’t do to deceive their way in.

    In a way, I guess, it’s a form of identity theft.

  • Was the comment making any sense with the context or was it rather vague?

    Cause I’m getting at least 100 of those daily heheh.

  • I got so sick of comment spam on a site that I set up for IT in our organization that I now require a user to register and log in before leaving spam.

    I can just hope now that the bot programmers don’t figure out how to do a login with Drupal to put the spam back in there.

  • As the apparent resident expert on killing comment spam, I have a few words.

    The easiest way to stop comment spam is to require registration, and to mail the user’s password to them. If your blog/CMS platform allows the user to choose his own password, or doesn’t require them to take some action based on received e-mail, then it’s dead simple for the spammers to automate user account creation.

    MediaWiki suffers from this problem, as it not only doesn’t require the user to verify his e-mail address, it lets the user supply their own initial password, which is why Wikipedia and other MediaWiki-based wikis have such a large problem with vandalism and automated wikispam. I’ve been working with the MediaWiki developers and other MediaWiki users on ways to curb this problem, which will be incorporated into Bad Behavior 2.

    The downside to registration is it turns people off. Many people won’t bother to register, even if you leave the nice link prominently displayed and make it as easy as possible for them. So there go many comments you would otherwise have received.

    The problem of automated spam is one I’ve been working on for over a year now. I have a very good solution in Bad Behavior, and Bad Behavior 2 (currently in development; try it out!) promises to be very close to perfect. I don’t attack the comment, I attack the delivery method. In fact, it’s the only anti-spam solution which doesn’t even look at the content of the comments/trackbacks at all. This has allowed me to deliver a solution which will block thousands of spams a day, and over 99.9% of them, with no false positives (unless I make a stupid typo or something).

    Best of all, it’s free. :)
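A sketch of the registration flow the comment above describes, where the account only becomes usable after the user acts on something the server mailed to them. This is an added example, not code from Bad Behavior, MediaWiki or any CMS; the class, method names and the one-day expiry are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumption: a mailed token expires after one day


class Registrations:
    """In-memory stand-in for a CMS user table (hypothetical, for illustration)."""

    def __init__(self):
        self.pending = {}    # email -> (sha256 of token, expiry timestamp)
        self.active = set()  # emails that proved they receive mail

    def register(self, email, now=None):
        """Create a pending account and return the token to e-mail to the user.
        The server picks the secret; the client supplies only an address."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email.lower()] = (digest, now + TOKEN_TTL)
        return token  # goes out by mail only, never in the HTTP response

    def confirm(self, email, token, now=None):
        """Activate the account only if the mailed token comes back in time."""
        now = time.time() if now is None else now
        key = email.lower()
        entry = self.pending.get(key)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self.pending[key]  # expired: the user must register again
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self.pending[key]      # single use
        self.active.add(key)
        return True

    def may_comment(self, email):
        """Only confirmed accounts may post."""
        return email.lower() in self.active
```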

  • I can attest to that — Bad Behavior 2 kicks butt :D

  • The same thing happened to me last week. I had two comments that were held in moderation and when I checked the name, e-mail and URI of the commenter it was OK, so I thought. But when I read the comment itself, it was littered with spam.

    Looks like anti-spam plugin makers need to come up with some updates pretty soon.

  • Sid

    Are the spammers actually using real commenters’ e-mails or just their names? It would be easy to use their names because they are published, but getting the e-mail addresses seems harder.

    I have noticed this trend too and find it irritating to moderate my comments so much.

  • Hmm..Interesting, I’ve blogged about comspams getting smarter before but this is the first time I get to hear about it. It’s not difficult to code a bot to visit 5-6 posts and find the person who has commented in all of them. Then again for a popular blog like Problogger, easier.

    But then again, Darren, you have Akismet right? It really pwns you good!

  • This is so sad… whenever there is a little money to be made the spammers have to ruin it for everyone else.

  • Pretty detestable but then the spammers are…

    My spam measures usually look at context, links etc. – I don’t (unfortunately) even just let previously approved commenters through.

    I do agree though, that it shouldn’t be possible to harvest the real email address.

  • I haven’t seen this at my site yet, but I don’t get nearly as many comments.

  • Even though my blog doesn’t generate a lot of traffic (mostly real life friends), I still get about 5-10 attempted spam comments per day, more on weekends. Using WordPress, it defaults to sending any comment with more than two URLs in the message to moderation. Unfortunately, it doesn’t take a spammer too long to figure that out.

    A lot of my spam was originating from a handful of IP addresses. I set the spam filter for those, and reported a couple of them to their ISP after tracking them down. I have got confirmation on one of them having their access terminated.

    The address harvesting is a little creepy, but I have yet to experience that.

  • jim

    There are a lot of sites that publish the email address and I bet that if you comment on a lot of sites, the spammers are going to find a site where that info is published (unlike here). I think that email addresses should never be published openly because scrapers will always get it.


  • Comment spam sucks, but luckily most blog software has the tools to prevent it. I use 3 plugins for my blog (powered by Nucleus, I know WP has the same basic plugins).

    1. Blacklist. Uses a global blacklist which you can add phrases, IPs and domains to.

    2. Comment Control. Anything older than 2 weeks or that contains a URL has to be validated first. You can set the time, but 2 weeks seems about right.

    3. Silly Logic Question. Simply ask something like “how do you spell blue” or “what is 2 + 2”. This method is like CAPTCHA except it’s also friendly to people with visual disabilities too.

    I went from 15,000 spam messages a week across my network to just about zero (a couple slip through now and then).

  • Joe

    Hey Darren,

    Just out of curiosity, did you E-mail your regular reader to let them know that they were hijacked?

    I know I would want to know if someone was posing as me.


  • i did Joe.


  • This is why no blog should ever publish a commenter’s email address — not even in “spam proof” form.

    Why should readers know the email address of commenters? It makes no sense. Associating a URL with a commenter’s name is fine; associating their email address is foolish.

  • I am really tired of these spammers, it happens all too frequently because it’s getting very easy for them to build automatic systems to do these jobs for them. Our blog website has been targeted many times since it opened. Most of the spammer domains that did this were from Russia or the Ukraine.
    The last time they didn’t even bother to comment spam, they simply opened 4 accounts and tried to insert some spam e-mail.
    You can find the details of this attempt at the website, it is really baffling how quick and well planned these attacks take place.
    Fortunately it wasn’t a quite successful attempt.
    But from now on I just block entire countries or IP ranges from our blog, why should I bother, it just costs me too much valuable time!
    I am still busy with implementing some form of prevention for this comment spam; in the meanwhile I disabled comments and manually check every account which is opened… a lot of wasted time if you ask me!
    PS crispian, I’m also thinking about making a CAPTCHA system which isn’t hackable for our blog. I must say that I must agree on this silly logic idea, but as long as the questions are really unique for your site and not widely available. I guess your example questions posted here most likely will be/are integrated in the bots that need the answers to circumvent the CAPTCHAs.

  • I just started receiving comment spam about a week or so ago. Fortunately it was all quite obvious and I have my installation of WordPress configured to hold it for me to moderate so it didn’t get through.

    The funny thing about it is that as annoying as it is (it’s been coming through often) I took it as a sign that my blog is finally arriving in some way. I mean if I caught the spammers’ attention maybe I’m doing something right.

    I know, I know, doesn’t really mean a thing. I’m just looking for the positives..
