Woke up to 30 variations on this today:
"As though I wanted will meet personally the author of clauses articles on your site, and personally to it him will get acquainted. But unfortunately I live in other country and I have no an opportunity to go on the world. Success to you the dear expensive friend. "
It looks like the SpamBots have finally found the comment links on Blog entries.
This one was especially fun, as it started out by simply commenting on a dozen different blogs, praising the author's "clauses" and offering ESL advice on how to better the world.
Then it started including helpful links to porn.
What to do about it? I didn't want to force my users to create accounts before they could post messages. Most of the comments come from friends and family of our bloggers, and they have no reason to get real accounts for themselves. I also didn't want to put in an annoying CAPTCHA test, since again, our commenters are often just somebody's mom who might just get confused and give up.
So here it is, spammers of the world, the secret to Blogabond's anti-comment spamming engine. When a user pulls up the comment screen, we'll pick a random number and stick it into the ASPX ViewState on the outgoing page. We'll also dump out some JavaScript that counts to 5 Mississippi before sticking that same number into a hidden variable. Before we'll commit a new comment to the database, we check to make sure that the number in the hidden field matches the number in the ViewState. Done, and Done.
And yeah, it should be easy enough to get around. All a spammer needs to do is pull up the page in a real browser, wait 5 seconds and hit the submit button. He can even write code to do this for him, or go so far as to dissect the base64-encoded ViewState in the HTML and construct his own custom HttpRequest. My bet, though, is that he'll simply move on to somebody else's blog and do his spamming there. Maybe when we get BIG, this might turn into a problem. Who knows. But for now, the quick and dirty fix seems to be working pretty well.
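The check described above, as an added Node.js sketch that is not Blogabond's code. It goes one step beyond the post: the state blob (standing in for ViewState) is HMAC-signed and carries its issue time, so the server can enforce the 5-second wait itself. The function names, the `commentCheck` element id and the blob layout are assumptions made for this example.

```javascript
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32); // per-process signing key (assumption of this sketch)
const MIN_DELAY_MS = 5000;             // the "5 Mississippi" wait

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Server, when rendering the comment form.
// `state` plays the role of the ViewState entry; `script` is the inline JS sent with the page.
function issueForm(now = Date.now()) {
  const nonce = crypto.randomInt(1, 2 ** 31).toString();
  const payload = `${nonce}.${now}`;
  const state = Buffer.from(`${payload}.${sign(payload)}`).toString('base64');
  const script = `setTimeout(function () {
  document.getElementById('commentCheck').value = '${nonce}';
}, ${MIN_DELAY_MS});`;
  return { state, nonce, script };
}

// Server, on postback. Returns a reason string so rejected posts can be logged and counted.
function checkComment(state, hiddenValue, now = Date.now()) {
  const parts = Buffer.from(String(state), 'base64').toString().split('.');
  if (parts.length !== 3) return 'malformed';
  const [nonce, issued, mac] = parts;
  const got = Buffer.from(mac);
  const want = Buffer.from(sign(`${nonce}.${issued}`));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return 'tampered';
  if (hiddenValue !== nonce) return 'no-script';               // form posted without running the JS
  if (now - Number(issued) < MIN_DELAY_MS) return 'too-fast';  // number filled in before the delay elapsed
  return 'ok';
}
```

Only `'ok'` should reach the database; the other return values are worth logging, since a rising count of `'too-fast'` or `'tampered'` shows a bot has started adapting to the check.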
Thursday, November 23, 2006