Comment spam: how does it work?

Any WordPress website that allows comments or implements forum (bbPress or something else) attracts comment spam. If you ever wondered how comment spam finds your website, this is a good place to start.

Dev4Press website received 628.925 spam comments in 2015. Yes, that is over half a million messages received in a period of one year. You can see the chart of monthly spam messages below. The drop in December is a consequence of long downtime caused by the ASmallOrange hosting massive outage. On average, Dev4Press gets about 1800 spam comments each day during 2015, or 1.25 spam comments every minute. In the same year, main Dev4Press blog had 200 real users visits each day. And that makes spam visits making 90% of all visits website received in 2015. This information is for main www.dev4press.com website, it doesn’t include individual plugin websites or other subdomains on Dev4Press network (most of them don’t allow comments at all).

All that spam is not only useless because all the spam was caught and never displayed, but it is taking valuable server resources. So, stopping spambots from visiting your website will improve your server performance, and that is the major reason for fighting spam. Spammers and spambots are effectively using your server power to try and promote themselves, and it is in your best interest to stop them.

What is comment spam?

Where email spam attempts to get some personal information or to trick you into buying something, comment spam attempts to add links that lead to one or more websites and increase the number of backlinks, and in turn that should improve search engine ranking. If someone clicks such link and visits the website, that is added bonus.

There are several types of spam comments:

• Links only in the content: comment is filled with links to various websites. It can contain some other content, but usually, it has links only. Links can be HTML or BBCode formatted.
• Generic comment with single URL with commenter name: this can be some generic message praising the article or your website, and the only link is provided as the URL to the comment author.
• The malicious script in the content: comment can contain some malicious script that will be executed if the comment is displayed in the browser.

Depending on the attacker, you can see one or all types of spam.

Is it effective?

The method of adding hundreds of links into the comment with a goal of providing backlinks to attackers website is not as effective as the attacker might hope. Google and other search engines have many ways to evaluate the quality of backlinks and they can easily devalue such links and in the end, they will not improve the search engine ranking of attackers website. But, search engines are not 100% effective, and with millions of websites targetted with such comments, this method will yield some result for the attacker. Added bonus are website visitors that might get tempted into following these links.

Inserting malicious scripts into WordPress comments is not effective because WordPress is running series of filters to clean up the comment fields from such code.

The most effective technique is a generic comment with a single link in a form of the comment author URL. WordPress will not mark such comment a spam because it doesn’t contain URL’s in the comment. And, since it includes single link only, search engines will give such URL higher backlink value.

In the end, all these have very, very ineffective, but if you take into account massive number of comments posted on millions of websites, the sheer volume of spam will provide some value to the attacker and that is enough to keep using the spam to promote various services or products.

How is spam delivered?

In mot cases, spam is delivered by automated spambots. Spambots are very sophisticated programs that can solve captchas, protections questions, register accounts… These programs are constantly updated to improve and find ways around different protection methods. But, the large amount of spam is delivered by humans also. In many parts of the world, human labor is cheap, and humans can either deliver spam, or they can update spambot database with information about comment and registration forms.

Spambots either use own or public search engines. They attempt to find popular websites based on the set of keywords, and they build the list of targets. Using various techniques, spambots (or humans working as spambots) are trying to determine how the comments delivery works, the requirement for the user account to post comments, type of software used… Based on all that, spambots are configured to target WordPress, Joomla or other CMS systems, to target custom built websites, forums or something else. Programs like Xrumer are extremely effective and constantly updated, capable of solving captchas, answer questions, recognize all sorts of forms for sending comments. And these programs are very fast.

Spambots can be dedicated machines that are used to post spam only. But, they can also be programs that have infected individual computers or servers and they can run in the background without computer owner knowing that they are even there.

Can you stop spam?

Well, no. But, that doesn’t mean you should give up and allow spam into your website. It is essential to protect your website. When it comes to WordPress, there are many plugins that can help you with detecting and minimizing number of spam messages delivered. No method is 100% effective, but the combination of different protection methods is usually the best solution that can effectively stop all spam messages.

Over the next few weeks, I will be writing about spam fighting and that will include more statistics illustrating how different techniques can be effective. For all data gathering and spam fighting, I will be using my own brand new security plugin GD Security Toolbox Pro.