Anatomy of comment spam 26 July, 2006 — Stuart Brown

From where does it come?

Posted in Web Design, Spam

If you have a blog, or website of your own and you have some degree of interactivity with your visitors (such as comments), then you've no doubt experienced the scourge of spam on your pages. Comment spam is now an intrinsic tool in the blackhat marketer's repertoire, and can give an edge in competitive markets. But where on earth does it come from?

Of course, there are probably some of you out there with a smug look on your face - a lot of modern blogging software (notably Movable Type) but for many, the sight of a swathe of new spam comments touting Viagra, Cialis et al., or similar pharmacy products, is a familiar one.

In fact, for one of my sites in particular, it's a very common phenomenon - so I recently implemented IP blacklisting and keyword filtering. One side effect of this was the impressive array of dodgy IPs collected in the blacklist - at the time of writing, it amounts to about 1,000 unique IPs used by the spammers. Most of these are open proxies, of course, but I thought it would be interesting to see where in the world most of this comment spam originates from.
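The IP blacklisting and keyword filtering mentioned above can be combined into a single pre-moderation check. The following is an added example written for this page, not the author's own filter: the blacklist uses the RFC 5737 documentation ranges as constructed sample entries, the keyword list is constructed, and the digit-for-letter normalisation is an assumption about how the pharmacy spam of the day evaded naive matching.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample blacklist of CIDR ranges (RFC 5737 documentation space,
# not real spam sources). A real list would be loaded from the blog's database.
BLACKLISTED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.42/32"),
]

# Constructed keyword list for the "pharmacy" spam described in the post.
SPAM_KEYWORDS = ["viagra", "cialis", "online pharmacy"]

# Undo common digit/symbol-for-letter substitutions ("v1agra", "c!alis") before
# matching, so trivial obfuscation does not slip past the keyword filter.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s", "!": "i"})


@dataclass
class Verdict:
    blocked: bool
    reason: str


def normalise(text: str) -> str:
    """Lower-case, undo leet substitutions and collapse whitespace."""
    text = text.lower().translate(_LEET)
    return re.sub(r"\s+", " ", text)


def ip_blacklisted(ip: str) -> bool:
    """True if the remote address falls inside any blacklisted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # a malformed remote address is treated as hostile (fail closed)
    return any(addr in net for net in BLACKLISTED_NETWORKS)


def keyword_hits(text: str) -> list[str]:
    """Return the keywords found as whole words in the normalised comment body.

    Word boundaries matter: a bare substring match for "cialis" would also flag
    the innocent word "specialist".
    """
    norm = normalise(text)
    return [kw for kw in SPAM_KEYWORDS
            if re.search(r"\b" + re.escape(kw) + r"\b", norm)]


def check_comment(ip: str, body: str) -> Verdict:
    """Cheap IP check first, then the keyword filter; returns why it was blocked."""
    if ip_blacklisted(ip):
        return Verdict(True, f"ip {ip} is blacklisted")
    hits = keyword_hits(body)
    if hits:
        return Verdict(True, "keyword(s): " + ", ".join(hits))
    return Verdict(False, "ok")


if __name__ == "__main__":
    for ip, body in [("198.51.100.7", "nice post"),
                     ("192.0.2.1", "Buy V1AGRA now"),
                     ("192.0.2.1", "I am a security specialist, thanks")]:
        print(ip, repr(body), check_comment(ip, body))
```

Running the IP check before the keyword scan keeps the expensive part off the hot path for addresses that are already known to be bad; the word-boundary match is what keeps "specialist" from being counted as "cialis".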

Using my recently acquired IP-to-country database, I ran through the blacklist and assembled a list of the top ten countries from which the comment spam came. Here's the list:

Top 10 Countries

    Rank  Country         Percentage
    1.    South Korea     29%
    2.    United States   13%
    3.    Israel          7.5%
    4.    China           7.5%
    5.    Japan           4.3%
    6.    United Kingdom  4.0%
    7.    Hong Kong       3.0%
    8.    India           2.9%
    9.    Brazil          2.4%
    10.   Belarus         2.2%

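The procedure behind a table like the one above is a range lookup followed by a tally. This added example (not the author's script or data) shows it: the range table is built from RFC 5737 documentation ranges with fictional country codes, the blacklist is a constructed sample, and the binary search over sorted range starts stands in for whatever lookup the real database provided.

```python
import bisect
import ipaddress
from collections import Counter

# Constructed IP-to-country table. The CIDR blocks are RFC 5737 documentation
# ranges and the country codes are placeholders; a real GeoIP table has
# thousands of rows but the same (start, end, country) shape.
RANGE_TABLE = [
    ("192.0.2.0/25",    "KR"),
    ("192.0.2.128/25",  "US"),
    ("198.51.100.0/24", "CN"),
    ("203.0.113.0/26",  "GB"),
]

# Constructed blacklist standing in for the ~1,000 IPs the post describes.
SAMPLE_BLACKLIST = [
    "192.0.2.5", "192.0.2.77", "192.0.2.100", "192.0.2.127",  # KR block
    "192.0.2.200",                                             # US block
    "198.51.100.9",                                            # CN block
    "203.0.113.3",                                             # GB block
    "203.0.113.200",                                           # outside every range
]


def build_index(table):
    """Convert CIDRs to integer (start, end, country) rows sorted by start."""
    rows = []
    for cidr, country in table:
        net = ipaddress.ip_network(cidr)
        rows.append((int(net.network_address), int(net.broadcast_address), country))
    rows.sort()
    starts = [row[0] for row in rows]
    return starts, rows


def lookup(ip, index):
    """Binary-search the row whose start is <= ip, then confirm ip <= end."""
    starts, rows = index
    value = int(ipaddress.ip_address(ip))
    pos = bisect.bisect_right(starts, value) - 1
    if pos >= 0:
        start, end, country = rows[pos]
        if start <= value <= end:
            return country
    return "unknown"  # gaps between allocations are reported, not silently dropped


def top_countries(blacklist, index, n=10):
    """Return (country, count, percent) for the n most frequent countries."""
    counts = Counter(lookup(ip, index) for ip in blacklist)
    total = sum(counts.values())
    return [(country, count, round(100.0 * count / total, 1))
            for country, count in counts.most_common(n)]


INDEX = build_index(RANGE_TABLE)


def report():
    return top_countries(SAMPLE_BLACKLIST, INDEX)


if __name__ == "__main__":
    for rank, (country, count, pct) in enumerate(report(), start=1):
        print(f"{rank:>2}. {country:<8} {count:>4} {pct:>5}%")
```

Two design points: the lookup tests both ends of the candidate range, so an address that falls in a gap between allocations is counted as "unknown" rather than attributed to the nearest block, and the percentages are computed over every blacklisted IP, unknowns included, which is why a column like the one above need not sum to 100%.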
South Korea leads the way at the top of the table - with 29% of blacklisted IPs coming from this geographic location. It's little wonder - South Korea has one of the highest penetrations of broadband use, and the dense, tech-rich country has incredible amounts of bandwidth available to the average internet user.

It's this highly available bandwidth and lax policy against spam of this type that means these blooming tech economies are spam havens. It is a similar case with China, Hong Kong and India, which together with South Korea make up 42% of all spam IPs blacklisted.

Presumably a lot of comment spam comes through hijacked connections - 'botnets' of computers infected with backdoor programs, allowing the spammer to use the machine for his/her own nefarious deeds. I daresay this is why the US and the UK feature highly - despite having comprehensive spam laws, the large net user bases here are a prime target for malware. The site in question is based predominantly in the UK, so I expect that figure is inflated slightly, but it would appear there are a lot of spammers operating through machines in the US.

These figures don't tell us much about the spammers themselves - they could operate from anywhere in the world and rely solely on open proxy networks and malware-infested machines, for instance - but they do give us an impression of where the machines used come from. The prime factors seem to be available bandwidth and lax (or non-enforced) spam laws, and perhaps a ready supply of infected machines. One thing is certain, however: the deluge of comment spam doesn't show any signs of stopping. As more and more people vie for competitive markets, the spammers' efforts may only be redoubled as long as there are rewards to be had.