Geeklog The Ultimate Weblog System
Welcome to Geeklog
Thursday, May 15 2008 @ 11:30 PM EDT
   

[Spam] Meet The Bulgarians

Spam

Comment spam is a huge problem for a lot of sites these days. And since geeklog.net gets its share of comment spam, we thought we'd give you some information about the spam that hits geeklog.net so that you can use this to protect your own site.

The most persistent wave of spam that's been hitting us for months now comes from two brothers, nicknamed The Bulgarians.

Have you been getting waves of comment spam for poker / casino sites, alternating with spam for pills / drugs, and finance / mortgage sites? Then you're most likely on the Bulgarians' list.

Ann Elisabeth Nordbo has collected some background information on these two. An interesting read (and I highly recommend her other site, Spam Huntress, which is dedicated to fighting comment spam).

Fortunately, there is a very effective method to block these particular spammers. If your webhost lets you edit your own .htaccess file, see Cindy's spampop for the recipe. Cindy also used to keep a list of all the domains that the Bulgarians have registered (over 2500), but had to take it down due to heavy traffic. Ann Elisabeth is now keeping track of the recently used domains.

If you can't create your own .htaccess file, then you should feed your personal blacklist (in Geeklog's Spam-X plugin) with a few typical phrases and keywords from the comment spam you may see. We will also be releasing an update to the Spam-X plugin soon that will include a filter module that lets you apply the "spampop" method from within Geeklog.

In addition to comment spam, the Bulgarians are also flooding sites with referer spam. On a Geeklog site, that will cause a higher server load, since every such request creates a session. Referer spam can be blocked by the same method that's also effective against worms such as the Santy and Spyski worms. The only problem here is that you'll continually have to update your .htaccess to include the new domains.

But that's not all - the Bulgarians are also doing trackback spam. The next Geeklog release will support trackbacks, so we will face that problem then, too. However, the "spampop" method pretty much takes care of this particular sort of trackback spam as well (and Geeklog's trackback implementation also supports spam filtering with the Spam-X plugin).

Okay, that's it for now. I hope this first installment under the new "Spam" topic has provided you with some useful information. Expect more posts in the future.


[Spam] Meet The Bulgarians | 11 comments
The following comments are owned by whomever posted them. This site is not responsible for what they say.
[Spam] Meet The ???
Authored by: Stranger on Sunday, April 10 2005 @ 09:16 AM EDT
Dear Dirk,

I appreciate your effort to fight spam generators. This problem became actual for many people. Spam generators leaving in comments a lot of crap, marketing sites for the people with deviated sexual orientations, etc…

I have a sensitive question to you:

Why do you call these spam generators “Russians” / “Bulgarians”?

May I note that the majority of the spam, including promotion of drugs, loans and similar crap, is for the marketing of American producers of the goods mentioned in the spam. Why do you think these spammers have got the name “Bulgarians”, “Russians”? Is it to distract people’s attention from the real spam-makers and propagandize the population with the image of bad Europeans with a socialist background, promoting American stuff (???!!!)

If you do not have conclusive evidence proving that the spam makers ARE really Bulgarians or Russians (not Americans with foreign background, or just Americans), please avoid use of this abusive naming and publish their real names.

And if you have detected IP numbers, piling on Russian ISP – please do not take it as serious evidence of some reasons:

1) Probably None of the Russians are interested in marketing American Business;

2) They might be Americans, residing in the Russian federation and pumping our mails with their commercial crap;

3) Spamming engines can be remotely controlled, just like giant spam mailing robots, YET marketing American products

4) IP number can be easily substituted by any number. Anyone can download software (I believe American software) to clone an IP number

5) There are some companies providing a fight against email spam (“…just for 10 US$ per month we can…”). I wonder how these companies (most likely American and English) are stopping the spam, if it is not they themselves sending this spam to billions of people…

[Spam] Meet The ???
Authored by: Dirk on Sunday, April 10 2005 @ 09:57 AM EDT
Erm, did you follow the link "background information"?

And I was not talking about spam in general but about one particular source of spam, which has been tracked back to two Bulgarian brothers (wherever they may live now).

bye, Dirk
[Spam] Meet The ???
Authored by: vesselin on Friday, June 24 2005 @ 03:15 AM EDT

i believe there are spammers from different nations,
and I think there are spammers living in your country too.

I wouldn't normally waste my time writing stuff in your forum, but the fact is - when i wrote 'bulgarians' in google your article was one of the results on the first page.. right next to http://en.wikipedia.org/wiki/Bulgarians ..- and have a look - there aren't mentioned any famous bulgarian spammers ;)

no, but there is mentioned one of the fathers of the modern computer - John Atanassov.
So why don't you GEEKZ wrote somethin` positive like.. :)) Bulgarians - inventors of the modern computer .. duh..
[Spam] Meet The ???
Authored by: Dirk on Friday, June 24 2005 @ 01:00 PM EDT

I think the posts by Joe and Ann over at spamhuntress.com (where you posted the same thing) pretty much cover everything that can be said.

Let me just add that there are good guys and bad guys in every country. And if you don't want the bad guys to make the headlines, why not do something about them?

For example: Are there anti-spamming laws in Bulgaria? If so, can you help us make use of them? I would be more than happy not having to spend a portion of my free time every day just to catch up with these guys and prevent them from making our sites unusable ...

bye, Dirk

good guys bad guys..
Authored by: vesselin on Thursday, June 30 2005 @ 10:23 AM EDT
oh.. it's obvious you haven't been in eastern europe lately ? :)) the last thing police should worry around here is spam..

im serious :) ..im just trying to say .. the world we live in is very different from the world you live in

..but whatever, i don't think 'meet the bulgarians' is a proper title unless it's some article about history :) really, so please do me a favor, do what is the right thing to do, and rename that spam-related-article, maybe something like Bulgarian Spammers or somethin`.. but not 'Meet the bulgarians'

thank you :)

(and one more thing - I don't really believe we do have such laws about spam)
[Spam] Meet The ???
Authored by: vesselin on Friday, June 24 2005 @ 03:33 AM EDT
you haven't talked about BUlgarian spammers or bulgarians, you actually entitled your spam related article "Meet the bulgarians". so please.. could you change its title ?
[Spam] Meet The ???
Authored by: Dirk on Monday, April 11 2005 @ 01:19 PM EDT
I see you left a similar comment on Ann Elisabeth's site. So let me assure you that this is not some evil American conspiracy against Bulgarians or Russians (which I didn't even mention, btw) in general.

Ann Elisabeth and others have tracked down one particular spammer who just happens to be from Bulgaria (and I think Ann's evidence is sound and matches what we see here and over on geeklog.info).

And since you obviously missed that bit: Neither Ann Elisabeth nor myself are American ...

bye, Dirk
[Spam] Meet The "No Names"
Authored by: RickW on Tuesday, April 12 2005 @ 11:34 PM EDT
Dirk was not trying to slander the citizens of any country. He is just using a nickname for two guys that we can track because of their location, i.e. Bulgaria. When someone refers to the "Nigerian Scam Letter", do you find that offensive? Again, it's a relationship of spam identity and spammer location. I suppose we could call these guys "Spammer #231786"...

---
http://www.antisource.com
[Spam] Meet The Bulgarians
Authored by: Dirk on Monday, April 11 2005 @ 01:28 PM EDT

Here's some more information, in the hope to make it somewhat clearer which sort of spam I was talking about above. Typically, a spamrun by the Bulgarians looks like this:

  • They send comment, trackback, and referer spam for up to 6 domains for about 24 hours. There's usually a pause then for a few hours before the next spamrun starts with a fresh set of domains.
  • Most of the time, the spam is for poker sites, but they also do drugs and finance spam (no porn, AFAIK).
  • Most of the time they use subdomains containing the keywords, like poker.example.com.
  • All the spam posts look pretty much the same and start with a phrase like "Please check some helpful info about ...", "You are invited to check out the sites in the field of ...", etc.
  • Comment posts are usually a huge list of keywords and links, while trackback spams (because of the nature of trackbacks) contain only one link.
  • Typically, the spamvertised sites, when called up in a browser, display a bogus message that makes you think the site has already been closed down. In fact, they usually only open the site after the spamrun has ended.

Those are the main characteristics. If you've been hit by them once, you'll recognize them immediately.

I don't have any insight on the sort of sites they usually hit, but it's not restricted to Geeklog sites: Similar reports can be found from users of Wordpress and Serendipity, to name just the ones I know about. A Google search for "poker spammer", "poker spam", or similar turns up a lot of reports and if you compare them with the characteristics listed above you'll see that it's the same source in almost every case. The Bulgarians (i.e. these two brothers) really seem to be the #1 source for this sort of spam.

bye, Dirk
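
The characteristics listed in the comment above, together with the phrase and keyword blacklist the article recommends, expressed as a scoring filter. This is an added example, not part of the original post and not Spam-X code; the function names, the threshold, the link limit and the sample texts are assumptions constructed for illustration.

```python
import re

# Opening phrases quoted in the comment above; extend from your own logs.
OPENERS = (
    "please check some helpful info about",
    "you are invited to check out the sites in the field of",
)
# Topics named in the article: poker / casino, pills / drugs, finance / mortgage.
KEYWORDS = ("poker", "casino", "pills", "drugs", "finance", "mortgage")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

def keyword_subdomain(host):
    """True if a subdomain label contains a topic keyword (poker.example.com).
    Naive assumption: the last two labels are the registered domain."""
    labels = host.lower().rstrip(".").split(".")
    return any(kw in label for label in labels[:-2] for kw in KEYWORDS)

def score_post(text, kind="comment", max_links=5):
    """Return (score, reasons) for a comment or trackback body."""
    reasons = []
    hosts = URL_RE.findall(text)
    if text.strip().lower().startswith(OPENERS):
        reasons.append("opener")
    if any(keyword_subdomain(h) for h in hosts):
        reasons.append("keyword-subdomain")
    # Comments arrive as a long list of links; trackbacks carry only one,
    # so the link count is only meaningful for comments.
    if kind == "comment" and len(hosts) > max_links:
        reasons.append("link-flood")
    return len(reasons), reasons

def is_spam(text, kind="comment", threshold=2):
    """Require two independent signals so a single keyword hit
    (a legitimate link to a finance subdomain, say) does not block a post."""
    return score_post(text, kind)[0] >= threshold

# Constructed samples, not real captures.
SPAM_COMMENT = "Please check some helpful info about poker " + " ".join(
    f"http://poker.example.com/p{i}" for i in range(8))
SPAM_TRACKBACK = ("You are invited to check out the sites in the field of "
                  "finance http://mortgage.example.net/")
HAM = "I play poker on weekends; rules are at http://www.example.org/poker-rules"

if __name__ == "__main__":
    for sample, kind in ((SPAM_COMMENT, "comment"),
                         (SPAM_TRACKBACK, "trackback"), (HAM, "comment")):
        print(kind, is_spam(sample, kind), score_post(sample, kind)[1])
```

Because the domains change with every run, the opener and subdomain-shape signals age better than a list of blocked domains.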

[Spam] Meet The Bulgarians
Authored by: bjudson on Tuesday, January 24 2006 @ 08:01 AM EST
What is the status on this effort?

I have been getting mass trackback spam, and am on the verge of shutting down trackback on my site before I even see how useful it is.

I tried to post my personal blacklist, that has gotten rid of all the existing spam, but it was seen as spam on this site. :-)

The blacklist was just the URLs of the sites the spammer is posting (not as links just as text).

-Astrogen
Status
Authored by: Dirk on Tuesday, January 24 2006 @ 03:05 PM EST

The status of what? The above article is about a certain group of spammers who are easily identifiable and who can be filtered effectively with the Spam-X modules provided. That includes their Trackbacks.

Maintaining a blacklist requires a lot of time and effort and nobody really wants to do that anymore. If you're interested in other techniques, have a look at our geeklog-spam mailing list, where a few experimental Spam-X modules have been posted.

bye, Dirk