So I was just taking a look at our MT-Blacklist logs, and discovered a very interesting sequence of events. Here’s the first line:
2004.10.30 21:30:26 Master Blacklist auto-update New String added to blacklist: SPAMURL.com
What that says is that MT-Blacklist automatically updated itself with a bad URL (obviously I substituted the text so as to not give the spammers what they want). Nothing too impressive there, as this sort of thing is a.) what it’s designed for and b.) happens all the time.
Well, as it turns out, it’s a very good thing it did. Less than 3 hours later, a comment spammer tried to post the bad URL to our blogs – nearly 600 times.
The takeaways?
1. MT-Blacklist – or its non-MT equivalent – is a must-have now.
2. Community defenses are necessary here – without the central blacklisting and autoupdate, I would have come in the next day to 600 spams, with only the assurance that I could manually add them to the blacklist and not get them again. Small consolation.
3. Some of the attacks are quite sophisticated. This event, for example, featured nearly a unique IP for each try – never in the same block. That’s not difficult to do for a determined spammer, but it’s not a trivial exercise either.
4. The system that rewards these spammers (the search engines) needs to attack this problem sooner, rather than later. Authentication schemes like TypeKey are nice, but until a standard is reached and they gain critical mass, they’re bound to irritate your users.
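The point in takeaways 2 and 3, as an added example that is not part of the original post or of MT-Blacklist's code: a burst of 600 comments carrying one URL, each from a different /24, is stopped entirely by a shared content blacklist and not at all by per-block rate limiting. The host-suffix matching, the `per_block_limit` threshold, the sample addresses and the `spamurl.example` domain are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Pulls the host part out of every http(s) link in a comment body.
URL_HOST = re.compile(r"https?://([^/\s<>]+)", re.I)

def blacklisted(comment_text, blacklist):
    """True if a linked host equals, or is a subdomain of, a blacklisted entry.
    Simplified matching for this example, not MT-Blacklist's own rules."""
    for host in URL_HOST.findall(comment_text):
        host = host.lower().split(":")[0]          # drop any :port
        if any(host == b or host.endswith("." + b) for b in blacklist):
            return True
    return False

def compare_defenses(submissions, blacklist, per_block_limit=3):
    """Return (blocked_by_content, blocked_by_rate) for (ip, text) submissions.
    The rate limit trips once a single /24 exceeds per_block_limit comments."""
    seen = Counter()
    by_content = by_rate = 0
    for ip, text in submissions:
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        seen[block] += 1
        if seen[block] > per_block_limit:
            by_rate += 1
        if blacklisted(text, blacklist):
            by_content += 1
    return by_content, by_rate

def constructed_burst(n=600):
    """Constructed sample: n comments, same URL, every one from its own /24."""
    return [(f"10.{i // 250}.{i % 250}.7",
             "great post! http://spamurl.example/offer")
            for i in range(n)]

if __name__ == "__main__":
    blacklist = {"spamurl.example"}   # stand-in for the auto-updated entry
    content, rate = compare_defenses(constructed_burst(), blacklist)
    print(f"content blacklist blocked {content}, /24 rate limit blocked {rate}")
```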