SpamIdentification
Here are the various techniques SpamLookup currently employs to identify weblog spam.
IP-based lookup
The IP address of the commenter/pinger is checked (by default against bsb.empty.us and opm.blitzed.org) using a DNS lookup. So if their IP is 1.2.3.4, then a DNS query is made for each service, such as: 4.3.2.1.bsb.empty.us and 4.3.2.1.opm.blitzed.org. If a service resolves that name to an IP (traditionally 127.0.0.2), then the commenter's IP is registered with it as a source of spam, most likely an open proxy or zombie PC that is sending out weblog and/or e-mail spam.
Domain-based lookup
Domain lookups are more useful than IP lookups, primarily because domains have an associated cost to the spammer. For each domain they spam and we block, that is another $4 they have wasted (or less... what is the lowball price for domains these days?). So if some.spammer.com is spamming with their domain in the hyperlink(s) posted, that domain is checked (by default with bsb.empty.us and sc.surbl.org) using a DNS lookup. We check for the following domains: some.spammer.com.bsb.empty.us, spammer.com.bsb.empty.us, some.spammer.com.sc.surbl.org and spammer.com.sc.surbl.org. Upon the first resolved domain, the message is flagged as spam.
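The query names described under IP-based lookup and Domain-based lookup, built and checked against a constructed in-memory zone (an added example, not SpamLookup's own code). The function names, the walk from the full host down to its last two labels, and the rule that only answers in 127.0.0.0/8 count as a listing are assumptions of this example.

```python
import ipaddress
import socket

IP_ZONES = ("bsb.empty.us", "opm.blitzed.org")    # defaults named on the page
DOMAIN_ZONES = ("bsb.empty.us", "sc.surbl.org")   # defaults named on the page
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here

def ip_query_names(ip, zones=IP_ZONES):
    """1.2.3.4 -> ['4.3.2.1.<zone>', ...]; IPv4 only, raises on bad input."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(reversed(octets)) + "." + zone for zone in zones]

def domain_query_names(host, zones=DOMAIN_ZONES):
    """Full host first, then each parent down to the last two labels."""
    labels = host.strip().rstrip(".").lower().split(".")
    # Assumption: stop at two labels (spammer.com); no public-suffix handling.
    candidates = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    return [f"{c}.{zone}" for zone in zones for c in candidates]

def system_resolve(name):
    """Live A lookup; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def first_listed(names, resolve=system_resolve):
    """Return (query_name, answer) for the first listing, else None."""
    for name in names:
        answer = resolve(name)
        # Ignore answers outside 127.0.0.0/8: a resolver that rewrites
        # NXDOMAIN to a landing page would otherwise flag every sender.
        if answer and ipaddress.ip_address(answer) in LISTED_NET:
            return name, answer
    return None

# Constructed sample data standing in for the DNS, so this runs offline.
FAKE_ZONE = {
    "4.3.2.1.opm.blitzed.org": "127.0.0.2",
    "spammer.com.sc.surbl.org": "127.0.0.2",
    "example.org.bsb.empty.us": "203.0.113.7",  # simulated NXDOMAIN rewrite
}

if __name__ == "__main__":
    print(first_listed(ip_query_names("1.2.3.4"), FAKE_ZONE.get))
    print(first_listed(domain_query_names("some.spammer.com"), FAKE_ZONE.get))
    print(first_listed(domain_query_names("www.example.org"), FAKE_ZONE.get))
```

Passing no `resolve` argument makes `first_listed` use the system resolver instead of the constructed zone.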
TrackBack IP check
The IP address of the sender and the IP address that resolves for the domain of the TrackBack ping are compared. If they differ, the user can take action.
Passphrase checks
The user can require a particular passphrase in order for the comment or TrackBack ping to be posted. This option is off by default.
Checking HTTP Headers
The user can test for the X-Forwarded-For HTTP header and block or moderate based on whether it is populated or not. This header usually indicates that a proxy is being used. The user can also specify a list of local network IP blocks to exclude from this test.
Hyperlink Count limits
"Greedy spam" is a very typical sign of weblog spam. This is where the sender tries to place dozens or sometimes even hundreds of links in a single post. The user can specify their limits and can block or moderate based on them.
Dynamic proxy checking
The user can enable dynamic proxy testing. This is where the sender is actively probed to determine whether they are an open proxy or not. If they are, their IP can be automatically added to the weblog's IP banlist.
Wordlists
The user can specify a list of words and patterns they wish to use to trigger moderate/block actions.
