Anatomy of an attempt to comment spam


Today I got an interesting attempt at search engine comment spam.

This practice is where people with questionable ethics claim they can improve search engine ranking by doing "search engine optimization". One of the techniques is to post junk comments on high ranking sites containing a back link to the site/page they want to promote, with the appropriate keywords.

Someone posted the following comment as a followup to the original proposal for Drupal 6 logging and alerts watchdog hook.

Unfortunately one more
Submitted by Home Decor Furniture (not verified) on Thu, 2007/05/31 - 10:35.

Unfortunately one more change is required for watchdog() calls. Now all calls have t() evaluated runtime, which results in a "nice" mix of languages used to log your messages regardless of where are those logged, if you have multiple languages supported on the site.

The IP address the comment came from is in Romania.

The text there looked familiar so I did an analysis on Apache's logs to see how this was done.

Unethical SEO

The above IP address first visited my site when doing a search on a site called seochat.com. Here is the original query. As you can see he is targeting my site for the word "comment", using the Google syntax "site:baheyeldin.com comment".

Checks baheyeldin.com

This led him to this page on baheyeldin.com

89.120.3.5 - - [31/May/2007:10:33:29 -0400] "GET /technology/drupal/drupal-6-proposal-for-a-watchdog-hook-for-logging-and-alerts.html HTTP/1.1" 200 30087 "http://www.seochat.com/?tool=7&option=com_seotools&hl=en&lr=&ie=UTF-8&oe=UTF-8&q=site%3Abaheyeldin.com+comment&result_mode=pagerank&num=100&btnG=+++Search+++" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

After a few seconds, he visits this page:

89.120.3.5 - - [31/May/2007:10:33:37 -0400] "GET /family/the-baheyeldin-dynasty.html HTTP/1.1" 200 23057 "http://www.seochat.com/?tool=7&option=com_seotools&hl=en&lr=&ie=UTF-8&oe=UTF-8&q=site%3Abaheyeldin.com+comment&result_mode=pagerank&num=100&btnG=+++Search+++" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

Checks 2bits.com

Then within a minute, he is on 2bits.com, which has the announcement for the watchdog hook for Drupal 6, after the patch was committed to core.

Note Goba's comment on the article.

89.120.3.5 - - [31/May/2007:10:34:21 -0400] "GET /news/drupal-6-new-hook-watchdog-for-logging-and-alerts.html HTTP/1.1" 200 9804 "http://www.google.com/search?source=ig&hl=en&q=Drupal+6%3A+Proposal+for+a+watchdog+hook+for+logging+and+alerts&btnG=Google+Search" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

Comment spam

Then back on baheyeldin.com, he copies Goba's comment, and posts it in a comment.

89.120.3.5 - - [31/May/2007:10:35:10 -0400] "POST /comment/reply/820 HTTP/1.1" 200 26485 "http://baheyeldin.com/technology/drupal/drupal-6-proposal-for-a-watchdog-hook-for-logging-and-alerts.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
89.120.3.5 - - [31/May/2007:10:35:19 -0400] "POST /comment/reply/820 HTTP/1.1" 302 - "http://baheyeldin.com/comment/reply/820" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

He tried to use the comment poster's URL to link the keywords "Home Decor Furniture" to a page on this domain, which is registered to one Anton Vassiliev from Sunnyvale, California.

Checking the results

Finally, he tries to see if the comment was posted:

89.120.3.5 - - [31/May/2007:10:35:20 -0400] "GET /technology/drupal/drupal-6-proposal-for-a-watchdog-hook-for-logging-and-alerts.html HTTP/1.1" 200 30228 "http://baheyeldin.com/comment/reply/820" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
89.120.3.5 - - [31/May/2007:10:35:27 -0400] "GET /technology/drupal/drupal-6-proposal-for-a-watchdog-hook-for-logging-and-alerts.html HTTP/1.1" 200 30087 "http://baheyeldin.com/comment/reply/820" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

Of course, since I have the comments set to moderate first, this never got out.
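
The manual log analysis above can be automated. The following Python script is an added example, not code from the original post: it parses Apache combined-format lines and flags comment POSTs from an IP that first arrived through a search referer containing a "site:" query. The /comment/reply/ path prefix comes from the logs above; the 10-minute window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs
# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def site_query(referer):
    """Return the search query if the referer's q= parameter uses site:, else None."""
    for q in parse_qs(urlsplit(referer).query).get("q", []):
        if "site:" in q.lower():
            return q

def find_scouted_posts(lines, window=timedelta(minutes=10)):
    """Flag comment POSTs from an IP that arrived via a site: search within `window`."""
    scouts, hits = {}, []
    for rec in filter(None, map(parse, lines)):  # assumes chronological order
        q = site_query(rec["referer"])
        if q:
            scouts.setdefault(rec["ip"], (rec["ts"], q))  # keep the first sighting
        if rec["method"] == "POST" and rec["path"].startswith("/comment/reply/"):
            first = scouts.get(rec["ip"])
            if first and rec["ts"] - first[0] <= window:
                hits.append((rec["ip"], first[1], rec["path"], rec["ts"] - first[0]))
    return hits

# Sample input adapted from the article's log lines (paths, referers and agent
# shortened), plus one constructed line (192.0.2.10): a commenter who did not scout.
SEO = "http://www.seochat.com/?tool=7&q=site%3Abaheyeldin.com+comment&num=100"
SAMPLE = [
    f'89.120.3.5 - - [31/May/2007:10:33:29 -0400] "GET /a.html HTTP/1.1" 200 30087 "{SEO}" "Firefox/2.0.0.3"',
    f'89.120.3.5 - - [31/May/2007:10:33:37 -0400] "GET /b.html HTTP/1.1" 200 23057 "{SEO}" "Firefox/2.0.0.3"',
    '192.0.2.10 - - [31/May/2007:10:34:00 -0400] "POST /comment/reply/820 HTTP/1.1" 302 - "-" "Firefox/2.0.0.3"',
    '89.120.3.5 - - [31/May/2007:10:35:10 -0400] "POST /comment/reply/820 HTTP/1.1" 200 26485 "-" "Firefox/2.0.0.3"',
    '89.120.3.5 - - [31/May/2007:10:35:19 -0400] "POST /comment/reply/820 HTTP/1.1" 302 - "-" "Firefox/2.0.0.3"',
]

if __name__ == "__main__":
    for ip, query, path, delay in find_scouted_posts(SAMPLE):
        print(f"{ip} searched {query!r}, then POSTed {path} after {delay}")
```

A hit is a signal for the moderation queue rather than proof of spam, since a legitimate reader can also arrive through a "site:" search.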
