ifuleuiycfi – I Really Admire You, Spammers

Recently, the admin tool of this site is very slow. I didn’t pay enough attention until it takes about several minutes to load a page in MovableType admin. I found out it was because of the comment spams.

The log shows I am almost 1000 junk comments every day. In the peak time (6:00 – 8:00 AM), there are more than 10 comment requests in every single minute.

MovableType have great anti-spam features. It blocked all of them, but it requires a lot of resources to handle that. The result is, the server is slower and slower. Lunarpages, the hosting company ever emailed me complaining my MT installation sometimes consumes about 40% of one CPU, out of 4 CPU they have for the server.

It seems to be a serious issue.

Changed the Script Name

I guess the spammers may try to post to the default installation of all the MT based blogs: /cgi-bin/mt/mt.cgi. I decided to change the default script name from mt-comments.cgi to something new. I choose the name of the script to a random name.

mt-comments-ifuleuiycfi.cgi

Then changed the configuration so it is now the new comment script. The name ifuleuiycfi of the scripts reads:

I Fu Le U If You Can Find It.

Fu Le means admire in Chinese

Spams Comes After Me

To be honest with you, I don’t think they will check the page for comment scripts before posting spams.

I was wrong, deadly wrong. Within one minute, a new comment spam appeared, using the new comment script. I did a rename, so the previous comment script does not exist already.

screen-ifuleuiycgi.png

New spams keep coming. I’d like to say: “I really admire you guys, spammers”.

Since many of the URL ends with .ru, I guess it comes from Russia.

Changed to Javascript Code

The rule I set for anti-spam is, I don’t add additional work to people who comments. Quickly, I wrote a piece of code like this:

<form method=”post” action=”http://home.wangjianshuo.com/cgi-bin/mt/mt-comments.cgi”

name=”comments_form”

onsubmit=”if (this.bakecookie.checked) rememberMe(this); s1=’http://home.wangjia’; s2=’nshuo.com/cgi-bin/mt/mt-‘; s3=’comments-ifuleuiycfi.cgi’; this.action = s1+s2+s3;”>

The form still direct the robots to mt-comments.cgi, which does not exist.

This time, the comment spams went away. I got only one spam in the last few days – obviously, this honest guy posted manually.

From the server log, mt-comments.cgi is really busy. A file not found error does not add as much burden to the server as a real comment.

So way to go, cheers, and jia you, those spam robots!

9 thoughts on “ifuleuiycfi – I Really Admire You, Spammers

  1. well, i do not think the guy does it manually.

    i guess the spam does in this way:

    1. Crawl a HTML Page

    2. Find Tag and then find the action, the textbox, etc

    3. Programmatically post.

    So if you change the action to anything, it still works. You use some fake action in the second method so it does not work. It is hard to recognize it programmically to analyze the javascript.

    Well, i hate spam

  2. Chedong, I have that in the script, but the guy quickly get all the hidden value and start to post. I would say, they are really smart on this part.

    Jack, my point was, when someone still be able to post, i believe they posted mannually – at least they catch up so quickly.

  3. We might need to consider HIP (Human Interaction Proof), the pictures with blured/twisted/dotted text.

  4. Xinquan, of cause. It is just a simple trick and not protected by any law. :-) just remember to change it to your URL otherwise, it will all come to my site.

    mvm, one principle is avoid adding burden to people who comment. There are too much overhead to use that kind of technology in spam protection. I am a strong believer to evaluate the conditions we are in before we take action. The condition I am in is, the spammers won’t spent any second on a particular site like this.

  5. My blog had also been spamed by those ads, but I’m using drupal without any anti-spam features, it took me more than an hour to delete all spammed comment. :(

Leave a Reply

Your email address will not be published. Required fields are marked *