Several times a day, I get a notification that there are new comments on this blog, waiting for moderator approval…
…unfortunately, they’re not adoring fans. It’s always “comment-spam”, trying hard to place some advertising on my site for refinancing of mortgages, various pills, porn, and who-knows-what-else. It’s typically from many different IP addresses, so the actual spammers are almost certainly hiding their identity. Today, I figured I’d take a closer look.
I had assumed that I’d find a set of computers, of similar operating systems and configurations, as part of a botnet being used for this sort of thing. After seeing the results and giving it some thought, it’s obvious that a botnet would be unnecessary for this sort of endeavor. There are plenty of machines out there ready to do one’s bidding for comment spam, without having to build an elaborate net.
What I have found is a lot of machines running wide open web proxies, on common ports such as 3128 and 8080. Running the IPs through GooSweep shows that these specific proxies are on many lists of proxies, blacklists, not to mention tons of blog comments. The spammers are keeping the proxies busy, and it’s amazing that some of them have been up as long as they have (on the order of weeks).
Most script-kiddies find proxies like this by scanning ranges on common ports. Me? I get them delivered by email on a daily basis.