Comment SPAM Bad Neighborhood Analysis (2013-Mar)

We track and block a lot of comment SPAM via our WordPress plugin and our CloudProxy WAF. One thing we noticed is that the majority of the SPAM we detect comes from the same “bad neighbors” (IP ranges that are known for sending a lot of SPAM).

We ran a quick query for the month of March (just 23 days), and these are the top 20 networks used by comment spammers:

# of comments sent | IP range
42455 96.47.225.0/24
16502 173.44.37.0/24
13748 46.227.68.0/24
13597 194.71.223.0/24
13521 194.71.222.0/24
13422 194.71.224.0/24
13358 194.71.225.0/24
10563 117.21.225.0/24
10505 96.47.224.0/24
10325 91.236.74.0/24
10173 91.231.40.0/24
9262 142.91.81.0/24
8909 195.190.13.0/24
8423 94.242.241.0/24
7494 5.144.176.0/24
6980 94.242.237.0/24
6789 46.227.70.0/24
6772 46.227.71.0/24
6283 142.4.98.0/24
5860 91.236.75.0/24


Those 20 small network blocks were responsible for more than 230,000 SPAM comments sent to the sites we are monitoring (that’s almost 20% of the total that we blocked during the same period). And if you are curious about what the most common SPAM messages were, these were the top 5 messages for the month so far:

#1: 6861 SPAM comments had: Hello Web Admin, I noticed that your On-Page SEO is is missing a few factors, for one you do not use all three H tags in your post, also I notice that you are not using bold or italics properly in your SEO optimization. On-Page SEO means more now than ever since the new Google update: Panda. No longer are backlinks and simply pinging or sending out a RSS feed the key to getting Google PageRank or Alexa Rankings, .. bla bla bla… just watch this 4minute video for more information at. httx://www.searchengineoptimizationtips .info

#2: 2723 SPAM comments had: We have decided to open our POWERFUL and PRIVATE web traffic system to the public for a limited time! You can sign up for our UP SCALE network with a free trial .. bla bla bla .. Visit us today: httx://bag.sh/16M (redirects to httx://voxseo.com/traffic/)

#3: 2344 SPAM comments had: Hello Web Admin, I noticed that your On-Page SEO is is missing a few factors, .. bla bla bla (same as #1) .. just watch this 4minute video for more information at httx://www.SEO-SOLUTIONS .INFO

#4: 2079 SPAM comments had: Brokersring .com – Learn how to turn $500 into $5,000 in a month!

#5: 1397 SPAM comments had: You need targeted traffic to your website so why not try some for free? There is a VERY POWERFUL and POPULAR .. bla bla bla .. Sign up before it is too late: httx://bag.sh/16M

And these were the top URLs included in the link field of the SPAM messages:

15976 [url] => httx://www.kitdeemail.com
11119 [url] => httx://bag.sh/16M
6968 [url] => httx://www.searchengineoptimizationtips.info
6453 [url] => httx://www.trxsuspensiontrainersale.net
6253 [url] => httx://aerotraffic.com/web-traffic/
4985 [url] => httx://himovie.org
4427 [url] => httx://tiny.cc/zsbvsw
4092 [url] => httx://www.NicoleBerryPsychic.com
3671 [url] => httx://www.gucci–online-shop.com/
3319 [url] => httx://www.busquemail.com.br
3316 [url] => httx://www.emailsvip.com.br
3309 [url] => httx://www.seomaster.com.br

Most of them are related to SEO companies and web traffic/link exchanges. Now you know which companies to avoid and what links and networks to block.
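The same kind of ranking can be run against your own blocked-comment logs. The following Python is an added example, not Sucuri's actual query: it groups source IPs into /24 networks, ranks them by comment count and share of the total, and checks whether a new address falls inside a heavy-hitting range. The function names, the sample addresses (RFC 5737 documentation ranges) and the 25% share threshold are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: source IPs of blocked spam comments (RFC 5737 documentation ranges).
SAMPLE_IPS = [
    "192.0.2.10", "192.0.2.10", "192.0.2.77", "192.0.2.200",
    "198.51.100.5", "198.51.100.9",
    "203.0.113.40",
    "not-an-ip",  # malformed field, which real logs often contain
]

def to_network(ip, prefix=24):
    """Return the enclosing IPv4 network for ip, or None if the field is not a valid IPv4 address."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    if addr.version != 4:
        return None
    # strict=False masks the host bits, so 192.0.2.77/24 becomes 192.0.2.0/24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def rank_networks(ips, prefix=24, top=20):
    """Count comments per network; return ([(cidr, count, share)], valid_record_total)."""
    counts = Counter()
    for ip in ips:
        net = to_network(ip, prefix)
        if net is not None:
            counts[net] += 1
    total = sum(counts.values())
    ranked = [(str(net), n, n / total) for net, n in counts.most_common(top)]
    return ranked, total

def in_bad_neighborhood(ip, ranked, min_share=0.25):
    """True if ip sits in a ranked network that sent at least min_share of the spam (assumed threshold)."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(share >= min_share and addr in ipaddress.ip_network(cidr)
               for cidr, _, share in ranked)

if __name__ == "__main__":
    ranked, total = rank_networks(SAMPLE_IPS)
    for cidr, n, share in ranked:
        print(f"{n:6d}  {cidr:18s} {share:6.1%} of {total}")
```

Ranking by share rather than raw count keeps the threshold meaningful as log volume changes, and malformed address fields are skipped instead of aborting the run.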

If you want to know anything else specific to the comment SPAM we track, let us know and we can add it to our reports and post about it.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • http://bloglines.co.za/ Mark de Scande

    Cool just added them to CSF on the BlogLines Server thx for always posting cool tips well done