Comment SPAM Bad Neighborhood Analysis (2013-Mar)

We track and block a lot of comment SPAM via our WordPress plugin and our CloudProxy WAF. One thing we noticed is that the majority of the SPAM we detect comes from the same “bad neighbors” (IP ranges that are known for sending a lot of SPAM).

We ran a quick query for the month of March (just 23 days so far), and these are the top 20 networks used by comment spammers:

# of comments sent | IP range

Those 20 small network blocks were responsible for more than 230,000 SPAM comments sent to the sites we are monitoring (that’s almost 20% of the total that we blocked during the same period). And if you are curious about what the most common SPAM messages were, these were the top 5 for the month so far:

#1: 6861 SPAM comments had: Hello Web Admin, I noticed that your On-Page SEO is is missing a few factors, for one you do not use all three H tags in your post, also I notice that you are not using bold or italics properly in your SEO optimization. On-Page SEO means more now than ever since the new Google update: Panda. No longer are backlinks and simply pinging or sending out a RSS feed the key to getting Google PageRank or Alexa Rankings, .. bla bla bla… just watch this 4minute video for more information at. httx://www.searchengineoptimizationtips .info

#2: 2723 SPAM comments had: We have decided to open our POWERFUL and PRIVATE web traffic system to the public for a limited time! You can sign up for our UP SCALE network with a free trial .. bla bla bla .. Visit us today: httx:// (redirects to httx://

#3: 2344 SPAM comments had: Hello Web Admin, I noticed that your On-Page SEO is is missing a few factors, .. bla bla bla (same as #1) .. just watch this 4minute video for more information at httx://www.SEO-SOLUTIONS .INFO

#4: 2079 SPAM comments had: Brokersring .com – Learn how to turn $500 into $5,000 in a month!

#5: 1397 SPAM comments had: You need targeted traffic to your website so why not try some for free? There is a VERY POWERFUL and POPULAR .. bla bla bla .. Sign up before it is too late:

And these were the top URLs included in the link field of the SPAM messages:

15976 [url] => httx://
11119 [url] => httx://
6968 [url] => httx://
6453 [url] => httx://
6253 [url] => httx://
4985 [url] => httx://
4427 [url] => httx://
4092 [url] => httx://
3671 [url] => httx://–
3319 [url] => httx://
3316 [url] => httx://
3309 [url] => httx://

Most of them are related to SEO companies and web traffic/link exchanges. Now you know which companies to avoid and what links and networks to block.
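To run the same kind of "bad neighborhood" ranking on your own blocked-comment logs, here is an added example (not the query used for this post). It assumes neighborhoods are /24 blocks and that a block must contain at least two distinct spamming hosts to count; the function name and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: source IPs of comments already classified as spam.
# Addresses are from the RFC 5737 documentation ranges, not real spammers.
SAMPLE_SPAM_IPS = (
    ["192.0.2.10"] * 5 + ["192.0.2.77"] * 3 + ["192.0.2.200"] * 2
    + ["198.51.100.5"] * 4 + ["198.51.100.6"] * 2
    + ["203.0.113.9"] * 7      # one noisy host, not a neighborhood
    + ["not-an-ip"]            # malformed log field
)

def bad_neighborhoods(spam_ips, prefix=24, top=20, min_hosts=2):
    """Rank IPv4 blocks by number of spam comments sent.

    prefix and min_hosts are assumptions of this example. min_hosts keeps a
    single noisy address from getting its whole block listed for blocking.
    Returns (rows, share): rows are (block, comments, distinct_hosts) and
    share is the fraction of all valid spam comments sent by the listed blocks.
    """
    comments = Counter()
    hosts = defaultdict(set)
    for raw in spam_ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue                      # skip malformed addresses
        if addr.version != 4:
            continue                      # IPv6 needs a different prefix length
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        comments[block] += 1
        hosts[block].add(addr)
    total = sum(comments.values())
    ranked = [(str(b), n, len(hosts[b])) for b, n in comments.most_common()
              if len(hosts[b]) >= min_hosts][:top]
    share = sum(n for _, n, _ in ranked) / total if total else 0.0
    return ranked, share

if __name__ == "__main__":
    rows, share = bad_neighborhoods(SAMPLE_SPAM_IPS, top=2)
    print("# of comments sent | IP range | distinct hosts")
    for block, n, nhosts in rows:
        print(f"{n:>18} | {block} | {nhosts}")
    print(f"share of all spam: {share:.1%}")
```

Review the distinct-host count before blocking a whole range: a block with many comments from one address is better handled with a single-IP rule.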

If you want to know anything else specific to the comment SPAM we track, let us know and we can add it to our reports and post about it.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development. You can find more about Daniel on his site or on Twitter: @danielcid

  • Mark de Scande

    Cool just added them to CSF on the BlogLines Server thx for always posting cool tips well done
