AI Spam?

I wonder what effect generated text like will have on internet spam. Until now, our anti-spam filters were trained heuristically to try and recognize typical spam patterns, but now spammers could turn to AI models to generate unique text to mask their spammy messages on emails, social media and blogs. Imagine spam links wrapped in elaborate text about any subject you can conceive of. And if the site link behind it is novel each time, it will be increasingly unfeasible for administrators to figure it out.

Not only that, but a lot of sites use minimum active account life to figure out which accounts could be spam. Such accounts are marked based on site interaction and ratings, which either forced spammers to buy accounts, or set up spam farms with people doing nothing but interacting natively on social media until their account was live long enough so that it could bypass the spam filter.

Now spammers can simply plug a text AI behind each account and have it run on autopilot for a few months, until they flip on its spam switch, and it transparently starts peppering spam links in its normal posts, which would make the switch almost indistinguishable unless it posts a well known spam site or something. They could even target specific subreddits and train finetuned generative models on the typical posts of users in there, which will even make it fit the typical subreddit pattern extremely well.

I also expect anti-spam to turn to their own AI models to catch them, but I wonder how much these countermeasures can help. It could be that a model could be trained to figure out spam patterns a human cannot distinguish, but I’m curious to see how effective it could be. I suspect an easier solution would be to have an AI check the site behind each link and try to figure out if it’s a spam site or not, based on heuristics a human might take too long to figure out.

I have the feeling however that ultimately this is a battle that countermeasure AI is bound to lose. And if that happens, it will start leading to what I suspect will be an internet-wide dissolution of anonymous trust. But I will write about that in a later post.

Intense Debate comments deactivated


I’ve been using IntenseDebate for the longest time, being a very active proponent of their comment system, hell, even getting a gift T-shirt for my efforts; but now I find myself having to disable the comment system and go back to the default WordPress comments.

The reason for this is that for some reason their comment system has somehow been compromised by spammers, and blatantly obvious spam comments are coming in constantly, and that is even though they are supposed to be going through Akismet which is excellent at catching this kind of stuff.

I didn’t take this decision lightly. I contacted support who initially thought comments were coming through the internal comments, but once I pointed to evidence that it is coming through ID, they said they were going to “look into it” and that I should fight spammers with IP bans, which is a ridiculous idea.

In fact, another reason why I’m ditching ID is that they have completely dropped the community ball. I have no idea what is up, but I got all excited when they got acquired by Automattic, and was expecting to see ID comments start to get rolled out in WordPress.com and stuff which would have been awesome. Instead the ID people literally fell off the map. Their active blog pretty much died, making 1 post in a year, their support either doesn’t reply, or gives worthless suggestions like IP bans on spammers. And most importantly, their development all but stopped. I haven’t seen any improvements in ID ever since the Automattic acquisition and that’s just sad.

I was content to stick with ID anyway since it’s better than my theme’s built-in ones, but now that it has also become quite a lot of work to scrub my comments every few days, enough is enough!

Perhaps it’s time to look into Disqus, whose developers seem to be actually interested in improving it and making it useful.

Gah, cracked again

The site got compromised yet again. This time through a cross-site exploit. More aggravation follows. Some more information about what happened is discussed.

Has anyone smeared honey all over my site while I wasn’t looking? Once again I find out the Division by Zer0 has been compromised and spam links are being inserted invisibly into my content. And that’s only 10 days after the last time. Argh!

This time I didn’t discover it through a google search but rather when someone from NoState.com contacted me through IM to let me know. This time the spam links were not hidden from the normal source but rather simply invisible in the normal page. This at least makes them much easier to find out and know when you’ve removed them. Nevertheless, this always feels like a very nasty violation every time it happens.

However the exploit was better hidden this time. It wasn’t just a few files hidden in my subdirectories but rather code inserted in my actual WordPress and theme files. This seemed to have been done through some kind of XSS exploit but I have no idea how it managed it as I’m running the latest WP version. Fortunately Adrian was good enough to point out a WordPress support thread for my exact issue which helped me locate and rip out the source of the spam quickly. This is why it pays to microblog your aggravation I guess 🙂

Btw, I also noticed that the previous malicious cache.php file had reappeared in my wp-content folder. This time I saved a copy before deleting it and now you can all see what kind of crap they put in your server. Notice the quite humorous note telling you that “modified republishing is restricted”. Or what? Are they going to take you to court?

At least this later crack forced me to finally go ahead and lock down my site even more. Now the site root, wp-content and my theme directory are read-only from my user as well. Let’s hope this doesn’t create any issues. Unfortunately I cannot make the plugin directory read-only as very often they need to write in there as well, but I don’t think this was done through a plugin so I think I’m good. I’ve also finally changed the prefix for all my database tables to avoid any zero-day exploits, which I’ve been meaning to do for a while.

I also tried to install one logging plugin I saw mentioned in the wordpress forum but unfortunately it didn’t work for me. What would be really great however is a way to monitor all your site files for changes and whenever any file is modified or added, an email would be dispatched to the admin. Sure, you might get notifications for when you upload a new plugin or add new images through wordpress’ builtin function but you could easily ignore those. But when you see a change in your index.php that you didn’t initiate, then certainly something needs to be checked.
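The file monitor wished for above, sketched as an added example (not code from the original post or from any plugin it mentions). It hashes every file under the site root, compares against a saved baseline and returns the lines an admin would be mailed; the rule that only new media files under `wp-content/uploads/` are routine is an assumption, chosen because one of the dropped scripts described on this page sat in that directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: uploads may legitimately gain media files, never scripts.
UPLOADS = "wp-content/uploads/"
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif"}

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff(baseline, current):
    """Return sorted (kind, path) pairs for added, removed and modified files."""
    changes = [("added", p) for p in current.keys() - baseline.keys()]
    changes += [("removed", p) for p in baseline.keys() - current.keys()]
    changes += [("modified", p) for p in baseline.keys() & current.keys()
                if baseline[p] != current[p]]
    return sorted(changes)

def is_expected(kind, path):
    """Only new media files inside uploads are routine; a new .php there is not."""
    return (kind == "added" and path.startswith(UPLOADS)
            and Path(path).suffix.lower() in MEDIA_EXT)

def alerts(baseline, current):
    """Changes worth mailing to the admin, one line each."""
    return [f"{kind.upper()} {path}" for kind, path in diff(baseline, current)
            if not is_expected(kind, path)]

def demo():
    """Constructed site tree: take a baseline, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = snapshot(root)
        (root / "wp-content/uploads/photo.jpg").write_bytes(b"constructed image")
        (root / "index.php").write_text("<?php /* injected */ require 'wp-blog-header.php';\n")
        (root / "wp-content/cache.php").write_text("<?php // dropped script\n")
        (root / "wp-content/uploads/x.php").write_text("<?php // dropped script\n")
        return alerts(baseline, snapshot(root))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run from cron, the baseline would be stored somewhere the web server user cannot write, so that an intruder who can modify `index.php` cannot also rewrite the reference hashes.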

On a more positive note, I’ve gone ahead and integrated with Google’s Friend Connect. You can probably see it already on my sidebar where you can add yourself as a “member” of the site, whatever that is. I used to have Facebook but that requires you to add a FB application which not everyone cares to do. Everyone and their mother has a Google account by now however, so hopefully this may give me a better idea of how many people like the site enough to register themselves.

But I swear, if I get compromised again, I’m going for a complete wipe and reinstall. It can only mean that I’ve got a trojan that won’t stop making my life difficult.


I feel exploited

The Division by Zer0 has been exploited with Spam Keyword injections. Aggravating! This post gives some more information on that.

Goddamnit! Someone managed somehow to insert malicious PHP scripts into the site which were injecting invisible spam links into my content. Even more insidiously, those links were not injected into the HTML source of the page unless the browser user agent reported that it was a googlebot, making them all but impossible to see with a normal browser.

I was lucky to notice this because in the Google Webmaster tools I still had my site address added as www.dbzer0.com which was wrong as I’m not using the www. part anymore. Fortunately however, this allowed the site stats to show the keywords in the content instead of simply how people are linking to it, which made all the spam stand out.

Oh ouch!
WTF?

When I saw that, my first action was to do a search just to see if I was possibly looking at outdated data. Unfortunately, the results were not uplifting.

Oh shi--

This was not good. Looking at the cached copies of these pages, it was obvious that these links existed at least since the start of February which means that whatever is causing this, was added after my upgrade to WP2.7 or managed to remain active after it. The source code for the googlebot looked like this, when it should have been looking like this. The links were apparently pointing to redirection scripts in a cracked Movable Type based blog. I’ve fired an email to the author to advise him to take the site down but have heard nothing from him yet.

Take note people: If you’re not going to keep your site updated and patched, either take it down, or export it into pure html and let that stand. Don’t let your obsolete php and mysql setup running as that just invites people to turn your old site into a spam haven.

At this point I started looking around the interwebs in a bit of a panic as I hate this kind of shit being associated with me. I couldn’t find anything exactly like what I had unfortunately. The only thing coming close that I found was this post which at least gave me some ideas on where to look.

I was able to discover 2 malicious PHP scripts residing in my wp-content folder. One was called cache.php and was directly under /wp-content/ while the other was in /wp-content/uploads and had a weirder name (can’t remember now). I summarily deleted them (although in retrospect I should have probably saved them for all of you to see) but I did notice the ironic comment inside, warning people not to copy them and pass them around.

I couldn’t find anything else after that but I was still not certain I was rid of the spam. A quick look through the google bot’s eyes showed me that the page didn’t return any spam results but that could also be because the script doing it is smart enough to recognise fake google agents. The only real way to find out if this still happens is to wait until Google indexes one of the spammed posts again and see if the spam links still appear.
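The check described above, written out as an added example (not part of the original post): compare the links in the page as served to a normal browser with the page as served to a Googlebot user agent, and flag external links that appear only in the crawler's copy or that sit inside an inline-hidden element, which also covers the invisible-in-page variant from the later compromise. The two HTML strings and the `spam.example` host are constructed sample input; as the post notes, a clean result does not prove much if the injected script can tell a spoofed user agent from the real crawler.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect href targets, noting which sit inside an inline-hidden element."""
    VOID = {"br", "img", "hr", "input", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.links, self.hidden_links = set(), set()
        self._stack = []  # one bool per open element: is it hidden?

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "a" and attrs.get("href"):
            self.links.add(attrs["href"])
            if hidden or any(self._stack):
                self.hidden_links.add(attrs["href"])
        if tag not in self.VOID:
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in self.VOID and self._stack:
            self._stack.pop()

def collect(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser

def compare_views(browser_html, bot_html, own_host):
    """Report external links served only to the crawler UA, and hidden ones."""
    def external(links):
        return {l for l in links if urlparse(l).hostname not in (None, own_host)}
    browser, bot = collect(browser_html), collect(bot_html)
    return {
        "bot_only": sorted(external(bot.links) - external(browser.links)),
        "hidden": sorted(external(browser.hidden_links | bot.hidden_links)),
    }

# Constructed responses for the same URL under two User-Agent headers.
BROWSER_VIEW = '<p>Post text <a href="https://example.org/ref">ref</a></p>'
BOT_VIEW = BROWSER_VIEW + ('<div style="display: none">'
                           '<a href="http://spam.example/r.cgi?1">pills</a></div>')

if __name__ == "__main__":
    print(compare_views(BROWSER_VIEW, BOT_VIEW, "dbzer0.com"))
```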

As a precautionary measure, I also changed my WP password (as unlikely as it is that it would have been cracked through brute force) and looked around for anything that can help me discover such stuff in the future. I did find a plugin that looks very promising in this regard but unfortunately due to the way it asks for RAM and the setup of my host’s php, I can’t allocate enough memory for it to run. A last precaution was to add a search alert for these keywords appearing on my site which will, if I get cracked in the future again, give me notice within a few days.

On a more positive note, hopefully by removing these huge-ass scripts (many hundreds of lines of code each) perhaps the load on my server will be reduced as well. But I’d be happy even if I simply see these keywords disappear from the Webmaster tools soon.


Problems commenting?

I just noticed a weird google query coming to my site

post a new comment site:dbzer0.com

Which leads me to believe that someone cannot comment here.

Whoever you are, if you’re having troubles leaving a comment, send me a mail or contact my comment provider’s support to inform them. I’m currently testing their beta plugin and perhaps this is causing you problems.

Currently the comment form uses Javascript and you should also have the old WordPress comments available if your javascript is disabled. I also activated a new anti-spam plugin today to help out with the spam (it has already blocked 50 of ’em since the afternoon) so there is a chance this is causing you problems.

Spam-b-gone

Finally I seem to have managed to find the correct combination of WP plugins to stop spam from even logging a comment. Initially I had only Akismet, which, although good, logged the spam comments only after they were entered and as a result my Popularity Contest plugin was affected which forced me to manually recount comments in order to fix the values. Bad Behaviour helped considerably but spam comments still kept avoiding the filter and thus bogging down my count. The latest one I tried was bcSpamBlock which appears to work admirably along with my other two spam blockers. For 2 weeks now I have not had a single successful spam comment logged in Akismet.

Finally…

Damn spam!

I am annoyed. I thought I was mostly free of the ravages of spam after activating Akismet and Bad Behaviour but it seems that there is one thing that is still affected by them and that is the Popularity Contest Plugin. Unfortunately even though Akismet is good enough to grab the spam after it’s been posted, the popularity plugin still logs the WordPress call and counts the comment. As a result I see posts rising to the top when they have no reason to do so and Popularity Contest reports 50+ comments while there are none (they’re all caught).

Argh! So annoying…

Now I have to find a way to reset the count for these particular posts and hopefully get a better version of Bad Behaviour that will be able to stop more spam bots before they have a chance to post.

UPDATE: Fortunately the author of the plugin anticipated this and provided a handy button to recount the comments (I initially did not push it because it said “reset”). Popularity is back to normal now. Eeeeexcellent! 🙂