CommentLuv and Spammers

I’m a big fan of CommentLuv. It lets me reward my commenters with links back to their blogs. It also introduces me to blogs that I might not have otherwise stopped by (either due to a comment on my blog or a CommentLuv-enabled comment on someone else’s blog).

Not too long ago, B brought an issue to my attention. Apparently, a spammer tried to post to her blog. Akismet caught the spammer, but what worried her was the CommentLuv link. Despite filling out his URL, CommentLuv was showing a different, legitimate blogger’s CommentLuv link. We wondered how exactly he was able to pull this off and worried that it might mean the beginning of spammers abusing CommentLuv. A short while later, this same spammer tried to spam my blog with the same tactic. Again, Akismet caught it. Instead of deleting the spam like I usually do, however, I decided to hold onto it to examine it.

At first, my theory was that he somehow detected when CommentLuv was reading his “blog posts” (in quotes because his site wasn’t a blog and didn’t even have an RSS feed) and gave CommentLuv a different page than a normal browser would see. As I examined his post, however, I found out that I was giving the spammer way too much credit. The “hack” (such as it is) is much, much easier.

Page load times are a big issue for blogs. You want your page to load as quickly as possible. Obviously, then, you don’t want your page delayed by loading (or attempting to load) the most recent links for CommentLuv enabled posts. If CommentLuv were dynamic like this, only sites with very few comments would be able to use it. Instead, CommentLuv wisely embeds the link within the comment itself.

Of course, now the issue arises of telling the difference between a CommentLuv link and a normal link. CommentLuv solves this by using a string of characters before and after the link that aren’t likely to appear otherwise. This string of characters is “.-=” before the link and “=-.” after the link (no quotes, of course).

For example, if I posted on a CommentLuv enabled blog yesterday, the following would be appended to my comment:

.-= TechyDad’s last blog .. <a href=”http://www.techydad.com/?p=3371″ rel=”nofollow”>A Looney and Wiggly Time At Six Flags</a>=-.

When a user read through the comments, this link would appear along with a CommentLuv heart (if the blog administrator kept the default settings).

Now, what would happen if I wasn’t TechyDad. Suppose I was EvilSpammer. Now I post a link to my evil spammer website in the URL box and add the code quoted above in the comment field after my comment. I might even put “TechyDad” in the name field to increase the illusion. The result would be that a blog administrator not paying close enough attention might see a post from “TechyDad” with a “CommentLuv” link to TechyDad’s actual latest blog. This blog administrator might be tricked into making the comment live and thus giving a link to the EvilSpammer website.

So how can we stop this? Well, CommentLuv could let the beginning/ending string be customizable. This would keep spammers from knowing the combination. Still, most users would likely not change the defaults. Perhaps the strings could be a set of three random symbols. This would mean that every blog install would be different. Lastly, perhaps CommentLuv or some other WordPress plugin could check the URL in the CommentLuv section to make sure it is from the same site as the URL in the URL field. If the CommentLuv link points to http://www.techydad.com/?p=3371 while the URL link points to EvilSpammer.com, then some action (delete the CommentLuv link, mark the comment as Spam/Pending, etc) could be taken.

By far, this abuse doesn’t warrant turning off CommentLuv. CommentLuv is just too valuable a plug-in to ditch because of a few spammers. Until a permanent solution is arrived at, just keep your eyes open for CommentLuv abuse just like you keep your eyes open for spammers who slip through Akismet.

UPDATE: After posting this, I noticed that CommentLuv’s creator had sent me a link via Twitter. The link showed off an upcoming version of CommentLuv which won’t hard code CommentLuv links into the comment text but will save them to a comment meta table. For those of you whose eyes glazed over at “comment meta table”, it means that the link will be stored elsewhere but linked up to the comment. So your blog will seem to operate the same as before, but spammers won’t be able to just add “.-= LINK =-.” and get a CommentLuv link. Much better solution than my suggestions above! There are other improvements also, but this should eliminate emerging CommentLuv spam campaigns. I’d tip my hat to CommentLuv, but I’m not wearing one. (Mental note: Find a hat to wear so I can tip it to CommentLuv!)

6 comments