Veronica Moser, Type Key Spammer

by
This entry was published at least two years ago (originally posted on January 5, 2005). Since that time the information may have become outdated or my beliefs may have changed (in general, assume a more open and liberal current viewpoint). A fuller disclaimer is available.

While there’s a fair amount of chatter today about spammers shifting tactics away from comments and towards Trackback (which my linklog got hit with this morning, actually), I just ran into a different approach — my first TypeKey authenticated spammer.

In theory, enabling TypeKey is supposed to be one of the more effective way of combatting comment spam, as it presents a much higher (and supposedly non-scriptable) barrier to the spammer. As the Six Apart Guide to Comment Spam notes:

The worst case scenario…would be if a spammer created a TypeKey account, and used it to send spam to your weblog. However, because the first comment from any TypeKey user must be approved by your before being published, the only way a spammer could sneak spam onto your site would be to first submit a comment that appears to be legitimate. While it’s possible that some spammers might attempt this, it is highly unlikely that they would be able to do this using automated scripts. If they do and are reported to Six Apart, TypeKey’s terms of service allows us to disable their accounts.

Apparently, that’s just what has happened to me. I noticed a comment that fit the profile of a standard spam comment pop up in my comments RSS feed: all it said was “Very interesting,” and included a link to http://veronicamoser.com/. I didn’t have a clue who Veronica was, so I did a quick Google — the results were pretty telling.

Since this was the first time I’ve seen this type of attack, though, I went ahead and left the comment (though I did edit out the active link) and sent a quick note to Six Apart. I’m rather surprised that someone went through this much trouble — barring a new script attack, ‘Veronica’ would have had to sign up for a TypeKey account, visit my page, sign in to the TypeKey system, and then manually post the comment. I’m also fairly amused that they used the name ‘Type Key Spammer‘ for their TypeKey profile — essentially thumbing their nose at authority, I suppose.

Of course, the one worry is if this might be a test case, and someone actually is working out a script to continue with the comment spam attacks even in the face of TypeKey authentication. We can always report the offending TypeKey account to Six Apart, of course, but if the spammers keep creating new accounts…well, it’ll just be one more side to the battle against spam.

Whee. :P