Short of closing off comments and pingbacks permanently, there is no way for a blogger to avoid spam: on the main blog I run, I can count on a couple of dozen dubious comments and/or TrackBacks every single day, and there are plenty of folks who see much, much more.

It is, of course, fruitless to attack this problem by banning IP addresses; a spam attack comes from multiple addresses more or less simultaneously, through an army of zombies, PCs conscripted by various pieces of malware, using their spare CPU cycles to relay spam on the orders of some cyberthug many miles away. You'd have to ban literally millions of IPs to make a dent in it: the scripts which run your site would spend more time looking up IPs than actually processing blog entries. Movable Type, perhaps realizing the futility of it all, dropped its IP-ban feature in version 3 in favor of lookup tools geared toward keywords.

Still, the IP address is recorded and is therefore traceable. Which suggests a question: If your machine has been hijacked and turned into a zombie, are you responsible?

Trini (our hardware guru) and I discussed the matter at length, and we decided that yes, you are: it's your responsibility to take at least adequate security measures to prevent this sort of thing. (Had I a swimming pool, I would be expected to take steps to make sure that the neighborhood kids don't drown in it, and merely having a six-foot fence around the yard is not necessarily sufficient under the law.) If I get a spam from your PC, I should be able to ascertain your identity and then ask you to take the necessary steps to cut it out already.

Needless to say, this idea is not going to catch on. ISPs are, by and large, not interested in handing out this information to people outside law enforcement, and there is, at the moment, no law that demands the disconnection of zombies. Morover, if there were, there would be massive public outcry once the first interruption of (dis)service took place: "There but for the grace of Norton go I," they would say, and why are you picking on poor little J. Random User, who never sold an erectile-dysfunction pill in his entire life? Mostly, I suspect, people will blame Windows, which over the years has rivaled the Albert Hall for holes.

On the other hand, there is some recognition of the concept at the other end. A spam is of no use unless it gets you to click on some Web site; occasionally I look at the URLs involved, and more than once I've found that they've been tucked away on massive corporate or educational sites. In fact, I had a bogus TrackBack this past week which linked back to a page hidden deep within the Department of Music at Columbia University. When I find such things, I feel a certain obligation to set matters right. Here's a segment of an email I sent to an instrumentality of the British government upon finding a link there:


Pages like [URL redacted] were presumably set up without your permission and are being used for the purpose of spam.

I have no way of knowing whether this is an actual [staff member page] or simply a ghost page, but either way, you might well not want it on a site under Crown oversight.

The response was quick:

Thank you very much for bringing this to our attention.... [I]t was very concerning to see that someone had misued our website. Our website contractors were notified immediately and have told us the issue has now been resolved.

And I've not seen that link since. Admittedly, this is something like trying to empty the Caspian Sea with a soup ladle, but hey, it's my soup ladle.

The Vent

  16 April 2007

 | Vent menu | E-mail to Chaz

 Copyright © 2007 by Charles G. Hill