ThreatRadar Feed: Comment Spam

TECHNICAL BRIEF
In This Brief:
Product Overview
About This Feed
ThreatRadar Reputation Services
Imperva Incapsula
Background
Supporting Research
Key Findings
Inspecting Spam Traffic
Looking Into Reputation
Mitigation Technique
Product Overview
Addressing comment spam is a time-consuming task for organizations. Typically,
companies must manually edit spam out of content after it is posted, or
lean on moderators to filter individual posts to ensure they are legitimate. Imperva's
Application Defense Center (ADC) researched the behavior of comment spammers over
time and found that the vast majority (80%) of comment spam is produced by a
small set (21%) of attackers. Once the most prominent attackers are identified,
organizations can block traffic from the IP addresses known to produce comment spam.
About This Feed
Imperva developed the Comment Spam IP feed from anonymized attack data generated
by Incapsula, Imperva's cloud-based web application firewall service. Drawing on a
customer base of tens of thousands of organizations, Imperva compiles a list of known,
currently active comment-spamming source IPs observed against websites protected by Incapsula. This
anonymized attack data is analyzed by the Imperva Application Defense Center
(ADC), and the resulting feed is delivered as part of Imperva ThreatRadar Reputation
Services. Organizations use this feed to block IP addresses known to produce
comment spam.
ThreatRadar Reputation Services
Hackers are becoming more industrialized and well-resourced. Sophisticated criminals
leverage networks of remotely controlled computers, or bots, to launch large-scale
automated attacks. Stopping automated attacks requires identifying the sources, typically
bots, that are actively attacking other websites.
ThreatRadar Reputation Services provide an automated defense against automated
attacks by instantly detecting and stopping known malicious sources. As an add-on
service to the SecureSphere Web Application Firewall (WAF), ThreatRadar detects
web traffic originating from bots attacking other websites, from anonymizing services,
and from undesirable geographic locations. Up-to-date lists of phishing sites enable
SecureSphere to detect compromised users and fraudulent file requests.
Figure 1.
Imperva Incapsula
Imperva's Comment Spam IP feed is developed from anonymized attack data generated by Incapsula, Imperva's
cloud-based web application firewall service. This service offers businesses a powerful way to protect critical web
applications and optimize website performance. By routing web traffic through Imperva's global network of data
centers, Incapsula ensures that bad traffic is removed before it reaches protected websites and that good traffic is accelerated.
Incapsula uses highly accurate rule sets to protect websites against known and emerging threats, including
SQL injection, cross-site scripting (XSS), illegal resource access, comment spam, site scraping, malicious bots, and
the other OWASP Top Ten vulnerability classes. Because the feed draws on attack data from over 20,000 customers
across the globe, it demonstrates the positive network effect of sharing attack information: an IP caught spamming
one protected site can be blocked at all of them, saving companies the time and money associated with manual
comment spam remediation.
Background
After monitoring attack data, specifically application spammer behavior, over a long period of time, our research team
concluded that the majority of spam introduced into forums, message boards, site comments, and other areas
of a website originates from relatively few sources (see Figure 2). These sources can be monitored and blocked, thereby
eliminating the majority of application spam.
Figure 2.
It is important to note that most of the spam traffic comes from campaigns that last for more than one day, which turns many
of the attack sources into repeat offenders.
Supporting Research
Key Findings
1. Web pages leveraging popular phrases in their URLs and content can experience a high volume of
widely diverse forms of comment spam.
2. A small number of attackers (21%) are responsible for a large amount (80%) of comment spam traffic.
3. With access to the source IPs of prominent spammers, organizations can dramatically reduce the
manual remediation efforts associated with comment spam.
Inspecting Spam Traffic
To better understand the comment spam attack pattern, we took a closer look at the spam traffic directed
at a single victim. We analyzed one website that was receiving a large volume of comment spam traffic; it consists of a single
host with many URLs. The victim is a non-profit organization that provides information and functions as a community
support group.
We found high variation in the volume of comment spam traffic across different pages. Our working theory is that the
attack rate on a page correlates with popular phrases appearing in its URL and page content. We also found that a
small number of sources produced most of the traffic.
Looking Into Reputation
We found that most of the comment spam traffic originated from attackers that had been active for long periods
and had attacked multiple targets. To illustrate the relationship between the number of targets attacked per attack source
and the duration of the source's activity, we designed an "Attack-Source Reputation Quadrant" graph (see Figure 3).
Figure 3.
In the "Attack-Source Reputation Quadrant" graph, the Y-axis represents the number of targets an attack source attacked,
and the X-axis represents how long that source remained active. Each dot in the graph therefore represents one attack source,
positioned by its longevity and by the number of targets it attacked during the course of our analysis.
We focused on the upper right quadrant of the chart (blue), long-lived sources that attacked multiple targets, and explored its traffic.
As Figure 4 shows, 72% of attack sources were active for only a single day and attacked only a single target.
Nonetheless, most of the comment spam traffic (58%) came from sources that were active for more than one day and attacked more than one target.
In summary, a relatively small number of attackers is responsible for a large share of the comment spam traffic.
Figure 4.
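The quadrant analysis above, reconstructed as an added example (this is not Imperva's code and the ADC's actual pipeline is not published here). It profiles each attack source by distinct targets and activity span from a constructed set of comment-spam events (RFC 5737 documentation IPs and made-up hostnames), places each source in one of the four quadrants, reports the share of sources and the share of traffic per quadrant, and emits the upper-right sources as the repeat-offender list a reputation feed would carry. The quadrant thresholds (two targets, two days) are assumptions chosen to match the single-day/single-target split described in the text.

```python
"""Added example (not Imperva's code): the Attack-Source Reputation Quadrant
analysis over per-event comment-spam records, and the repeat-offender list
that results from it."""
from collections import defaultdict
from datetime import date, timedelta


def spray(src, hosts, first_day, n_days):
    """Constructed helper: one event per (host, day) for a source active n_days."""
    return [(src, host, first_day + timedelta(days=i))
            for i in range(n_days) for host in hosts]


# Constructed sample events: (source_ip, target_host, day). Real input would be
# the anonymized Incapsula attack data the brief describes.
EVENTS = (
    # long-lived, multi-target sources (upper-right quadrant)
    spray("198.51.100.7", ("forum-a.example", "blog-b.example", "ngo-c.example"),
          date(2014, 3, 1), 5)                                   # 15 events
    + spray("203.0.113.4", ("forum-a.example", "ngo-c.example"),
            date(2014, 3, 2), 3)                                 # 6 events
    # one-day, one-target sources (lower-left quadrant)
    + [("192.0.2.10", "ngo-c.example", date(2014, 3, 3)),
       ("192.0.2.11", "ngo-c.example", date(2014, 3, 3)),
       ("192.0.2.11", "ngo-c.example", date(2014, 3, 3)),        # two hits, same day
       ("192.0.2.12", "forum-a.example", date(2014, 3, 4)),
       ("192.0.2.13", "blog-b.example", date(2014, 3, 4)),
       ("192.0.2.14", "ngo-c.example", date(2014, 3, 5))]
    # multi-day but single-target (lower-right quadrant)
    + spray("192.0.2.20", ("ngo-c.example",), date(2014, 3, 1), 2)              # 2 events
    # single-day but multi-target (upper-left quadrant)
    + spray("192.0.2.30", ("forum-a.example", "blog-b.example"), date(2014, 3, 2), 1)  # 2 events
)


def profile_sources(events):
    """Per source IP: distinct targets, activity span in days, and hit count."""
    targets, days, hits = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, host, day in events:
        targets[src].add(host)
        days[src].add(day)
        hits[src] += 1
    return {
        src: {
            "targets": len(targets[src]),
            # duration measured first-seen to last-seen, inclusive
            "duration_days": (max(days[src]) - min(days[src])).days + 1,
            "hits": hits[src],
        }
        for src in hits
    }


def quadrant(profile, min_targets=2, min_days=2):
    """Map a source onto the Y (targets) / X (duration) quadrant chart.
    Thresholds are assumptions, not values from the brief."""
    multi_target = profile["targets"] >= min_targets
    long_lived = profile["duration_days"] >= min_days
    if multi_target and long_lived:
        return "upper_right"
    if multi_target:
        return "upper_left"
    if long_lived:
        return "lower_right"
    return "lower_left"


def quadrant_summary(events, **thresholds):
    """Share of sources and share of traffic falling in each quadrant."""
    profiles = profile_sources(events)
    total_hits = sum(p["hits"] for p in profiles.values())
    buckets = defaultdict(lambda: {"sources": 0, "hits": 0})
    for p in profiles.values():
        q = quadrant(p, **thresholds)
        buckets[q]["sources"] += 1
        buckets[q]["hits"] += p["hits"]
    return {
        q: {**b,
            "source_share": b["sources"] / len(profiles),
            "traffic_share": b["hits"] / total_hits}
        for q, b in buckets.items()
    }


def repeat_offenders(events, **thresholds):
    """Upper-right-quadrant source IPs: the candidates for a reputation feed."""
    return sorted(src for src, p in profile_sources(events).items()
                  if quadrant(p, **thresholds) == "upper_right")


if __name__ == "__main__":
    for q, b in sorted(quadrant_summary(EVENTS).items()):
        print(f"{q:12s} sources={b['source_share']:.0%} traffic={b['traffic_share']:.0%}")
    print("block:", repeat_offenders(EVENTS))
```

On this sample the two upper-right sources are 22% of the sources but 68% of the traffic, while the five lower-left sources are 56% of the sources and only 19% of the traffic. The practical caveat is the same one the brief's numbers imply: a reputation feed built from repeat offenders removes most of the spam volume but, by construction, never sees a source that posts once from one address and disappears, so it complements rather than replaces content-level moderation. Entries should also age out once a source has been quiet, otherwise the 72% of one-day sources would accumulate as stale blocks on reassigned addresses.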
Mitigation Technique
Imperva offers a new approach to preventing comment spam: block the source IPs that have been identified as having
produced comment spam. Imperva's Application Defense Center concluded that a small set of attackers generates the
majority of comment spam. Thus, with access to the source IPs of prominent spammers, organizations can dramatically
reduce the manual remediation effort associated with comment spam.
Imperva receives anonymized attack data from Incapsula, Imperva's cloud-based web application firewall service, which
protects the websites of tens of thousands of organizations. Imperva uses this extensive list of known, active comment-spamming
source IPs to produce a feed for ThreatRadar Reputation Services, an add-on service to the SecureSphere
Web Application Firewall.
About Imperva
Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly
protecting high-value applications and data assets in physical and virtual data centers. With an integrated security
platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to
neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance.
www.imperva.com
© Copyright 2014, Imperva
All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva.
All other brand or product names are trademarks or registered trademarks of their respective holders. ThreatRadar-Feed-Comment-Spam-0414.1