I wrote a plugin a few days ago that notifies me of any comments left on my blog (using an Amazon SNS queue), regardless of status. That’s really of no interest to anyone except to explain why I’ve noticed the large uptick in comment spam that’s come in on one specific post today.

Normally I’d totally ignore the spam, particularly since it was actually being detected properly as such [1], but I saw it was all coming from the same IP. In the past I’ve found reporting spamming IPs to the abuse contacts registered for their address block to be a very pointless endeavor, but today I decided to try anyway since the volume was so high and all coming from the same source.

Well, apparently the culprit was prepared for that, because the IP soon switched. So I reported the new one. Then it switched again and started to alternate every few messages… so I reported those. In the end I reported just over a dozen different IPs [2], which isn’t many at all for a spam network. The interesting part of the whole process was seeing where the spam was coming from and the responses I received.

Where does it come from? Well, mostly the typical sources. A few Chinese ISPs, some in Central America, one in Slovakia, and at least two in the Czech Republic. From the reverse DNS it looks like several are mail servers, which are quite commonly compromised to send spam… though typically of the email variety.

The IPs mostly belonged to ISPs we’ve never heard of, with a handful of exceptions… A West Virginia school district, an Indian government organization, and three very popular hosts here in the US: Amazon EC2, Linode, and Slicehost / Rackspace Cloud.

The only two responses I received (at least in the several hours up to writing this) were from Amazon and Linode.

Amazon’s response took just over 3 hours and netted me a semi-automated form reply with a case number and a note that they’d investigated the EC2 instance belonging to the IP I reported, notified the customer, and would continue to investigate and take any needed action.

Linode’s response took barely more than an hour and got me a live response from a human being on their support staff thanking me and saying they’d do the same. Pretty impressive for an independent operation, but not at all unexpected for a VPS host that tailors to developers and sysadmins.

I had also expected to get a response from Slicehost or Rackspace, but there was some question as to which entity the IP actually belonged to (I reported it to Slicehost, as the block is actually sub-allocated to them) that may have caused a delay.

For what it’s worth, none of the IPs were active for very long after I reported them (neither were the ones I didn’t report), though they had probably just moved on to other targets.

In all, the two responses I did get, and the hope that I’m doing some small part to fight spam in the only way I can, left me with a positive impression of the whole adventure. It’s unfortunate that not everyone is as responsive to abuse complaints as they should be, but it’s equally heartening to know that there are quality hosting companies out there that are.

  1. Thanks in very large part to the TypePad AntiSpam service, which operates an Akismet-compatible API that’s been significantly more accurate in my experience than the real thing. 
  2. Ignoring several I knew would be totally pointless to report and reporting one twice as it reappeared shortly after stopping 