05 Jan

Comment spam abuses Google Drive and bypasses Akismet

Recently there were few spammy comments posted on the blog. I mean real, actual comment spam:

I'm using a simple captcha and Akismet - it filters out pretty much all of the spam. So, these 2 comments getting through the filters really caught my attention.

How it works

Comment text is obviously generated using some sort of spam template. It consists of a greeting, short text to entice user to click on a link and - in current spam wave - a question "Are you in?", followed by a link to Google Drive. So far it's all nice and dandy.

Problem starts when user opens link to Google Drive. It opens a preview of PDF document, something like this:

The big captcha box you see in the screenshot is not an actual captcha. The whole image is a link to the promoted site, in this case, topratinglist[.]com. Considering that users are used to seeing these captchas, it's quite likely some of them will click on it. Mission accomplished! bigsmile

Promoted sites

So far, I was able to trace this sort of spam to the following sites:

  • topratinglist[.]com
  • clicksbilling[.]ru
  • afsstrong[.]site
  • clickgred[.]ru
  • mastbilling[.]ru
  • bledclick[.]ru
  • mayclick[.]club

Unsurprisingly, all those are shady sites run by Russians. For example, topratinglist[.]com just redirects you to a very NSFW advertisment.

PDF file contents

Ordinary user will never see the original PDF file - Google Drive Preview renders the file as HTML.

That poses quite a problem for antiviruses - they can't block the entire drive.google.com domain and there is no point blacklisting the original PDF as user never downloads it. Unsurprisingly, these PDFs are not on VirusTotal and the one I uploaded was not detected by any major antivirus:

If you look at the file details on Google Drive, it's owned by someone called "Petr Petrov" or "Vasia Vasia". There are dozens of such PDF files owned by each of the accounts.

The original PDF file contains a lot of metadata that allows to learn more about persons behind this spam:

  • They use Microsoft Word 2010
  • They are Russian-speaking (surprise!)
  • Their timezone is GMT+3 - link to Russia again.
  • They create new PDFs only on weekdays - somewhere between 11:00 and 23:30. Those are some strange working hours! smile

Spam evolution

I also tried to look back in history and see how this particular comment spam has evolved. From what I can tell, English version of this spam started somewhere around 09-Nov-2018. Thanks to some irresponsible blog owners we can see it in the full glory:

I'm sure the spambot respected their wishes and never posted on that site again. bigsmile

Digging even further, you can find the same sort of spam in Russian-speaking forums, with Russian-language ruse:

This spam dates back to March 2018, as we can see in the file details. Google Drive account is also owned by someone else named "123 123":

Another Russian-language attempt abuses Kaspersky logo to make it look even more trustworthy:

Funny how these things sometimes evolve! smile

Conclusion

It would be trivial for Google to block this sort of abuse of Google Drive and document preview. And it would be trivial for Akismet to fix their filters to catch this sort of spam. But I guess the volume of spam is too low to catch their attention.

As for me, I made some simple changes to ensure this sort of spam doesn't come through anymore. Have a nice stay here! smile

9 thoughts on “Comment spam abuses Google Drive and bypasses Akismet

    • Avatar

      Simple answer would be - "no, I did not".

      Longer answer - some files got blacklisted while I was writing the article and making screenshots. So, it looks like Google blacklists certain files "automagically". However, they do not kill the offending accounts. And, as screenshots show, extremely similar files have been on Google's servers since March 2018 and are still not removed.

      Reporting few individual files will not solve the problem - it requires a systemic solution.

  1. Avatar

    This is something I've come across as well. They've somehow picked up my personal email from somewhere and are now using it in various contact forms. I made a quick post about it on my personal blog: {hidden link}

      • Avatar

        Yeah, I have my personal email set up as a secondary email for my Gravatar account. I tried searching it on Google but it doesn't return any pages. I'd probably signed up for something which ended up leaking my email address somehow. :/

  2. Avatar

    Oof. I didn't know those kinds of comments existed... Anyway, I do know about the Akismet and spam comments, and some still manage to bypass it, despite being set to "strict". I ended up making an entire page of spam comments (I think there's about 25 comments so far) on one of my WordPress blogs. The comments are really weird, some weirder than those you have pictures of.

    • Avatar

      But no matter now. I've quit WordPress and put someone else as the owner of my blogs. No need to deal with spam comments now.

Leave a Reply

  • Be nice to me and everyone else.
  • If you are reporting a problem in my tool, please upload the file which causes the problem.
    I can`t help you without seeing the file.
  • Links in comments are visible only to me. Other visitors cannot see them.

Your email address will not be published.

 −  1  =  2