Archive for the 'Hacking' Category

Can You Manipulate Akismet to Silence Another?

So I was thinking about Akismet yesterday - I wonder if it could be abused to silence other people.

Let's think about this a bit - what do we know about Akismet? From everything I have read at the Akismet website, we know that it weighs a variety of factors in the incoming message to determine whether it is spam or not. Note that this is not blacklist activity; rather, the recognition sounds like it is run through a neural net of some sort for heuristic analysis. What factors would they be? Most likely they would include the user name and email address, as well as words and links in the subject and body of the comment.

So, how can this be abused?

Let’s say there is somebody you want to silence on the internet. The first thing you would need is his/her login credentials, such as their typical user name and the email address used. This can easily be retrieved by enticing a user to comment on your own blog.

Now that we have his name and the email address used to post comments, consider this scenario:

Let's say we were to start posting comments to other blogs using his credentials. Let’s link to a bunch of prescription drug sites, porn sites, and adultfriendfinder while we’re at it. After posting a certain number of comments like this, would Akismet begin auto-filtering this username and email address as spam?

What if we were to somehow spoof his IP address - what then? Would this be the final nail in his coffin? And how long would you need to keep it up for the identity to get to the point where it is automatically associated with spam? How many legitimate comments would need to be marked ‘not spam’ before this person gets his identity back on the whitelist? If this is a possibility, it presents huge possibilities for abuse.

I would like to hear something from the Akismet team about this - this seems a little too simple, yet I have not seen any evidence that indicates that this is not possible. How about it? Can this be done? Or are the checks in place at Akismet good enough to ensure that this won’t happen?

Shoemoney has been hacked…

This morning, a friend pointed out that super-affiliate Jeremy ‘Shoemoney’ Schoemaker had his blog at http://www.shoemoney.com hacked. It’s a bit of a shame, but somewhat interesting to see… Don’t visit the actual site as after 10 seconds or so it redirects to a page that tries to run some Java code on you. I don’t know what the code does, but I didn’t want to find out myself.
anthonycea at the Shoemoney forums posts,

Well you better have a good AV because that hacker wants to run a script on your computer when you hit SM.com.

Don’t click on the program or script that pops up because you will be toast!

Spiceworks Thoughts II: How to Remove the Ads from Spiceworks

Now, before I go any further, let me make a few things clear:

  • Spiceworks is an ad-supported program. By removing the ads, you are depriving the development team of their funding. In essence you are stealing the software from them.
  • Spiceworks is not open source software. This means that you are not allowed to modify the code for your own uses.
  • Removing the ads is probably illegal.

So, why am I posting this? Well, for a few reasons:

  • I was having issues with the ads loading - they were timing out, making each page take 30+ seconds to load, and making the software somewhat unusable.
  • Many tech people have adblocker software that is blocking the ads already.
  • This is to illustrate a point that I plan to make in an upcoming post.

That said - here is a quick way to remove the ads in Spiceworks. What tools do you need? Nothing. You need notepad, and the Windows Explorer.

An immediate observation I made when first looking at Spiceworks is that it is written in Ruby on Rails. All other things aside, that immediately indicated that somewhere, there was an .rhtml file which contained the layout code to include the ad block.

So, immediately, I performed a search of the program directory, and found all the .rhtml files.

The two which you need to edit are:

  • C:\Program Files\Spiceworks\ruby\lib\ruby\gems\1.8\gems\spiceworks-0.8.3616\app\views\layouts\common\_ads.rhtml
  • C:\Program Files\Spiceworks\ruby\lib\ruby\gems\1.8\gems\spiceworks-0.8.3616\app\views\layouts\common\_sidebar.rhtml

To remove the ads, simply open both the above files in notepad. Remove all the contents from _ads.rhtml, leaving it completely empty. Remove everything within the “adbox” div tag.

If you would rather place your own ads in the sidebar, or other content of your choice, such as links, you can also edit

C:\Program Files\Spiceworks\ruby\lib\ruby\gems\1.8\gems\spiceworks-0.8.3616\app\views\ads\adiframe.rhtml

replacing the contents within the tag with whatever you want to appear there. You could even place your own ads into the Spiceworks install if you wanted.

SEO Black Hats Find Major Exploit in Movable Type

From a Digg post:

“SEO Black Hats have found a major loophole in the comment preview of the Movable Type blogging platform. This exploit lets them insert active links into any post, avoiding the “nofollow” penalty usually associated. This allows them to artificially inflate the importance of spam websites, leading to less accurate search engine results!”

This is really too bad, seeing as there are hundreds, if not thousands, of high-ranking blogs out there based on the Movable Type platform…
