Comments on: Spam in my feed… Ugh… http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/ Amy Gahran's news and musings on how we communicate in the online age. Sun, 23 Nov 2008 16:43:48 +0000 http://wordpress.org/?v=2.6.3 By: Wordpress & Spam at Journal of Crisology http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1215358 Wordpress & Spam at Journal of Crisology Tue, 04 Mar 2008 18:52:49 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1215358 [...] browsing for reasons it appears I’m not the only one: this blog feed reported the same problem already November 7th last year. And indeed, I’ll have to [...] [...] browsing for reasons it appears I’m not the only one: this blog feed reported the same problem already November 7th last year. And indeed, I’ll have to [...]

]]> By: contentious.com - Spammer with a sense of humor http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206575 contentious.com - Spammer with a sense of humor Mon, 12 Nov 2007 17:02:11 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206575 [...] just found in my Wordpress moderation queue this comment, submitted in response to my post about my blog being [...] [...] just found in my Wordpress moderation queue this comment, submitted in response to my post about my blog being [...]

]]> By: contentious.com - My blog got hacked, probably at Blogworld Expo http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206496 contentious.com - My blog got hacked, probably at Blogworld Expo Sun, 11 Nov 2007 17:23:32 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206496 [...] Yesterday I posted about how a reader let me know that a huge chunk of spam had shown up in a post I made from Blogworld Expo in Las Vegas. As I investigated this further with the help of readers (especially Mihai Parparita) and my colleague Justin Crawford, I learned that someone had gained access to my Wordpress installation (most likely by stealing my password) and inserted spam directly into my post. This problem appears to have started only very recently — while I was at Blogworld, on the conference wifi network. [...] [...] Yesterday I posted about how a reader let me know that a huge chunk of spam had shown up in a post I made from Blogworld Expo in Las Vegas. As I investigated this further with the help of readers (especially Mihai Parparita) and my colleague Justin Crawford, I learned that someone had gained access to my Wordpress installation (most likely by stealing my password) and inserted spam directly into my post. This problem appears to have started only very recently — while I was at Blogworld, on the conference wifi network. [...]

]]> By: Amy Gahran http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206451 Amy Gahran Sat, 10 Nov 2007 22:10:32 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206451 Neil -- yes, come to think of it, I noticed that comments were set as closed on that post! I manually re-opened them when I saw it, and I figured I had just accidentally closed them. But it's possible that could be related to this bug. I'm waiting to hear from my geek-on-call about the wordpress upgrade. But if he can't do it right now, I appreciate your offer of help, and I'll let you know. Thanks, - Amy Neil — yes, come to think of it, I noticed that comments were set as closed on that post! I manually re-opened them when I saw it, and I figured I had just accidentally closed them. But it’s possible that could be related to this bug.

I’m waiting to hear from my geek-on-call about the wordpress upgrade. But if he can’t do it right now, I appreciate your offer of help, and I’ll let you know.

Thanks,

- Amy

]]> By: Neil Ford http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206450 Neil Ford Sat, 10 Nov 2007 22:04:10 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206450 I tried posting a comment to your Blog World post (recommending a bag) but when I hit post it said comments were closed. I just thought you'd closed comments. This would have been shortly after the post hit Google Reader for me as I had my unread count down to nothing yesterday. If you need a hand with the upgrade, let me know. - Neil. I tried posting a comment to your Blog World post (recommending a bag) but when I hit post it said comments were closed. I just thought you’d closed comments. This would have been shortly after the post hit Google Reader for me as I had my unread count down to nothing yesterday.

If you need a hand with the upgrade, let me know.

- Neil.

]]> By: contentious.com - Why blogging conferences is so damn hard http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206449 contentious.com - Why blogging conferences is so damn hard Sat, 10 Nov 2007 21:39:13 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206449 [...] reader, you may see a big block of spam below. Sorry about that — my blog has been hacked. I’m working to fix it.) [...] [...] reader, you may see a big block of spam below. Sorry about that — my blog has been hacked. I’m working to fix it.) [...]

]]> By: Amy Gahran http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206448 Amy Gahran Sat, 10 Nov 2007 21:35:47 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206448 Another update: Via Twitter, my friend Karoli (who blogs at <a href="http://www.drumsnwhistles.com/" rel="nofollow">Drums n Whistles</a>) noted that she suffered a similar hack a couple of years ago. The problem came from a Wordpress security hole. Info about it here: http://snipurl.com/1tft7 Thanks, Karoli! I'll look into it. I'm currently on Wordpress 2.1.2, but the lasest stable release is 2.3.1. I'll arrange an upgrade. Another update:

Via Twitter, my friend Karoli (who blogs at Drums n Whistles) noted that she suffered a similar hack a couple of years ago. The problem came from a Wordpress security hole. Info about it here:

http://snipurl.com/1tft7

Thanks, Karoli! I’ll look into it. I’m currently on Wordpress 2.1.2, but the lasest stable release is 2.3.1. I’ll arrange an upgrade.

]]> By: Mihai Parparita http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206447 Mihai Parparita Sat, 10 Nov 2007 20:44:50 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206447 It looks like the spam is in the original post too, you just can't see it. However, if you do a view source and search for "viagra", you will see (I've replaced angle brackets with square brackets to make sure the HTML is not interpreted): [p][font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt"][br /] alternative impotence natural viagra [a href="http://www.industry.ucsb.edu/technology/blog/wp-includes/js/tinymce/themes/advanced/images/xp/1/index.html"]viagra[/a] viagra overdose[br /] free sample viagra uk [a href="http://www.industry.ucsb.edu/technology/blog/wp-includes/js/tinymce/themes/advanced/images/xp/1/buy-viagra.html"]buy viagra[/a] viagra patent[br /] I'm guessing you can see this in WordPress's post editor too. The CSS that's applied is stripped by wed-based aggregators, which is why this is visible there. Desktop aggregators tend to leave CSS alone (since they have fewer security concerns), thus you don't see it there. It looks like the spam is in the original post too, you just can’t see it. However, if you do a view source and search for “viagra”, you will see (I’ve replaced angle brackets with square brackets to make sure the HTML is not interpreted):

[p][font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt"][br /]
alternative impotence natural viagra [a href="http://www.industry.ucsb.edu/technology/blog/wp-includes/js/tinymce/themes/advanced/images/xp/1/index.html"]viagra[/a] viagra overdose[br /]
free sample viagra uk [a href="http://www.industry.ucsb.edu/technology/blog/wp-includes/js/tinymce/themes/advanced/images/xp/1/buy-viagra.html"]buy viagra[/a] viagra patent[br /]

I’m guessing you can see this in WordPress’s post editor too. The CSS that’s applied is stripped by wed-based aggregators, which is why this is visible there. Desktop aggregators tend to leave CSS alone (since they have fewer security concerns), thus you don’t see it there.

]]> By: Amy Gahran http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206446 Amy Gahran Sat, 10 Nov 2007 20:19:39 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206446 Mihai -- thanks for helping me figure this out. The odd thing is, I can see the spam only in web-based feed readers (bloglines and Google Reader). It doesn't show up at all in Newsfire or Safari. I'll need some help diagnosing and fixing this, but I've got some people I can call to help. Just when I was hoping to take the day off.... Sigh.... - Amy Gahran Mihai — thanks for helping me figure this out. The odd thing is, I can see the spam only in web-based feed readers (bloglines and Google Reader). It doesn’t show up at all in Newsfire or Safari.

I’ll need some help diagnosing and fixing this, but I’ve got some people I can call to help.

Just when I was hoping to take the day off…. Sigh….

- Amy Gahran

]]> By: Mihai Parparita http://www.contentious.com/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206444 Mihai Parparita Sat, 10 Nov 2007 20:02:52 +0000 http://www.contentious.com/archives/2007/11/10/spam-in-my-bloglines-feed-ugh/#comment-1206444 It looks like the same viagra spam ended up in the feed data that was crawled (and cached) by Google Reader: http://www.google.com/reader/view/feed/http://feeds.feedburner.com/Contentious The fact that both Reader and Bloglines have the same data makes it less likely that it's a bug in Bloglines. I'm guessing that your blog was somehow hacked. When looking at your feed: http://feeds.feedburner.com/Contentious I see the viagra links in there too. It looks like the same viagra spam ended up in the feed data that was crawled (and cached) by Google Reader:

http://www.google.com/reader/view/feed/http://feeds.feedburner.com/Contentious

The fact that both Reader and Bloglines have the same data makes it less likely that it’s a bug in Bloglines. I’m guessing that your blog was somehow hacked. When looking at your feed:

http://feeds.feedburner.com/Contentious

I see the viagra links in there too.

]]>