I think that I’ve fought the spam-master to a draw – the comment spam assault ended early Friday morning. Now it’s time to prepare for the next assault.
Looking at my server log, the organization and thought behind the assault is apparent. Attacks from a single IP address are spread out in time, indicating that the attacker is rotating through several independent targets. And the spam itself seems to vary slightly from comment to comment.
For my next counter-measure, I considered an IP throttle. But it looks like the target rotations will defeat that. I thought about detecting duplicate comments, but the spam-master has got that one beat as well. I may need to start working on outbound link and anchor text blacklists.