Today, for no particular reason, I got attacked by spammers on an unprecedented scale. It was not old school e-mail spam – that has been quite stable over the last years at about 100 spam mails per day. No, it was all other kinds of spam.

Comment spam

First of all, my server log has been busy logging 4 times as many comment spam attacks as usual. I normally have about 20 comment spam attacks per day, but today it was almost 80 (and today isn’t over yet). All of them failed to actually post a comment because they tried to make an invalid postback. That is the error message I get from comment spam attacks.

Trackback spam

Normally, I don’t get much trackback spam - maybe a few per day, tops. Today I received 22 which is a record for one day. None of them got through because I check for various conditions about each request and they all failed that check. Strangely enough, there have been no pingback attacks today.

Referrer spam

This is a very annoying way of spamming. I have a referrer log and every time a visitor enters my website with a referrer in the request headers, that request gets logged so I can see where my visitors come from. Spam bots know this and send requests with fake referrer headers so that I might follow one of those referrer URLs to check it out. It’s pretty obvious most of the time that xxxgallery.com and cheap-mortage.tk are referrer spam. I do have a mechanism to filter them out. It’s very effective, but it also produces some false negatives. I can live with it.

Conclusion

It seems the annual let’s-spam-blogs-day is today and all spammers join forces and fire away. Spammers are people too and it’s nice to see that they can work together and combine various different spam techniques for optimum reach. I’m just glad that all their attempts to pollute my site were futile. Not a single spam attempt got through, just to my logs. It’s actually a good thing because for the first time I got a chance to test my spam defences properly. It would have been nice if they had invited a spammer who could do pingback spam as well. I guess you can’t win them all. Maybe they will invite him for the next annual let’s-spam-blogs-day.

I wonder if this is related to the International Talk Like A Pirate Day which is today. 

I’ve hooked a health provider up in my web.config to send me all unhandled exceptions by e-mail. See here how to do that – you just have to put some lines in the web.config. Well, I get all sorts of different exceptions but one I get more than 20 times a day. It’s actually rare that I get anything other than this one particular unhandled exception.

It looks like this:

Exception type: System.ArgumentException
Exception message: Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page.  For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them.  If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

Am I an idiot? 

Now you might think that I’m an idiot for not doing anything about it months ago, but hold on a minute. It says that a postback is invalid because event validation is turned on. It’s turned on by default in ASP.NET so that’s no big surprise. No, my dear reader, this is not an error I would like to remove by disabling the event validation, because this error is in fact caused by spam bots trying to spam my comments.

They all fail in doing so, because event validation is enabled and thus throws this exception every time they try. Did I mention that event validation is turned on by default and is a native feature of ASP.NET? That means that every ASP.NET application has a natural spam bot protection system built right into it by default. How cool is that?
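One way to keep event validation switched on while separating these rejected postbacks from real errors, shown as an added example that is not code from this blog: a Global.asax.cs handler that recognises the exception quoted above, counts it, and answers with HTTP 400. The class layout, the counter, and matching on the English message text are assumptions made for the illustration.

```csharp
using System;
using System.Threading;
using System.Web;

public class Global : HttpApplication
{
    // Rejected postbacks seen since the application started (illustrative counter).
    private static int rejectedPostbacks;

    // Start of the message shown in the exception mail above.
    // Assumption: the runtime produces English exception messages.
    private const string Marker = "Invalid postback or callback argument";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (!IsEventValidationFailure(error))
            return; // every other exception keeps its normal handling

        int total = Interlocked.Increment(ref rejectedPostbacks);
        System.Diagnostics.Trace.TraceWarning(
            "Rejected postback #{0} from {1} to {2}",
            total, Request.UserHostAddress, Request.RawUrl);

        // The request was refused by event validation, so report it
        // as a bad request rather than as a server error page.
        Server.ClearError();
        Response.StatusCode = 400;
    }

    // ASP.NET wraps page exceptions (typically in HttpUnhandledException),
    // so walk the InnerException chain looking for the ArgumentException.
    private static bool IsEventValidationFailure(Exception error)
    {
        for (Exception ex = error; ex != null; ex = ex.InnerException)
        {
            if (ex is ArgumentException &&
                ex.Message.StartsWith(Marker, StringComparison.Ordinal))
                return true;
        }
        return false;
    }
}
```

The handler never touches the enableEventValidation setting, so the check that rejects the bots stays in place.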

Maybe this example will convince those of you who didn’t believe me in the last post I did about ASP.NET security and unnecessary CAPTCHAs.

Update 30 minutes later: I've just received 25 more mails in half an hour. Maybe the bots read my post and didn't believe me either.