The boom in comment spam is controlled by a small hardcore of abusers that have hit on a way to game Google's search algorithms in order to spread advertising and malware, according to a new report from security firm Imperva.
The firm doesn't offer any hard numbers on the scale of comment spam - link-heavy comments that pollute many web comment forums - but that the issue has been getting worse won't come as a surprise to website owners.
After conducting a two-week test last September Imperva made the discovery that 80 percent of the spam against 60 different applications and services originated from only 28 percent of attackers.
Campaigns start with URL harvesting, that is finding vulnerable and highly-ranged websites to target with spam. The quality of a target is dictated by how easy it is to post spam, that URL's search engine ranking and whether the site allows search engines to follow links or not.
The attackers have even managed to find ways to make the spam text sounding more life-like, using 'spintax', a technique for automatically generating many usable comments from the same basic text.
Imperva's research suggested that once attackers had picked on specific URLs, they would attack the same site repeatedly over a period of days and weeks; the research also found one persistent attacker had been hiding behind Google's own App Engine proxy service as a way of fooling blacklisting filters.
"The reason it has got worse is that the industry around comment spam is very mature," said Imperva CTO, Amichai Shulman.
The rise of comment spam was not merely a nuisance and impacted on the usability of forums and comment pages as well as consuming bandwidth. It was also used to push people to click fraud ads - and worse.
The attraction of piggybacking links on top of trusted websites was simple search engine optimisation and there seemed to be nothing Google could do about it, he said.
"Attackers have found a way to circumvent whatever Google is doing to detect it," said Shulman. "It drives users away from the applications."
Imperva's answer is to use reputation services such as its own ThreatRadar system, ideally early in an attack.
Ironically, one of the firms that has the biggest battle with comment spammers is Google itself, which last year had to revamp YouTube's comment system by insisting on a Google+ login to post. This is one of the off things about this war; users have become so acclimatised to comment spam that they barely notice it.