North Coast Journal > blogthing > New Pot Club in Eureka
LINKSTREAM
bookmarked by HANK SIMS — Sept. 30, 1:18 p.m. — filed under marijuana
New Pot Club in Eureka: Hummingbird Healing Center, a medical marijuana dispensary, just opened its doors right across Harrison Avenue from St. Joseph Hospital. Here’s a review that was posted yesterday. They got the goods, it would seem.
Interesting to note that the club is right over the city line, which runs down the middle of Harrison. So it’s technically a “county” pot club, though its location in the heart of Eureka’s medical district is certainly a canny move. We have a call into the owner, who was kind enough to drop us a line to inform us of the club’s grand opening.
comments
by Kushboldt — Sept. 30, 3:55 p.m.
I posted a write-up of what the various goods carried here are on kushboldt.wordpress.com. For educational purposes only of course.
by Hank Sims — Sept. 30, 4 p.m.
Wow! Cheers, Kushboldt!
by Anon — Oct. 1, 5:46 p.m.
I saw they have a second location in the office complex by Johns Cigars on Myrtle Ave.. Suite C..
by hankhallmeyer — Oct. 2, 9:31 a.m.
So what. Yet another avenue for dumb stoners to become more intelligent
by bambi l peters — Oct. 6, 1:34 p.m.
Can we decide if we can respect the very laws we vote in? 215 spells it out and I still have to feel like a criminal because I have Stage 4 cancer and truly need marijuana’s beneficial effects? I am not a criminal and if I am allowed to smoke, then let me purchase (or receive) the product without feeling like I am wrong.
by Mr. Nice — Oct. 6, 4:11 p.m.
Bambi, you are not a criminal.
This hummingbird place has some messed up hours. Should open at 8am dudes, not whenever you wake up.
by Cawa — Oct. 26, 11:07 a.m.
[Unintelligible Cyrillic spam.]
by Hank Sims — Oct. 26, 11:52 a.m.
Mr. Nice: I appoint you our official Russian spam correspondent. WHAT DO THESE PEOPLE WANT?
by Mr. Nice — Oct. 27, 2:53 p.m.
Okay, sir, that’s easy. Short answer: monetary gain.
I’ll give you the technical answer since that is more useful.
Modern comment systems use a “nofollow” value attribute attached to links. As you can see in the page source of the first comment, a link was created and your comment system did not automatically parse the anchor tag and insert rel="nofollow".
This is valuable to spammers. When a link is posted without the nofollow attribute, search engines take this to mean yes follow this link. When a search engine follows a link, the link is weighted relative to the number of followed links on a page and the weight of other sites which link to the page with the followed link.
However, if your comment system inserts nofollow, any posted link becomes useless to spammers. Google etc. do not follow the link and therefore do not add any weight to the followed link based on it being (supposedly) relevant to the originating page.
“ни че се коментов” is a marker placed to alert potential spammers that the code in this comment system is vulnerable to attack. You may have seen Nigerian scammers using the same tactic on the old “guestbooks” by inserting codewords that other scammers could search for. This post signals that this page contains a link which was verified as having a positive search relevance influence from the originating page (this page). It does not mean that spam links would do well as the above link is actually on-topic and within the relevant scope of what followed links are supposed to be. However, Eastern European spammers could examine the relevance of this and post such things as “herbal” affiliate links such as the phony weed herbal high times-ish programs.
коментов in this sense refers to a comment. One comment in spam terms could net anywhere between 1 and 30 cents depending on how high the relevance of the comment page is.
Links should be set to nofollow with an option to turn this off individually for links which are actually relevant and which you would like to donate a couple of google ether points to.
Basically all you need is a regular expression that replaces with [
The PHP code for that is as follows:

function addnofollow ($str) {
    $str = stripslashes($str);
    $preg = “/<[s]*a[s]*href=[s]*[“’]?([w.-]*)[“’]?[^>]>(.?)</a>/i”;
    preg_match_all($preg, $str, $match);
    foreach ($match[1] as $key=>$val) {
        $pattern[] = ‘/’.preg_quote($match[0][$key],’/’).’/’;
        $replace[] = “](http://foo.bar){$match[2][$key]}“;
    }
    return preg_replace($pattern, $replace, $str);
}
Then just shoot the entire comment string through the addnofollow function before posting.
I am surprised that your programmer did not do this.
by Mr. Nice — Oct. 27, 3:09 p.m.
I guess it dropped my last comment.
Anyway, I was trying to say that the above code won’t work since the comment system did some funky stuff where it actually did the match and pulled “http://foo.bar” from a real anchor link based on the code that I put into the comment.
This is not good. I can see why the spammers have targeted this comment system. There are a wide range of exploits available with this kind of slack… the output from these comments needs to be sanitized.
by Mr. Nice — Oct. 27, 3:13 p.m.
Hank, you might want to take it into advisement to sanitize the comments… but I would pull any Eastern European comments along with the ones that I just made regarding the specifics of the holes in your comment system. I would not like for someone to read my explanation as a howto to spam the hell out of this blog. I did not realize how bad it was.
by Hank Sims — Oct. 27, 5:15 p.m.
Whoa, badass!
I never thought about “nofollow” as a spam prevention technique. I know that Google recommends it, but it’s kind of a tough sell. I do want our comments to be Googlable.
As it stands, we outsource our spam check via API call to TypePad. They don’t catch everything, of course, but they catch 98 percent of it. I clean up afterwards when I find something that gets through, and I can ban addresses outright if I want to. A while back I had to write a custom routine to ban one particularly nasty distributed network. Do you see how “Humboldt: What’s In A Name” has been at the top of the charts on our main page for weeks now? That’s because that network still hits it like 10 times a minute and our ranking system is way naive.
Comments already are sanitized in that you only get to use four or five tags for bold, italics, blockquote, etc. Every other tag is stripped. Or should be. I don’t quite follow what you did up there, but I’m quite sure that the system did not evaluate and run a regex match-and-replace in your comment. We’re on Python, not PHP, in any case.
by Mr. Nice — Oct. 27, 9:05 p.m.
Thanks for the explanation. I was afraid I had just revealed a potential hole.
This is the part that bothered me. Up there, first I had a stray
I was using as a link example.
This took the value and put it here:
$replace[] = “](http://foo.bar)
But, that was supposed to say:
$replace[] = “{$match[2][$key]}“;
It looks like the parser grabbed the previous href value as the regex was written and inserted it into my next comment. You can see why this might be a problem if it accepts code input - albeit in the wrong language in this case - and uses that to modify output. I thought this could be fashioned as an injection.
The spammers don’t get paid for anyone clicking those links, that is not the point. The only objective is for google to think you are associated with their site by making it appear that you have followable links to their spam site, thereby increasing the visibility of their porn/gambling/vicodin/illegal something site for the keywords contained on your page.
If you search for the above post, every instance of this type of message is followed by spam links. Any other posts on this type of post are discussions about how these are spammers, that this is a mark phrase, and how to get rid of them.
Anyway, nofollow will nullify their attempts to steal your google traffic.
As for your pagerank problem, are you using the Google Analytics Data Export API to get the top pages? If not, try that out.
by Mr. Nice — Oct. 27, 9:08 p.m.
Dropped another comment…
Your comments did somehow transpose “http://foo.bar” from one message to another. That is potentially bad.
Google Data Export API would be useful for your top pages issue.
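Added example (not from the thread or the site's code): instead of the regex approach in the comments, this Python routine parses a comment, keeps only an allowlist of formatting tags as Hank describes, and adds rel="nofollow" to every link unless its host is on a trusted list, the per-link opt-out Mr. Nice suggests. The tag allowlist, the TRUSTED_HOSTS set and the function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist, modelled on "four or five tags for bold, italics, blockquote".
ALLOWED_TAGS = {"b", "i", "em", "strong", "blockquote", "a"}
# Hypothetical per-host opt-out for links the editor wants search engines to follow.
TRUSTED_HOSTS = frozenset({"kushboldt.wordpress.com"})

class CommentSanitizer(HTMLParser):
    def __init__(self, trusted_hosts=frozenset()):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []
        self.trusted_hosts = trusted_hosts

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag is dropped; its text still arrives via handle_data
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            try:
                parts = urlsplit(href)
            except ValueError:
                return
            if parts.scheme not in ("http", "https") or not parts.hostname:
                return  # no javascript:, data:, relative or malformed targets
            rel = "" if parts.hostname in self.trusted_hosts else ' rel="nofollow"'
            self.out.append(f'<a href="{escape(href, quote=True)}"{rel}>')
        else:
            self.out.append(f"<{tag}>")  # every attribute is discarded
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Close only what we opened, in order, so the output stays well formed.
        if self.open_tags and self.open_tags[-1] == tag:
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize_comment(raw, trusted_hosts=frozenset()):
    parser = CommentSanitizer(trusted_hosts)
    parser.feed(raw)
    parser.close()
    # Close anything the commenter left open so it cannot swallow the page.
    tail = "".join(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out) + tail
```

Run every comment through sanitize_comment when it is rendered, so previously stored comments get the same treatment.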