A security firm found that the majority of comment spam – messages left on sites to carry out fraudulent advertising or spread malware – is created by a small number of saboteurs.

A report released Monday, called “Anatomy of Comment Spam” (PDF), delved into the growing problem, which can negatively impact firms’ reputations as well as user security.

Imperva, which published the report, found that just 17 percent of comment spam offenders posted the majority of these spurious messages. The firm tracked comment spam activity on more than 60 applications, over a two-week period in September, before spotting the trend.

Through its investigations, Imperva also found that the malicious activity sometimes escalated after companies stepped in to mitigate.

“The comment spam issue has become so prevalent that organizations are fighting back, by implementing mitigation services,” the report said. “Interestingly, there have been incidents of spammers fighting anti-spammers in an attempt to shut down those mitigation services, and many of those counter attacks have been successful.”

Barry Shteiman, Imperva’s director of security strategy, told SCMagazine.com in an interview that distributed denial-of-service (DDoS) attacks, or even an increase in comment spam, directed at websites’ comment sections often occurred as “counter attacks.”

“One of the unfortunate things that is happening, is if that attack doesn’t work, the attacker becomes frustrated and uses DDoS [against enterprises],” Shteiman said.

As companies become more aware of this money-generating tactic by scammers, they’ve strengthened their website applications to prevent spam, he added.

“But sometimes that’s not enough, because the tools are advanced enough to bypass it,” Shteiman said of firms’ countermeasures. “For instance, there are services that [complete] CAPTCHA forms for you.”

Attackers often employ free or crowdsourced tools to bypass verification methods, like CAPTCHA, that help weed out automated, or spam, comments from those of legitimate users, he explained.

“While there is an attempt to create all of these deterring mechanisms, it’s not something that is top of mind for companies. [Comment spam] is an emerging problem that’s been increasing in the past few years,” he added.

In addition to finding that a small set of attackers were behind most comment spam “attacks,” Imperva noted that 58 percent of comment spammers were active for long periods of time – meaning they generated spam for longer than a day and targeted more than one website.

“We’ve found that there’s not enough resources to explain to CSOs what comment spam is and why they should care about it,” Shteiman said.  

“Let’s say I can go on a medical site to communicate with doctors and all I see is spam. I won’t trust that site and I’ll go somewhere else. That’s a brand impact,” Shteiman explained. “Also, when you have the ability to produce a spam message on a website, you may include a link. Imagine if that link leads to malware.”

The report concluded that, after an attack, the sooner organizations peg the culprit, the better, since repeat offenders appeared to plague organizations. 

“IP reputation will help in solving the comment spam problem, by blocking comment spammers early on in their attack campaigns,” the report said.

To prevent such incidents, Imperva advised that companies employ a number of mitigation techniques, in addition to manually inspecting posts. For instance, it advocated the use of content inspection services, which verify the reputation of hyperlinks inserted in comments.

Firms were also encouraged to use online repositories that check the reputation of a poster, and to “demotivate” comment spammers.

“[Demotivation] specifies whether a link should be followed by the search engine’s indexing algorithm,” the report said. “Setting the ‘nofollow’ value for posted comments decreases the comment spam motivation.”