Jalaj P. Jha


Top Commentators List Hijack - What is it ?


Just recently I started putting up a Top Commentators list on the blog. Though I don’t normally go looking at which comments Akismet has caught as spam, I happened to visit that page and found a comment, apparently by Nirmal, lying there. Nirmal has been in the Top Commentators list since day one. A second look at the comment revealed something interesting: the url posted with it was not that of Nirmal’s blog, and the comment was not by Nirmal himself. This was an attempt to hijack the Top Commentators list by someone pretending to be one of the top commentators, but with a different email id (the original commentator’s email id being known only to the blog owner) and a different url which, if the hijack succeeds, sometimes replaces the genuine url of the original commentator.

[Image: nirmal]

What is the Top Commentators list, what is its hijack, and how does the hijacker gain from it?

Top Commentators lists exist on various blogs to encourage readers to participate in the discussion through comments. In return the commentator gets to show up in the blog’s sidebar with a link to the site/blog url he provided, if any. These links are mostly ‘DoFollow’ links (with rare exceptions), which helps strengthen one’s position in Google’s ranking.

Everyone is allowed to post comments as long as they add meaning to the discussion and are not just there to get one’s link added to the sidebar. All bloggers keeping a Top Commentators list go through posted comments to prevent abuse: most require every comment to be moderated, while some moderate only the first comment, and none of a commentator’s comments pass until that first one is approved. In all, bloggers make sure that only commentators of good repute (or at least not bad) get through, which our hijackers here are not! So instead of posting under their own name they choose the name of a person already present among the comments or on the “Top Commentators” list. This way they sometimes (or maybe many a time) pass the screening of comments and their comment gets published.

Now, once a comment has been published, how does the “Top Commentators” list get filled? Let me show you here (sorry for getting too technical from this point onwards). The code below comes from the Top Commentator Widget v0.999 available here.

Below is the piece of code that queries the comments database to find the top commentators. It builds a list of author names in descending order of the number of comments posted under each name. So if a hijacker posts a comment in someone else’s name, it too is included in that author’s count.

[Image: commhijack1]

To find the url associated with each author, a query is fired for each commentator seeking his url. Some variants of the Top Commentators plugin fire a simple select query that takes the url of the most recent comment. In such a case, instead of the original commentator’s url, the hijacker’s url is shown in the list, and this is what we are talking about here as Top Commentators List Hijacking. The hijackers are hopping around blogs featuring Top Commentators, firing comments looking for such a vulnerability, and once such a blog is traced they insert comments in the names of more than one commentator for the various urls they are trying to get link love for. Andy Bailey, also a Top Commentator, recently had to remove his Top Commentators list following such an attack. The plugin in discussion here is tougher to crack, though, as it looks for the url that was most used to comment under that name (see the code below), so a hijacker cannot succeed with a single comment. But there still remains room for success: if the hijacker posts one comment more than the original commentator has posted, he gets into the list, and the fact for concern here is that his comments don’t even need to be approved, as this query does not check the approval status.

[Image: commhijack2]

So all bloggers featuring a Top Commentators list should run a check: post a comment yourself in a commentator’s name but with a url different from that commentator’s, making sure the comment passes moderation, and then check whether the list has been hijacked or not. If it has, you need to give the list a break or ensure that no comment passes without strict url checking. Hijackers, please don’t try it on my blog: firstly, the blog is safeguarded by Akismet, so there is a good chance your comment goes straight into the spam list; secondly, this blog is hosted on wordpress.com, which does not have a top commentators facility, so the list here is not the result of “Artificial Intelligence” but of real intelligence. :)

How do we fight these hijackers? Simply by using the email address as the deciding factor for the Top Commentators list. Since email is the only field that is not publicly visible, hijackers have little chance of taking over. Hope to see modified plugins soon.
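As an added illustration (not the plugin’s own code), here is the name-keyed ranking described above beside the email-keyed version proposed in this paragraph, run against a constructed SQLite table that mimics the wp_comments columns the plugin reads; all names, emails and urls are made up.

```python
import sqlite3

# Constructed sample mimicking the wp_comments columns the plugin reads; all
# names, emails and urls are made up. "Nirmal" has 2 approved comments; an
# impostor posts 3 unapproved ones under the same display name.
SAMPLE_COMMENTS = [
    # (comment_author, comment_author_email, comment_author_url, comment_approved)
    ("Nirmal", "nirmal@example.com", "http://nirmal.example", "1"),
    ("Nirmal", "nirmal@example.com", "http://nirmal.example", "1"),
    ("Nirmal", "impostor@example.net", "http://seo-spam.example", "0"),
    ("Nirmal", "impostor@example.net", "http://seo-spam.example", "0"),
    ("Nirmal", "impostor@example.net", "http://seo-spam.example", "0"),
    ("Andy", "andy@example.org", "http://andy.example", "1"),
]

def build_db():
    """In-memory stand-in for the WordPress comments table."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE wp_comments (comment_author TEXT,
        comment_author_email TEXT, comment_author_url TEXT, comment_approved TEXT)""")
    db.executemany("INSERT INTO wp_comments VALUES (?, ?, ?, ?)", SAMPLE_COMMENTS)
    return db

def top_commentators_by_name(db, limit=5):
    """Hijackable ranking: group by the public display name, take the most-used
    url for that name, and never look at comment_approved."""
    rows = db.execute("""SELECT comment_author, COUNT(*) AS n FROM wp_comments
        GROUP BY comment_author ORDER BY n DESC LIMIT ?""", (limit,)).fetchall()
    result = []
    for author, n in rows:
        (url,) = db.execute("""SELECT comment_author_url FROM wp_comments
            WHERE comment_author = ? GROUP BY comment_author_url
            ORDER BY COUNT(*) DESC LIMIT 1""", (author,)).fetchone()
        result.append((author, n, url))
    return result

def top_commentators_by_email(db, limit=5):
    """Hardened ranking: key on the non-public email and count only approved
    comments, so an impostor with the same name lands in a separate bucket."""
    rows = db.execute("""SELECT comment_author_email, MIN(comment_author), COUNT(*) AS n
        FROM wp_comments WHERE comment_approved = '1'
        GROUP BY comment_author_email ORDER BY n DESC LIMIT ?""", (limit,)).fetchall()
    result = []
    for email, author, n in rows:
        (url,) = db.execute("""SELECT comment_author_url FROM wp_comments
            WHERE comment_author_email = ? AND comment_approved = '1'
            GROUP BY comment_author_url ORDER BY COUNT(*) DESC LIMIT 1""", (email,)).fetchone()
        result.append((author, n, url))
    return result
```

With this data the name-keyed list shows “Nirmal” with 5 comments and the impostor’s url, while the email-keyed list shows Nirmal with his 2 approved comments and his real url.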

Written by jalaj

February 10th, 2008 at 5:20 am