Transterrestrial Musings  


Biting Commentary about Infinity, and Beyond!


How Do They Do It?

I'm running a few private blogs, for business purposes, that are password protected via .htaccess on the main and archive directories. There are no external links to them from the open net, and they haven't been archived by Google. Yet somehow the spammers have found them. A couple days ago, we had dozens of poker spams in the comments.

Anyone have any idea how they're doing this?

Posted by Rand Simberg at February 20, 2005 08:11 AM
Comments

You may have a trojan on your PC. Somebody may have harvested your usernames and passwords.

Posted by Mike Puckett at February 20, 2005 11:15 AM

That's pretty unlikely--I'm behind a vicious firewall, and running Zone Alarm as well.

Though perhaps they got them from one of the other users.

Posted by Rand Simberg at February 20, 2005 12:00 PM

Spammers aren't known for playing by the rules; I wouldn't be surprised if a bot for spammers can pull such things, even from a password protected page.

Posted by B.Brewer at February 20, 2005 01:53 PM

My point is, how do they even know that the pages are there to break into, unless they've hacked the site? And if they can do that, there are a lot worse things they could be doing than comment spamming.

Posted by Rand Simberg at February 20, 2005 02:10 PM

Rand

What makes you think your spammers would be interested in anything worse than comment spamming?

I don't really know very much about tracking stuff on the internet, but could it be that they found your website via one (or more) of the sites it's linking to? Maybe the 'bot has a cracked list of the websites referring people to www.cnn.com or something.

If this is how they're finding you, it may be worth your time to write or implement a script that reroutes all hyperlinks through another webpage, either one you control or a free service like www.tinyurl.com.

Posted by MattJ at February 20, 2005 02:48 PM

Run a spyware check--most spyware doesn't seem to even get slowed down by most conventional firewalls et al, so you may have some despite the firewall.

Another alternative is that the spyware has infected somebody who uses or has used your site.

That being said, perhaps the biggest probability is that the spammers are just hitting every URL in existence, just to see what they get.

Posted by william at February 20, 2005 05:41 PM

Make sure that you have trackbacks/pingbacks disabled, and that you have turned off all notification services. Lots of blogs get found by the spammers this way. You make a post, and it ends up on the notification sites (blo.gs, Technorati, etc.), and it's all downhill from there. Pingomatic, while useful if you want to be found, is especially bad if you're trying to hide since it hits about 15 of those services.

Posted by Patrick O'Leary at February 20, 2005 07:05 PM

Are your comment-posting cgi's themselves accessible without a password? And do they have the default names for the script? Spammers will often do a 'brute-force' search by simply attempting to post to http://domain-name/comment-script.cgi for every domain name and common comment script name they can find. I've seen these hits on my sites, and I don't even have blogging software installed.

If you can, password protect the comments scripts. If you can't do that, rename them to something nonstandard.

Posted by Monsyne Dragon at February 21, 2005 12:25 AM

If these blogs have unique domain names, they can be found by searching DNS. And even if they don't, a scan of IP addresses responding to port 80 connects will find web sites.

I've noticed that hackers will attempt to break into web servers on any Comcast address within minutes of going live, so I can only assume that there is constant port scanning going on, probably through bots carried by viruses or something like that.

Posted by Richard Bennett at February 21, 2005 02:24 AM

Spyware applications like VX2 have trojans that browse through a computer's internet cache. Then, utilizing a backdoor created by the virus, they upload that information to a target server on the net. They relay the information along common HTTP 80 or FTP routines. I'd have everyone you know that accesses those pages run the new Microsoft Anti-spy on their computer. Also good to use another program called Hijack This. It's a low level process viewer that actually shows you the portions of the registry linked to running processes in the background. It's also cool 'cause if you look in the config button under the MISC tab there is a neat little utility that flags files that are currently in use for deletion on next reboot. Saves you a trip into safe mode to remove a file that keeps hiding in memory.

Posted by Josh "Hefty" Reiter at February 21, 2005 05:34 AM

If you have any external links from outside sites, that can lead right to the pages. Spiders can actively pull any web page from any directory on the net, I'm not sure if they can pierce a password protected page, but spammers would've found a way to do it if it could be done. You might want to check your server logs for any bot activity the past month or so.

Posted by B.Brewer at February 21, 2005 06:28 AM
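An added example, not part of the original thread: one way to act on the two suggestions above (check whether the comment script answers without a password, and check the server logs for bot activity). It assumes Apache "combined" log format; the log lines, hostnames, IP addresses and the script-name pattern are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" format (not taken from the blog's logs).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2005:03:12:01 -0800] "POST /cgi-bin/comment-script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Feb/2005:03:12:02 -0800] "POST /cgi-bin/comments.cgi HTTP/1.0" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Feb/2005:03:12:03 -0800] "POST /comments.cgi HTTP/1.0" 404 210 "-" "Mozilla/4.0"
198.51.100.4 - alice [19/Feb/2005:09:30:11 -0800] "GET /private/index.html HTTP/1.1" 200 8042 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Feb/2005:09:31:40 -0800] "POST /cgi-bin/comment-script.cgi HTTP/1.1" 200 530 "http://blog.example/private/archives/000012.html" "Mozilla/5.0"
192.0.2.55 - - [19/Feb/2005:10:02:00 -0800] "GET /private/index.html HTTP/1.1" 401 401 "-" "Mozilla/5.0"
"""

# Fields captured: client ip, auth user, method, path, status, referer
LINE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" '
                  r'(\d{3}) \S+ "([^"]*)" "[^"]*"')
# Hypothetical pattern for "comment script" names; adjust to the software in use.
COMMENT_SCRIPT = re.compile(r'comment[^/]*\.cgi$', re.I)

def audit(log_text):
    exposed = set()            # scripts that accepted a POST with no auth user
    misses = defaultdict(set)  # ip -> comment-script paths that returned 404
    blind = defaultdict(int)   # ip -> accepted POSTs sent without a Referer
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, user, method, path, status, referer = m.groups()
        path = path.split("?", 1)[0]
        if method != "POST" or not COMMENT_SCRIPT.search(path):
            continue
        if status == "404":
            misses[ip].add(path)           # guessed a name that does not exist
        elif status not in ("401", "403") and user == "-":
            exposed.add(path)              # reachable without credentials
            if referer in ("", "-"):
                blind[ip] += 1             # posted without visiting an entry page
    # Two or more distinct missing script names from one client = name guessing
    probers = {ip: sorted(p) for ip, p in misses.items() if len(p) >= 2}
    return exposed, probers, dict(blind)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A non-empty `exposed` set means the password on the blog directories does not cover the script that accepts comments, so a poster never needs to see the protected pages.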

If you have any external links from outside sites, that can lead right to the pages.

I don't (as far as I know). That was one of the premises of what we were doing, was that it was to be independent of the net (other than running on it for TCP/IP and HTTP). The question about it happening due to referrers from links going outside is more interesting. I'll have to go see if we have any.

Spiders can actively pull any web page from any directory on the net, I'm not sure if they can pierce a password protected page, but spammers would've found a way to do it if it could be done.

Why bother, unless the spiders are looking for it and adding to the data base? I'd like to think that Google isn't grabbing (and using for rankings) password-protected pages. If they are, this is an issue that should be elevated.

Posted by Rand Simberg at February 21, 2005 06:33 AM

Here's a FAQ on bots; towards the bottom of the FAQ, it shows how to protect yourself from these hostile bots.

http://www.robotstxt.org/wc/faq.html#visit

Posted by B.Brewer at February 21, 2005 06:34 AM

