Kake's journal: I know it's wonky and I don't care

Weird spam. [Jun. 14th, 2007|03:46 pm]
Kake

imc just posted about weird spam — that is, spam which doesn't seem to benefit the spammer. There's an example linked from his post.

We've had similarly weird spam attempts[0] on RGL, for example:

Comment added by gjtbx wicbr: vqkmli ijxdfazsn narjbcsxm lyoizrd gmivefaxp wjmivg okyatsjf http://www.bdiup.fohmiwpxd.com

Just nonsense words; not always with a URL included, and where there is a URL, it's nonsense too.

fanf suggests on imc's post that the purpose could be to see how diligent you are about deleting spam, but even so, if the content differs significantly from what you would actually want to post, it's still not a fair test since nonsense could slip through spam filters where real spam would get caught. Why not just test with actual spam?

Anyone know what's going on?

[0] We have automatic spamtrapping, but these were quite hard to write rules for. I eventually went with "two-word lowercase username plus two occurrences of q followed by not-u", which caught a fair proportion of them.

Comments:
From: susannahf
2007-06-14 02:59 pm (UTC)
I've seen quite a few of these too. I can only come up with the following explanations:
1) They're just trying to piss people off (kids?)
2) It's a social engineering experiment to encourage people to think links like this are harmless before they unleash their sekrit weapon
3) There's some sort of screwed up keymapping/character set issue in their program. Although that doesn't explain the fact that the URL has a sensible start and end.
From: fanf
2007-06-14 03:03 pm (UTC)
4) some idiot has just bought some spamware and is doing a test run with garbage data
5) some idiot has just bought some spamware and doesn't know how to configure it
From: nou
2007-06-14 03:57 pm (UTC)
Regarding reason (1), I saw some rather cute spam the other day:

What's the betting that Daniel and Freddie aren't very old? :)
From: susannahf
2007-06-14 04:07 pm (UTC)
My instinctive reaction to that was to think "Bless!" in the tone of voice that one uses when observing a toddler continuously making toast (or doing some other relatively trivial task) because he's just discovered he /can/.
From: lovingboth
2007-06-14 03:01 pm (UTC)
Yeah, I get that at work too.

Anything with the string 'http' gets filtered as spam anyway (it doesn't seem to affect genuine posts and catches 99.4% of spam) and this sort of random letters thing is the 0.6%.

I always thought it was just someone who hasn't set up their spamming bots properly!

I do like that test though... I'll see how many it catches here.
From: nou
2007-06-14 03:48 pm (UTC)
Yes — if we could just reject everything with http:// in it'd be easier! We do welcome external links though, where appropriate.

I have set a rule to ban any comment (as opposed to a full edit) with more than one http:// in, but I do care quite a lot about not rejecting valid content (not that this has happened yet; I know this because rejected edits get emailed to me and so far our spam burden is low enough that I can read through them).
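The two spam-trap rules discussed on this page, the post's footnote rule (two-word lowercase username plus at least two occurrences of q not followed by u) and the more-than-one-http:// rule from nou's comment above, as an added example run over a handful of sample comments. This is not the Randomness Guide to London's own code (none is shown on this page); the Comment class, the rule names, classify(), and every sample comment apart from the one quoted in the post are assumptions made for this illustration. Note that the quoted comment itself contains only one q, so the footnote rule would not have caught it, which fits the "fair proportion" the post reports.

```python
"""Spam-trap heuristics for wiki comments.

Added example, not the Randomness Guide to London's own code. It implements
the two rules described on this page: the post's "two-word lowercase
username plus two occurrences of q followed by not-u" rule, and the comment
thread's "more than one http:// in a comment" rule. Comment, the rule
names, classify() and the sample data are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Rule 1 (from the post): the username is exactly two lowercase words ...
USERNAME_TWO_LOWER_WORDS = re.compile(r"^[a-z]+ [a-z]+$")
# ... and the body has at least two q's that are not followed by u.
# English almost always writes "qu", so a bare "q" smells of random
# letters; the threshold of two is the post's.
Q_NOT_FOLLOWED_BY_U = re.compile(r"q(?!u)", re.IGNORECASE)
MIN_Q_NOT_U = 2

# Rule 2 (from the comment thread): more than one http:// in a comment.
HTTP_SCHEME = re.compile(r"http://", re.IGNORECASE)
MAX_URLS = 1


@dataclass(frozen=True)
class Comment:
    username: str
    body: str


def q_not_u_count(text: str) -> int:
    """Number of q/Q characters not immediately followed by u/U."""
    return len(Q_NOT_FOLLOWED_BY_U.findall(text))


def url_count(text: str) -> int:
    """Number of http:// occurrences (the rule counts the scheme, not hosts)."""
    return len(HTTP_SCHEME.findall(text))


def nonsense_rule(c: Comment) -> bool:
    """The post's rule: two-word lowercase username AND >= 2 'q' not before 'u'."""
    return (USERNAME_TWO_LOWER_WORDS.match(c.username) is not None
            and q_not_u_count(c.body) >= MIN_Q_NOT_U)


def multi_url_rule(c: Comment) -> bool:
    """The thread's rule: reject comments carrying more than one http:// link."""
    return url_count(c.body) > MAX_URLS


def classify(c: Comment) -> list[str]:
    """Names of the rules a comment trips; an empty list means it is accepted."""
    hits = []
    if nonsense_rule(c):
        hits.append("nonsense")
    if multi_url_rule(c):
        hits.append("multi_url")
    return hits


# Constructed samples. "post_example" is the exact comment quoted in the
# post; the others are made up for this example.
SAMPLES = {
    "post_example": Comment(
        "gjtbx wicbr",
        "vqkmli ijxdfazsn narjbcsxm lyoizrd gmivefaxp wjmivg okyatsjf "
        "http://www.bdiup.fohmiwpxd.com"),
    "nonsense_two_q": Comment(
        "pqzvt mkaw", "qxmrtb zlokqd wnsrev http://www.qzpl.example.com"),
    "legit_single_link": Comment(
        "Kake", "Good pub; see http://example.com/menu for the food."),
    "legit_but_caught": Comment(
        "john smith",
        "The Iraqi place near here is good; the owner is from Qatar."),
    "two_links": Comment(
        "seo guy", "Cheap deals at http://a.example/ and http://b.example/"),
}


def run_samples() -> dict[str, list[str]]:
    """Classify every sample; returns {sample name: rules tripped}."""
    return {name: classify(c) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        body = SAMPLES[name].body
        print(f"{name:18s} q_not_u={q_not_u_count(body)} "
              f"urls={url_count(body)} -> {hits or 'accepted'}")
```

Running it prints each sample's q-not-u count, URL count and the rules it trips. The "john smith" sample shows the main risk of the letter-frequency heuristic: a genuine comment mentioning Iraqi food and Qatar also carries two q's not followed by u, so a review path for rejected edits, as nou's comment above describes, matters more than the exact threshold.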
From: rik
2007-06-14 03:09 pm (UTC)
If I said "PageRank", would that enlighten?

How about "blogosphere" in conjunction with the last hint?
From: lovingboth
2007-06-14 03:16 pm (UTC)
Hmm, but having random wrong links is going to decrease your pagerank, not increase someone else's (the usual reason for comment spam).

Are you saying this is an attack to reduce your pagerank?
From: babysimon
2007-06-14 03:19 pm (UTC)
I think he's just trying to explain why people spam web pages.
From: nou
2007-06-14 03:49 pm (UTC)
But as lovingboth says, this does nobody's PageRank any good because (a) there aren't always URLs in the spam content, and (b) when there are URLs, they don't actually exist as websites.
From: truecatachresis
2007-06-14 03:14 pm (UTC)
I think malware has become semi-sentient and is roaming the internet, mutating, evolving, infecting botnets and spreading its apparently meaningless seed everywhere.
From: nou
2007-06-14 03:50 pm (UTC)
So by rejecting it as spam, I'm actually contributing to its evolution :)
From: natf
2007-06-15 11:34 pm (UTC)
ooo wow - I did not know that you and kake knew each other! I know you both from different environments! ;-p
From: babysimon
2007-06-14 03:18 pm (UTC)
I used to run an open relay (well, not really an open relay, it only delivered locally, but it looked like an open relay from the outside) so I got to see the mails spammers send out to detect and test open relays.

They were always gibberish, never a spammy payload, so I suspect fanf is right, but I don't really understand why either.
From: pseudomonas
2007-06-14 03:25 pm (UTC)
If you want to test penetration of a message through a relay, I guess you don't want the test muddied by spamfiltering. So you have to have something that's very variable and certainly doesn't look like any existing spam.
From: babysimon
2007-06-14 03:26 pm (UTC)
Makes sense. This was in ~2003 when spam filtering was less sophisticated though...
From: nou
2007-06-14 03:53 pm (UTC)
Hm, yes, and I suppose the same could apply to wikispamming — checking whether a wiki actually is open edit. But you'd only need to do that once, surely, and we had a fair few of these (though I've not seen any for a week, so it looks like they've given up).
From: pozorvlak
2007-06-15 08:44 am (UTC)
You're assuming it's only one group doing it...
From: nou
2007-06-15 01:50 pm (UTC)
Fair point, though it does seem odd that multiple separate groups would use exactly the same form of nonsense.
From: lnr
2007-06-14 03:57 pm (UTC)
How often did you get blacklisted?
From: babysimon
2007-06-14 04:04 pm (UTC)
Not at all to my knowledge.

But then I wouldn't know or care much if I did - this machine wasn't supposed to get incoming SMTP from anyone other than me or my coworkers, and we weren't testing it against blacklists...
From: johnckirk
2007-06-14 04:29 pm (UTC)
I get quite a few spam comments like that: enough that I screen anonymous comments and may soon block them altogether, but nowhere near as much as I do via email. I have two main theories:

a) It's just a test run for their spambot, as the equivalent of a "Hello world!" program.

b) Spammers just aren't that bright, so they've screwed up. E.g. I get several phishing emails which claim to be from Ebay/PayPal, and include the standard text that says "We always include your username so that you know this isn't spam" but don't include my actual username.
From: nou
2007-06-15 01:52 pm (UTC)
I get several phishing emails which claim to be from Ebay/PayPal, and include the standard text that says "We always include your username so that you know this isn't spam" but don't include my actual username.

I suspect this is because while they have no way of knowing your actual username, and hence can't include it, they know that the closer they can make their mail to a legitimate eBay mail, the more people they'll catch. It'd look even more suspicious to leave that phrase out.
From: johnckirk
2007-06-15 08:07 pm (UTC)
I'm not sure about that. If people don't read that sentence then there's no benefit to having it (because they wouldn't notice it being missing). If they do read it, surely they'll notice the lack of an account name? I'd say that it would be more convincing to leave it out, and maybe substitute an alternate sentence to take up the same amount of space, e.g. "For your security, all internet transactions are encrypted."

Quoting from a fake Nationwide email I got today:

Nationwide Building Society Online Banking Security Team is carrying out a fraud prevention
exercise on all accounts to reduce and prevent Fraud on our online
Banking system .All Verified Accounts will recieve a Special Anti-
Fraud Protection, Which will reduce all risks of Online Fraud.

Please click on Sign in to Secured Online Banking to continue Update.
your account information to the verification process.

Remember Failure to verify your account details will lead to account
suspension for security Reasons.


Leaving aside the fact that I don't have a Nationwide account, this message just looks weird: erratic capitalisation, incorrect positioning of the full stop at the end of the first sentence, and a sentence without a verb in the second paragraph.

I assume that this is because the people who sent it don't speak English as their first language, so they don't realise how unconvincing it looks; this doesn't really suggest that they are criminal masterminds who have carefully planned this operation out in every detail. Coming back to the standard text, I think that those people are taking a different approach to the same problem: they know that they can't write coherent English themselves, so they just use the existing text in its entirety, without actually understanding what that text says.
From: alan1957
2007-06-14 08:15 pm (UTC)

dunno why i didn't fink of this sooner, must be getting old...

aliens. yup, they 'ave obviously infiltrated all aspects of human civilisation, since invading in the 1950s, to the point that they 'ave lost contact wiv one anuvver, so they are forced ter send out their messages as spam 'n' 'ope that they reach their intended audience. the message yew quote probably details a rendevouz point (in croydon maybe).
From: babysimon
2007-06-14 10:59 pm (UTC)

Re: dunno why i didn't fink of this sooner, must be getting old...

I knew there was something about Croydon...
From: natf
2007-06-15 11:37 pm (UTC)

Re: dunno why i didn't fink of this sooner, must be getting old...

*falls off chair laughing*
From: mikewd
2007-06-15 12:35 pm (UTC)
It's quite likely these are attempts at malware injection (or preparatory tests for this) - they may well be trying to embed javascript or other HTML designed to use browser exploits to do drive by installs of malware. Or at least test for the ability to use your site to do this sort of thing in future (e.g. to check what gets filtered from comments).

The whole blogosphere & "web 2.0" sites which allow uploading of content are an ideal target for people wanting to spread malware as it's much easier than actually having to crack vulnerable servers to do so.

You have to bear in mind that a significant proportion of "spam" these days is not an end in itself but simply a means for delivering compromised zombies (e.g. by phishing type links or iframe exploits or whatever) to use for other purposes - the latter are what is worth the money to the bad guys.
From: nou
2007-06-15 01:49 pm (UTC)
The thing is, I understand the ones which include JavaScript or HTML. The ones I'm puzzled about are the ones like the example I gave in my post. No JavaScript, no HTML other than a URL which doesn't resolve. (imc's example may well have been munged/filtered by livejournal, but the one I gave wasn't — that was precisely the content that was sent to the CGI handling the form.)
From: mikewd
2007-06-17 04:29 am (UTC)
Well I still suspect it's some sort of test - maybe just testing out the operation of some new spambot software or possibly a demonstration run for potential customers (e.g. you can run it in demo mode for free, where it posts random text, but if you want real spam posted you gotta pay).

I guess if its a demo not using real looking spam is more likely to get through filters and so impress the potential buyers....
From: natf
2007-06-15 11:32 pm (UTC)
'If our random wibble to you by email does not bounce then it is a valid email address that we can try to phish later!'

Dontcha just hate spam? Unless it is in a wheat-free (in my case) fritter, of course...