I've seen quite a few of these too. I can only come up with the following explanations:
1) They're just trying to piss people off (kids?)
2) It's a social engineering experiment to encourage people to think links like this are harmless before they unleash their sekrit weapon
3) There's some sort of screwed up keymapping/character set issue in their program. Although that doesn't explain the fact that the URL has a sensible start and end.
From: fanf 2007-06-14 03:03 pm (UTC)
4) some idiot has just bought some spamware and is doing a test run with garbage data
5) some idiot has just bought some spamware and doesn't know how to configure it
Yeah, I get that at work too.
Anything with the string 'http' gets filtered as spam anyway (it doesn't seem to affect genuine posts and catches 99.4% of spam) and this sort of random letters thing is the 0.6%.
I always thought it was just someone who hasn't set up their spamming bots properly!
I do like that test though... I'll see how many it catches here.
From: nou 2007-06-14 03:48 pm (UTC)
Yes — if we could just reject everything with http:// in, it'd be easier! We do welcome external links though, where appropriate.
I have set a rule to ban any comment (as opposed to a full edit) with more than one http:// in, but I do care quite a lot about not rejecting valid content (not that this has happened yet; I know this because rejected edits get emailed to me and so far our spam burden is low enough that I can read through them).
From: rik 2007-06-14 03:09 pm (UTC)
If I said "PageRank", would that enlighten?
How about "blogosphere" in conjunction with the last hint?
Hmm, but having random wrong links is going to decrease your pagerank, not increase someone else's (the usual reason for comment spam).
Are you saying this is an attack to reduce your pagerank?
I think malware has become semi-sentient and is roaming the internet, mutating, evolving, infecting botnets and spreading its apparently meaningless seed everywhere.
From: nou 2007-06-14 03:50 pm (UTC)
So by rejecting it as spam, I'm actually contributing to its evolution :)
I used to run an open relay (well, not really an open relay, it only delivered locally, but it looked like an open relay from the outside) so I got to see the mails spammers send out to detect and test open relays. They were always gibberish, never a spammy payload, so I suspect fanf is right, but I don't really understand why either.
If you want to test penetration of a message through a relay, I guess you don't want the test muddied by spamfiltering. So you have to have something that's very variable and certainly doesn't look like any existing spam.
I get quite a few spam comments like that: enough that I screen anonymous comments and may soon block them altogether, but nowhere near as much as I do via email. I have two main theories:
a) It's just a test run for their spambot, as the equivalent of a "Hello world!" program.
b) Spammers just aren't that bright, so they've screwed up. E.g. I get several phishing emails which claim to be from Ebay/PayPal, and include the standard text that says "We always include your username so that you know this isn't spam" but don't include my actual username.
From: nou 2007-06-15 01:52 pm (UTC)
I get several phishing emails which claim to be from Ebay/PayPal, and include the standard text that says "We always include your username so that you know this isn't spam" but don't include my actual username.
I suspect this is because while they have no way of knowing your actual username, and hence can't include it, they know that the closer they can make their mail to a legitimate eBay mail, the more people they'll catch. It'd look even more suspicious to leave that phrase out.
From: alan1957 2007-06-14 08:15 pm (UTC)
dunno why i didn't fink of this sooner, must be getting old...
aliens. yup, they 'ave obviously infiltrated all aspects of human civilisation, since invading in the 1950s, to the point that they 'ave lost contact wiv one anuvver, so they are forced ter send out their messages as spam 'n' 'ope that they reach their intended audience. the message yew quote probably details a rendevouz point (in croydon maybe).
From: babysimon 2007-06-14 10:59 pm (UTC)
Re: dunno why i didn't fink of this sooner, must be getting old...
I knew there was something about Croydon...
It's quite likely these are attempts at malware injection (or preparatory tests for this) - they may well be trying to embed javascript or other HTML designed to use browser exploits to do drive by installs of malware. Or at least test for the ability to use your site to do this sort of thing in future (e.g. to check what gets filtered from comments).
The whole blogosphere & "web 2.0" sites which allow uploading of content are an ideal target for people wanting to spread malware as it's much easier than actually having to crack vulnerable servers to do so.
You have to bear in mind that a significant proportion of "spam" these days is not an end in itself but simply a means for delivering compromised zombies (e.g. by phishing type links or iframe exploits or whatever) to use for other purposes - the latter are what is worth the money to the bad guys.
From: nou 2007-06-15 01:49 pm (UTC)
The thing is, I understand the ones which include JavaScript or HTML. The ones I'm puzzled about are the ones like the example I gave in my post. No JavaScript, no HTML other than a URL which doesn't resolve. (imc's example may well have been munged/filtered by livejournal, but the one I gave wasn't — that was precisely the content that was sent to the CGI handling the form.)
From: natf 2007-06-15 11:32 pm (UTC)
'If our random wibble to you by email does not bounce then it is a valid email address that we can try to phish later!'
Dontcha just hate spam? Unless it is in a wheat-free (in my case) fritter, of course...