Log in

No account? Create an account
I know it's wonky and I don't care [entries|archive|friends|userinfo]

[ website | My Website ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

[Links:| Randomness Guide to London | Open Guide to Cambridge | Snake Soup | KakeFlickr ]

Weird spam. [Jun. 14th, 2007|03:46 pm]
[Tags|, ]

imc just posted about weird spam — that is, spam which doesn't seem to benefit the spammer. There's an example linked from his post.

We've had similarly weird spam attempts[0] on RGL, for example:

Comment added by gjtbx wicbr: vqkmli ijxdfazsn narjbcsxm lyoizrd gmivefaxp wjmivg okyatsjf http://www.bdiup.fohmiwpxd.com

Just nonsense words; not always with a URL included, and where there is a URL, it's nonsense too.

fanf suggests on imc's post that the purpose could be to see how diligent you are about deleting spam, but even so, if the content differs significantly from what you would actually want to post, it's still not a fair test since nonsense could slip through spam filters where real spam would get caught. Why not just test with actual spam?

Anyone know what's going on?

[0] We have automatic spamtrapping, but these were quite hard to write rules for. I eventually went with "two-word lowercase username plus two occurrences of q followed by not-u", which caught a fair proportion of them.

[User Picture]From: susannahf
2007-06-14 02:59 pm (UTC)
I've seen quite a few of these two. I can only come up with the following explanations:
1) They're just trying to piss people off (kids?)
2) It's a social engineering experiment to encourage people to think links like this are harmless before they unleash their sekrit weapon
3) There's some sort of screwed up keymapping/character set issue in their program. Although that doesn't explain the fact that the URL has a sensible start and end.
(Reply) (Thread)
[User Picture]From: fanf
2007-06-14 03:03 pm (UTC)
4) some idiot has just bought some spamware and is doing a test run with garbage data
5) some idiot has just bought some spamware and doesn't know how to configure it
(Reply) (Parent) (Thread)
[User Picture]From: lovingboth
2007-06-14 03:01 pm (UTC)
Yeah, I get that at work too.

Anything with the string 'http' gets filtered as spam anyway (it doesn't seem to affect genuine posts and catches 99.4% of spam) and this sort of random letters thing is the 0.6%.

I always thought it was just someone who hasn't set up their spamming bots properly!

I do like that test though... I'll see how many it catches here.
(Reply) (Thread)
[User Picture]From: nou
2007-06-14 03:48 pm (UTC)
Yes — if we could just reject everything with http:// in it'd be easier! We do welcome external links though, where appropriate.

I have set a rule to ban any comment (as opposed to a full edit) with more than one http:// in, but I do care quite a lot about not rejecting valid content (not that this has happened yet; I know this because rejected edits get emailed to me and so far our spam burden is low enough that I can read through them).
(Reply) (Parent) (Thread)
From: rik
2007-06-14 03:09 pm (UTC)
If I said "PageRank", would that enlighten?

How about "blogosphere" in conjunction with the last hint?
(Reply) (Thread)
[User Picture]From: lovingboth
2007-06-14 03:16 pm (UTC)
Hmm, but having random wrong links is going to decrease your pagerank, not increase someone else's (the usual reason for comment spam).

Are you saying this is an attack to reduce your pagerank?
(Reply) (Parent) (Thread) (Expand)
[User Picture]From: truecatachresis
2007-06-14 03:14 pm (UTC)
I think malware has become semi-sentient and is roaming the internet, mutating, evolving, infecting botnets and spreading its apparently meaningless seed everywhere.
(Reply) (Thread)
[User Picture]From: nou
2007-06-14 03:50 pm (UTC)
So by rejecting it as spam, I'm actually contributing to its evolution :)
(Reply) (Parent) (Thread)
[User Picture]From: babysimon
2007-06-14 03:18 pm (UTC)
I used to run an open relay (well, not really an open relay, it only delivered locally, but it looked like an open relay from the outside) so I got to see the mails spammers send out to detect and test open relays.

They were always gibberish, never a spammy payload, so I suspect fanf is right, but I don't really understand why either.
(Reply) (Thread)
[User Picture]From: pseudomonas
2007-06-14 03:25 pm (UTC)
If you want to test penetration of a message through a relay, I guess you don't want the test muddied by spamfiltering. So you have to have something that's very variable and certainly doesn't look like any existing spam.
(Reply) (Parent) (Thread) (Expand)
[User Picture]From: johnckirk
2007-06-14 04:29 pm (UTC)
I get quite a few spam comments like that: enough that I screen anonymous comments and may soon block them altogether, but nowhere near as much as I do via email. I have two main theories:

a) It's just a test run for their spambot, as the equivalent of a "Hello world! program.

b) Spammers just aren't that bright, so they've screwed up. E.g. I get several phishing emails which claim to be from Ebay/PayPal, and include the standard text that says "We always include your username so that you know this isn't spam" but don't include my actual username.
(Reply) (Thread)
[User Picture]From: nou
2007-06-15 01:52 pm (UTC)
I get several phishing emails which claim to be from Ebay/PayPal, and include the standard text that says "We always include your username so that you know this isn't spam" but don't include my actual username.

I suspect this is because while they have no way of knowing your actual username, and hence can't include it, they know that the closer they can make their mail to a legitimate eBay mail, the more people they'll catch. It'd look even more suspicious to leave that phrase out.
(Reply) (Parent) (Thread) (Expand)
[User Picture]From: alan1957
2007-06-14 08:15 pm (UTC)

dunno why i didn't fink of this sooner, must be getting old...

aliens. yup, they 'ave obviously infiltrated all aspects of human civilisation, since invading in the 1950s, to the point that they 'ave lost contact wiv one anuvver, so they are forced ter send out their messages as spam 'n' 'ope that they reach their intended audience. the message yew quote probably details a rendevouz point (in croydon maybe).
(Reply) (Thread)
[User Picture]From: babysimon
2007-06-14 10:59 pm (UTC)

Re: dunno why i didn't fink of this sooner, must be getting old...

I knew there was something about Croydon...
(Reply) (Parent) (Thread) (Expand)
From: mikewd
2007-06-15 12:35 pm (UTC)
It's quite likely these are attempts at malware injection (or preparatory tests for this) - they may well be trying to embed javascript or other HTML designed to use browser exploits to do drive by installs of malware. Or at least test for the ability to use your site to do this sort of thing in future (e.g. to check what gets filtered from comments).

The whole bologosphere & "web 2.0" sites which allow uploading of content are an ideal target for people wanting to spread malware as it's much easier than actually having to crack vulnerable servers to do so.

You have to bear in mind that a significant proportion of "spam" these days is not an end in itself but simply a means for delivering compromised zombies (e.g. by phishing type links or iframe exploits or whatever) to use for other purposes - the latter are what is worth the money to the bad guys.
(Reply) (Thread)
[User Picture]From: nou
2007-06-15 01:49 pm (UTC)
The thing is, I understand the ones which include JavaScript or HTML. The ones I'm puzzled about are the ones like the example I gave in my post. No JavaScript, no HTML other than a URL which doesn't resolve. (imc's example may well have been munged/filtered by livejournal, but the one I gave wasn't — that was precisely the content that was sent to the CGI handling the form.)
(Reply) (Parent) (Thread) (Expand)
[User Picture]From: natf
2007-06-15 11:32 pm (UTC)
'If our random wibble to you by email does not bounce then it is a valid email address that we can try to phish later!'

Dontcha just hate spam? Unless it is in a wheat-free (in my case) fritter, of course...
(Reply) (Thread)