Wednesday 26 July 2006
More about comment spam
Recently I started getting a new style of spam, and I can’t for the life of me figure out why anyone would bother. The web site URL is gibberish, and the comment itself includes two links to web sites which are gibberish:
name: Austin
email: chad(at)pochta(dot)com
website: http://rdrritkk.com/wclp/fqqe.html
remote_addr: 218.75.87.37
Thank you!
http://rdrritkk.com/wclp/fqqe.html | http://ydjkxpiu.com/dymt/phzj.html
Not only is there no site at those two domain names, they aren’t even registered. I thought, maybe they’re trying to get some Google juice for the domains before registering, and then they’ll register the ones that do well. But of course Google won’t index sites that don’t exist, and there isn’t even any content in the comment for Google to index. It’s a content-less pointer to nowhere. If they mentioned Xanax or something, then maybe there’s a way it would help the spammers, but there’s nothing here.
The spams come in bunches, with different random domain names. Any theories? What’s the point?
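A detection heuristic for the pattern described above, added here as an example and not code from the original post: it scores a comment record in the name/website/remote_addr/body shape shown, using the three traits the post notes (random-looking domain labels, the website URL repeated in the body, and a body that is nothing but links plus filler). The sample records and the thresholds are constructed assumptions; a DNS or registration lookup would be a stronger signal for "domain does not exist" but needs network access, so it is left out.

```python
import re
from urllib.parse import urlparse

# Constructed sample records in the shape the post shows; not real submissions.
SAMPLE_COMMENTS = [
    {"name": "Austin", "website": "http://rdrritkk.com/wclp/fqqe.html",
     "remote_addr": "192.0.2.7",
     "body": "Thank you!\nhttp://rdrritkk.com/wclp/fqqe.html | http://ydjkxpiu.com/dymt/phzj.html"},
    {"name": "Reader", "website": "http://example.com/",
     "remote_addr": "192.0.2.10",
     "body": "I saw the same thing on my WordPress blog last week; see http://example.com/post for my notes."},
]

URL_RE = re.compile(r"""https?://[^\s|<>"']+""")
VOWELS = set("aeiou")

def looks_random(label):
    """Crude 'machine-generated' test for a domain label (assumed thresholds):
    very few vowels, or a long consonant run, e.g. 'rdrritkk' or 'ydjkxpiu'."""
    label = label.lower()
    if len(label) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5

def domain_label(url):
    """Second-level label of the URL's host: 'http://rdrritkk.com/x' -> 'rdrritkk'."""
    host = urlparse(url).hostname or ""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def spam_signals(comment):
    """Return the list of traits from the post that this comment exhibits."""
    urls = URL_RE.findall(comment["body"])
    signals = []
    if any(looks_random(domain_label(u)) for u in urls):
        signals.append("random-looking domain")
    if comment.get("website") and comment["website"] in urls:
        signals.append("website repeated in body")
    residue = URL_RE.sub("", comment["body"]).strip()
    if urls and len(residue) < 30:          # nothing left once the links are removed
        signals.append("body is only links plus filler")
    return signals

def is_gibberish_link_spam(comment):
    """Flag when at least two of the three traits co-occur (assumed threshold)."""
    return len(spam_signals(comment)) >= 2

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(c["name"], is_gibberish_link_spam(c), spam_signals(c))
```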
Comments
That theory doesn't make too much sense though. Why go to all the trouble of posting test messages that are empty? Why not just post real spam and not bother trying to confirm if it worked?
Hmm...
Gits.
1) blacklist poisoning
2) testing to see if it gets filtered or deleted. If not come back with real spam later.
2. Bayesian filter whitening
3. Email address existence checking
As far as good guesses go, noise generation is more credible than susceptibility testing IMHO, mostly because they could test with real spam. If they are trying to stay out of blacklists while testing, then it could also be considered a somewhat noise-based behavior.
Add this nonsense to Spamlent Green's attempts and you get fuzzing spambots (which do exist, I believe).
Another possibility is research. Use this kind of thing to test out the reach of a botnet or some such, using urls that can be searched for without getting a lot of false hits. Might be prelude to some more serious kind of co-ordinated attack.
Either way, makes me wonder who might be behind it. I've heard that servers in Israel have already detected intrusion attempts by Hezbollah.
Also ... I have found some kind of hashes in messages ... that look like md5 hashes for instance.
Has anyone had any success filtering these kinds of comments? I have now programmed a feature to have a maximum number of comments from 1 IP address per hour ... but the spam seems to be coming from a dozen different IP addresses ... so that will only work a bit.