Nonsensical spam

Wednesday 26 July 2006

More about comment spam: Recently I started getting a new style of spam, and I can't for the life of me figure out why anyone would bother. The web site URL is gibberish, and the comment itself includes two links to web sites which are gibberish:

name: Austin
email: chad(at)pochta(dot)com
website: http://rdrritkk.com/wclp/fqqe.html
remote_addr: 218.75.87.37

Thank you!
http://rdrritkk.com/wclp/fqqe.html | http://ydjkxpiu.com/dymt/phzj.html

Not only is there no site at those two domain names, they aren't even registered. I thought, maybe they're trying to get some Google juice for the domains before registering, and then they'll register the ones that do well. But of course Google won't index sites that don't exist, and there isn't even any content in the comment for Google to index. It's a content-less pointer to nowhere. If they mentioned Xanax or something, then maybe there's a way it would help the spammers, but there's nothing here.

The spams come in bunches, with different random domain names. Any theories? What's the point?

Comments

[gravatar]
Dave 8:49 AM on 26 Jul 2006

Maybe they are "pings" -- used to determine whether or not your blog system filters out such stuff. If the comments show up, the spammers will send real spam next time.

That theory doesn't make too much sense though. Why go to all the trouble of posting test messages that are empty? Why not just post real spam and not bother trying to confirm if it worked?

Hmm...

[gravatar]
masukomi 9:42 AM on 26 Jul 2006

i'm sure someone's probably already suggested this but it could just be encoded information for people who know to look here. Like anonymous non-sensical classified ads in newspapers. A great way to send your secret message without any direct connection between you and the receiver.

[gravatar]
Simon Brunning 9:51 AM on 26 Jul 2006

I get these too. It occured to me that they might be trying to overwhelm blacklist based anti-spam software, so that thier real spam doesn't get blocked so often.

Gits.

[gravatar]
Darryl 10:59 AM on 26 Jul 2006

Two guesses:

1) blacklist poisoning
2) testing to see if it gets filtered or deleted. If not come back with real spam later.

[gravatar]
JohnMc 12:37 PM on 26 Jul 2006

Darryl has the right mindset. I have helped a few people set up some blogs with comments and filters. Some filters are dynamic and if a mass of nondefined roots show up the whole comment system bogs down. Utlimately the blogger has a choice, forego comments or live with the spam and hate mail. Neither is a great choice.

[gravatar]
Justin 5:40 PM on 26 Jul 2006

1. Blacklist poisoning
2. Bayesian filter whitening
3. Email address existence checking

[gravatar]
daniel 6:28 PM on 26 Jul 2006

Maybe spam/malware programs also have alpha stages... or even 'subtle' bugs ;-)

As far as good guesses go, noise generation is more credible than susceptibility testing IMHO, mostly because they could test with real spam. If they are trying to stay out of blacklists while testing, then it could also be considered a somewhat noise-based behavior.

Add this nonsense to Spamlent Green's attempts and you get fuzzing spambots (which do exist, I believe).

[gravatar]
Kyle Bennett 3:47 PM on 27 Jul 2006

I lean toward the steganography angle, as mosukomi says.

Another possibility is research. Use this kind of thing to test out the reach of a botnet or some such, using urls that can be searched for without getting a lot of false hits. Might be prelude to some more serious kind of co-ordinated attack.

Either way, makes me wonder who might be behind it. I've heard that servers in Israel have already detected intrusion attempts by Hezbollah.

[gravatar]
Gerrit van H 2:31 PM on 7 Aug 2006

Very strange indeed ... as a webdeveloper ... I have now come accross a few of my sites who have been "spammed" with these kinds of comments. Also a website that had "V*agr*" "C*al*s" and the like ... but nonsense for the rest.

Also ... i have found some kind of hashes in messages ... that look like md5 hashes for instance.

Has anyone had any success filtering these kinds of comments? I have now programmed a feature to have a maximum number of comments from 1 IP address per hour ... but the spam seems to be coming from a dozen different IP addresses ... so that will only work a bit.

Add a comment:

name
email
Ignore this:
not displayed and no spam.
Leave this empty:
www
not searched.
 
Name and either email or www are required.
Don't put anything here:
Leave this empty:
URLs auto-link and some tags are allowed: <a><b><i><p><br><pre>.