Hey black hat guys, comments are STILL MODERATED. This is doing you no good. Cut it out.
Posts Tagged ‘Spam Investigations’
Some time back I received a spam email that was blank. This is understandable, actually; probably just someone trying out a list of email addresses. I also got one containing the cryptic text “podmena traffica test”; this turned out also to be a “spoofing traffic test”. Now I’ve got a bit of comment spam, which also seemed mysterious, until I dug into it a bit. From my email:
Anonymous has left a new comment on your post “Why I Write“:
I can not participate now in discussion – it is very occupied. I will be released – I will necessarily express the opinion. [url=DELETED]acheter levitra[/url] This rather good idea is necessary just by the way
Publish this comment.
Reject this comment.
Moderate comments for this blog.
The deleted URL is to a French eBay site; “acheter levitra” is French for “buy Levitra,” which is a brand name of Vardenafil, which is, of course, a Viagra clone. So this is essentially random pseudo-English text with a “buy Viagra” link, depending on the 1% of people who click on such links and the 1% of people who buy to pay for the cost of putting this spam on my blog. Charming.
UPDATE: I got a similar post with a less obvious spam form, targeting one of the more popular pages on my blog (can you say pooound cake?):
“I found this site using [url=http://google.com]google.com[/url] And i want to thank you for your work. You have done really very good site. Great work, great site! Thank you! Sorry for offtopic”
But the [url=XXX]TEXT[/url] pattern was a dead giveaway. A search on Google for [centaur] – SO anyway, a search on Google for that nonsense revealed that the exact text of that comment has appeared elsewhere. So this is just more comment spam, trying to see if comments are unmoderated here.
Comment flattering! But reeejected.
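The two signals used above (BBCode link markup in a comment, and the same text turning up on other sites) can be checked automatically before a comment reaches the moderation queue. The following is an added example, not code from this blog or its platform; the function names, the variant and benign comments, and the idea of keeping a set of fingerprints of previously seen spam are assumptions made for illustration, as is the premise that the comment form does not render BBCode.

```python
import hashlib
import re

# BBCode link markup: [url=TARGET]ANCHOR[/url]. Assumption: the comment form
# does not render BBCode, so its presence suggests a bot posting blind.
BBCODE_URL = re.compile(r"\[url=([^\]\s]*)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)

def extract_bbcode_links(comment):
    """Return (target, anchor_text) pairs for every BBCode link in the comment."""
    return [(m.group(1), m.group(2).strip()) for m in BBCODE_URL.finditer(comment)]

def fingerprint(comment):
    """Hash the comment with links removed, case folded and punctuation dropped.

    Dropping the link lets one template match even when the URL is swapped.
    """
    text = BBCODE_URL.sub(" ", comment).lower()
    words = re.findall(r"[a-z0-9]+", text)
    return hashlib.sha256(" ".join(words).encode("utf-8")).hexdigest()

def triage(comment, seen_fingerprints):
    """Return the reasons to hold a comment; an empty list means no signal."""
    reasons = []
    if extract_bbcode_links(comment):
        reasons.append("bbcode-link")
    if fingerprint(comment) in seen_fingerprints:
        reasons.append("seen-elsewhere")
    return reasons

# The comment quoted in the post above.
SPAM = ("I found this site using [url=http://google.com]google.com[/url] "
        "And i want to thank you for your work. You have done really very "
        "good site. Great work, great site! Thank you! Sorry for offtopic")
# Constructed variant: same template, different link, case and punctuation.
VARIANT = ("i found this site using [url=http://example.com/]example[/url] "
           "and I want to thank you for your work! You have done really very "
           "good site. Great work, great site. Thank you. Sorry for offtopic")
# Constructed benign comment.
BENIGN = "Thanks for the pound cake recipe, it came out great."

if __name__ == "__main__":
    seen = {fingerprint(VARIANT)}  # stands in for a corpus of known spam
    for c in (SPAM, BENIGN):
        print(triage(c, seen), "<-", c[:40])
```

Neither signal is proof on its own; the fingerprint only catches templates already collected, so moderation stays on.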
Recently I’ve been getting a lot of pointless “spam” with a reasonable-sounding subject line but a body that only says “podmena traffica test”. Mysterious, and pointless, from a spam perspective; so I assumed it was some automatic program testing a variety of addresses to see which ones bounced.
Finally I decided to track it down, and while I don’t know for sure, I’ve now heard a good hypothesis:
There seem to be some strange spam emails doing the rounds, with a body text of “podmena traffica test”.. what gives? It makes a bit more sense if you transliterate it into Cyrillic, which leaves you with a Russlish phrase “подмена трафика тест” and that simply translates as “spoofing traffic test”.
Trying to verify his logic: Romanizing “podmena traffica test” gets me “подмена траффица тест”, as predicted, and translating that back to English gets “substitution traffitsa test” which is close enough.
The specifics of the message I’m seeing don’t match the description in that blog post, but it’s enough to make me think that the author has nailed it: it’s a Russian spammer testing out addresses and more importantly web servers.
Mystery solved! Now quit it, spammer guys.
Update: I keep getting this spam. I have now received this spam almost 60 times in the last month, according to Gmail.
… moderation of comments is now ON, spamfiends.
Well, the wiki is down again. Some idiot with a spambot corrupted all the pages – and when I tried to correct them, it appeared like the pages changed back to spam as fast as I corrected them. So it’s down. Up again soon, I hope. If only I’d written down all those cool things Bolot showed me … oh, wait, I did