Posts tagged as “Spam Investigations”

welp, looks like my Facebook got hacked …

centaur 0

And Facebook is a perfect example of customer-service hell in which once one has lost one's account, there's no way to talk to a person who can get this unfucked.

What happened? As best as I can figure, someone attempted to hack my 2-factor authentication last night while I slept - I woke up to a text message from Facebook with a 2-factor authentication code.

What did Facebook do? When I went to check, I was logged out of Facebook on all devices, and I was told that my account was suspended for "not following their rules":

Is this possible? No. Since I rarely post, I'm pretty circumspect, and I primarily use it for Messenger to talk to a few old friends, I'm pretty sure that I wasn't doing anything that violated community standards.

And I sure didn't while I was sleeping.

Is there a way to fix this? No. I tried to follow their procedures, only to find I didn't have a linked auth.oculus.com account, because I didn't have an Oculus. And once you do create such an account, there is no mechanism to appeal a suspension - only this reference in the help files:

But, probably because these folks were trying to hack my account, they likely mucked with the email, so I never got an email from Meta about this - not even in my spam folder.

So the hackers did something bad with your account? Maybe? I can't tell. So, the next attempt is to report the account as compromised. There is a way to do that, which takes you to the following page:

But, since the hackers were likely messing with two-factor authentication and trying to break into the account, we get back to the temporarily blocked state you have above:

Are you sure you were hacked? Pretty sure. The text came in at 2:23am, after I was already asleep.

As a last ditch effort, I remembered I had an open Facebook tab, so I tried to go screenshot it. It quickly logged out, but I got to see, very briefly, my old Facebook page, and could see the last activity was merely me using Messenger to talk to friends.

How could this be fixed? Easily. This is the kind of thing that a customer service representative, looking at the account, can resolve in five minutes flat over chat, just by looking at the calm history followed by a spike of hacked traffic. And it's the responsible thing to do for your customers.

But Facebook doesn't provide access for this - apparently except for business accounts. And, while I'm not happy with a lot of stuff Elon did at Twitter, this makes me more inclined to use services you pay for. X, in contrast, makes it very easy to appeal a decision via an easily findable and accessible form:

https://help.twitter.com/en/managing-your-account/suspended-x-accounts

The bottom line? Someone hacked me while I slept, and a decade plus of Facebook is gone - principally because Meta does not provide basic tools for customer support.

Welp, nothing to do but call Zuck out about it on Xitter ...

-the Centaur

UPDATE: There are forums where people are reporting this issue, and customer support representatives for the Meta Quest are responding. Cross your fingers. But it wasn't at all obvious that this is a solution! We're getting help from people who aren't even support staff for the same product.

UPDATE UPDATE: Nope, never mind, they just redirect you back to the Facebook help center, which as I already confirmed, can't help you.

UPDATE UPDATE UPDATE: Apparently Facebook has someone on Twitter who monitors for just this sort of thing. That is an unorthodox solution, but I've heard of the same thing at the Google. I'll reach out; we'll see. Cross yo fingies ....

UPDATE UPDATE UPDATE UPDATE: Apparently those people on Twitter are not affiliated with Facebook - there's a huge list of people recommending various peeps as people who "helped me" and when you look at those users they don't appear to be affiliated with Facebook. So, no.

I’m so sorry, web …

centaur 0

… I had to install an ad-blocker. Why? Firefox before any ad block:

Screenshot 2016-12-21 21.08.19.png

Firefox after Adblock Plus:

Screenshot 2016-12-21 21.08.55.png

Yep, Firefox was TEN TIMES SLOWER when loading a page with ads, and it stayed that way because the ads kept updating. Just one page with ads brought FF to its knees, and I did the experiment several times to confirm, yes, it indeed was the ads. I don’t know what’s specifically going on here, but I strongly suspect VPAID ads and similar protocols are the culprit, as documented here:

http://techaeris.com/2016/06/14/vpaid-ads-hurting-internet-experience/

… publisher and website owner Artem Russakovskii took to Google+ and The Hacker News to share some of his findings concerning VPAID ads. He shows how VPAID ads can degrade a user’s browser performance:

“… after several minutes of just leaving this one single ad open, I’m at 53MB downloaded and 5559 requests. By the time I finished typing this, I was at 6140 requests. A single ad did this. Without reloading the page, just leaving it open.

A single VPAID ad absolutely demolishes site performance on mobile and desktop, and we, the publishers, get the full blame from our readers. And when multiple VPAID ads end up getting served on the same page… you get the idea."

Similarly, John Gruber reports that a 500-word text article weighed in at 15MB - enough data to hold more than 10 copies of the Bible, according to the Guardian. Gruber links another post which shows that web pages can get more than 5 times faster without all the excess scripts that they load.

The sad thing is, I don’t mind ads. The very first version of my site had fake “ads” for other blogs I liked. Even the site I tested above, the estimable Questionable Content, had ads for other webcomics I liked, but experimentation showed that ads could bring Firefox to its knees. QC I always thought of as ad-lite, but guess it’s time to start contributing via Patreon.

The real problem is news sites. Sites where opening a simple story kept locking up Firefox and twice brought down my whole computer by draining the battery incredibly fast. I don’t care what you think your metrics are telling you, folks: if you pop up an overview so I can’t see your page, and start running a dozen ads that kill my computer, I will adblock you, or just stop going to your site, and many, many other people across the world are doing the same.

We need standards of excellence in content that say 2/3 of a page will be devoted to content and that ads can add no more than 50% to the bandwidth downloaded by a page. Hell, make it only 1/3 content and 100% extra bandwidth - that will be almost 100% more content than a page totally destroyed by popup ads and almost 3000% less data than one bloated by 10 copies of the Old Testament in the form of redundant ads for products I will either never buy or, worse, have already bought.

-the Centaur

Obfuscated

centaur 0

Screenshot 2016-03-05 15.03.58.png

Yeah, that goop someone injected into my Dakota Frost site doesn’t look suspicious at all.

(In case you’re not a programmer, healthy code doesn’t look like that. This code has been munged and rewritten so it’s almost impossible to see what it does. Not that I care - I just deleted it. But it makes it hard for someone who needs to debug it, in the cases where you need to debug it.)

Sheesh. Get off my lawn. Still cleaning things up. More in a bit.

-the Centaur

So it was a hacked .htaccess…

centaur 0

hacked-htaccess.png

So, the Dakota Frost site got hacked. May still be hacked, for all I know, because I just found and eliminated only one error, and I still haven’t found out how they got in. Of course, I changed all my passwords everywhere else first before logging into the site, confirming no-one had hacked the user accounts, and then downloading all the code for some forensics.

But what was peculiar was that, even though I could clearly see evidence of hackery thanks to the very nice, publicly available Webmaster tools at the Google, I could not see any difference between the live site and my previous backup except for the addition of the Akismet spam filter, which I’m pretty sure I did myself.

Then I found it, when I detected a strange file named kgcakmhg.php. Tracing it back, in the root of the HTML directory, someone had modified files back in February - first to point the .htaccess to a strange file named baccus-contextually.php, which called the weirdly named file and also relied on changes to the style directory. No changes to the blog code were necessary - everything was being rewritten before it got there.

Removing those files? Easy. Site’s back to normal … I guess. Closing the open barn door? Uh … harder. Since I don’t know which door they came through.

Off to do more debugging …

-the Centaur
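The two posts above describe the same forensic routine by hand: diff the live site against the last clean backup, look for files that should not be there, read the .htaccess for rewrites that route requests through a dropped PHP file, and recognise "goop" (eval over an encoded blob) when you see it. The script below automates that triage. It is an added example and not the blog's own code or a WordPress tool; the web root it scans is a constructed sample whose file names mirror the post but whose contents are made up (the encoded string decodes to harmless filler), and the directive and function-name lists are assumptions a defender would tune for their own site.

```python
import math
import os
import re
import tempfile
from collections import Counter

# .htaccess directives an intruder typically abuses to route every request
# through a dropped PHP file or to prepend code to every script (assumed list).
HTACCESS_PATTERNS = [
    re.compile(r"^\s*Rewrite(Rule|Cond)\b.*\.php", re.I),
    re.compile(r"^\s*php_(value|flag)\s+auto_(prepend|append)_file", re.I),
    re.compile(r"^\s*AddHandler\b", re.I),
    re.compile(r"^\s*ErrorDocument\s+\d+\s+\S*\.php", re.I),
]

# Calls that mean little on their own but, next to an encoded blob, are the
# classic shape of obfuscated injected PHP (assumed list).
OBFUSCATION_TOKENS = ("eval(", "base64_decode(", "gzinflate(", "gzuncompress(",
                      "str_rot13(", "assert(", "create_function(")

# Constructed sample web root: names mirror the post, contents are invented.
# "QUJD" repeated decodes to "ABC" filler, not a payload.
SAMPLE_FILES = {
    "index.php": "<?php\n// front controller (constructed sample)\n"
                 "require 'wp-blog-header.php';\n",
    ".htaccess": "RewriteEngine On\n"
                 "RewriteRule ^(.*)$ baccus-contextually.php [L]\n",
    "baccus-contextually.php": "<?php\ninclude 'kgcakmhg.php';\n",
    "kgcakmhg.php": "<?php eval(base64_decode('" + "QUJD" * 30 + "')); ?>\n",
}
# Relative paths that the last known-good backup contains (constructed).
BASELINE = {"index.php", ".htaccess"}


def build_sample_site():
    """Write the constructed sample files into a fresh temp dir and return it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def suspicious_htaccess_lines(text):
    """Return the .htaccess lines that match any abuse pattern (triage leads,
    not verdicts: a legitimate front-controller rewrite also hits)."""
    return [line.rstrip() for line in text.splitlines()
            if any(p.search(line) for p in HTACCESS_PATTERNS)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encoded or packed blobs sit well above plain source."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def obfuscation_indicators(source: str) -> list:
    """List the reasons a PHP source looks obfuscated; empty means clean."""
    reasons = [tok for tok in OBFUSCATION_TOKENS if tok in source]
    # A long string literal made only of base64 characters is a strong hint.
    if re.search(r"['\"][A-Za-z0-9+/=]{80,}['\"]", source):
        reasons.append("long base64-like literal")
    if shannon_entropy(source.encode()) > 5.2:
        reasons.append("high entropy")
    return reasons


def scan_webroot(root, baseline):
    """Compare a web root with the backup's file list and collect what a
    defender should read first: new files, rewrites, obfuscated PHP."""
    findings = {"unexpected_files": [], "htaccess_hits": [], "obfuscated_php": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel not in baseline:
                findings["unexpected_files"].append(rel)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                for line in suspicious_htaccess_lines(text):
                    findings["htaccess_hits"].append((rel, line))
            elif name.endswith(".php"):
                reasons = obfuscation_indicators(text)
                if reasons:
                    findings["obfuscated_php"].append((rel, reasons))
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for key, items in scan_webroot(build_sample_site(), BASELINE).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against a real site, the baseline set comes from listing the backup, and the interesting output is the intersection: a file that is both absent from the backup and referenced from a rewrite is the one to pull for analysis. As the post notes, this tells you what was changed, not how the intruder got in; file modification times narrow the window but the entry point still has to come from access logs.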

So, dakotafrost.com has been hacked

centaur 0

20160304_185447.jpg

So, yeah. I’ve lost sites to hacks before - the wiki on dresan.net, which I barely used - but those were obvious. This one is a subtle hack, not immediately visible, detected by the supercomputers at the Google. Will take a bit of effort to work this one out.

You see disruption here, you know why.

Sigh.

-the Centaur

Is Spam out of Control?

centaur 1
I don't know, you tell me. According to reports, somewhere between 75% and 90% of all email is spam, and if I read the numbers right, over 99.5% of all comments on this rather minor blog are spam. Yeah. That's extraordinary. That beats it all. -the Centaur

The Spammers Are Getting Snarky

centaur 0
They've tried flattery, they've tried clever links ... now they're trying humiliation:
The following time I read a blog, I hope that it doesnt disappoint me as much as this one. I mean, I do know it was my option to read, but I really thought youd have something fascinating to say. All I hear is a bunch of whining about one thing that you would fix in case you werent too busy in search of attention.
Too bad this comment was posted on an image ATTACHMENT. :-P So there was no whining to comment on. Even if I follow the comment back to the article, it was about the importance of not whining when things go bad and moving on with your life. Tracing back the link revealed that no, there was no real person behind this: there was an apparently fake blog that was actually an invitation to some kind of ad network. Apparently they keyword matched the text of my article with the comment in an attempt to get some attention. So: nice try, but bad spammer, no backlink.

-the Centaur

In more detail, my methodology: my moderation software asked me about this comment. The comment was not obviously related to an article and was badly written, so I drilled through to the referenced post and found it was an attachment. It's entirely possible that someone clicked on the parent article, which did reference whining, then clicked on an attachment in an attempt to post an irritated comment. But the person's email address was for an ad network, the linked-to blog seemed to have unrelated articles, and on my second visit to the blog the ad network tried to take over my whole screen (yay Google Chrome for saving me!). People don't generally have email addresses that are the same as spam networks, so I classified the comment as spam. It was a new kind of spam, so I'm posting about it.

UPDATE: Ooo, ooo, I forgot the best part of the methodology: do a search for a long phrase in the spam to see how often it appears on the internet. You can't do too long - the spammer may be using software that introduces slight word variations - but if it's long enough to be unique and it still shows up everywhere, you're virtually guaranteed the comment is spam. I don't care how repetitive a commenter is, nobody is going to write "The following time I read a blog, I hope that it doesnt disappoint me as much as this one" on "About 847,000" pages, according to Google.

We Heed Not Flatterers…

centaur 0
... especially the spammy kind. Let's do a little naturalistic analysis, a little data collecting, shall we?
  • Maintain up the beneficial work mate. This website publish shows how well you comprehend and know this subject.
    -Mr. "Traffic Generation Promotion"
  • I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success.
    -Mrs. "How Men Date"
  • hi very good blog here, you can list it on our site for more views
    -Mr. "Ads Classifieds"
  • This is a really good read for me, Must admit that you are one of the best bloggers I ever saw.Thanks for posting this informative article.
    -Miss "Belly Fat Burner"
  • Unbelievable, that’s exactly what I was seeking for! You just saved me alot of work
    -Sir "Miles the Car Guy"
  • I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success.
    -Ms. "Refinance Loan"
What are the keys? Lack of grammatical or logical sense, not apropos to the articles, text repeated over and over again from different posters, names that are obvious commercial scams, sites that are obvious commercial scams ... and some that are bizarre cries for help from deep within The Algorithm:
Why did you remove my post… My post was actually useful unlike most of these comments. Ill post it again. Hiya guys, I spottet a great way to make a lot of money online creating blogs. I expect this is primaraly for the website admin but there are probably alot more bloggers reading this. I have already made thousands using the techniques detailed in the product and it has only been 2 months.
Now, there are some that aren't bad ... almost close enough to get you ... again, if they didn't show up again and again, and weren't posted by "Mister Cheap Free Viagra Guy" at iscamu@suckers.com. Sigh. Fortunately a friend of mine out here for the Rush concert is a WordPress blogger and keyed me in that I hadn't enabled Akismet, WordPress's built-in comment spam fighting plugin. Doing that now...

-the Centaur

P.S. What really gets me is that these spam comments are arriving at the blog of someone who actually studies spam. I know The Algorithm doesn't know that, but still...

Comments … STILL Moderated

centaur 0
Um, automatic robot gang, I just have to tell you: the following scheme doesn't work well for comment spam:
Hi! Just checkd out your site! Keep up teh good information. Very nice work? Do it youself?! Very relevant to me, we also have a community with theme similar on similar information. Is Blogger the WordPress? Ima Spammer http://cheapfreeviagra.malware.org/
Especially if there's no relationship between the salsa of text and the post. I mean, come on, if you're going to comment on my WordPress theme don't do it on the Pound Cake Alchemy post. 8 more spammy comments ... marked as spam. -the Centaur

Anonymous Commenting Disabled

centaur 0
who gave me this dang thing

Sorry, commenters, but the signal-to-noise ratio of anonymous comments was approaching zero. :-( It was getting to the point I almost rejected some real though short comments because they were looking like the spam comments I was getting - I apologize if I dinged a real person by accident. But when you don't know who's sending a gift, you never know what's inside the wrapper.

-the Centaur

Pictured is my cousin Bryan Norman, receiving a joke gift of a mailbox at last Christmas's White Elephant gift exchange - though I dispute the Wikipedia article, I lived 38 years in the Southeastern United States and never heard it called a "Yankee swap" - always "White Elephant" or the less-politically-correct "Chinese Christmas".

Spam comments: the new black.

centaur 0
Hey black hat guys, comments are STILL MODERATED. This is doing you no good. Cut it out.

Latest Spam WTF

centaur 0
Some time back I received a spam email that was blank. This is understandable, actually; probably just someone trying out a list of email addresses. I also got one containing the cryptic text "podmena traffica test"; this turned out also to be a "spoofing traffic test". Now I've got a bit of comment spam, which also seemed mysterious, until I dug into it a bit. From my email:

Anonymous has left a new comment on your post "Why I Write":

I can not participate now in discussion - it is very occupied. I will be released - I will necessarily express the opinion. [url=DELETED]acheter levitra[/url] This rather good idea is necessary just by the way

Publish this comment.

Reject this comment.

Moderate comments for this blog.

The deleted URL is to a French eBay site, "acheter levitra" is French for "buy Levitra," which is a brand name of Vardenafil, which is, of course, a Viagra clone. So this is essentially random pseudo-English text with a "buy Viagra" link, depending on the 1% of people who click on such links and the 1% of people who buy to pay for the cost of putting this spam on my blog. Charming.

Comment reeejected.

-the Centaur

UPDATE: I got a similar post with a less obvious spam form, targeting one of the more popular pages on my blog (can you say pooound cake?):
"I found this site using [url=http://google.com]google.com[/url] And i want to thank you for your work. You have done really very good site. Great work, great site! Thank you! Sorry for offtopic"

But the [url=XXX]TEXT[/url] pattern was a dead giveaway. A search on Google for ["[url=http://google.com]google.com[/url]"] - note that's the '[url.../url]' thing in double quotes; the outermost brackets are the syntax you use to indicate a chunk of text is a query, like [centaur] - SO anyway, a search on Google for that nonsense revealed that the exact text of that comment has appeared elsewhere. So this is just more comment spam, trying to see if comments are unmoderated here.

Comment flattering! But reeejected.
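The tells listed in "We Heed Not Flatterers" and in the update above (the [url=...]...[/url] pattern, display names and addresses that are plainly commercial, and the same text reappearing under different posters with small word changes) can all be checked locally over a moderation queue before anything is clicked. The script below is an added example, not the blog's code and not Akismet; the comment texts are the ones quoted on this page, while the names and e-mail addresses are constructed, the second copy of the flattery is altered by a couple of words to show the comparison tolerating the variations the author mentions, the keyword list is an assumption, and a word 3-gram overlap across the queue stands in for the author's web search for a long phrase.

```python
import re

# [url=TARGET]ANCHOR[/url], the BBCode form the post calls a dead giveaway.
BBCODE_URL = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.I | re.S)

# Assumed list of words that mark a commercial identity or link; extend it.
COMMERCIAL_TERMS = ("viagra", "levitra", "loan", "refinance", "traffic",
                    "classifieds", "promo", "fat burner", "seo", "ads")

# Constructed moderation queue: texts quoted from the page, identities made up.
SAMPLE_COMMENTS = [
    {"name": "How Men Date", "email": "promo@howmendate.example",
     "text": "I can see that you are an expert at your field! I am launching a "
             "website soon, and your information will be very useful for me.. "
             "Thanks for all your help and wishing you all the success."},
    {"name": "Refinance Loan", "email": "offers@refinance-loan.example",
     "text": "I can see that you are an expert at your field! I am launching a "
             "web site soon and your information will be very useful to me. "
             "Thanks for all your help and wishing you all the success."},
    {"name": "Anonymous", "email": "anon@example.net",
     "text": "I can not participate now in discussion - it is very occupied. "
             "[url=http://example.invalid/shop]acheter levitra[/url] "
             "This rather good idea is necessary just by the way"},
    {"name": "Bryan", "email": "bryan@example.org",
     "text": "Loved the pound cake recipe, the brown butter step made all the "
             "difference. Thanks!"},
]


def bbcode_links(text):
    """Return (target, anchor) pairs for every BBCode link in the text."""
    return [(m.group(1), m.group(2)) for m in BBCODE_URL.finditer(text)]


def normalize(text):
    """Lower-case word list with punctuation dropped, so 'me..' equals 'me'."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def shingles(text, k=3):
    """Set of word k-grams; small edits change only the k-grams touching them."""
    words = normalize(text)
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def triage(comments, threshold=0.5):
    """One reason list per comment; an empty list means no tell fired."""
    sets = [shingles(c["text"]) for c in comments]
    verdicts = []
    for i, c in enumerate(comments):
        reasons = []
        identity = (c["name"] + " " + c["email"]).lower()
        if any(t in identity for t in COMMERCIAL_TERMS):
            reasons.append("commercial identity")
        links = bbcode_links(c["text"])
        if links:
            reasons.append("bbcode link")
            if any(t in (target + " " + anchor).lower()
                   for target, anchor in links for t in COMMERCIAL_TERMS):
                reasons.append("commercial link")
        # The same text from a different poster is the page's strongest tell.
        if any(j != i and comments[j]["email"] != c["email"]
               and jaccard(sets[i], sets[j]) >= threshold
               for j in range(len(comments))):
            reasons.append("text reused by another poster")
        verdicts.append(reasons)
    return verdicts


if __name__ == "__main__":
    for comment, reasons in zip(SAMPLE_COMMENTS, triage(SAMPLE_COMMENTS)):
        print(comment["name"], "->", reasons or "no tells")
```

None of these signals is a verdict on its own: the genuine reader in the sample trips nothing, the flattery pair is caught only because two identities share one text, and the BBCode comment is caught by the link even though its identity is bland. Reading the reasons together is the same judgement the posts describe, just applied to the whole queue at once.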

Podmena Traffica Test?

centaur 0
Recently I've been getting a lot of pointless "spam" with a reasonable sounding subject line but a body that only says "podmena traffica test". Mysterious, and pointless, from a spam perspective; so I assumed it was some automatic program testing a variety of addresses to see which ones bounced.

Finally I decided to track it down, and while I don't know for sure I've now heard a good hypothesis:

There seem to be some strange spam emails doing the rounds, with a body text of "podmena traffica test".. what gives? It makes a bit more sense if you transliterate it into Cyrillic, which leaves you with a Russlish phrase "подмена трафика тест" and that simply translates as "spoofing traffic test".

Trying to verify his logic: Romanizing "podmena traffica test" gets me "подмена траффица тест", as predicted, and translating that back to English gets "substitution traffitsa test" which is close enough.

The specifics of the message I'm seeing don't match the description in that blog post, but it's enough to make me think that the author has nailed it: it's a Russian spammer testing out addresses and more importantly web servers.

Mystery solved! Now quit it, spammer guys.
-the Centaur
Update: I keep getting this spam. I have now received this spam almost 60 times in the last month, according to Gmail.

Ok wiseguys…

centaur 0
... moderation of comments is now ON, spamfiends.

-the Centaur

Wiki Hacked Again

centaur 0
Well, the wiki is down again. Some idiot with a spambot corrupted all the pages - and when I tried to correct them, it appeared like the pages changed back to spam as fast as I corrected them. So it's down. Up again soon, I hope. If only I'd written down all those cool things Bolot showed me ... oh, wait, I did :-)

-Anthony