Saturday, October 21, 2006

Email Harvesters

Tasty Research has a post about some interesting data from Project Honey Pot. He describes two different types of email harvesters, hucksters and fraudsters, and how they differ in their spamming styles.

  • posted by JoeC @ 2:10 PM 0 comments

    • Wednesday, October 11, 2006

    \81 Spim

    I don't get on instant message services very often, but I have had accounts on the big ones for years. Because I am not online all the time I am able to avoid most Spim. But today when I logged in with Miranda, I got a spam IM on my Yahoo account. If you look at the source of the message, the URL is written as:
    h\81t\81t\81p://chat-detectives.c\81o\81\m
    While that isn't a clickable link, it likely would get through some spim filters. And if displayed as intended, it would be easy to retype. Luckily copying it doesn't result in a good URL in either IE or Firefox. I was able to see the extra characters (as boxes) but I assume they disappear if you use the official client.

    Here is today's spim by chatdetectives.com_ab43 as I assume is meant to appear:
    THIS IS A GREAT SITE! http://chat-detectives.com
    And just about 30 days ago I got this from chat_detectives_agent_yrm:
    Ever wondered what your significant other does online when you aren't around? Would they flirt with other people or even cheat if given the right opportunity? Mine did... Wanna find out just how faithful they would be in the face of temptation? http://chat-detectives.com
    It does appear hidden in Firefox, but not in IE.

    This certainly isn't news to those following spim, but to me these two instant message spams make up a large percentage of the spim I have ever received. I wonder what other forms of spam \81 could be used in.

  • posted by JoeC @ 4:06 AM 0 comments

    • Monday, October 09, 2006

    Forum Spam with Images

    I was just visiting The Extensions Mirror and found two interesting posts on their forum. I assume both will be gone pretty soon, but for now they are:In case they are cleaned by the time you read this you can also see the movie post here. The car post can be seen here as well. All these were posted in the last few days by "carpost."

    The movie spam use lots of movie review text which is usually meant to add to the page's relevancy in linking to the spammer's site with topical text. The movie one "borrows" images and bandwidth from several places which aren't connected to the spammer such as AllPosters.com. With the poor quality of the post and over abundance of topical text stolen from blogcritics.org and rollingstone.com's reviews of one of the movies the images correspond to, I must conclude that he is mainly attempting to trick search engines.

    The second post gets its car image from the site linked in the forum spam and does not borrow its text (a long list of keywords) from elsewhere. Since I saw this one first, it made me wonder if the spammer was using the image as a traffic gauge. Incoming referrers can already tell him how many people came from the sites he spammed (hopefully none), but image views would also tell him how many people actually looked at his posts. With this he could determine which spams were more successful on humans and fine tune his future spams. But since the other does not really fit that use and the quality of the posts is not likely to draw humans, that conclusion doesn't make a lot of sense.

    So why the images then? I can think of several other possible reasons:
    1. Images with file names relevant to the post could add to the relevance of the links to his page. That is ruled out since the file names are totally random.

    2. Images in the post may disguise it from moderators looking to delete spam. That could be a motivation, but wouldn't be very successful since the rest of the post is so spammy.

    3. He is after human hits and by sprucing up his posts he hopes to get more visitors. A possibility, but not likely since other than images the posts are clearly targeted at spiders.

    4. He doesn't really know what he is doing and is attempting to target both search engines and humans with the same spam. Likely.
    Visiting the car site, car-post.net, you will see it consists a forum and a blog. The forum is full of what looks like forum spam posted by carpost, morgan richh (familiar names), meedia4, and denzel89. But since it is his own site and he put it there I guess we can't call it spam. The blog however has little content, but what it does have is "repurposed" from autoblog.com that was formerly copyrighted by Weblogs, Inc. and is now somehow under the Creative Commons Attribution license.

    The movie site, snaph4.com, is totally different. It is an intro page to Fast Movie Downloads and links to fastmoviedownloads.com which has the same exact content. For further connection between sites (and in case the "mirrors" above disappear), you can see the movie site spam in the car site's forum.

    The whois info does not seem to indicate any connection between sites. I did find it unusual that the IP address snaph4.com is hosted on has 3,856 other sites on it though.

    A bit of Googling for the less familiar names I found above lead me to a more examples of their posting habits that go back to at least late August using one or both of those names. Here are a small number of them:

    Keira Knightley forumHPC.net ForumsThe DJ Cafebettyslist.comDigging through those, I ran across some apartment pages hosted on the car site which at the bottom say "website designed by ®snap4.com". Not that we really needed more proof of connection between them. Most if not all of the posts contained images and often the posts mixed topics, movies, cars, and housing.

  • posted by JoeC @ 2:25 PM 0 comments