Tuesday, December 16, 2008

Honeypot Wiki Down

My host disabled my account due to performance issues with my MySQL queries. I presumed it had to be the wiki so I took it partially down. It was actually probably my backup job that was causing the problem though, I set it up when the wiki was small. My honeypot wiki's database is now 2.16 GB of data. I hadn't cleaned the wiki in a very long time (almost two years it seems). All that spam can take up a lot of space, but I don't see how it could be that huge.

I haven't taken the time to analyze or do anything with the data. If anyone wants it, let me know. It should be pretty much clean from actual data, the wiki never had much real content. I have 363 users (nearly all spammers) and it looks like 73,863 revisions. It has been collecting spam from January 2006 to December 2008 and should be useful for something. I hate to have it down so I will probably start over with a new database, I am sure the spammers won't mind starting over.

Thursday, February 14, 2008

The Many Anna Kravcovas

Its been a long time since I posted here. I still do some antispam stuff, but not nearly like I used to. I still report spammers when I see them of course, but as you can guess from this post, my current hobby is photography. Much more fun than endlessly fighting spammers.

I am sure it will be gone soon since Flickr is pretty responsive to spam reports, but I ran across a spammer hitting photo pages. "She" left two identical comments today on a friend's photo from two different Flickr accounts. If not for that stupid mistake, I might not have noticed. The comment does not link to her webpage, you must retype the URL so it can sneak past spam filters.

Anna.Kravcova.447.
Anna.Kravcova.549.

Those two accounts will probably be removed soon since I reported the spam, but you can see a seemingly already removed but cached copy of the same spam on the mobile version of Flickr from 4 weeks ago from Ann.Kravcova.1988. Or on a republished Flickr page by Ann.Kravcova.2008 here. The spam is gone from the actual Flickr page there too.

Her comments:
Good photo! ;) I want meet you! See my photos here gumble.110mb.com
Of course, a Google search shows a few more.

Searching for gumble.110mb.com lead me to this photo where, Anna 475 and 476 posted three comments at the same time. Here is another where AnnaKravcova posted. Google currently shows 39 other hits on Flickr, but Google's estimate for the search is 1,500 results. I wonder if that many have been removed already, Google's estimate usually isn't that far off.

And another Google of Ann.Kravcova shows a bunch more. In January, Ann 1986 (who is no longer on Flickr) posted:
Cool photo! I want to meet you :) See my photos here: annkravc.h17.ru
Both sites were Anna says she has her photos just show her one photo and a link to a dating service to "meet beautiful Russian Ladies interested in getting in touch with overseas Men."

Update Feb 15: Thanks to Travis, I found a whole lot more Annas. He found 101 a few hours ago, now there are 88. So Flickr is getting a few of them.

And here is Anna's Facebook page.

Labels: , , ,


Thursday, January 18, 2007

First CAN-SPAM Conviction

The Mercury News has an article on a spammer facing up to 101 years. He was found guilty of phishing spam (thanks to the CAN-SPAM act), wire fraud, and a bunch of other stuff. Sounds like he got off easy.

Tuesday, January 16, 2007

Honeypot Cleaning

Its been a long time since I cleaned out my spam trap wiki. The main page is not even usable anymore. It and one other page have reached two megabytes. Even if everyone was on high speed internet, that is not good for a start page.

The last time I cleaned the wiki was August 5. For a small infrequently used wiki that amount of time is not really that unusual. Back in August I had to clean 27 pages. This time it looks like I cleaned 36 pages. You really must use some kind of spam protection if you want a usable wiki. Spammers created some really stupid pages, my favorite is:
Guestbook Spam Collection/mw/mw/wiki/Talk:Guestbook Spam Collection/wiki/Talk:Guestbook Spam Collection/mw/mw/wiki/Talk:Guestbook Spam Collection/mw/index.php

Spam on my Google Spam page started off slow, only five spams for nearly four months, then near the end of November someone from 81.177.14.26 started hammering my wiki. Up until November 22, that IP address had hit me six times; after that it hit various pages 336 times until January 15.
  1. (hist) Google Spam (2,098,046 bytes)
  2. (hist) Main Page (2,097,958 bytes)
  3. (hist) Guestbook Spammers/mw/index.php (1,227,992 bytes)
  4. (hist) Guestbook Spam Collection (78,014 bytes)
  5. (hist) My spam blacklist (38,568 bytes)
  6. (hist) Spam (32,691 bytes)
  7. (hist) First Spam (28,572 bytes)
  8. (hist) Spam Caught Here (27,533 bytes)
  9. (hist) Test (27,023 bytes)
  10. (hist) Interesting Searches (24,794 bytes)
  1. Main Page (427 revisions)
  2. Google Spam (142 revisions)
  3. Test (110 revisions)
  4. CSS Hidden Spam (97 revisions)
  5. Guestbook Spammers/mw/index.php (68 revisions)
  6. Wiki Spam Collection (66 revisions)
  7. My spam blacklist (39 revisions)
  8. Suggestions (29 revisions)
  9. Spam Caught Here (22 revisions)
  10. First Spam (18 revisions)
  1. Main Page (7,851 views)
  2. CSS Hidden Spam (3,010 views)
  3. Wiki Spam Collection (2,598 views)
  4. Test (2,449 views)
  5. Guestbook Spam Collection (2,419 views)
  6. Google Spam (1,870 views)
  7. My spam blacklist (1,273 views)
  8. Suggestions (1,173 views)
  9. Spam Caught Here (753 views)
  10. First Spam (742 views)

Tuesday, December 19, 2006

5 Things You Didn't Know About JoeChongq

Spamhuntress tagged me in the ongoing blog tag meme. Not being a big fan of meme's I am upping the ante (perhapses in an attempt to kill it off). Rather than just a simple five unknown facts about you, I say they must all rhyme. Here are mine:

1. I have a frog.
2. I do not have a dog.
3. I do not drink eggnog.
4. This site was my first blog.
5. I live in a city without smog.

For assistance, see rhymer.com. You will need it Manni, John, and Dirk. You have been tagged. Oh, and anyone else reading this, your tagged too. >;-p

Saturday, October 21, 2006

Email Harvesters

Tasty Research has a post about some interesting data from Project Honey Pot. He describes two different types of email harvesters, hucksters and fraudsters, and how they differ in their spamming styles.

Wednesday, October 11, 2006

\81 Spim

I don't get on instant message services very often, but I have had accounts on the big ones for years. Because I am not online all the time I am able to avoid most Spim. But today when I logged in with Miranda, I got a spam IM on my Yahoo account. If you look at the source of the message, the URL is written as:
h\81t\81t\81p://chat-detectives.c\81o\81\m
While that isn't a clickable link, it likely would get through some spim filters. And if displayed as intended, it would be easy to retype. Luckily copying it doesn't result in a good URL in either IE or Firefox. I was able to see the extra characters (as boxes) but I assume they disappear if you use the official client.

Here is today's spim by chatdetectives.com_ab43 as I assume is meant to appear:
THIS IS A GREAT SITE! http://chat-detectives.com
And just about 30 days ago I got this from chat_detectives_agent_yrm:
Ever wondered what your significant other does online when you aren't around? Would they flirt with other people or even cheat if given the right opportunity? Mine did... Wanna find out just how faithful they would be in the face of temptation? http://chat-detectives.com
It does appear hidden in Firefox, but not in IE.

This certainly isn't news to those following spim, but to me these two instant message spams make up a large percentage of the spim I have ever received. I wonder what other forms of spam \81 could be used in.

Monday, October 09, 2006

Forum Spam with Images

I was just visiting The Extensions Mirror and found two interesting posts on their forum. I assume both will be gone pretty soon, but for now they are:In case they are cleaned by the time you read this you can also see the movie post here. The car post can be seen here as well. All these were posted in the last few days by "carpost."

The movie spam use lots of movie review text which is usually meant to add to the page's relevancy in linking to the spammer's site with topical text. The movie one "borrows" images and bandwidth from several places which aren't connected to the spammer such as AllPosters.com. With the poor quality of the post and over abundance of topical text stolen from blogcritics.org and rollingstone.com's reviews of one of the movies the images correspond to, I must conclude that he is mainly attempting to trick search engines.

The second post gets its car image from the site linked in the forum spam and does not borrow its text (a long list of keywords) from elsewhere. Since I saw this one first, it made me wonder if the spammer was using the image as a traffic gauge. Incoming referrers can already tell him how many people came from the sites he spammed (hopefully none), but image views would also tell him how many people actually looked at his posts. With this he could determine which spams were more successful on humans and fine tune his future spams. But since the other does not really fit that use and the quality of the posts is not likely to draw humans, that conclusion doesn't make a lot of sense.

So why the images then? I can think of several other possible reasons:
  1. Images with file names relevant to the post could add to the relevance of the links to his page. That is ruled out since the file names are totally random.

  2. Images in the post may disguise it from moderators looking to delete spam. That could be a motivation, but wouldn't be very successful since the rest of the post is so spammy.

  3. He is after human hits and by sprucing up his posts he hopes to get more visitors. A possibility, but not likely since other than images the posts are clearly targeted at spiders.

  4. He doesn't really know what he is doing and is attempting to target both search engines and humans with the same spam. Likely.
Visiting the car site, car-post.net, you will see it consists a forum and a blog. The forum is full of what looks like forum spam posted by carpost, morgan richh (familiar names), meedia4, and denzel89. But since it is his own site and he put it there I guess we can't call it spam. The blog however has little content, but what it does have is "repurposed" from autoblog.com that was formerly copyrighted by Weblogs, Inc. and is now somehow under the Creative Commons Attribution license.

The movie site, snaph4.com, is totally different. It is an intro page to Fast Movie Downloads and links to fastmoviedownloads.com which has the same exact content. For further connection between sites (and in case the "mirrors" above disappear), you can see the movie site spam in the car site's forum.

The whois info does not seem to indicate any connection between sites. I did find it unusual that the IP address snaph4.com is hosted on has 3,856 other sites on it though.

A bit of Googling for the less familiar names I found above lead me to a more examples of their posting habits that go back to at least late August using one or both of those names. Here are a small number of them:

Keira Knightley forumHPC.net ForumsThe DJ Cafebettyslist.comDigging through those, I ran across some apartment pages hosted on the car site which at the bottom say "website designed by ®snap4.com". Not that we really needed more proof of connection between them. Most if not all of the posts contained images and often the posts mixed topics, movies, cars, and housing.

Tuesday, September 12, 2006

Spammers Don't Like Anti-Spammers

Spammers don't like us. Shocking? We are hurting these poor business men pushing illegal pills, penis enlargers, porn, etc. We are depriving them of being able to feed their families (and buy fancy cars) because they can't find any real jobs. I guess if you put it that way, we should all quit and let them continue their attempt to ruin the internet.

Anyway, to read a bunch of Russian spammers crying about how they are doing nothing wrong and we should leave them alone, check out the comments on Spamhuntress' KLIK Media GmbH registrar post. Currently 64 comments in four days and growing fast.

Update: Spamhuntress has posted some commentary on the reason some spammers don't see what they are doing as wrong. She says it is cultural differences. They don't see screwing Americans and other westerners as wrong because we are all so rich. I agree that is a reason behind a lot of spam, but certainly not all. There are plenty of slimy western spammers out to get rich at the expense of others as well, they are just jerks.

Friday, September 08, 2006

What's That User-Agent

I found an odd User Agent in my site stats and attempted to look it up. It was EchO! and it was eating up a lot of bandwidth for a bot. It doesn't seem to be a very common bot so Google wasn't a lot of help, but a few results down I found a List of User-Agents. They didn't really have much info on EchO! so I kept looking and found User Agent Database, The Web Robots Database and finally Bots vs Browsers. None of which even listed it, but do look like useful repositories.

I found it odd that I could not find the User-Agent in my log file, but assumed I must be doing something wrong. The only "echo" I found in my logs was BonEcho, the development code name for Firefox 2.0, which are mostly my own hits. A bit more investigation lead me to realize the bot AWStats was reporting as EchO! was me. No wonder it was taking up so much bandwidth and not accessing robots.txt. My server is using an older version of AWStats which was released before Mozilla started using the BonEcho name, I presume that is not a problem in newer releases.

Friday, September 01, 2006

Phishing Victim and Response

The wife of the owner of DreamHost.com fell for an email phishing scam recently. It wasn't a particular clevar scam and she knew to be careful but getting money back from the IRS was too much of a draw. This just goes to show you how vulnerable people are to phishing. You don't have to be stupid to fall for them. The really interesting part of the article though is what he did after finding this out.

Secure Browzar

There is a long post about how this browser may not be all that it seems. It was touted as having no install and that it did not save information from visited websites. According to that post, digg comments, another post and another, it is a simple IE wrapper and appears to do little to improve privacy against a knowledgable user. It became really popular all the sudden this week and if this is true a lot of people could be installing it and getting a false sense of security. It may be effective against casual snooping, but it isn't going to protect your browsing habits from the FBI or your hacker friend.

Clearly people really want privacy and security, but Firefox already offers built in options to do that. Plus for even more privacy you can get Portable Firefox and/or the Stealther extension.

I have not tried Browzar to confirm this for myself, but if you do you should know what you are getting or not getting. As one of the above posts said, this could be just a mistake or a few bugs and future versions will work as advertised, but for now it doesn't appear to be as good as it sounds.

Update: BBC News did a story pointing out that many believe Browzar to be adware and that it doesn't work. In it, the developers respond that it is not adware and that they want to fix anywhere the browser is leaving behind traces.

Monday, August 28, 2006

Tripod Phishing

F-Secure has a post pointing out that Tripod isn't doing a good job preventing obvious phishing sites from being hosted on their free service. Now if this were a small free hosting service it would not be a big surprise, but Tripod has been around for many years. I used to even have a site there long enough ago I hardly remember it.

Still a small number phishing sites isn't that unbelievable (of course there could be plenty others Google didn't index). Clearly if they were doing nothing they would be full of these scam pages. But from Google's cache, the dates on the current three I saw are the 17th, 22nd, and 24th. That is up to eight business (12 total) days to catch the earliest of them and all three are still up. See them in Google while you can.

I checked out some of the competition (MSN, Yahoo, Geocities, GooglePages, and Blogspot) using similar searches.

Of those searches, I found only one other page. The lucky host was Blogspot, though this wasn't nearly as bad as the others. It was only a splog not a phishing site and they have already removed the account.

F-Secure has a poll asking, "Should free hosting companies try to detect Phishing sites hosted on their servers?" The answer is clear to me. If the free hosts don't do it they will quickly be known for not caring and be over run with scam sites. Hosting that much garbage certainly won't make their business look very professional. Out of the first about 1000 responses, currently almost 90% agree with me that it is the free hosts responsibility to at least try.

Wednesday, August 23, 2006

Wikipedia Fix

Ars Technica has an article about an experimental feature the German Wikipedia is trying out to reduce "vandalism, edit wars, and misinformation." Edits won't go live until approved by a logged in user with "a certain level of time and experience."

That is a very good solution to those problems and will give articles some stability and hopefully credibility. But it will severely limit editors if they must wait for their changes to appear. It will also put a burden on those who must approve the edits when there are multiple conflicting versions of the page to merge.

Spam Cartoons

The stupid and often random subjects used by email spammers are often funny, but Spamusement makes them even funnier with "poorly-drawn cartoons" illustrating them. Some of my favorites:

Spyware Fight

In a pretty innovative attempt to prevent users from ending up with spyware infestations, Google started popup warnings when you attempt to visit a site known to distribute malware. This is built right into their search results rather than relying on a toolbar or extension.

That might be old (early August) news for those who keep up on search engine news, but what surprises me is I have not yet seen it in action and I do visit slimy sites quite frequently in my tracking down spam. I wonder if they decided to take it offline to rethink it.

A visit to StopBadware.org which maintains the malware database shows an example of one of the sites in their list, ThemeXP.org. Yet in Google's search results there is no popup, just google ThemeXP. Does that mean the warning popup is offline?

I have also yet to see Firefox 2.0 beta warn me of a Web Forgery with its new anti-phishing technology. I have even followed clearly deceptive links in bank phishing emails and not seen the warning. It is based on Google's Safe Browsing extension if you want to try it out before Firefox 2.0 is released.

What I have been using that is working pretty well is McAfee SiteAdvisor. It is available for both Firefox and IE for free. It advises you of the status of the site you are visiting by color coding its button. It also puts indicator icons on search results (Google, Yahoo and MSN) so you know before you even click (even on ads). When you hover the icons it gives you a brief summary of why the site got its rating. This service not only warns you about malware, it warns you when a site is likely to spam you if you sign up, I really like that.

Of course, there are privacy issues to think about when you add this protection to your browser. For the best protection, every URL you visit gets transmitted to the database provider. With Safe Browsing and Firefox 2.0's anti-phishing there are local checking options which provide some protection, but I would rather the best protection I can get.

Update: In early August, a Mozilla representative pointed out that 2.0's phishing filter isn't working yet. So I guess I shouldn't have uninstalled Safe Browsing yet. This post says you now get Safe Browsing as part of Google Toolbar. He also suggests you try OpenDNS, which reportedly corrects obviously mistyped URLs and warns about possible phishing sites.

Update 2: I found an example of Google's warning popup still working from another blog. Maybe StopBadware.org removed TweakXP from the list and just haven't updated the site with a better example.

Sunday, August 20, 2006

Finding A New Host

Less than a month ago the entire server my site was hosted on was hacked. Supposedly that vulnerability was fixed. Well someone must have it out for that particular server because it was hit again last night.

So far I haven't found another host, but this is just getting insane so I am seriously looking now. Even if I don't find the best, it will still be a huge improvement. I have not heard from support yet, but the backup I have access to is again full of the hacked files. Thankfully this time I backed up everything earlier this month after learning the hard way last time.

On reason I haven't moved yet is I have done some looking around and there just isn't much reliable information out there. Most of what I find is self promotional, splogs, questionable review sites, or other people looking for a host. There are a number of good looking host review sites, but much of the info looks like taken from the host's page or submitted by them. I would much rather find a blogger who has tried several hosts and strongly recommends it. But thanks to splogs and reblogs those are impossible to find.

GoDaddy was high on my list mostly because I couldn't find anything that offered what I want. It sounds great and has really low prices, but is apparently is insanely oversold and has little support.

I finally decided on BlueHost.com partly because of the CEO's blog in which he admits they have had bad service lately and what they are doing to fix it. The price is reasonable though it isn't nearly as cheep as the $20 a year I paid before, but you do get what you pay for and I will have a lot more features to play with. The company has been around since 1996 so in terms of internet years that is like forever. Overall customers seem to be relatively happy, unlike with my previous host after they were sold. Hopefully I made a good choice. I will let you know how it turns out.

Saturday, August 05, 2006

Hacked Server

Parts of my playground site, chongqed.info (not the more important chongqed.org), have been down since July 26 or 27. I am finally mostly through recovering and reinstalling things (I think). I was away from home when I got the email that the entire server had been compromised. According to my host it was due to a bug in Fantastico Application Installer which allowed a hacker to replace all the index pages on everyone's accounts with some anti-war propaganda.

The root page of my site that listed antispam RSS feeds headlines is gone thanks to my host having just backed up the hacked files before realizing anything was wrong and me not being able to find my offline copy. Maybe I will see if I can set it up again some day, but for now I am happy I finally got everything else mostly back to normal. If you want a great host, be sure not to choose mine. It is dirt cheep at $25 a year, but you get what you pay for.

All the wiki spam I have been collecting on the honeypot wiki is fine. Since the site has been down for about a week and a half I decided it was a good time to clean up the spam and start fresh. I reverted or blanked a total of 27 different pages. At least 10 of those were talk pages spammers created. Here are the pages with the top numbers of revisions (very few of those are reverts):
  1. Main Page (204 revisions)
  2. Wiki Spam Collection (56 revisions)
  3. CSS Hidden Spam (42 revisions)
  4. My spam blacklist (25 revisions)
  5. Suggestions (21 revisions)
  6. Google Spam (15 revisions)
  7. Spam Caught Here (13 revisions)
  8. First Spam (11 revisions)
  9. Spam (8 revisions)
I would like to do some more detailed analysis of the spamming patterns (knowing me I won't get around to it), but from those numbers at least one thing is clear. Spammers like the main page a lot. That makes the suggestion to lock your main page sound like a really good one. Most of the time your main page is going to be pretty static anyway.

Friday, July 21, 2006

Forum Spam Lists

I hate signing up to forums. There are a number of sites I visit regularly and read their forums, but never sign up even if I have something useful to say. I hate giving out my email address, even throw away addresses because then I still have to remember what I used and the password.

I am also always a bit worried about the site selling members' email addresses or accidently letting them leak. Well it looks like the latter has recently been happening with Invision Power Boards though it is certainly only the latest to be compromised.

I first heard about this at one of those forums I read but don't sign up for, someone noticed they were getting spam at a site specific address used only at that forum. He isn't the only one.

At Neowin, a hacker setup the site to download some Windows exploits when visited with IE. It was that malfomed .WMF file exploit from a while back which would only hit unpatched Windows system, but surely there are still plenty of those.

It seems Invision already has a fix for this, but of course no one keeps up on security patches. They also have a new version that includes this fix and now has a virus scanner built in.

Monday, July 10, 2006

Disney Spam

Today I found someone upset that Disney.com referrer spammed him. If true, that would be very shocking and upsetting. But it is very unlikely that Disney or anyone associated with them did the spamming. Most likely, it was a spammer testing out his new software. I have seen such spams for sites such as , , , and . Often a few days after these test spams you may get the actual spam following a similar pattern.

The purpose of web spam is to get more visitors, more ad impressions, and/or to improve the site's ranking in search engines. Disney as well as the other large sites I mentioned already have very high PageRank and tons of traffic so a few more links would mean little to them.

Of course, this is still spam and you should take the necessary measures to block it. But you can't blame these big corporations for what some mentally challenged spammer is doing to test his software or your defenses.

Spammers also sometimes spam for antispam sites such as chongqed.org, spamhuntress.com, or even a journalist who writes about spam. But these are for revenge and hurting our image rather than testing. This really doesn't make sense though. Few people that check the sites are going to mistake us for spammers. And the links only add to our PageRank.