Tue 10 May 2011
The Game Is Afoot!
Posted by anaglyph under Blogging, CowBlogTech, Hmmm..., In The News, Spam Observations, Web Politics
[26] Comments
I really love a good mystery! In my last post Desperate? I talked about the apparent spamming of my (and others’) blog comments by Microsoft. Cow reader Damned Skeptic took me to task about this conclusion, and I defended my logic in the Comments of that post.
In a nutshell, what I said was that given that 99.9% of all the comment spam I get is about link hoarding, what evidence is there that the Bing (and also Yahoo) links were not cut from the same cloth? To me it looks like someone is trying to get some link action happening for those sites.
Except…
This morning I was inundated with a whole lot of spam such as this one from ‘Datherine’:
Here’s where Datherine is linking:
Now, is that not totally bizarre? Firstly, I will acquiesce: it’s fairly conclusive evidence that my first hypothesis was incorrect. I doubt that ALL the search engines are attempting to up their ranking like this. That would just be ridiculous. But what IS going on, then?
One thing that I can tell you is that Akismet (my spam filter) is on top of this – look at the stuff that was scooped up overnight:
There were dozens like this. These, of course, are all generated by bots and are easy to screen, unlike the spumans I mentioned yesterday. But look at those links! Way to add some pile carpet to the noise floor. Why would anyone want to generate lots of links to just any search engine? What are we seeing here? Are the big search engines involved in some kind of clandestine link deluge war? Is there any relevance in the fact that all the attempted links from yesterday and the day before were exclusively Bing and Yahoo, and this morning, for the first time, it’s Google? Wow.
Another thing I can tell you is that this spam was targeting my most visited pages, such as the FAQ, the Rasputin contests and some of my Peter Popoff posts. There is definitely some method behind this madness…
LINK THE BISMARCK!
HAHAHAHA!!! Oh, man, you’re batting 1.000 this week, ol’ pal. HAHAHA!
I wonder if davidzhawk at Blogation http://blogation.net/#!/entry/910 is on the right track with his speculation that what the spammers are trying to do is make their address appear legitimate to WordPress spam filters, so it has nothing to do with MS, Yahoo or Google. Though it’s still a guess, it would explain what is happening. I looked in a friend’s spam filter today, and there was a one-sentence comment like the ones above except it had no URL, which fits davidzhawk’s idea too.
Hmm. Not sure how that would work. Even if they got around the filters (which do a heck of a lot more than merely looking at an outbound URL), there’s no payload delivery once they’ve gotten in. The entire admitted content is just a stupid sentence (the email addresses appear to me to be legitimate, but stolen, if my contact with the real Jeff Morgan is anything to go by).
We could assume they are trying to build up a ‘trusted’ status with some kinds of moderated blogs (which require an approved post before allowing further comment) but so far there is no sign of secondary posts by the same commenter, which would then be a dead giveaway. These systems usually rely on an authenticated email address anyway – the URL is not significant.
And anyway, if the idea is that it somehow fooled bloggers who moderate their comments into allowing in a ‘trojan horse’, as it were, then the utility seems pretty marginal. I mean, you’d have to be mighty dumb not to recognize these comments as trash. This would require a moderated blog, a stupid administrator and a lot of knocking at the door for a very small success rate. And then to what end? Drop a link or two which would almost immediately be discovered and removed?
No, after examining this I think there’s something much more sophisticated at work. It also ‘feels’ slightly creepy to me, nothing I can put my finger on. It feels like someone walking around your house and trying the doors to see which one’s unlocked.
One thing that’s interesting – doing an IP lookup on each of the spamments I got today reveals huge discrepancies between the domain of the spammer’s (almost certainly stolen) email address, and the attached IP.
So, the domain for one is coaxialkw.com (Kuala Lumpur) but the IP resolves to Missouri in the US. Another has the address gawab.com which is a Middle-Eastern provider, but the IP resolves to Essen in Germany. All the addresses I looked at are like that: a web domain in one country and an IP elsewhere. Now, while this is possible (my own site would appear like that) the combinations are so peculiar that something seems fishy. And there are none that have the same locality. That’s pretty unlikely.
Of the explanations I’ve seen so far my wild speculation money is still on davidzhawk’s guess. Spammers are finding it harder to get their bots past the spam filter, so they send out more innocent looking bots. The spammer assumes that if the bot gets past the filter then the payload bot has a better chance of getting through. Rather than being sophisticated maybe this is a desperate, if unsuccessful, attempt by spammers to get their bots past the spam filter. There’s no expectation by the spammer that the bot will fool a human. If the spam filter catches the bot that’s a failure for the spammer.
What would the big search engines have to gain by a clandestine link deluge war? They don’t need to move up the search engine rankings, so the reason this is done by spammers doesn’t apply to them. The reward would have to be significant for them to risk the bad publicity if they get caught doing something that they actively oppose.
It doesn’t make any kind of sense though. Anything with a payload is easily detectable – it’s not dependent on something that’s come before (except in the ‘permission’ scenario I outlined above). The outgoing URL is insignificant. And anyway, an outgoing URL that points to the Bing or Yahoo or Google uber domain is meaningless and can be screened. A commenter is simply not going to have one of those as their home page, and that’s the sole reason for the outgoing URL link.
Oh, I agree – it’s probably not that. It was just a quip. The only scenario I can think of is that Bing decides to spam to get some link leverage and then Google retaliates to show them that they can play that game too. Highly unlikely, you would hope, but stupider and more venal things have happened on the intertubes plenty of times.
I don’t see any plausibility in davidzhawk’s idea without some mechanism being offered, and I concur that it’s probably not a link war. That leaves us with… a mystery…
And a further mystery to contemplate. This morning my spam filter had caught two spamments overnight. TWO. That is an extraordinary circumstance. I don’t think that’s happened since I first installed filtering when the Cow came across to WordPress many years ago. Mostly I get at least a couple of dozen spam comments every morning, sometimes a hundred.
There is something highly peculiar going on.
I’ve been doing some sleuthing and found an interesting April 2009 Akismet blog post titled “Eliminating spam is good SEO”. (http://blog.akismet.com/2009/04/28/eliminating-spam-is-good-seo/) The pertinent quote is this:
“And spammers have recently learned to post several comments over time, the first of which contains no link or obvious clue. (We call these precursor spams).”
Makes it seem possible that the comments you are seeing are precursor spam with a real but meaningless URL added.
Yes, that’s the moderated permission tactic I was talking about. Some blogs require a first-time commenter to be ‘authenticated’ by the blog moderator, and then all further comments by that particular commenter are allowed to pass. The strategy that the spammers are using is to attempt to get their ‘ticket’ and then they figure they can come and go as they please. It hardly ever works though, unless the blog owner is either stupid (as I said) or they have a blog that has so many commenters that they can’t keep track of them. Most blogs aren’t like that. It seems to me a fairly desperate tactic. And you don’t need an outbound URL. The cookie works off a combination of the email address and the IP. The reason for not needing an outbound URL is simple – many commenters don’t have blogs or websites. You yourself don’t have one. So there is simply no necessity to have anything in the outbound URL field. It matters not one way or the other, and spam filters don’t need to check for it.
One could put up an argument for it being effective under some special circumstances, but to fool even the dumbest of bloggers it would have to involve a person (not a bot) taking the time and trouble to write a meaningful comment on the topic at hand.
For instance, look at ‘Tim Warren’s’ comment at the end of this post that came in just now, and completely bypassed my spam filters. Would you have picked it as spam? It’s the most legitimate-looking spamment I think I’ve ever seen (and is it a coincidence it arrived on the same post as the spamment from ‘Jeff Morgan’? I wonder…) The mistake ‘Tim’ made was to have his o/b URL linked to an anti-wrinkle cream site. So his payload was what gave him away. This is pretty obvious and must inevitably be the case.
Maybe some people are not diligent enough to pick up these kinds of things, but it seems like a LOT of work for what can only be a very tiny amount of payoff. ‘Tim’ can only be earning pennies, and he’s forced to spend time reading the post (although in this case it’s mostly pictures so he can make meaningful comments without actually addressing the text) and then writing coherent commentary.
I agree that it’s unlikely that the intent of these comments is to fool a moderator. I also know that an outbound URL is not necessary. And I suppose if I credit spammers with some intelligence, it does seem unlikely that they wouldn’t already know that the precursor spam tactic won’t work even on unmoderated blogs. Where we seem to differ is on whether there is any significance to the fact that these spam comments have outbound URLs.
The payload possibilities I can think of are that it’s hidden in some way or it’s the outbound URL. I have no idea if it’s possible to hide something in a comment, so I can’t even speculate on that. And unless someone comes up with a plausible reason for Bing, Yahoo or Google to do this, there’s no reason to think it’s the outbound URL.
So it seems likely to me that there is no payload, and in that case, I’m not interested in why a spammer wanted to fill in the website box. Though once that decision is made it does make sense to use an outbound URL that won’t get the comment sent to spam.
I just did a Google search on the text from the “Jaundalynn” spam comment and not too surprisingly there were quite a few hits. In the places where I could click the outbound URL, I found a number of Yahoo and a Google but no Bing. I found one site that looked like a repository for one-line messages. Page after page of these things with outbound URLs leading to Bing, Yahoo and Google.
I need a new wild guess. I’m not inclined to think the URL is significant, but I’m stumped as to what purpose these comments serve.
You’re right about the Tim Warren comment. I wouldn’t have thought it was spam. I wonder how many people are that thorough and check the outbound URL. I don’t think I would have checked.
The payload possibilities I can think of are that it’s hidden in some way or it’s the outbound URL. I have no idea if it’s possible to hide something in a comment, so I can’t even speculate on that.
There’s no way to hide something in the URL, but there are ways to hide things in comments – and spammers have tried this before. Unfortunately for the spammers a moderator can still see what they’re up to, though. There IS a way you could make the URL deceptive. Let’s say I wanted to fool someone like this – how would I go about it? Well, it’s really easy for me as a moderator to spot a bogus comment in several ways: a weird email address; an IP that looks phoney when compared to the email domain; irrelevant comments; and easiest and quickest of all, an outward bound or embedded URL that has an obviously spammy address like cheapcarinsurance.com. Something like bing.com is equally as implausible. There is a trick, however, that would work. If you set up a domain that looked legitimate, like, oh, let’s say jeffmorgan.com and made your email jeff@jeffmorgan.com I would not be able to tell from just looking at the comment details if you were a spammer. So, you could then make jeffmorgan.com a re-direct site that, when the link was clicked, took you to a spam site.
I doubt that spammers would employ this trick though, because the point of comment spamming is not to make someone from my blog visit the site, but to get link rankings on the search engines. And so, while jeffmorgan.com would get plenty of links, the actual spam site would not. And of course, the ploy would be uncovered almost immediately.
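As an added example (not code from the post or any of its commenters), the moderator checks listed in the comment above turned into a small scorer: an outbound URL whose root is a major search engine, an IP whose country disagrees with the email domain’s, and a one-line precursor-style body. The country tables and the comment records are constructed stand-ins for the manual IP lookups described in the thread.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlparse

# Root domains no genuine commenter plausibly gives as a home page;
# these are the ones the post saw on otherwise content-free comments.
SEARCH_ENGINE_ROOTS = {"bing.com", "yahoo.com", "google.com"}

# Constructed stand-ins for the IP-to-country and mail-domain-to-country
# lookups done by hand in the thread; a real filter would use a GeoIP database.
IP_COUNTRY = {"203.0.113.7": "US", "198.51.100.9": "DE", "192.0.2.44": "MY"}
MAIL_DOMAIN_COUNTRY = {"coaxialkw.com": "MY", "gawab.com": "EG", "example.org": "US"}

@dataclass
class Comment:
    author_email: str
    ip: str
    url: str          # the outbound "website" field; may be empty
    text: str

def registrable_domain(host: str) -> str:
    """Reduce www.bing.com -> bing.com (naive last-two-labels rule, enough here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def score_comment(c: Comment) -> list[str]:
    """Return the names of the heuristics the comment trips; empty means it looks clean."""
    hits: list[str] = []
    if c.url:
        target = c.url if "://" in c.url else "http://" + c.url
        host = urlparse(target).hostname or ""
        if registrable_domain(host) in SEARCH_ENGINE_ROOTS:
            hits.append("url-is-search-engine-root")
    mail_domain = c.author_email.rsplit("@", 1)[-1].lower()
    ip_cc = IP_COUNTRY.get(c.ip)
    mail_cc = MAIL_DOMAIN_COUNTRY.get(mail_domain)
    # Only flag when both lookups succeed; an unknown IP is not evidence of anything.
    if ip_cc and mail_cc and ip_cc != mail_cc:
        hits.append("ip-country-vs-mail-domain-mismatch")
    # "Precursor" spam is a single bland sentence with nothing to say about the post.
    if len(c.text.split()) < 8:
        hits.append("precursor-style-short-text")
    return hits

if __name__ == "__main__":
    # Constructed sample records modelled on the ones described in the post.
    sample = Comment("jeff@coaxialkw.com", "203.0.113.7", "http://www.bing.com/", "Great post, thanks!")
    print(score_comment(sample))
```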
Page after page of these things with outbound URLs leading to Bing, Yahoo and Google.
Yeah, I went and had a look too. Mystifying. I even found a spam page that was comment spammed – spam with comments attracting spammer comments! My head is spinning…
I need a new wild guess. I’m not inclined to think the URL is significant, but I’m stumped as to what purpose these comments serve.
Well, since that big splurge over two days when I started all this, they have completely stopped. Not a single one came through yesterday or today. Nothing. It’s not even being flagged and caught by Akismet. As much as I know you don’t want to agree with me, it’s like a schoolyard spat – as if Bing and Yahoo made an attempt to get their hits right up, and then Google retaliated with a ‘Nyah nyah nyah – we can do it too’.
Pure speculation I’ll admit, but it’s speculation that fits ALL the facts. The only thing that you’re offering me in contradiction is ‘C’mon – they wouldn’t do something like that!’
Is there more Pocket Jesus now?
Y’know, Queen Willy, if the spammers would leave me alone you’d get more of Pocket Jesus, Simple Graphics Man and even Safety Craig.
Hey, and anyway, it’s a detective story. I’d have thought you’d be all up for that?
Pitka would have solved this case by now.
Pitka works only during the holidays.
Last I heard Pitka was under cover, deep inside Paris.
Yeah, and he wasn’t looking for the Phantom of the Opera either.
Skynet begins and you’re to blame!
Just calling it like I see it…
Maybe this guy is just selling corn?
Hey, you’ve got a new picture on your sidebar. I like it! You handsome devil you….
It’s my new look.
Yeah, I get a ton of this stuff too. Akismet, though, kicks their ass all the time.
They’re certainly still around, because I’ve had a string of them at my place. And searching for what was going on led me here. Anaglyph said:
I think that’s probably what’s going on. I know there’s not much of a payload if the door opens, but the payload might not be the point. Testing WordPress security measures, cataloging who is monitoring, who is running akismet, who is running Bad Behavior. It might just be the first sweep in which this blog — being properly comment-filtered — gets dropped from subsequent hack attempts. Maybe it keeps happening because it’s multiple people using the same tool. Maybe because it’s an automated process poorly programmed.
Perhaps. It certainly stopped suddenly. I had two days of it and then an eerie silence (weirdly, pretty much ALL spam stopped for a day). Now we’re back to normal transmission, but the bing.com and google.com addresses have disappeared pretty much, except for the very occasional one.
I’ll be curious if you see the same thing happen – let me know. Maybe mass brains will have a chance of figurin’ it.
Perhaps it’s possible that the spammers can know via automation which posts actually make it through and then proceed to spam blogs who allow that. I don’t know. It seems strange that you’d use those major domains though – why not make up a bunch of plausible domains instead? If those spams had come through from, oh, widget.net or thingummybob.com they’d have had a much better chance of being inconspicuous.
A puzzle for sure…