Spam Observations


Nidiffer Pedagogiek contacted me today with this important message. I can’t decide which bit of it I like best.

From: Notification
Subject: Valentine’s Day 2012
Date: 17 February 2012 10:17:43 AM AEDT

Gaily for reverend

He was burning hot.

Proposal area: Rush in Now

Really your,
Nidiffer Pedagogiek.




Some tips for phishermen:

1. A spell-check is probabbly a good idea.

2. When speaking language other than your own, learn how plural work.

3. Proper (companies)hire professionals to make surethat type spacing is correct.

4. Try not to invent wordis that don’t exist in your target language. Also, to use correct grammar.

5. Sense it might good idea be to appear to make.

6. avoid Arbitrary capiTalization.

7. Humour is generally best avoided. Oh, sorry, I see – that wasn’t intentional.

8. A number pulled out of your ass is meaningless and impresses nobody (ref:198550)

This rather bizarre email arrived in my inbox this morning. It didn’t seem to be pitching anything in particular ((Unless it’s a cunningly clever advertisement for yellow sponges or Mercedes. Or Jamaican holidays.)) and had nothing but a return email address. I present it here for you in full (I have marked points of interest):

Urgent Prayer – My jamaican neighbor next door is bringing all these people with these white exotic cars trucks and especially white mercedes bens people to live with them and throwing yellow sponges on my porch and other stuff in my yard. I want and pray that The Lord will make these people with this white mercedes ben car to move away from next door with marie and michelle right now because they are really getting on my last nerves. Marie and michelle are causing so much trouble for me and trying to make me jealous of them and make other neighbors in our neighborhood jealous of them by having all of these people that they know and do not know to come to their townhouse with white cars and trucks. The Lord Blessed me with a white truck because i was involved in a hit and run accident in 12/10 and i was walking 18 blocks to catch the bus and now marie and michelle next door is so jealous of my white truck and have these people with a white mercedes ben to come and live with them causing trouble for me and trying to make me and the other neighbors in our community jealous. Marie is getting on my last nerve and I am so sick of marie and michelle and all of these other jamaicans who come over to their house next door. Please Pray with me that The Lord will make now the people with this white mercedes ben move and never come back now and nobody else never come there In Jesus Name Amen

Here is a pictorial aid to help you get a better grasp of the scenario:

Intercepted by Akismet from comments this morning:

Whoa there Sonny Jim! You just keep your hands off my rss.




I really love a good mystery! In my last post Desperate? I talked about the apparent spamming of my (and others’) blog comments by Microsoft. Cow reader Damned Skeptic took me to task about this conclusion, and I defended my logic in the Comments of that post.

In a nutshell, what I said was that given that 99.9% of all the comment spam I get is about link hoarding, what evidence is there that the Bing (and also Yahoo) links were not cut from the same cloth? To me it looks like someone is trying to get some link action happening for those sites.

Except…

This morning I was inundated with a whole lot of spam such as this one from ‘Datherine’:

Here’s where Datherine is linking:

Now, is that not totally bizarre? Firstly, I will acquiesce: it’s fairly conclusive evidence that my first hypothesis was incorrect. I doubt that ALL the search engines are attempting to up their ranking like this. That would just be ridiculous. But what IS going on, then?

One thing that I can tell you is that Akismet (my spam filter) is on top of this – look at the stuff that was scooped up overnight:

There were dozens like this. These, of course, are all generated by bots and are easy to screen, unlike the spumans I mentioned yesterday. But look at those links! Way to add some pile carpet to the noise floor. Why would anyone want to generate lots of links to just any search engine? What are we seeing here? Are the big search engines involved in some kind of clandestine link deluge war? Is there any relevance in the fact that all the attempted links from yesterday and the day before were exclusively Bing and Yahoo, and this morning, for the first time, it’s Google? Wow.

Another thing I can tell you is that this spam was targeting my most visited pages, such as the FAQ, the Rasputin contests and some of my Peter Popoff posts. There is definitely some method behind this madness…

For most of you, Tetherd Cow is an unfolding story of antics in Cow World that plays out on a fairly linear daily or weekly basis. You know how it goes – I post a story, you comment, we have a some fun repartee and then we move on. Very civilized. But because I have an expansive overview of The Cow (a Cowish ‘omnipotence’ as it were) the Cowiverse looks somewhat different to me. I see a whole lot of stuff to which you are not privvy. There is, for example, activity that occurs way back in time, in posts that have had their moment in the sun and are never visited again except by the occasional lost web traveller. Or by spammers. Spammers discovered long ago that the vast hinterland of forgotten blog comments provides another fertile venue for their pathetic attempts to hawk various car insurance/viagra/cheap mortgage/locksmith ((Yes. A New York locksmith and his pals were, apparently, touring the blogosphere and leaving comments in an attempt to boost their linkability. Rather sad, really.)) schemes. Because visiting millions of blogs and posting comments is (quite obviously) a tedious and time consuming task, the spammers have mostly relegated this drudgework to bots. Sometimes very clever bots, but bots all the same. Bots are mostly pretty easy to defeat, and these days most bot comments get swept up by blog spam utilities and never see the light of day. ((My spam tools automatically shift such comments into the spam graveyard without me even being aware of them. On average, TCA gets about forty of these a day.))

Recently, though, a new spamming ruse appears to be on the rise. This technique requires real people to spend time browsing around blogs and posting comments and linking their names to some crap or other. ((The technical reason they do this is to increase the number of legitimate websites ‘linking’ to their garbage product. This, in turn, increases their search ranking in various engines. Search engines find it easy to defeat standard spambot link farming, but this kind of ‘human’ bot requires (so far) human brains to intercept. And not only that, human brains that understand the context of their own blogs.)) Here’s one that I got yesterday:

This was a comment left on my post Ooze which you may remember concerned the curious fungus that once appeared in my backyard. On the face of it, ‘Jeff’ appears to be taking an interest in the post and leaving a pertinent comment – he is obviously not a bot.

What the spammers don’t appear to understand, though, is that when a commenter leaves his or her mark on TCA comments, I can tell all kinds of things about them other than just their email address and their name. I know, for instance, that while Jeff Morgan is (most likely) a real person, with a real Bigpond email address, it is not the real Jeff Morgan who has visited my blog. Someone has stolen his name and email address for the purposes of making their spam look legitimate. The clue to Fake Jeff’s real agenda is written clear in two places – one is in his IP address which comes out of Pakistan, and the other is in ‘his’ website which is easily recognizable ((By a person, at least.)) as a ‘front-door’ for a spam operation linking off to various kinds of crummy products. ((Typically, these ‘front’-door’ sites are set up as link farms into products that the spammer has been paid to ‘advertise’. They are disposable sites that will be abandoned as soon as they are busted, only to spring up somewhere else in a matter of minutes. The spammers probably have thousands of them on the shelf, ready to go.))

As is usual in these cases, I leave the comment intact and ‘repair’ the weblink to take it somewhere a little more useful. ((I usually redirect it to the JREF, because I think if there’s one thing we could do with a whole heap more of in this world, it’s some rational thinking. Can’t ever have too many links to the JREF. Did I mention the JREF?)) This morning though, I got a rather intriguing one of these ‘comments’ from ‘Mircea’:

This one appeared in my post We’re All DOOMED! as a reply to Cissy Strutt. Unlike Jeff’s comment, it only half makes sense, but I have had far more incomprehensible legitimate comments in my time. ‘Mircea’ evidently thinks that by embedding it in the flow of commenting (he/she would have to have physically clicked the ‘Reply’ button) that it would go unnoticed. ((And I guess on a lot of blogs maybe it would have.)) But I don’t see comments the same way as commenters do, and for me it’s a trivial exercise to spot it as spam. Here’s part of what I see:

Did you see the very interesting thing here, Cowpokes? ‘Mircea’ appears to be spamming for Microsoft. Oh, I’m sure that Microsoft would deny having anything to do with such a practice. They would, most likely, claim that anyone can type any URL in the web field and that they can’t be held responsible for random punters being fans of their search engine. But It is easy for me to see that ‘Mircea’ is not a legitimate entity: she/he has an IP in Quebec and an ISP in Germany – a very curious and probably impossible combination. Additionally, this is not the only one of these I’ve had in recent times.

There is a bit of discussion going on about this elsewhere, and one suggestion has been that the Bing URL is being truncated in some way and that Bing (and Yahoo as it turns out) ((I’ve also had several linked off to Yahoo.)) are just victims of a software snafu. But I want to point out that the way these blog commenting systems work does not support that conclusion – if people are physically reading the posts and entering comments, they are also physically entering the URLs they have been given to promote. To put it in clear terms, ‘Mircea’ is a fraudulent identity who has visited an historically distant Tetherd Cow Ahead post with the sole intention of leaving a link to Bing.

« Previous PageNext Page »