Comment spam and Xanga: create blogs to spam to?

yesterday on a blog i help maintain, we came across a spam post that got past our filtering:

-----
name: lin | e-mail: lindy_rucker@hotmail.com | uri: http://www.xanga.com/lindy_15 | ip: 209.106.208.131

hey hoe alot of my friends get hit on all the time
-----
“hit on” is a bit of a give-away, but the post it was attached to was about getting infected with something, so it is not clear-cut.

going to that page (at xanga, warning sign), it seems like yet another page created by a kid, and that this is real.

the message may or may not be real, i am just not sure how a 15-year-old girl who can only write about her boyfriend in a repeated one-liner gets on a low-level security site... and comments? why would she even care?

is this site maybe auto-generated to help get by the spam filters? some other ideas?
anything malicious there anyone notices?
is this… legit?!
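to make the signals above concrete (the blog-host uri, the free-mail sender, the give-away phrase, the unpunctuated one-liner), here is an added example of a small scoring filter, not code from the original post or from any real filter we run; the watchlists, weights and thresholds are assumptions, and the only input is the page's own comment record.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample in the page's own "name | e-mail | uri | ip" record layout.
SAMPLE_RECORD = (
    "name: lin | e-mail: lindy_rucker@hotmail.com | "
    "uri: http://www.xanga.com/lindy_15 | ip: 209.106.208.131"
)
SAMPLE_BODY = "hey hoe alot of my friends get hit on all the time"

# Hypothetical watchlists; a real filter would load these from configuration.
FREE_BLOG_HOSTS = {"xanga.com", "blogspot.com", "livejournal.com"}
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}
GIVEAWAY_PHRASES = ("hit on",)

def parse_record(record: str) -> Dict[str, str]:
    """Split 'key: value | key: value' into a dict with lowercase keys."""
    fields = {}
    for part in record.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def host_of(uri: str) -> str:
    """Hostname of the commenter's uri, with a leading 'www.' dropped."""
    host = (urlparse(uri).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def score_comment(record: str, body: str) -> Tuple[int, List[str]]:
    """Return (score, reasons). No single signal decides; the sum does."""
    f = parse_record(record)
    score, reasons = 0, []
    if host_of(f.get("uri", "")) in FREE_BLOG_HOSTS:
        score += 2; reasons.append("uri on free blog host")
    if f.get("e-mail", "").rpartition("@")[2].lower() in FREE_MAIL_DOMAINS:
        score += 1; reasons.append("free-mail sender")
    if any(p in body.lower() for p in GIVEAWAY_PHRASES):
        score += 2; reasons.append("give-away phrase")
    if len(body.split()) < 15 and not re.search(r"[.!?]", body):
        score += 1; reasons.append("short unpunctuated one-liner")
    return score, reasons

def decide(score: int) -> str:
    """Borderline posts go to a human instead of being silently rejected."""
    if score >= 7:
        return "reject"
    if score >= 3:
        return "moderate"
    return "publish"
```

with the assumed thresholds the page's post scores 6 and lands in the moderation queue, which is the point: the signals are suggestive, not conclusive, so a human makes the call.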

neither i nor my friends can find anything malicious there. further, looking at her blog and some other sites we can relate to her, she seems to have been around for a while. that’s a plus point for legit.

i’ll let you decide if that site has anything malicious on it, but no. this is spam, and the web page (blog) was created (automatically or manually) to give it credibility.
the two most likely scenarios are that this is either a proof of concept for using blog systems as infection seeding grounds, or an attempt to train filters to let spam through. at least these would be my best 2 educated guesses.

another educated yet paranoid guess is that someone is pinging us (casing the store for a sting), seeing how sensitive our sensors and filtering systems are.

there is an option i’d call careful: could this be more than just a well-orchestrated ping, with the site created for that specific purpose that long ago (2004)? [hat tip to spam huntress]

i can always be wrong and this is real or a joe job, but for some reason i doubt it. even if the site is real the post is not.
blogs are quick-and-dirty sites to create and easy to fill with content. this is a bit scary.

feel free to enlighten me… i’d love more opinions as this is all just, indeed, only my opinion, especially if yours proves mine wrong! :)

my most recent previous posts on the subject:
blog attacks
comment spam: new trends, failing counter-measures and why it’s a big deal
comment spam: drive-by sites, domains and spyware – analysis, samples and facts

matthew murphy’s post on xanga:
xanga worm

gadi evron,
ge@beyondsecurity.com.

  • John

    So I was googling for “209.106.208.131”, to see what random public logs it turns up in. I am the network administrator at the school district from which this post originated (209.106.208.128/25). Not to ruin your fun, but it’s not a proof of concept for anything. It’s an immature student wasting school computer time to post on your site. Why? I don’t know. Thanks for posting this and giving me a good laugh, though.

    Needless to say, Xanga is now blocked. (No, the IP I posted from does not fall within that range. I’m at home right now.)

  • sunshine

    Thank you, if it’s a bored school kid or not, it’s still spam. :)

    If it’s legit, why would the kid be in trouble?

  • Pingback: SecuriTeam Blogs » Advanced targeted comment spam and FP decision making

  • Jesse

    This is completely uninformative and uninteresting. How is this spam? Because her posts are immature? wtf? you can’t find a better example of spam?
