Advanced targeted comment spam and FP decision making

recently we’ve had several interesting comment spam attempts which were very advanced. deciding what’s spam is becoming increasingly difficult. further, we caught a comment spam kit. :)

first example, inter-linked blogs:

“fico scores and its variants are designed to measure the risk of default,
by taking into account various factors”

nickname: johnny
in johnny’s nickname website (nickname uri) we have:
http://acceptcreditcard.blogspot.com

^^ anyone have any idea if that blog and all those linked to from it are legit in any way?

in recent months we have seen an ever increasing number of inter-linked blogs, often at free blog online services, which link to each other for spamming purposes. i wrote on this before.

just last month we had a spam attempt linking to a google group specifically created to have the spam in it so it can be linked to.

i had trouble deciding if it was legitimate as a comment for this post, i tend to think it isn’t:
http://blogs.securiteam.com/index.php/archives/169

second example, comment spam kit:

“personally, i never use more than a single link in the comment i post
because doing so can trigger spam catchers if the user has that plugin activated,
whereas a single link will not.”

nickname: use keyword here
nickname uri: http://www.sag-ci.com/pornarchive/05841.html

previously, we have seen a similar post only with the spamming engine defaults completely unchanged, so that the nickname uri was: http://www.your-domain.com/your-page.htm.

meaning, this was likely a comment spam kit, and somebody forgot to change the defaults before setting it on the world wide web. :)

third example, content-sensitive comment spam:

“these security patches helps to secure some security holes in windows.
this happens due to a poor testing of the product.”

nickname: home
email: cool at csun.edu (csun has no such email, but it’s a good one as edu emails appear to be more reliable than usual fake ones, except for the “cool” part).

nickname uri: http://www.homessecuritysystems.net

the original post this was a comment for is: http://blogs.securiteam.com/index.php/archives/210

these are older posts, so that’s an indicator too.

anyway, screening these things is becoming increasingly time consuming.

some other examples, not as good though:

nickname: hacker_safa
e-mail: safa_7182@hotmail.com
nickname uri: http://www.gencbiliim.us

ben hacked dediysem odur haced by hacker_safa

well, there’s “hack” in there.

nickname: smart
e-mail: smart@smart.com
nickname uri: http://www.smart.com

have you ever heard ‘sorry’ of madona … hot song. i love c# :)

i suppose “i love c#” is supposed to be on-topic for “computer” type blogs?
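the indicators walked through above (kit defaults left in the nickname and uri, links to free blog services, a nickname/e-mail/uri that are all the same throwaway token, and comments landing on older posts) can be turned into a small scoring pass for the moderation queue. this is an added example, not code from this blog or its comment plugin; the sample comments are constructed to resemble the ones quoted above, and the weights and the 90-day “older post” threshold are assumptions.

```python
from urllib.parse import urlparse

# constructed samples modelled on the comments quoted in the post
SAMPLES = [
    {"nick": "use keyword here", "email": "",
     "uri": "http://www.sag-ci.com/pornarchive/05841.html",
     "post_age_days": 400},
    {"nick": "johnny", "email": "",
     "uri": "http://acceptcreditcard.blogspot.com",
     "post_age_days": 200},
    {"nick": "smart", "email": "smart@smart.com",
     "uri": "http://www.smart.com", "post_age_days": 30},
    {"nick": "alice", "email": "alice@example.org",
     "uri": "", "post_age_days": 2},
]

# strings left behind when a spam kit's defaults are not edited
KIT_PLACEHOLDERS = ("use keyword here", "your-domain.com", "your-page.htm")
# free blog services seen hosting inter-linked spam blogs
FREE_BLOG_HOSTS = ("blogspot.com",)
STALE_POST_DAYS = 90   # assumed threshold; the post only says "older posts"

WEIGHTS = {"kit-default": 2, "free-blog-host": 1,
           "nick=email=uri": 1, "stale-post": 1}

def spam_indicators(c):
    """Return the names of the indicators that fire for one comment."""
    hits = []
    fields = " ".join((c["nick"], c["uri"], c["email"])).lower()
    if any(p in fields for p in KIT_PLACEHOLDERS):
        hits.append("kit-default")
    host = (urlparse(c["uri"]).hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in FREE_BLOG_HOSTS):
        hits.append("free-blog-host")
    # nickname, e-mail domain and uri host all the same token (smart@smart.com)
    bare = host[4:] if host.startswith("www.") else host
    edom = c["email"].rsplit("@", 1)[-1].lower() if "@" in c["email"] else ""
    if edom and bare == edom and c["nick"].lower() == edom.split(".")[0]:
        hits.append("nick=email=uri")
    if c["post_age_days"] > STALE_POST_DAYS:
        hits.append("stale-post")
    return hits

def classify(c):
    """Score a comment and map it to a moderation queue."""
    hits = spam_indicators(c)
    score = sum(WEIGHTS[h] for h in hits)
    verdict = "spam" if score >= 2 else "review" if score == 1 else "ham"
    return verdict, score, hits

if __name__ == "__main__":
    for c in SAMPLES:
        print(c["nick"], classify(c))
```

the “smart” comment only lands in the review queue, which matches the post’s own reading of it as a weaker example.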

i am just thankful that we now finally have a community where we can securely discuss these issues, on the comment spam mailing list.

some of the previous posts i made on this subject:
http://blogs.securiteam.com/index.php/archives/285
http://blogs.securiteam.com/index.php/archives/290

gadi evron,
ge@beyondsecurity.com.
