this blog is girtby.net

Posted
06 May 2005

Categories
Nerd Factor X Meta Provocation

1 Comments

Spammer Inferno

If Dante Alighieri were alive and blogging today, I'm sure he would have revised his Divine Comedy to include a tenth circle of hell, just for the spammers.

Check out this one, received yesterday:

Author :  (IP: 24.124.126.188 , 188.126.cm.sunflower.com)
E-mail : john_hopkins23@joeblog.com
URL    :
Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=24.124.126.188
Comment:

i search for blog like this long time.you website is very good!i will come next time!

<a href="" title="" rel="nofollow"></a>

The most interesting thing about this is that it's not obviously spam. I mean sure, the English isn't so good, but it may be a second language to someone, and I'm not going to pass judgement based on that. After thinking about it for a little while, I concluded that it actually was spam based on the following clues:

  • It was accompanied by another comment on the same blog post, which contained the text "Thank you, I just wanted to give a greeting and tell you I like your blog very much." but was otherwise identical to the above (including IP).
  • It was a comment on a fairly old blog post (always a bit of a giveaway)
  • The empty link with the "nofollow" attribute. What the hell is that all about, and why would a legitimate comment include it?
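
The three clues above can be checked mechanically before a comment reaches a human. This is an added example, not code from this blog or its software; the comment field names, the 90-day cut-off for an "old" post, the two-clue threshold and all sample data are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# An anchor with an empty href and no link text, like the one in the comment above.
EMPTY_LINK = re.compile(r'<a\b[^>]*\bhref\s*=\s*(["\'])\1[^>]*>\s*</a>', re.I)
OLD_POST = timedelta(days=90)  # assumed cut-off for a "fairly old" post

def spam_clues(comment, thread, post_date):
    """Return the names of the clues that fire for one comment in a thread."""
    clues = []
    # Clue 1: a sibling comment with the same IP and e-mail but different text.
    if any(o is not comment and o["ip"] == comment["ip"]
           and o["email"] == comment["email"] and o["body"] != comment["body"]
           for o in thread):
        clues.append("same_sender_twice")
    # Clue 2: the comment arrives long after the post was published.
    if comment["posted"] - post_date > OLD_POST:
        clues.append("old_post")
    # Clue 3: an empty link, which a human commenter has no reason to type.
    if EMPTY_LINK.search(comment["body"]):
        clues.append("empty_link")
    return clues

def triage(thread, post_date, threshold=2):
    """Map comment id -> clues for comments that reach the moderation threshold."""
    flagged = {}
    for c in thread:
        clues = spam_clues(c, thread, post_date)
        if len(clues) >= threshold:
            flagged[c["id"]] = clues
    return flagged

# Constructed sample data: documentation-range IPs, made-up addresses and dates.
POST_DATE = datetime(2004, 9, 1)
TAIL = '\n<a href="" title="" rel="nofollow"></a>'
THREAD = [
    {"id": 1, "ip": "192.0.2.10", "email": "a@example.com", "posted": datetime(2004, 9, 2),
     "body": 'Nice write-up, see <a href="http://example.org/">my notes</a>.'},
    {"id": 2, "ip": "192.0.2.77", "email": "b@example.net", "posted": datetime(2005, 5, 5),
     "body": "i search for blog like this long time." + TAIL},
    {"id": 3, "ip": "192.0.2.77", "email": "b@example.net", "posted": datetime(2005, 5, 5),
     "body": "Thank you, I just wanted to give a greeting." + TAIL},
]

if __name__ == "__main__":
    for cid, clues in triage(THREAD, POST_DATE).items():
        print(cid, clues)
```

Requiring two clues keeps a single late but genuine comment on an old post out of the moderation queue.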

The point is that this spammer managed to waste several minutes of my time (which I am now attempting to reclaim by blogging about it).

I assume that this spam is targeting anti-spam measures, because there is no "payload": no obvious mention of any online gambling sites, debt consolidation, or the usual bullshit. Targeting anti-spam is the only other explanation I can think of, although I have no idea specifically what type of anti-spam measures they think they are targeting.

Maybe if they send enough decoy comments like this I will be convinced that my anti-spam defenses are not working, so I turn them off?

Maybe they are assuming I use an IP-address based blacklist/whitelist, and this is the first comment which gets them onto the whitelist?

Maybe they want to obscure a few payload-carrying comments by burying them in a bunch of decoys?

Maybe they just want to waste my time? (Mission accomplished)

1 Comments

Posted by
Alan Green
2005-05-06 14:26:06 -0500
#

Could just be a script kiddie screwing up a spam run.