Sophos Cloud Optix
For a bit of festive season fun, we thought we’d look at some spam.
Long-term readers will know that we have a tongue-in-cheek list of spam categories, taking us well beyond just unsolicited email.
Over the years, we’ve added the following spam variants to our menagerie:
- SPIT – spam using internet telephony
- SPIM – spam over instant messaging
- SPASMS – spam via SMS
- SPATTER – spam via Twitter
- SPEWS – spam through electronic web submissions
SPEWS, of course, often end up converted into emails and directed inwards by the form submission page on your webserver.
→ It’s generally a good idea to treat your web server as an untrusted email sender, even if it is inside your network, and to put any emails that it generates (especially if they might contain content entered online by someone outside your network) through your usual email filtering process.
SPEWS are also common on blogs and and forums where commenting is allowed, not least because many forums allow web links to be entered into comments.
A site that can easily be tricked into re-publishing clickable links for free is a useful resource to spammers (or to bots working on their behalf).
That’s what the spammer was trying to do in the examples below.
We’re saying “spammer,” even though numerous IP addresses were used and a range of topics covered, because the “comments” we’ve chosen in this case all follow a very similar pattern.
The formula is pretty simple.
There’s a short, generic and not terribly grammatical burst of praise, like this:
An interesting discussion is worth comment. I think that you simply really should write a lot more on this topic, it could possibly not be a taboo topic but normally people aren't sufficient to speak on such topics. To the next. Cheers.
Then there’s a URL.
It’s hard to imagine why anyone (except perhaps another spammer wanting to see what the competition was up to) would click on any of the URLs we’ve seen in this campaign, as the links have no relevance to computer security at all, let alone to the article on which they claim to be commenting.
Nevertheless, this spammer has been quite persistent in his or her flattery.
We “made certain nice points,” apparently:
There is noticeably a bundle to know about this. I assume you made certain nice points in features also.
And we received “a huge thumbs up,” too:
Hello! I just would like to give a huge thumbs up for the great info you have here on this post. I will be coming back to your blog for more soon.
Occasionally, the spammer gets rather caught up in it all, and bigs us up enormously:
Youre so cool! I dont suppose Ive read anything like this before. So nice to find somebody with some original thoughts on this subject. realy thank you for starting this up. this website is something that is needed on the web, someone with a little originality. useful job for bringing something new to the internet!
But once in a while, the flattery stops and we are confronted with criticism instead:
The next time I read a blog, I hope that it doesnt disappoint me as much as this 1. I mean, I know it was my option to read, but I really thought youd have some thing intriguing to say. All I hear is often a bunch of whining about something that you could fix if you happen to werent too busy looking for attention.
Ouch! Take that, Naked Security!
Perhaps the spammer hopes to be taken more seriously by unleashing some tough love in amongst the toadying remarks?
But what if we had approved the comment anyway, and retained the suspicious-looking URL it contained?
The URL that was added to this comment included the text string rolexwatches in its domain name, while the path part of the URL mentioned Air Jordan footwear.
That might seem a curious combination, but it was the footwear that was the the sales goal this time.
Clicking the URL takes you to an astonishing piece of prose on a free blog hosting service:
Possibly me and my teammates aloof bought pairs from a abnormal shipment? One guy alternate them and exchanged them for the atramentous and blah colorway and had no troubles.
If you end up motivated to click through by the admittedly confusing text above you will indeed be offered Air Jordans for sale:
And if you’ve had any misgivings about how you got this far, you can relax!
You’re on a secure site, at least according to the site itself:
And there you have it.
It seems that flattery alone doesn’t get you everywhere, after all.
US residents can report those fake merchandise links to http://www.iprcenter.gov/referral
I imagine there’s something similar in UK?
This might be a good place to start: http://www.actionfraud.police.uk/
“toadying”? x
From my Oxford American Writer’s Thesaurus…
toadying: verb
“she imagined him toadying to his rich clients”: grovel to, ingratiate oneself with, be obsequious to, kowtow to, pander to, crawl to, truckle to, bow and scrape to, curry favor with, make up to, fawn on/over, slaver over, flatter, adulate, suck up to, lick the boots of, butter up.
🙂 there is a point where I presumed you meant toadying, but have put todaying instead..
Oh, errr, NOW I get why everyone is asking me about “toadying” 🙂
I guess “todaying” is just a more up-to-date sort of flattery.
Fixed, thanks.
And how doth thou wish me to toady today, oh gracious, just and compassionate leader. PS: wanna buy a Rolex?
Oh, come on Paul, His posts were sharp and to the point: No need to get bogged down with Symantec’s.
I thanks you…{takes bow}.
Boom, tisch.
Great article, guys! Put the spammers in their place!
Isn’t comment spam something completely different to normal spam, not trying to get people to click links but instead something to do with SEO (search engine optimisation)?
If only there was a well respected computer security blog that could fully explain this 😛
I’m not sure just how different it is…sure, links in web pages may attract “search engine juice,” but the mainstream search engines are unlikely to be fooled by links in comments, because they’re easy to distinguish (and the poster doesn’t get to choose how they get presented).
But links in web pages generally are clickable, or made to be so.
Anyway, in this case the spammers still have a “call to action,” namely to trick us into approving the comment in the first place…and telling the Naked Security team we’re a whinging disappointment is a strange way to win friends and influence people 🙂
Actually, I believe they’re looking for sites which they can just post a comment on and have it stay there. Preferably on high-PR sites.
Google for ‘backlink packets’ and you’ll see people either giving away or selling just a bunch of links to sites that they can just put into their spambot.
And if you’re wondering, a lot of these people got affected by Google’s algorithm updates. There’s a forum, the Warrior Forum, which quite a lot of these people visit regularly; a couple of years ago there were plenty of posts there about “waaa my income was destroyed because google panda/penguin/whatever”. Yeah, boo hoo. Go get traffic by *legitimate* means. (Funnily enough, some of them ended up doing just that haha)
This looks like SEO link spamming. The never ending effort to feed search engine appetites with illegitimate sites.
I wonder how many more variations of Spam we will come up with in 5 years’ time……
We get a lot of those on our site. The funniest ones are the “critiques.” Yeah, sure, I’m going to click on a link after you’ve insulted me, Mr. Spammer.