|
11.26.07
Reverse Engineering Spammers Testing The Water
 By
Dan Morrill
Spammers are annoying, and generally can cause problems, what is worrying is when spammers are busy out there testing the water, and no one seems to notice.
This handy little test got caught up in a spam filter from mail.ru. In general as spam goes this is pretty harmless, what makes it interesting is the Google search afterwards. The spam reads:
This is a test. Please ignore it. http://google.com - google 34n710
The Google search should make everyone stop for a moment, - the Google search is here
The whole search string only finds 10 responses, but there are a lot of things that Google didn't understand here. With variations that number grows from 10 to 78 to 1010, and so on as you vary around the key phrase to take out things that Google didn't search on.
This is a test. Please ignore it google 34n710
This is a test. Please ignore it. http://google.com
This is a test. Please ignore it.
The last one is pretty much so a bust, seems that a lot of people will send hello world messages with that text string, this is a test please ignore it.
Here is why this is interesting.
A quick Google search reveals all the people that accepted or otherwise let the spam message through their system. From there you have a viable set of URL's and web sites where it is now possible for what ever system you used to send your spam, to simply do its job without having to worry, process, or spend time at sites that have good spam filters in place. 76 returns is not bad for a small spammer, 1010 returns is even better, and given the tracking number 34n710 the spammer can see how other people's systems work, or like any good lab, each batch has its own tracking number.
There are also similarities in the topic number as if that was also part of the message, many of the Google returns have the view topic number of 6747774 as their code for the topic. Across hundreds of sites that is also an anomaly and is probably part of the sequence that is being used to get their message into the forums or blogs, comments, or systems.
The quick Google search also shows that it is not just abandoned web sites that are prone to what ever method was used to push the spam message. The I-mockery forum, bsdforum, and others are prominent on the first page (maybe not if they read this) of the Google search.
While spam looks simple when it hits a filter, it makes a great exercise in seeing who all has been tagged and cataloged as vulnerable within the spammers system.
Comments
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing
Intellectual Property & IT Security, and is an active participant in the ITtoolbox
blogging community.
|
