Saturday, October 07, 2006

Vulnerable Tikis Ruthlessly Spammed and Google Indexed

The other day I posted about how VT.EDU's tiki was overflowing with spam, so today I went thru my spam filter log just to see how many attempted spams there were last week using tiki redirect pages.

Here's a short list of the most recent attempted spams linking to tikis that hit my server:

What's distressing is that Google and the other SEs really love these spammed pages too. They just gobble them up, and they're probably unwittingly passing PR from all these spammed tiki sites on such terms as viagra, cialis, levitra and a whole lot more.

So Google gives spammers a 2-for-1 special by giving them SEO value for their spamming activities. It's just a crying shame, it really is.

What's pathetic is this problem could be stopped on both sides of the coin. The tiki/wiki software developers could get off their lazy asses and implement some tools to allow webmasters to stop this rampant spamming of their software, it's easily doable. Additionally, the search engines like Google can easily identify and stop indexing spammed web pages to eliminate the value they give to the spammer.

Remember, I'm reporting about ATTEMPTED spams; all those links and a shitload more were automatically dumped. It's not rocket science, it's barely programming above a rudimentary level to identify and filter that shit out.

Why does this continue when the solutions are so simple for all involved?

Amazing that it's allowed to continue, simply amazing.

Thursday, October 05, 2006

Podomatic Vulnerability Enables Spammer Redirects

Here's another instance in a rash of reported vulnerabilities in member registration pages being spammed. Never heard of Podomatic before but it appears the spammers sure have and some nitwit registered as a member called Valium to do his spamming.

The link to the member's site is:

http://www.podomatic.com/profile/member/valium
The JavaScript redirect code appears to be this shit embedded in the member page:
<script>
var mbht872 = 'on=';
var bikmr354 = 'qiqyi199';
var zlh171 ='ment';
var k97='.lo';
var ydxglyjedai737='ti';
var bmmp211='docu';
var mzcra833='http://drsearch.net/search.php?aff=15313&q=';
var ertmj632='valium';
var qiqyi199 = 'ca';
var lflx482='"';
if(bikmr354 = 'qiqyi199')eval(bmmp211+zlh171+k97+qiqyi199+ydxglyjedai737+mbht872+lflx482+mzcra833+ertmj632+lflx482);
</script>
Just goes to show you that if you don't secure your sites some spammer will abuse it but people just don't listen.
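
To see where a script like the one above sends visitors without ever running it, the string variables can be resolved by table lookup. This is an added example, not code from the original post; the function names and regular expressions are this example's own, and it only handles the plain `var x = '...'` plus `eval(a+b+...)` shape quoted above.

```python
import re

# The script quoted in the post, held as inert text; nothing here executes it.
SCRIPT = r'''
var mbht872 = 'on=';
var bikmr354 = 'qiqyi199';
var zlh171 ='ment';
var k97='.lo';
var ydxglyjedai737='ti';
var bmmp211='docu';
var mzcra833='http://drsearch.net/search.php?aff=15313&q=';
var ertmj632='valium';
var qiqyi199 = 'ca';
var lflx482='"';
if(bikmr354 = 'qiqyi199')eval(bmmp211+zlh171+k97+qiqyi199+ydxglyjedai737+mbht872+lflx482+mzcra833+ertmj632+lflx482);
'''

VAR_RE = re.compile(r"""var\s+(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
EVAL_RE = re.compile(r"eval\(\s*([\w\s+]+?)\s*\)")
LOCATION_RE = re.compile(r"""(?:document|window)\.location(?:\.href)?\s*=\s*["'](.+?)["']""")

def resolve_eval(script):
    """Return the string each eval() would receive, using lookups only."""
    table = {name: value for name, _quote, value in VAR_RE.findall(script)}
    resolved = []
    for expr in EVAL_RE.findall(script):
        parts = [p.strip() for p in expr.split("+")]
        if all(p in table for p in parts):
            resolved.append("".join(table[p] for p in parts))
        else:
            resolved.append(None)  # not a pure concatenation of known strings
    return resolved

def redirect_target(statement):
    """Extract the URL from a resolved location assignment, if there is one."""
    if not statement:
        return None
    m = LOCATION_RE.search(statement)
    return m.group(1) if m else None

if __name__ == "__main__":
    for stmt in resolve_eval(SCRIPT):
        print(stmt, "->", redirect_target(stmt))
```

A moderation hook could apply the same check to any user-supplied profile HTML and hold pages whose resolved `eval` argument assigns to `document.location`.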

Wednesday, October 04, 2006

Automatic Detection of Spam Hand Jobs

Sometimes certain anti-spam ideas just hit you upside the head when you least expect them and seem so obvious you wonder what took you so long to figure it out.

I've already blogged about the fact that I've stopped all automated spam dead in its tracks on my sites, but people manually posting can of course correct all of the errors detected and continue to make an unwanted garbage post.

I have an extensive junk detection filter that rejects anything with the usual suspects like viagra, cialis, gambling, poker, etc. which stops the nastiest of these posts. However, some little pain in the ass SEO aka spammer might slip thru with a hand job posting about his store in India selling magic beetle dung or something that you would never imagine putting in your junk filter in the first place.

A few days ago I decided to review the last 30 days of legitimate submissions and compare them to the few off topic hand jobs that slipped through the cracks and see if I could come up with anything that would allow me to stop the hand jobs of absolutely random and crazy things outside the realm of the typical common auto-spam posts.

Then, like a lightning bolt, it suddenly hit me that with these random off topic hand spams it's not what's IN the posts, it's what's NOT in the posts that makes them easily identifiable. The concept is to scan for a list of words that SHOULD be in the post, like quotes from anything in the thread or certain keywords related to the topic, and automatically set everything to MODERATE that doesn't fit the usual posting patterns.

Basically it's a 'lack of content filtering' technique and off topic posts, like spam, stand out like a sore thumb.

Using this blog as an example for a topic, you would expect most comments to contain words like bot, spam, IP, host, crawl, firewall, htaccess, apache, etc. or a set of keywords derived from the original post title and text. The absence of any of these words is a clue that the post just might be SPAM or otherwise off topic and should be placed on moderation for the admin to review.

Since I've started using this new 'lack of content filtering' technique it's snared the few hand submissions to my other site that were completely off topic, those that I would've deleted immediately. The beauty is I can continue to leave the posting wide open for humans, not moderate everything, with only those posts that don't match the topic getting instantly set to moderate.

I expect a few false positives but so far 'lack of content filtering' is doing exactly what I expected it to do and set a couple of crap submissions last night for shit like "zanaflex information", apparently some pill I've never heard of, and "News, Stores, People, Careers at Finditt", some wannabe search engine, to moderate automatically while letting 20 on topic things thru without a hitch.

Another automated weapon in the war on spam!
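
One way the 'lack of content filtering' check described above could be written, as an added example rather than the filter actually running on this site. The keyword derivation, the five-word quote match, the plural folding and all function names are assumptions of this sketch; the site terms are the ones listed in the post and the sample thread is constructed.

```python
import re
from collections import Counter

STOPWORDS = {"with", "from", "that", "this", "have", "there", "their", "would", "about"}

def words(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def norm(word):
    # Crude plural folding so "bots" matches the keyword "bot".
    return word[:-1] if len(word) > 3 and word.endswith("s") else word

def tokens(text):
    return [norm(w) for w in words(text)]

def topic_keywords(title, body, site_terms, top_n=15):
    """Site-wide topic terms plus the most frequent longer words of the original post."""
    counts = Counter(norm(w) for w in words(title + " " + body)
                     if len(w) > 3 and w not in STOPWORDS)
    return {norm(t.lower()) for t in site_terms} | {w for w, _ in counts.most_common(top_n)}

def quotes_thread(comment, thread_texts, span=5):
    """True if the comment repeats `span` consecutive words from an earlier post."""
    c = tokens(comment)
    grams = {tuple(c[i:i + span]) for i in range(len(c) - span + 1)}
    for text in thread_texts:
        t = tokens(text)
        if any(tuple(t[i:i + span]) in grams for i in range(len(t) - span + 1)):
            return True
    return False

def classify(comment, title, body, thread_texts, site_terms, min_hits=1):
    """'ACCEPT' if the comment shows expected content, otherwise 'MODERATE'."""
    hits = topic_keywords(title, body, site_terms) & set(tokens(comment))
    if len(hits) >= min_hits or quotes_thread(comment, thread_texts):
        return "ACCEPT"
    return "MODERATE"  # held for admin review, never silently rejected

# Constructed sample thread; SITE_TERMS are the words listed in the post.
SITE_TERMS = ["bot", "spam", "IP", "host", "crawl", "firewall", "htaccess", "apache"]
TITLE = "Blocking scraper bots with htaccess rules"
BODY = "A new scraper hit the server from a proxy range, so I added a deny line."
THREAD = ["Why does this continue when the solutions are so simple for all involved?"]

if __name__ == "__main__":
    for c in ["That bot ignored robots.txt, so I blocked its host in htaccess.",
              "continue when the solutions are so simple, exactly my thought",
              "zanaflex information"]:
        print(classify(c, TITLE, BODY, THREAD, SITE_TERMS), "<-", c)
```

Raising `min_hits` tightens the filter at the cost of more false positives landing in the moderation queue.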

GoodBidWords.com Scrapes LookSmart

Noticed a hit from one of my scraper probes in GoodBidWords.com which contained the IP address of the original crawler.

Looked up the IP address and guess where it came from:

"Mozilla/4.0 compatible ZyBorg/1.0 (wn-14.zyborg@looksmart.net; http://www.WISEnutbot.com)"
Isn't this precious that GoodBidWords got caught because of all the places to scrape they decided to scrape a search engine that I don't permit to crawl my site!

What a hoot, second-hand scraper busting, this rocks!

Tuesday, October 03, 2006

phpBB Membership Spamming for Authority

We first reported about phpBB spamming the other day when we stumbled upon this "DISY registration spamming script" and since then have had a little time to examine what spammers are doing with phpBB trying to gain authority.

Let's just check a few of these spammers in Google:

pimpdomain.net
thewestgategazette.com
ritalin-pharmacy.com
Hell, just try any of the domains listed in my Technorati Loves Spam post and search for the domain name and phpBB and see what shows up.

Just amazing what these assholes do with this shit cluttering up the net with spam.

Technorati Loves Tasty Cloaked Blog Spam

I've noticed that Technorati has been happily eating up scraped and cloaked blog spam for ringtone sites, among other things, like it's fucking candy.

Let's use a search on my blog name as an example:



Click on those links and it's always to the same spammy page name like these hosted on theplanet.com of course:
http://artinexis.net/#comment-341
http://themetrogiant.com/#comment-329
http://pimpdomain.net/#comment-341
One server is 70.87.88.121 or 79.58.5746.static.theplanet.com with these domains all spewing ringtone ads:
Another annoying server is 70.87.88.108 better known as 6c.58.5746.static.theplanet.com which has these goddamn domains:
Or this fucking spam filled server host 70.87.88.106 hosted by our fucking friends 6a.58.5746.static.theplanet.com:

Here's the same shit about ringtones they all show:


Who are the fucking idiots buying all these goddamn ringtones anyway?

How about you just set the phone on buzz, stick it in your pocket, and you'll never miss a call or be confused it's someone else's phone ringing, and best of all you can do it without lining the pockets of the cell companies or perpetuating this spam. Better yet, just shove that phone up your ass as most people that feel the need to never miss a call by using goddamn custom ringtones are probably talking out of their ass anyway. While you're at it, shove some custom phone face plates and a nice Bluetooth headset up your ass too, but I digress.

WAIT A FUCKING MINUTE...

I think I see a pattern here 70.87.88.106, 70.87.88.108, 70.87.88.121...

Let's try 70.87.88.120 and see what we find:
More ringtone spam spam spam....

Or let's try 70.87.88.115:
xinyifang.net

Yes!

More spam spam spam spam spam!

OK, this is obviously a big operation with lots of shit domains serving up spam on lots of IPs. I'm bored with this already; if you want to help fill in more blanks with this ringtone spammer, go to the Domain Tools Reverse-IP page and type in the IP address in that range and see what's on the servers.

Maybe they should change their name to Spamorati as they seem to love these fake blogs reposting old posts.

BTW, if you need help with automating the identification of spam over at Technorati just drop me a line as I'd be more than happy to show you how to automate the process for a small fee!

The things I could teach them on ways to clean up their listings and improve their service would boggle their minds.