I’ve gotten a few of these curious spam comments recently. They’re fairly reasonable-looking, from a proxy IP (the ones I looked at have been associated with Tor, although I don’t know if Tor was used in this case) and they have an arbitrary five-digit number in the comment. Sometimes there’s a link to a number-guessing site, sometimes not.
Here are the ones I’ve gotten:
IP Address: 194.109.217.74
Name: Betsy Markum
Email Address: crazygirl@yahoo.com
Comments: I can’t believe it, my co-worker just bought a car for $77335. Isn’t that crazy!

IP Address: 157.82.61.22
Name: Courtney Gidts
Email Address: eastcoast@microsoft.com
Comments: I’ve managed to save up roughly $52002 in my bank account, but I’m not sure if I should buy a house or not. Do you think the market is stable or do you think that home prices will decrease by a lot?

IP Address: 193.201.54.32
Name: Merideth Carleton
Email Address: traveler@msn.com
Comments: Have you seen this before? It’s a number guessing game: http://www.amblesideprimary.com/ambleweb/mentalmaths/guessthenumber.html. I guessed 48732, and it got it right! Pretty neat.
The last one was the real tip-off; on the ambleweb site the person guesses the number, not the computer.
Googling on the fake realnames used by the spammers shows other blogs getting similar spam, with random-looking numbers — check out the one with the leading zero digit :-)
Google for "Merideth Carleton"
I guessed 73712, and it got it right! Pretty neat. Posted by: Merideth Carleton |
Oct 27, 2005 8:35:52 PM. Post a comment. Name:. Email Address:. URL: …I guessed 42122, and it got it right! Pretty neat. Posted by: Merideth Carleton |
Nov 12, 2005 12:29:05 AM | Email this comment …I guessed 84887, and it got it right! Pretty neat. Posted by: Merideth Carleton |
Friday, November 11, 2005 at 05:32 PM …I guessed 44240, and it got it right! Pretty neat. Posted by: Merideth Carleton |
Monday, November 14, 2005 at 12:52 PM …I guessed 68562, and it got it right! Pretty neat. Posted by: Merideth Carleton
at Nov 11, 2005 5:31:33 PM. Post a comment. Name:. Email Address:. URL: …Merideth Carleton : Have you seen this before? It’s a number guessing : Helping
by · Merideth Carleton : Have you seen this before? …Posted by: Merideth Carleton at November 11, 2005 03:57 PM. Have you seen this
before? It’s a number guessing game: …Merideth Carleton. #25. This is cool, you have to try it. I guessed 26713, and this
… I guessed 84055, and it got it right! Pretty neat. Merideth Carleton …I guessed 10081, and it got it right! Pretty neat. Posted by: Merideth Carleton |
November 11, 2005 at 05:25 PM. Post a comment …Merideth Carleton wrote: Have you seen this before? It’sa number gu… [more].
Do you think the market is stable or do you think that home prices will decrease by a lot? Posted by: Courtney Gidts | Nov 11, 2005 2:05:08 PM …
4- Courtney Gidts. I’ve managed to save up roughly $53602 in my bank account, but I’m not sure if I should buy a house or not. Do you think the market is …
Do you think the market is stable or do you think that home prices will decrease by a lot. Posted by: Courtney Gidts | Oct 27, 2005 11:07:16 AM …
Posted by: Courtney Gidts | Nov 14, 2005 3:12:18 PM. I’ve managed to save up roughly $18827 in my bank account, but I’m not sure if I should buy a house or …
Do you think the market is stable or do you think that home prices will decrease by a lot. Posted by: Courtney Gidts at Oct 27, 2005 12:49:24 PM …
Courtney Gidts said: I’ve managed to save … more Betsy Markum said: I can’t believe it, … more Betsy Markum said: I can’t believe it, … more …
Courtney Gidts · Nov 15, 06:11. › Courtney Gidts · Aug 25, 05:08. › Mike B. Aug 24, 13:08. › inkheart … Courtney Gidts · Sep 08, 22:09 …
Courtney Gidts Nov 11 2005. I’ve managed to save up roughly $63312 in my bank account, but I’m not sure if I should buy a house or not. …
Courtney Gidts said: I’ve managed to save up roughly $10110 i… • Courtney Gidts said: I’ve managed to save up roughly $10110 i… …
Courtney Gidts | 2005-11-15 01:08 | Link. I’ve managed to save up roughly $85272 in my bank … Courtney Gidts 15/11 Frank 19/04 VL Carey, San Diego 28/09 …
Comments. I can’t believe it, my co-worker just bought a car for $81083. Isn’t
that crazy! Posted by: Betsy Markum | Nov 14, 2005 3:47:52 PM …I can’t believe it, my co-worker just bought a car for $83246. Isn’t that crazy.
Posted by: Betsy Markum | Oct 27, 2005 6:26:05 PM …Posted by: Betsy Markum | Nov 14, 2005 12:19:18 PM. I can’t believe it, my
co-worker just bought a car for $61861. Isn’t that crazy! …Betsy Markum said: I can’t believe it, … more Betsy Markum said: I can’t believe
it, … more · penis enlargement pill review said: …Posted by Betsy Markum at November 14, 2005 03:13 PM. I can’t believe it, my
co-worker just bought a car for $13684. Isn’t that crazy! …Comments. I can’t believe it, my co-worker just bought a car for $71874. Isn’t
that crazy. Posted by: Betsy Markum | October 27, 2005 at 08:21 PM …Betsy Markum wrote: I can’t believe it, my co-worker just bought… [more].
Doctor, Doctor, Give Me the News (3) Betsy Markum wrote: I can’t believe it, …Posted by: Betsy Markum | Oct 27, 2005 10:26:05 AM. I’ve managed to save up
roughly $03521 in my bank account, but I’m not sure if I should buy a house or …Hamlet Linden on I need a hero · Jim Anderson on Duping (and sploits) · Betsy Markum
on Contradictions (1) · Courtney Gidts on Wired on Virtual Greed …Betsy Markum: I can’t believe it, my co-worker just bought a car for $44076.
Isn’t that crazy!… [go] · Betsy Markum: I can’t believe it, my co-worker just …
So, I’ve added this to my “SpamLookup – Keyword Filter / Keywords to Moderate” settings:
# five-digit spammers
/\b\d{5}\b/
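An added example, not part of the original post and not SpamLookup's own code: the rule above applied in Python to a constructed comment queue, showing that it also holds legitimate comments that contain a five-digit number. A complementary check masks the number and hashes what is left, so repeats of one spam template group together even though an exact content hash differs every time. The function names and the two legitimate sample comments are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

# The moderation rule from the post: any standalone run of exactly five digits.
FIVE_DIGITS = re.compile(r"\b\d{5}\b")

# Constructed sample queue: spam texts quoted in the post (with numbers seen
# there, ASCII apostrophes) plus two invented legitimate comments.
COMMENTS = [
    "I can't believe it, my co-worker just bought a car for $77335. Isn't that crazy!",
    "I can't believe it, my co-worker just bought a car for $81083. Isn't that crazy!",
    "I guessed 48732, and it got it right! Pretty neat.",
    "I guessed 73712, and it got it right! Pretty neat.",
    "We moved the office to ZIP 90210 last spring.",     # invented, legitimate
    "That laptop cost me $1,249 and I regret nothing.",  # invented, legitimate
]


def needs_moderation(text):
    """True when the keyword rule would hold the comment for moderation."""
    return FIVE_DIGITS.search(text) is not None


def exact_hash(text):
    """Naive content hash: changes whenever the embedded number changes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def template_hash(text):
    """Hash after masking the five-digit run and normalising case/whitespace."""
    masked = FIVE_DIGITS.sub("#####", text)
    normalised = " ".join(masked.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def repeated_templates(comments, min_count=2):
    """Return lists of comment indexes that share one masked template."""
    groups = defaultdict(list)
    for index, text in enumerate(comments):
        if needs_moderation(text):  # only number-bearing comments
            groups[template_hash(text)].append(index)
    return sorted(g for g in groups.values() if len(g) >= min_count)


if __name__ == "__main__":
    for index, text in enumerate(COMMENTS):
        verdict = "moderate" if needs_moderation(text) else "publish "
        print(index, verdict, text)
    print("template clusters:", repeated_templates(COMMENTS))
```

The ZIP-code comment is held by the regex but never joins a cluster, which is the difference between moderating on the number alone and moderating on a repeated template.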
Comments (47)
Peter,
Would love to hear your additional thoughts on the 5 digit mystery. Brian McWilliams wonders (over at Spamroll) whether these digits could be used to foil spam-hashing algorithms. Unfortunately, I don’t know if SpamLookup works that way, and I have received none of the same in my junk folder (so I cannot see how it was scored).
I keep getting this spam as well. It’s so mysterious. And bothersome.
Forget filtering, how about using a blunt instrument?
Thanks for the code, I’ll give it a try.
I just got a comment from Betsy Markum (though her friend only paid $23357 this time). I thought it quite odd. Obviously spam since it had nothing to do with the post, but I’m stumped as to the purpose since there’s no link to anything. Curious. Anyway, I’m not approving the comment…
Reminds me of the shortwave numbers stations that have puzzled SWLs for decades.
Have you got to the bottom of the 5 digit mystery yet ?
This is like a Philip K. Dick novel.
I speculate that there is some kind of exploit in some kinds of blog comment software that’s vulnerable to some sort of hidden data in the POST sent them. To mitigate suspicion from failed exploits (ie successful comments) the worm generates reasonable text.
You’ve just boosted their search engine ranking enormously. They thank you.
I just got one:
“i would like to enter this number hope that i am a winner ?mmt 4?QF mw4a”
No URL, the email looks legit, from a university address.
I don’t know whether to delete it or not (it’s on an old post)
Hi!
It looks like those messages have been automatically (via script)
posted on blogs and forums so that those people can harvest email
addresses. Later the addresses will be used for spamming and various
scams, mostly Nigerian variety.
They used to sign them Prof. Mugu (Nigerian for idiot) so that they
can easily google for them later and collect more email addresses..
Best of luck!
Vadym
I am getting a lot of these on my PHPBB msgboard. These are also accompanied by fake signups as well.
This is an old spammer trick that I’ve been seeing from time to time on my own well-trafficked site.
The idea is to post a comment that sneaks through the spam filters and white-lists an IP or email address, then come back later and crap up your comments with a newly registered URL before we can blacklist them and run a little SQL to clean out the old comments.
my theory is that they post them to your blog, remember the ##### then check back later to see how spam friendly it is in terms of moderation. just a hunch.
I can’t believe it, my co-worker… nevermind.
I believe it’s a marker so they can test/find open blog comments later for automated spam. It’s usually a precursor to getting a whale-load of spam.
Yeah, another vote here for the “see if the message gets through” theory. I’m guessing that the spambot tries to post the message, and then comes around to the front door a few minutes|hours later and sees if the comment (identified by the number) has made it through. If so, I suppose you go on the “sucker list.” Or something.
These posts are designed to appear benign, so they raise the “Spam Karma”, if you will, in a Bayesian filter. That way, when the same IP posts again, the filter will allow the spam to pass through.
This may or may not be related, but I found lots of weird blogs that had no content but things like this:
“Zyloprim for sale. February, is likely to pick up again in outlined the proposal after efforts at zyloprim for sale has one, good for when you go on seized at a fake checkpoint manned by ZYLOPRIM FOR SALE nationwide.”
Different blogs had different products, (often casinos). None of them were grammatical or had any links. I couldn’t figure it out.
Ever heard of “number stations” on shortwave radio? wikipedia has a thorough description… maybe this is the internet version…
These messages might be trying to defeat good ol’ Bayesian spam filters. By increasing the frequency of phrases like “buy a house” in otherwise innocuous looking text, the spammers are hoping to fool bayesian spam filters into letting the real spam through later.
Pardon me for pop-cultering this one, but the person who mentioned number stations kinda reminded me of the whole LOST television show which is based around the mysterious appearance of numbers.
While I personally believe this one to be a bot checking its post dropped on a list, who knows? Maybe it is part of a marketing scheme for ABC.
;)
‘Designed to appear benign’. It’s clear to me that computers themselves have begun to brazenly fuck with us (bastards)
or they’ve simply decided to open communications with us in a form they assume we must understand – spam emails clearly being one of the most international and widely spoken of languages (geniuses). The singularity is nigh.
One effect no one has noted is the search engine dilution of whatever phrase or name they use.
They can’t be diluting something so notorious as to be a world famous brand. But think smaller.
What’s splashed all over regional and local TV ads and stuck in the minds of consumers?
Crap like “Call Meridith Carleton at Century 21 today to sell your home!” or “Come on down to Markum Used Cars for a great deal on our selection of certified pre-owned! Betsy’ll cut you a deal!”
So if I were either of those folks, I would have been just ratfucked off the first page of Google by white noise.
Then again, in the current climate it’s pretty common for a potential employer to Google you. Perhaps these are folks spamming their way out of their employers finding them online?
The numbers all seem to be legit US zip codes. Make of that what you will.
I think they are just testing whether your blog’s comment system is spamable.
I’d tend to agree with Yohanes. Set a bot free, then Google to get your results instead of having results transmitted back to you. A blind drop that can’t be traced.
As for the ZIP code theory, I just ran the Meredith set posted above and only 5 of the 9 were valid.
A common trick here, as I think I understand it, is to get just one successful comment accepted by your blog.
That paves the way for more/easier acceptance down the road in some blogging engines.
I use dr Dave’s Spam Karma 2 on my blog and it rocks! Seriously, I was using Akismet before, which was very good but nothing like dr Dave’s.
If it’s available to you, I’d recommend at least a quick look.
Regards!
I think the white noise theory is interesting, that’s what occurred to me at first as well. The problem with that is that the stray comments seem to appear at least as far back as September of 2004 and run fairly randomly from then on. That seems like a lot longer than someone would be willing to take for such a project. Also, not to be sexist, but the names (There seems to be an Allison Trump in the mix as well as the three listed above) are all female; wouldn’t statistics lead us to believe that men would be more likely to either want to disappear from google or to have miffed someone enough to make them try and erase them? As far as tracking goes, I can’t see how they’re doing that either. If you search for the names with a posted number, you get multiple sites returned (example: search for ‘“Allison Trump” 23063’ and you get 59 results on different sites). How can those be tracking numbers if they aren’t distinct? I tend to think the Bayesian karma solution is the correct one, combined with being able to google for the name to get a ranked list of results to pick out the best targets.
I had cornflakes for breakfast, I guessed there were 1,249 flakes in the bowl.
Start of the new blog virus, please spread.
;)
I had cornflakes for breakfast, I guessed there were 23432 flakes in the bowl.
I had cornflakes for breakfast, I guessed there were 01697 flakes in the bowl.
And a meme begins.
What about time-independent markers for monitoring software, like e.g. a keyword tracker? Not spammers, per se, but something from the NSA.
Well there was this one time I read a book where comments using numbers and repeated phrases were used to bet on horses. This is different though, because it’s on a lot of sites. So yeah. Not connected then, just odd.
I get the Betsy Markham comments and a few of the other names posted above. I agree with the person who suggests it’s a way to prime the site to be open to more posts from the IP.
I had mixed grain bran and dried fruit with a splash of full cream milk and a dollop of low fat black cherry yoghurt for breakfast.
then I had a glass of orange juice and went for a skate.
A friend of mine (math major) once suggested a file system using the comments sections of blogs as storage. Imagine, the numbers are the data and the names are encoded file names.
Maybe he finally implemented a prototype.
Clicking randomly through blogger, I like to flag obvious spam blogs, or google pay-per-click blogs that serve only as havens for search-terms — or something.
It gets harder and harder to tell which are legitimate blogs and which are scam-havens. Could someone really be tracking all of the “mortgage rates in Talahassee FL” on their blog? So impersonally? Not blogging the true reasons for various rates (regardless of the industry) but instead blogging all of the market spin, without a trace of irony? It’s got to be a breeding ground for something.
Maybe it’s the machines rising up.
Probably just another one of Google’s recruiting tools.
Figure out the puzzle, get a swanky job at the Googleplex.
:)
I asked a computer network security geek (with serious cred) what he thought. He said it was probably the following:
“…an innocuous worm/DoS test–sometimes used as smokescreen
to force an IDS to shorten its window to cover low-and-slow stealth attacks and probes.”
OK. perhaps someone knows what that means?
Bolt: My interpretation of that is that it’s essentially the same theory as Stephen VanDyke et al: post some stuff that isn’t interpreted as spam or other badness, in order to shift the software’s estimate of your IP address’s badness later. If that’s the reason, then the five digits are probably just there to make each comment different.
(If I were doing it I’d markov-chain the other blog text.)
Oh, and my bowl had 94011 cornflakes this morning.
24601 cornflakes…
i’m curious if the women’s initials are actually the useful part, combined w/ the numbers.. like
Betsy Markum = BM19830
Allison Trump = ATxxxxx etc
the initials would identify which cipher to use.. or something similar .. (shrug)
The spy angle seems unlikely since this would be a poor way to transmit information. The IP addresses are tracked so posting computers could be determined, and access to the messages / postings could be logged. There are better ways to communicate that are more secure and secret.
SPAM tracking seems like a possible reason, but you have to wonder why is it necessary? Couldn’t spammers just track the posting of actual spam advertising instead of these fake messages?
If you were selling an application that spammed blog sites you might want to do the spidering separately so that the end users don’t have to spider sites themselves. In this case you might have it set up so that you spider the sites and spam to them with the identifier, and then the end user spamming application googles for the identifier to get its spam lists. Maybe this is too far fetched.
Maybe google is spamming sites to see which sites are spammable and then it can lower their PR. This would be evil though and unlike google.
Maybe this is a way for zombie / spywared computers to report back information about the infected machine (or info about the bot network etc). Probably not enough information passed over though since 5 digits can only store 16 bits which isn’t even enough for an IP address.
So this leaves the only remaining possibility: aliens are using our blogs as a mechanism to synchronize their invasion and the numbers are a timer counting down to the invasion time.
Has anyone else been getting emails that only contain numbers (just 3
or 4) in the subject and body??
the weird thing is the from address is the same as the destination
address ie spoofed.
Several users at work got these messages today, and while I am sure the
users don’t have a virus, it’s hard to convince them of that when I can’t
explain the source or reason for the email.
http://groups.google.com.au/group/comp.security.misc/browse_thread/thread/112454fe3ebf2f47/5ee179bc57d5eab6?hl=en#5ee179bc57d5eab6
I’ve had these things on my wordpress based blog, so I started looking around here, when the following occurred.
I run a wiki, a mediawiki-based website that is editable by everyone.
Since two days we’ve had some spammers editing the frontpage, and they only add a series of 24 digits.
eg: 609862507587469905368605
Could this be something similar. Anyone seen this somewhere else?
I had cornflakes for breakfast, I guessed there were 38855 flakes in the bowl.
Ok, now that I got that out I think this is really fascinating. Although I would say that the name is the “tracking number” and the number is (part of) the message itself. Simply because the message is only changing if the number changes as well. (At least for that Alison)
So yeah, this could be used for transmitting a message.
I also receive lots of spam mails that don’t really contain anything, sometimes just some text but no links or whatever.