Comments on: Five-Digit Blog Spam

By: Thorsten

Thorsten — Thu, 17 Aug 2006 07:58:39 +0000

I had cornflakes for breakfast, I guessed there were 38855 flakes in the bowl.

Ok, now that I got that out I think this is really fascinating. Although I would say that the name is the “tracking number” and the number is (part of)the message itself. Simply because the message is only changing if the number changes aswell. (At least for that Alison)

So yeah, this could be used for transmitting a message.

I also recieve lots of spam mails that doesn’t really contain anything, sometimes just some text but no Links or whatever.

By: PoofBird

PoofBird — Sat, 17 Jun 2006 00:36:14 +0000

I’ve had these things on my wordpress based blog, so I started looking around here, when the following occured.

I run a wiki, a mediawiki-based website that is editable by everyone.
Since two days we’ve had some spammers editing the frontpage, and they only add a series of 24 digits.

eg: 609862507587469905368605

Could this be something similar. Anyone seen this somewhere else?>

By: Greg

Greg — Wed, 07 Jun 2006 05:17:36 +0000

Has anyone else been getting emails that only contain numbers (just 3
or 4) in the subject and body??
the weird thing is the from address is the same as the destination
address ie spoofed.
Several users at work got these messages today, and while i am sure the
users dont have a virus, its hard to convince them of that when i cant
explain the source or reason for the email.

http://groups.google.com.au/group/comp.security.misc/browse_thread/thread/112454fe3ebf2f47/5ee179bc57d5eab6?hl=en#5ee179bc57d5eab6

By: Trevor

Trevor — Wed, 31 May 2006 13:54:53 +0000

The spy angle seems unlikely since this would be a poor way to transmit information. The IP addresses are tracked so posting computers could be determined, and access to the messages / postings could be logged. There are better ways to communicate that are more secure and secret.

SPAM tracking seems like a possible reason, but you have to wonder why is it necessary? Couldn’t spammers just track the posting of actual spam advertising instead of these fake messages?

If you were selling an application that spammed blog sites you might want to do the spidering seperatly so that the end users don’t have to spider sites themselves. In this case you might have it setup so that you spider the sites and spam to them with the identifier, and then the end user spamming application googles for the identifier to get its spam lists. Maybe this is too far fetched.

Maybe google is spamming sites to see which sites are spammable and then it can lower their PR. This would be evil though and unlike google.

Maybe this is a way for zombie / spywared computers to report back information about the infected machine (or info about the bot network etc). Probably not enough information passed over though since 5 digits can only store 16 bits which isn’t even enough for an IP address.

So this leaves the only remaining possibility: aliens are using our blogs as a mechanism to synchronize their invasion and the numbers are a timer counting down to the invasion time.

By: yitz

yitz — Wed, 31 May 2006 06:16:02 +0000

24601 cornflakes…

i’m curious if the women’s initials are actually the usefule part, combined w/ the numbers.. like
Betsy Markum = BM19830
Allison Trump = ATxxxxx etc
the initials would identify which cipher to use.. or something similar .. (shrug)

By: Wim L

Wim L — Tue, 30 May 2006 23:01:42 +0000

Bolt: My interpretation of that is that it’s essentially the same theory as Stephen VanDyke et al: post some stuff that isn’t interpreted as spam or other badness, in order to shift the software’s estmate of your IP address’s badness later. If that’s the reason, then the five digits are probably just there to make each comment different.

(If I were doing it I’d markov-chain the other blog text.)

Oh, and my bowl had 94011 cornflakes this morning.

By: Bolt Upright

Bolt Upright — Tue, 30 May 2006 21:36:16 +0000

I asked a computer network securty geek (with serious cred) what he thought. He said it was probably the following:
“…an innoccuous worm/DoS test–sometimes used as smokescreen
to force an IDS to shorten its window to cover low-and-slow stealth attacks and probes.”

OK. perhaps someone knows what that means?

By: Tripp

Tripp — Tue, 30 May 2006 18:36:26 +0000

Probably just another one of Google’s recruiting tools.

Figure out the puzzle, get a swanky job at the Googleplex.

By: tv

tv — Sun, 28 May 2006 14:15:03 +0000

Clicking randomly through blogger, I like to flag obvious spam blogs, or google pay-per-click blogs that serve only as havens for search-terms — or something.

It gets harder and harder to tell which are legitimate blogs and which are scam-havens Could someone really be tracking all of the “mortgage rates in Talahassee FL” on their blog? So impersonally? Not blogging the true reasons for various rates (regardless of the industry) but instead blogging all of the market spin, without a trace of irony? It’s got to be a breeding ground for something.

Maybe it’s the machines rising up.

By: Flood

Flood — Fri, 26 May 2006 18:18:48 +0000

A friend of mine (math major) once suggested a file system using the comments sections of blogs as storage. Imagine, the numbers are the data and the names are encoded file names.

Maybe he finally implemented a prototype.