P0rn Storm

By Shamus Posted Friday May 12, 2006

Filed under: Rants 8 comments

Comment spam is indeed like weather. Yesterday I think I got one or two spam comments. Today I have several dozen before the morning coffee is gone. But these ones are “interesting”.

Today’s culprit is CTYNN.com. I’m not about to click, but the spams suggest it’s a multi-service porno site, or perhaps just a porno portal made to make a quick buck with banner ads and referrals. All of the comments follow the same pattern:

  1. The commenter name is some fetish or a genre of porn, and links to a related subdomain. So, I’ll get a comment from someone named SEX-WITH-SOMETHING-GROSS and they will link to SEX-WITH-SOMETHING-GROSS.CTYNN.c0m.
  2. The comment itself is mostly harmless, and made to look like a real comment. An example, “*pass it on…post it to your journal and see what others ask YOU!*”. Not exactly Hemmingway, but it looks passable at first glance. I’d have to visit the post in question to see that it’s a non-sequitur. No two comments have the same text so far.
  3. None of the comments has any links in the text, which is another way they are slipping past the filter.
  4. The CTYNN site is not yet listed in the mu.nu blacklist, which suggests that the site is new, or at least new to spamming.

But what really gets me is that every one of them is from a unique IP. These are coming from all over the place. There is no pattern to the numbers.

So what’s going on here? Suddenly, from all over the world, I’m getting spam comments that all point to the same site that follow the same methodology. None of them are dupes. They all link to different subdomains and use different comment text. All of them came within a few hours of each other.

Are these comments coming from malware-infected zombies? From a single guy who is routing his traffic through various sources? If so, has this guy been spamming for a while and I’m only now making it onto his list, or is this a new spammer?

Inquiring (and vengeful) minds want to know…

I know this topic is dull. It’s like hearing someone complain about how hot it is in August. We all feel it, we all deal with it, and bringing it up all the time gets tiresome. I can hear you saying, JUST DELETE YOUR SPAM LIKE THE REST OF US AND SHUT UP ABOUT IT ALREADY!

I don’t know why this facinates me so much, but it does. I’m bothered by the fact that we don’t know more about how spammers work.


From The Archives:

8 thoughts on “P0rn Storm

  1. . says:

    For what it’s worth I’ve been wondering a similar thing about my own spam trends. I seem to be popular among tramadol spammers, and have gotten a slew of spam similar to your own spam, messages to the effect of, “Excellent post, perhaps we can exchange links?” or “Very cerebral! Check out this link I found…”

  2. What they’re doing is to use open proxies. Some of those are just the result of people who don’t know any better. Some of them are the result of hacking. Some are the result of infestation by trojans and worms.

    My server has been getting hit constantly with referer spam from what I’ve been thinking of as the “47 character bandit”, because all the URLs are truncated to 47 characters. Every one comes from a different IP.

    Whoever is doing this, they’re doing it precisely in order to avoid IP blacklists, which means that any kind of automated rejection system would have to be based on content instead of originating IP. (I.e. it would have to use something like a Bayesian filter.)

  3. Pixy Misa says:

    My blacklist only works for trackback spammers at the moment. I’m working on something for comment spam, but it’s not ready yet.

  4. Pascal Monett says:

    I hate spam – like all non-spammers with a mailbox. Recently though, I discovered in the spam I get something that really got under my skin.
    Get this : I am receiving spam from spoofed addresses of my very own domain ! Addresses that don’t exist (of course) !
    So now it’s personal. Send me crap from somebody I don’t know, and I don’t care (much). But if I’m getting spam referring to my own domain, then somebody else is as well.
    Or, at the very least, it’s passing off as a legitimate user on my domain, thus slandering my domain name. That should be a federal offense !
    And I’d be happy to impose the sanction : throw ’em into an arena with a few starving lions, and a few thousand spam victims on the bleachers to cheer on the lions.

  5. Kel'Thuzad says:

    Actually… I NEVER get spam e-mails, which is very good for me. Then again, it’s a college-specific e-mail, so it must have a good spam blocker or something.

  6. Shimmin says:

    Comment #6 is either one of those very spam comments, or a clever parody, possibly by Shamus. I’m not going to try and find out, but you might want to delete it?

  7. Shamus says:

    Shimmin: Wow. I think that one was real. And I’d missed it. It sat there for a whole year.


Thanks for joining the discussion. Be nice, don't post angry, and enjoy yourself. This is supposed to be fun. Your email address will not be published. Required fields are marked*

You can enclose spoilers in <strike> tags like so:
<strike>Darth Vader is Luke's father!</strike>

You can make things italics like this:
Can you imagine having Darth Vader as your <i>father</i>?

You can make things bold like this:
I'm <b>very</b> glad Darth Vader isn't my father.

You can make links like this:
I'm reading about <a href="http://en.wikipedia.org/wiki/Darth_Vader">Darth Vader</a> on Wikipedia!

You can quote someone like this:
Darth Vader said <blockquote>Luke, I am your father.</blockquote>

Leave a Reply

Your email address will not be published.