{"id":38910,"date":"2017-05-31T06:00:10","date_gmt":"2017-05-31T10:00:10","guid":{"rendered":"http:\/\/www.shamusyoung.com\/twentysidedtale\/?p=38910"},"modified":"2017-05-31T03:40:24","modified_gmt":"2017-05-31T07:40:24","slug":"messages-from-spammers-part-6","status":"publish","type":"post","link":"https:\/\/www.shamusyoung.com\/twentysidedtale\/?p=38910","title":{"rendered":"Messages from Spammers Part 6"},"content":{"rendered":"<p>Wednesday&#8217;s usual Nan O&#8217; War episode will appear later this week. I was going to post about <a href=\"https:\/\/www.youtube.com\/watch?v=lHLpKzUxjGk\">the latest talk from John Carmack<\/a>, but I feel like that kind of post needs to simmer for a few days. So rather than leave this spot blank, I thought we might look at the work of a new spammer to the site. <\/p>\n<p>All of the messages in this post arrived from the same IP address, and all of them within a few minutes of each other. All of them bypassed the various spam filters and appeared on the site where the public could see them. (I manually took them down once I spotted them, obviously.) They managed to properly handle the &#8220;Check here if you&#8217;re not a spammer&#8221; checkbox. They managed to spoof <a href=\"https:\/\/akismet.com\/\">Akismet<\/a>, which is my main software-based defense against spam. They also successfully got by the common stuff like keyword filters. One or two of them almost got past the ultimate filter, which is my human brain. That&#8217;s a pretty good night&#8217;s work for a spam bot. (Or perhaps a shameful night&#8217;s work for my spam filters.)<\/p>\n<p>Let&#8217;s meet our first contestant&#8230;<br \/>\n<!--more--><\/p>\n<blockquote><p>\n<strong>javascript obfuscator<\/strong><br \/>\nVery funny. Keep up the good work!<\/p><\/blockquote>\n<p>The text of this comment is totally legit. It&#8217;s not word salad. It doesn&#8217;t have screwball formatting or extraneous non-English characters. It&#8217;s actually IN English. 
It&#8217;s even been left on a funny post, so it checks out. The giveaway here is the name. Now, on any other site the name &#8220;javascript obfuscator&#8221; would immediately get you busted as a spam bot. But around here it could plausibly be some programmer&#8217;s self-deprecating handle. Something like:<\/p>\n<p>Q: So what&#8217;s a javascript obfuscator?<\/p>\n<p>A: Anyone who writes javascript for a living, because JS is self-obfuscating.<\/p>\n<p>But the giveaway here was that the name &#8220;javascript obfuscator&#8221; was also in their domain name. Still, it was a nice try.<\/p>\n<p>So how did this bot manage to post a coherent comment in the proper context? They cheated and copied off of someone else&#8217;s work. That same comment had <a href=\"http:\/\/www.shamusyoung.com\/twentysidedtale\/?p=5015#comment-132463\">already appeared<\/a> on the post.<\/p>\n<blockquote><p><strong>192.168 ll<\/strong><br \/>\nThe ending of Mass Effect 3 is where the problems culminated, not where they began<\/p><\/blockquote>\n<p>The bot tried again just three minutes later. Again, they managed to post a coherent thought. The mistake here was that they quoted the post and not another commenter. Even that might have slipped by if I was being inattentive, but then they used a gibberish name that drew attention to itself. 192.168 is the first part of the default IP of a home router, and it&#8217;s just screaming out &#8220;someone has configured their spambot incorrectly&#8221;. <\/p>\n<blockquote><p><strong>spanish to english<\/strong><br \/>\nVery funny indeed<\/p><\/blockquote>\n<p>Two minutes later. The pattern here is pretty obvious by this point. Again, this comment is simply quoting <a href=\"http:\/\/www.shamusyoung.com\/twentysidedtale\/?p=612#comment-8957\">someone else<\/a>. It would have skated right through, except &#8220;spanish to english&#8221; makes no sense as a username and it matches their URL. 
If they were named &#8220;The Translator&#8221; &#8211; and if it didn&#8217;t come in this rapid-fire bundle of spam &#8211; I wouldn&#8217;t have given it a second look. &#8220;Oh. This guy translates stuff for a living. Good for him.&#8221;<\/p>\n<blockquote><p><strong>bullet force<\/strong><br \/>\nCan&#39;t wait for the next entry!<\/p><\/blockquote>\n<p>Same mistakes. The name is odd enough to grab my attention, where I notice that it matches the URL<span class='snote' title='1'>Don&#8217;t bother looking it up. It&#8217;s a garbage multiplayer shooter for mobiles.<\/span>. Also, the ripped-off comment doesn&#8217;t make sense this time. &#8220;I can&#8217;t wait for the next entry&#8221; made sense <a href=\"?p=36555\">four months ago<\/a>, but that is no longer a plausible response to that post because the next entry has already been posted. 17 of them, in fact.<\/p>\n<p>Last one:<\/p>\n<blockquote><p><strong>json formatter<\/strong><br \/>\nIt was ridiculous. Even without being able to read the code on the slides, you could tell the steps varied widely in operation count, were often split up and in different order, and just looked different.<\/p><\/blockquote>\n<p>Same thing again: Nonsense name that matches the URL posted too soon after other messages with the same M.O. Also, this one repeated the mistake of quoting the post rather than a comment. That&#8217;s actually a spam bot quoting me quoting John Carmack. <\/p>\n<p>I&#8217;ve never seen a spambot behave quite like this one before. If I look in my spam filter nearly everything falls into one of these categories:<\/p>\n<ol>\n<li>Word salad gibberish.\n<li>Giant walls of meandering text unrelated to my site or the spammer&#8217;s URL.\n<li>Non-English.\n<li>Just a big list of URLs.\n<\/ol>\n<p>So this one was kind of refreshing. 
Hopefully Akismet catches up soon so I don&#8217;t have to sort through too many of these by hand.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Wednesday&#8217;s usual Nan O&#8217; War episode will appear later this week. I was going to post about the latest talk from John Carmack, but I feel like that kind of post needs to simmer for a few days. So rather than leave this spot blank, I thought we might look at the work of a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-38910","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/38910","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38910"}],"version-history":[{"count":0,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/38910\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38910"}],
"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}