The upload spammer
Webspam is constantly evolving. A while ago a spammer told us that spammers had long since moved on from what we anti-spammers were writing about: that webspam had moved on from comment spamming blogs. And I was sure he was right. What I’m seeing now is the newbies spamming my blog, the spammers who don’t yet know what they’re doing, for the most part, with a few comment spammers who rely on inventive wording thrown in.
Today I’ve been on the trail of a spammer who’s constantly trying new things. He’s been at this for a long time: Eugene Blagodarny (some of you are no doubt tired of my talking about him). Lately he’s been using upload scripts to place spammy pages on otherwise clean sites. Not links to spammy pages, but regular throwaway pages that redirect to his money sites or his affiliate links. There might be other spammers doing the same thing; I just haven’t found their trails yet.
And this guy is using any upload script he can find. He’s not just searching for specific types of scripts. In one case I confirmed that he misused a custom written script that was used on ONE website.
In addition to any upload script he can get to accept his HTML pages (usually with a .htm extension), he’ll leave comments or user profiles anywhere his javascript redirects will work. Some of his favorites are HyperNews (comments), Twiki (user profiles) and SnipSnap (user profiles with uploads). He’s also (I assume) signed up for user accounts at compuserve in Germany.
He then comment spams other websites with links to his upload pages and redirect enabled comments, in order to get them into search engines. They’re often hidden on the websites he’s uploaded them to, so he needs to get them linked by other means.
What does all this mean?
If you’ve got a website with an upload script that accepts HTML files, you need to be alert. Either recode it so it doesn’t accept HTML files, have a good admin interface and check it for uploads every day, or remove the script altogether. Another possible option, if you haven’t been targeted yet, is to add a robots.txt file that bans search engine indexing of the directories your uploaded files are deposited in.
If you’ve got an interactive script on your website, make sure it doesn’t allow javascript redirects. That includes old scripts for guestbooks, forums, etc.
If you’ve got a free website service, such as free homepages, free blogs, free groups, free forums, you need to recode those services so javascript redirects won’t work. Disabling iframes and frames pointing to somewhere else would also be proactive. I know of at least one free webhost who runs scripts every night, looking for certain keywords that spammers tend to use, and then disabling pages en masse. Identifying obfuscated redirects would also help you remove other sites with those redirects on them.
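As an added example (not code from this post or from any of the scripts it names), here is a small Python gate that applies the advice above: uploads are refused when they are HTML by extension or by content sniffing (so a page renamed to .txt or .jpg is still caught), and comments or profile text are refused when they carry a javascript location change, a meta refresh, or a frame pointing off-site. Because the post says the redirects are obfuscated, the scanner first unwinds the two encodings most often used to hide them, String.fromCharCode(...) and the %XX encoding fed to unescape(). The extension list, the pattern set, and all sample inputs are assumptions constructed for the example.

```python
import os
import re
import urllib.parse
from typing import List, Tuple

# Extensions treated as HTML pages. Assumed policy values, not taken from the post.
HTML_EXTENSIONS = {".htm", ".html", ".xhtml", ".shtml", ".phtml"}

# Markup that makes a browser render a file as a page whatever its extension says.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|frame|meta)\b", re.I)

# The redirect mechanisms the post warns about (javascript location changes,
# meta refresh, frames pointing off-site) plus the decoding calls used to hide them.
REDIRECT_PATTERNS = [
    ("js_location", re.compile(
        r"(?:\b(?:window|document|top|parent|self)\s*\.\s*)?\blocation\b\s*"
        r"(?:\.\s*(?:href|replace|assign)\s*)?[=(]", re.I)),
    ("meta_refresh", re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("frame", re.compile(r"<i?frame\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//", re.I)),
    ("obfuscation", re.compile(
        r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)),
]

FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
PCT_ENCODED = re.compile(r"(?:%[0-9a-fA-F]{2})+")


def _from_char_codes(match: "re.Match") -> str:
    # Turn String.fromCharCode(119,105,...) into the literal it builds; skip invalid code points.
    return "".join(chr(int(n)) for n in re.findall(r"\d+", match.group(1)) if int(n) <= 0x10FFFF)


def deobfuscate(text: str, rounds: int = 3) -> str:
    """Peel off the two encodings most often layered over a redirect: String.fromCharCode(...)
    and %XX percent-encoding (as fed to unescape()). Repeated so nested layers unwind."""
    for _ in range(rounds):
        decoded = FROMCHARCODE.sub(_from_char_codes, text)
        decoded = PCT_ENCODED.sub(lambda m: urllib.parse.unquote(m.group(0)), decoded)
        if decoded == text:
            break
        text = decoded
    return text


def find_redirects(content: str) -> List[str]:
    """Names of the redirect mechanisms found in user-submitted text, after deobfuscation."""
    decoded = deobfuscate(content)
    return [name for name, pattern in REDIRECT_PATTERNS if pattern.search(decoded)]


def is_html_upload(filename: str, data: bytes) -> bool:
    """Reject by extension first, then sniff the first 4 KiB so renamed pages are caught too."""
    if os.path.splitext(filename.lower())[1] in HTML_EXTENSIONS:
        return True
    return HTML_MARKERS.search(data[:4096]) is not None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Gate for an upload script: returns (accepted, reason)."""
    if is_html_upload(filename, data):
        return False, "html content rejected"
    hits = find_redirects(data.decode("utf-8", errors="replace"))
    if hits:
        return False, "redirect detected: " + ", ".join(hits)
    return True, "ok"


def check_user_content(text: str) -> Tuple[bool, str]:
    """Gate for comments and profile fields, where some HTML may be allowed but redirects are not."""
    hits = find_redirects(text)
    return (False, "redirect detected: " + ", ".join(hits)) if hits else (True, "ok")


# Constructed samples for the example (not real spam captures).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_CLEAN_COMMENT = "Great article, thanks for the tips on upload scripts."
# unescape() payload that decodes to: window.location="http://spam.example"
SAMPLE_ESCAPED_REDIRECT = (
    '<html><body><script>eval(unescape("%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D'
    '%22http://spam.example%22"))</script></body></html>')
# fromCharCode payload that decodes to: window.location='http://spam.example'
SAMPLE_CHARCODE_COMMENT = (
    "Nice site! <script>eval(String.fromCharCode(119,105,110,100,111,119,46,108,111,99,97,116,"
    "105,111,110,61,39,104,116,116,112,58,47,47,115,112,97,109,46,101,120,97,109,112,108,101,39))"
    "</script>")
SAMPLE_IFRAME_PROFILE = 'About me: <iframe src="http://spam.example/" width="1" height="1"></iframe>'

if __name__ == "__main__":
    print(check_upload("photo.png", SAMPLE_PNG))
    print(check_upload("readme.txt", SAMPLE_ESCAPED_REDIRECT.encode()))
    for sample in (SAMPLE_CLEAN_COMMENT, SAMPLE_CHARCODE_COMMENT, SAMPLE_IFRAME_PROFILE):
        print(check_user_content(sample))
```

The hits are meant as reasons to refuse or quarantine a submission for review, not as proof of spam: a comment that legitimately says "Location = Germany" will trip the js_location pattern, which is the usual trade-off for a keyword scanner of the kind the post describes the free webhost running nightly. The deobfuscation step is what makes the difference against the "deeply obfuscated" redirects mentioned above; without it, the fromCharCode sample contains no literal "location" at all.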
August 6th, 2006 at 3:02 pm
I don’t think a robots.txt ban on crawling upload directories will make any difference. Spammers don’t care to check robots.txt to see if the spam they leave will ever be indexed.
August 6th, 2006 at 3:29 pm
To Joe:
Spammers generally find their targets through search engines. We know that for a fact. So they’ll find the upload scripts through search engines as well. The uploaded files are generally in another location than the upload script. It’s quite possible the spammer won’t check for robots.txt. But if the upload directory won’t ever be indexed, then his work will be nearly for nothing. The only thing he can hope for are people following his comment spams.
So far it looks like he’s limiting his uploads to one burst per site. Possibly one burst per month.
In other words, this isn’t like comment spamming, where the spam is coming every day. With upload spamming, his best bet is to stay under the annoyance level. If his spam isn’t detected, it gets to stay. So he’ll throttle it back in order to not be detected.
The robots.txt suggestion was for those who desperately want to keep their upload scripts, yet not embarrass themselves in search engines…
Makes sense, right?
August 6th, 2006 at 7:53 pm
Not having the spam on your site show up in search engines certainly makes sense. I was just presuming that was a suggestion to prevent the spam. Even if he can’t search for upload scripts, just finding a site running software that might allow uploads would be enough to try it.
For now this guy may be trying to stay under the radar, but soon all spammers will be doing it and keeping an upload script on your site will just be asking for upload spam.
August 9th, 2006 at 10:26 am
I’ve been noticing increased amounts of spam for stuff like that in the recent weeks. SnipSnap seems to be popular. But the favorite crappy piece of software for your website seems to be “WebBBS”. This masterpiece seems to accept just any input and will happily give you js redirects.
Seems like two of the spamvertised sites I’ve seen today running WebBBS get some 100-200 posts per day, all of it spam, of course.
August 22nd, 2006 at 3:39 pm
Dear huntress. Thank you for contacting me about the FreeASPUpload and thank you for a great article.
I followed your advice and added some text to my site to warn web masters about the pitfalls of adding upload scripts to their sites. Please find it under the “Considerations about deployment” here:
http://www.freeaspupload.net/freeaspupload/documentation.asp
Best of luck hunting spammers,
Marcelino Martins
October 1st, 2006 at 3:02 pm
Our company provides free website hosting using our own proprietary site design tools, and we recently added a file storage tool to the site. We wrote a pretty sophisticated anti-phishing application that prevents uploads of about 95% of phishing scam pages, but we’ve been running into a recent problem with these redirect/blogspam combos where the perpetrator uploads a deeply obfuscated javascript redirect to a spam site, then blogspams thousands of other people’s insecure blogs with links to our urls where their redirect pages are hosted.
Anyone out there have suggestions of ways we could prevent/detect such junk? Our Terms of Service explicitly prevent such sites (as well as spyware, malware, gambling, viruses, etc.) and we’re trying to do everything we can to keep our hosting environment clean and usable for legitimate sites.