Archive for September, 2006

Trac ticket system susceptible to redirects

Thursday, September 7th, 2006

Trac 0.10b1, the ticket system by Edgewall Software, is susceptible to spammy redirects.

Check out this ticket (Update: the administrator removed the attachments) on the lighttpd site.

Two of the attachments are placed by spammers.

When ?format=raw is appended to the attachment URL, the redirects work, and that is the URL the spammers spamvertize.

In this case, the spammers appear to use ordinary JavaScript hosted elsewhere to perform the redirect.

The developers have been notified.

Check out the scope of the problem by using this Google search.

Skimmers comment spam

Wednesday, September 6th, 2006

I had some comment spam in July that proposed to sell credit card skimmers for ATMs. The kicker is that he’s then proposing to buy the information gathered by the skimmers.

He’s operating with an e-mail address and an ICQ address. That ICQ address is still operational.

I mean, come on, can we have some law enforcement types lay a trap for this guy? Let me know and I’ll send you the ICQ number.

British identity theft article

Wednesday, September 6th, 2006

The Sunday Times broke a story on stolen identities (credit card details etc.) being sold on a Russian website.

The website, carder.info, is now offline.

There was an earlier story, and I found a long version of it on an Infosec discussion list.

We’ve had comment spam on here that offered skimmers for sale, and also (if I remember correctly) credit card details.
It’s also interesting to note that only some of the victims of this site knew something was wrong with their computer.

Spamfighter protection on redirects

Monday, September 4th, 2006

I’ve found a number of spam pages on Plone installations that include protection against spamfighters and other irate people.

Simply put, if you access the documents uploaded by the spammers directly, that is, not from a search engine link, you’re treated to a message that insists the page doesn’t exist.

It’s fake: the message is produced by JavaScript.

There are still a lot of susceptible installations out there. Go visit the Plone community NOW for an update, and block search engine spiders from your Member uploads directory using robots.txt, now!

Other people discuss this:

Performancing

Plone-website list 

SERVER ERROR

Monday, September 4th, 2006

I checked a spamvertized domain (freshly spammed today from host168.canaca.com).

It responded with this text:

SERVER ERROR

Trouble is, I saw that text in a text browser that also showed the status code: 200, which means OK. So in essence there is no server error; an (internal) server error has status code 500. It’s just a ploy to throw off irate bloggers. That domain will serve up content later on.
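The check described above, comparing what the page body claims with what the HTTP status code says, as an added example that is not part of the original post. It runs a stand-in server on a loopback port that answers 200 OK with the body "SERVER ERROR" (mimicking the spamvertized domain; the real host is not contacted), probes it, and classifies the reply. The phrase list and the "error-probe" user agent are assumptions.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Phrases a spam page uses to pretend it is broken or missing (constructed list,
# seeded from the "SERVER ERROR" body described in the post)
ERROR_PHRASES = ("server error", "not found", "doesn't exist", "does not exist")


def classify(status, body):
    """Compare what the page text claims with what the HTTP status code says.

    A real server error carries a 5xx status; a body that claims an error while
    the status is 200 is the ploy described in the post.
    """
    claims_error = any(p in body.lower() for p in ERROR_PHRASES)
    if status >= 500:
        return "real-server-error"
    if status >= 400:
        return "client-error"
    if claims_error:
        return "fake-error"  # 2xx status, body pretends to be broken
    return "content"


def probe(url):
    """Fetch url and return (status, body); HTTP error replies still yield their status."""
    req = urllib.request.Request(url, headers={"User-Agent": "error-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


class _FakeErrorHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the spamvertized host: answers 200 OK with 'SERVER ERROR'."""

    def do_GET(self):
        body = b"SERVER ERROR"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run the stand-in server on a loopback port, probe it, classify the reply."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeErrorHandler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        status, body = probe(f"http://127.0.0.1:{port}/")
    finally:
        server.shutdown()
        server.server_close()
    return status, body, classify(status, body)


if __name__ == "__main__":
    status, body, verdict = demo()
    print(f"status={status} body={body!r} verdict={verdict}")
```

Point probe() at a real URL and classify() gives the same verdict a text browser that shows the status line would let you reach by eye: a 200 with an error-looking body is content waiting to be switched on, not a broken host.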

Block redirect code

Monday, September 4th, 2006

I just checked a random blogspot spam URL. It had a working redirect. And I realized several web services could block on a pattern I recognized:

These are the character codes for document.location:

100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110

Spammers usually change it, so it might look like this:

100!111!99!117!109!101!110!116!46!108!111!99!97!116!105!111!110!

Scan and block on that pattern and you tag quite a lot of spam, but not all of it.
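A scanner for the pattern above, as an added example and not code from the original post. Rather than pinning the separator to a comma or an exclamation mark, it finds any run of character codes with whatever punctuation the spammer put between them, decodes the run, and looks for document.location in the result. It also covers the Plone trick from the "Spamfighter protection on redirects" post: a document.referrer test sitting next to a fake "page doesn't exist" message. The window.location and location.href needles, the eight-number minimum, and all sample lines are constructed assumptions.

```python
import re

# A run of at least eight 2-3 digit numbers separated by 1-3 punctuation or
# whitespace characters, e.g. "100, 111, 99, ..." or "100!111!99!...".
# Spammers vary the separator, so it is not pinned to a comma.
CHARCODE_RUN = re.compile(r"(?<!\d)\d{2,3}(?:[^A-Za-z0-9\n]{1,3}\d{2,3}){7,}(?!\d)")

# Decoded strings that mean "send the visitor elsewhere" (document.location is
# from the post; the other two are assumed additions of the same kind)
REDIRECT_NEEDLES = ("document.location", "window.location", "location.href")

# The Plone trick: JavaScript that checks where the visitor came from and shows
# a fake "page doesn't exist" message to anyone not arriving via a search engine
REFERRER_CHECK = re.compile(r"document\.referrer", re.I)
FAKE_MISSING = re.compile(r"doesn.?t exist|does not exist|not found|server error", re.I)


def decode_charcode_runs(text):
    """Return every printable ASCII string hidden in text as a run of char codes."""
    decoded = []
    for match in CHARCODE_RUN.finditer(text):
        codes = [int(n) for n in re.findall(r"\d+", match.group(0))]
        if all(32 <= c <= 126 for c in codes):  # only runs that decode to text
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def flag(text):
    """Return (reason, evidence) for the first spam tell found in text, else None."""
    for plain in decode_charcode_runs(text):
        for needle in REDIRECT_NEEDLES:
            if needle in plain.lower():
                return ("charcode-redirect", plain)
    if REFERRER_CHECK.search(text) and FAKE_MISSING.search(text):
        return ("referrer-gate", "document.referrer test paired with a fake not-found message")
    return None


# Constructed samples, not captured from any real spam page
SAMPLES = {
    "plain_codes": "var l = String.fromCharCode(100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110);",
    "bang_codes": 'x = "100!111!99!117!109!101!110!116!46!108!111!99!97!116!105!111!110!";',
    "referrer_gate": "if (!/google|yahoo|msn/.test(document.referrer)) { document.write(\"The page doesn't exist\"); }",
    "benign": "<p>Call 555 1234 between 09 and 17, Monday to Friday.</p>",
}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name}: {flag(line)}")
```

Run flag() over each fetched page body (or each comment before it is saved) and act on the reason: the decoded string is what the obfuscation was hiding, so it doubles as evidence when you report the page. Short numeric runs such as phone numbers never reach the eight-number minimum, which keeps ordinary text from tripping it.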

Protect computer while checking risky sites

Monday, September 4th, 2006

What’s the best way to protect your Windows computer while checking risky sites, such as spamvertized sites?

Those who want to study what the malware does tend to use a virtual machine, such as VMware. Also check out the Wikipedia article on virtual machines. There’s also something called a Browser Appliance from VMware.

Regular people who just want to protect their computers seem to like Sandboxie.

What do you guys use?

Anyboard forums susceptible to redirects

Saturday, September 2nd, 2006

I found some spam for uploads on a forum powered by the anyboard forum software. Here’s an example of a working redirect (will probably be removed by tomorrow):
strongisland.com/anyboard9/si-anyboard/uploads/cheap-fioricet.html

The developers have been notified.

It should be possible to ban search engine spiders from the uploads directory via robots.txt. The forum would still be indexed. If you own a forum like that, please consider doing that, even if the developers make a fix available.
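Both this post and the Trac one above come down to the same thing: a file a stranger uploaded is served back inline, so an HTML attachment runs its redirect in the visitor's browser. Hiding the directory from spiders with robots.txt limits who finds it; the following is an added example (not Anyboard's, Trac's or Plone's own code) of the server-side half, a header policy that delivers every upload as a download and never lets markup render. The marker list, the 1024-byte sniff window and the sample uploads are assumptions.

```python
import mimetypes
import posixpath
from urllib.parse import quote

# Types a browser renders as a document, and so would execute scripts or
# meta-refresh redirects from. Constructed list; the page's cases are HTML.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}
# Byte markers that betray markup even when the file extension says otherwise
ACTIVE_MARKERS = (b"<script", b"<html", b"<meta", b"<body", b"javascript:", b"<svg")


def looks_active(head):
    """Sniff the first bytes of an upload for markup a browser would execute."""
    return any(m in head.lower() for m in ACTIVE_MARKERS)


def upload_headers(filename, data):
    """Build response headers that make a user upload safe to serve from the site.

    Assumed policy (not any forum or tracker's own code): every upload goes out
    as an attachment, never inline; anything that is or looks like markup goes
    out as an opaque byte stream; nosniff stops the browser guessing otherwise.
    """
    name = posixpath.basename(filename) or "download"  # drop any path parts
    guessed, _ = mimetypes.guess_type(name)
    ctype = guessed or "application/octet-stream"
    if ctype in ACTIVE_TYPES or looks_active(data[:1024]):
        ctype = "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f"attachment; filename*=UTF-8''{quote(name)}",
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(data)),
    }


if __name__ == "__main__":
    # Constructed uploads: a spam HTML redirect, markup hiding behind .txt, a photo
    samples = {
        "cheap-pills.html": b"<html><script>document.location='http://spam.example/'</script></html>",
        "notes.txt": b"<html><meta http-equiv=refresh content='0;url=http://spam.example/'>",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }
    for name, data in samples.items():
        print(name, upload_headers(name, data))
```

With this in place a spamvertized link to an uploaded .html file produces a download prompt instead of a redirect, and the spider block in robots.txt becomes a second layer rather than the only one.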

Guesspam on Gmail

Saturday, September 2nd, 2006

I created a Gmail account for my mom a few months ago. We gave the address to one other person, and then forgot about it. I found it again today and logged in.

She had 6 messages from her friend, and 46 spam messages (anything from before August 2 had been auto-deleted).
This for an address that’s never been in circulation.

Why? Her username is in the Norwegian dictionary…

212.13.99.14 referrer spammer

Saturday, September 2nd, 2006

I found this referrer:

http://localhost/spamit/index.php

That presumably means there’s a script on that IP (212.13.99.14) that spams.

I found some referrer spam, with spam pointing to other people’s blogs and galleries with lots of spam comments on them. That spamit referrer preceded what looked like a human looking at my blog, with a different user agent than the spamming that preceded it (by less than ten minutes).