Archive for the ‘Forum spam’ Category

Cookie stuffing images on forums

Wednesday, November 26th, 2008

I got an e-mail from a forum owner, asking about a particular behavior on his forum.

Several people had signed up for accounts and were posting low-content posts on lots of threads. Looked like just another “me too” type poster until they saw a broken image link in edit view. The image didn’t show up in the post that he could see. Hence the mail to me.

One of the user names was SEOdeveloping, which made the forum owner do some digging. He turned up a Cookie Stuffing script posted for sale by someone by the same nick.

I checked out the image link, and found there were a couple of 302 redirects in place, which made me think something was up - no point in using PHP redirects unless you’re up to something.

So I connected the two dots, and searched for these words:

cookie stuffing images

I found an article by former regular Esrun, explaining the technique. It’s the technique labeled image/2. Basically, they’re shoving a cookie on your system. Presumably they’re an affiliate of some well known site, and if you happen to visit that site and sign up or buy something, the cookie stuffer will get the signup bonus or affiliate percentage.

So time to send out a warning: Be careful about allowing your users to post images pointing to sites other than those you control. Otherwise you might have to check the images carefully.

This time, the domain the image sat on was photo-shack.com, which closely resembles a well-known image hosting site. And although the image didn’t work the first time I checked one of the posts, it did the second time. I did receive a cookie from photo-shack.com each time I loaded that forum post, whether or not the smiley was visible. It was a nice Christmas smiley, and I’m guessing that spam campaign has been quite successful - they’re posting manually, the posts are on topic, and they’re behaving themselves. It doesn’t appear to be spam, because there’s no visible payoff.

But they ARE stuffing cookies.

Here’s a random hit from Google, with not one but TWO images loading from his fake image hosting site.
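One way a forum owner could check a posted image for the behaviour described in this post, as an added example that is not part of the original post: the script reads the header blocks that `curl -sIL <image-url>` prints for each hop and reports redirects, cookies set along the way, and a final response that is not an image. The sample dump and its host names are constructed placeholders.

```python
import re

# Constructed sample: header blocks as printed by `curl -sIL <image-url>`,
# one block per hop. Host names are placeholders, not the ones in the post.
SAMPLE = """\
HTTP/1.1 302 Found
Location: http://tracker.example/go.php?id=7
Content-Type: text/html

HTTP/1.1 302 Found
Location: http://img.example/smiley.gif
Set-Cookie: aff=12345; expires=Fri, 26-Dec-2008 00:00:00 GMT; path=/

HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1432
"""

def parse_hops(raw):
    # Split the dump into [(status, {header-name: [values]}), ...], one per hop.
    hops = []
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.splitlines()
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        hops.append((status, headers))
    return hops

def audit_image(raw):
    # Return the findings that make a posted "image" worth a closer look.
    hops = parse_hops(raw)
    findings = []
    redirects = [s for s, _ in hops if 300 <= s < 400]
    if redirects:
        findings.append(f"{len(redirects)} redirect(s) before the final response")
    for i, (_, headers) in enumerate(hops, 1):
        for cookie in headers.get("set-cookie", []):
            findings.append(f"hop {i} sets cookie '{cookie.split('=', 1)[0]}'")
    final_type = hops[-1][1].get("content-type", [""])[0]
    if not final_type.startswith("image/"):
        findings.append(f"final content type is '{final_type or 'missing'}', not an image")
    return findings

if __name__ == "__main__":
    print(audit_image(SAMPLE))
```

A cookie on any hop is reported even when the final response is a real image, which matches the observation above that the cookie arrived whether or not the smiley was visible.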

More gobbledygook Google Groups

Friday, September 26th, 2008

I’ve strayed into Google Groups again, and happened to find a search term that gave me plenty of spam group hits:

pharmacy direct

I’m guessing there are hundreds of letter soup groups, but the MO has evolved since last time there was a cleanup over there (Google removed the groups I complained about last time).

This time many of the groups have several members. I’ve seen up to 14 members (presumably all alternate IDs of spammers), but there’s no set number of members. It depends on how old the group is. Older groups have more members, and in addition to pages, which seem to be created when the group is new, the older the group is, the more likely it is to also have mail messages. Some of these groups have open membership, so it’s possible the mails are from spammers other than the one that started the group.

The groups now also often have a description. I’ve seen “Father Brown” several times, and many of the descriptions look like remixed text from a book, possibly about Father Brown? The text reads like gobbledygook: The sentences make sense when read by themselves, but it looks like sentences have been spliced together without any regard to context. Some groups also have lists of near identical spam terms.

There’s literally no end to the number of spam groups that have included those search terms in at least one message, so one Google technician will have a heck of a job removing all that crap!

What to do about illegal websites

Monday, September 15th, 2008

There’s a discussion today in Norway about a website set up to funnel people to pay porn sites. The website itself is a discussion forum, where people routinely upload pornographic pictures. Many of those pictures are illegal, such as photos taken of unwitting girls on beaches. There’s also misuse of famous people’s pictures, stolen from various places.

They’ve managed to figure out who owns the website, but part of the discussion is what to do about the website - the server is in another country, and it might be extremely difficult to get it shut down.

I just wanted to suggest another solution:

Block it with DNS.

It’s doable on a national level. Italy did it with Pirate Bay. Of course, it won’t keep out the persistent pervs, but a DNS ban - after a court process of suitable nature - would at least make the domain less viable commercially - and that’s the point!

Letter soup spam groups on Google

Sunday, May 18th, 2008

I was searching Google Groups for a particular domain (sorry, can’t mention it here).

I was looking for hits in Usenet’s news.admin.net-abuse hierarchy. I did find two examples of spam e-mails.

But what I found next is what surprised me.

Apparently some spammer had at some time posted porn in the forum of this site, and then included that link in lots of spammy porn posts. Either that, or it’s just included as undisputedly “good” content.

But the kicker was where this was posted:

Letter soup groups on Google Groups. These groups were created with one goal: To serve as places to post spam. Let me give you an example:

http://groups.google.com/group/zdhwaaqb/about?hl=en

That’s the about page for the group. Notice there’s just ONE member? And only members can post? No discussions, only pages.

Forum spam dilemma

Tuesday, October 2nd, 2007

A blog reader e-mailed me and asked for advice. She’d just opened a phpBB forum on her site, and had discovered too late that spammers had started posting porn spam posts full of smutty pictures. The spammers then posted the links to those posts on other forums.

She’s now worried her domain name is tarnished because it appears in Google searches along with porn content. So she’s contemplating abandoning her domain name, even though she’s invested a lot of work into it, since it’s also her moniker.

So, apart from abandoning her domain name, what are her options? Some of the posts pointing to her site are on porn forums, so I doubt she could get those posts deleted.

Would it be possible for Google to drop all posts with links to her forum, if she sent Google a list of specific URLs that appear in their index? Any Google Guy around to answer that one?

Another alternative: Find out how they’re generating the tiny font, then make a filter that removes all phpBB pages that contain that particular code in a particular location! BTW, I identified the code, and it’s (I’ve removed the tags, or Wordpress goes nutso): span style font size 1px and line height normal. Could someone give some feedback on where inside a phpBB post that code would be used legitimately?

And since I’m addressing this ball of wax, I’ll also do a short analysis on the spam.

First of all, they include loads of pictures. They’re loading from this site: trafflow.com

If you load that site, you get a message that there’s nothing to see there, and to go on to freerhost.com, which is a free hosting site. Both sites are owned by the same person - previewtgp.com. That e-mail address is on a list of owners of Malware domains. One of his domains is tagged for distributing Zlob.

Below the pictures, there’s a long porn text, and under that is a list of links in tiny font (not human readable) that points to other forum posts where they’ve posted porn.

Under that, there’s a list of links that link to keyword rich URLs promising different types of video related software. Anything from keygen to porn. Same tiny font.

I’ve checked the domains in these links, and so far they all belong to the same IP subnet (except one), and they’re all connected by whois identity, dns servers or subnet:

207.176.39.228
207.176.39.230
207.176.39.232
207.176.39.235
207.176.39.238
68.178.232.99

Normally, I’ll need to put in a disclaimer, saying that the spammer and owner of the domains may not be one and the same. The same is true here, but I’d like to add one more fact: The non-porn spam links at the bottom of the posts point to pages where I’ve found links to trafflow.com.
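A sketch of the filter idea from this post, added here as an example and not code from the original post or from phpBB: it flags a post only when links sit inside a span with a tiny inline font size, so a small-font span without links is left alone. The exact markup (`<span style="font-size: 1px; line-height: normal">`), the 2px threshold and the sample posts are assumptions reconstructed from the description above.

```python
import re
from html.parser import HTMLParser

TINY_PX = 2  # assumed threshold: text this small is not human readable

class TinyLinkFinder(HTMLParser):
    """Collect hrefs of links nested inside spans with a tiny inline font size."""

    def __init__(self):
        super().__init__()
        self.span_stack = []  # one bool per open <span>: True if it is tiny
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "span":
            m = re.search(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*px",
                          attrs.get("style") or "", re.I)
            self.span_stack.append(bool(m) and float(m.group(1)) <= TINY_PX)
        elif tag == "a" and any(self.span_stack) and attrs.get("href"):
            self.found.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "span" and self.span_stack:
            self.span_stack.pop()

def find_hidden_links(post_html):
    finder = TinyLinkFinder()
    finder.feed(post_html)
    return finder.found

# Constructed sample posts; hosts are placeholders.
SPAM_POST = (
    '<img src="http://images.example/1.jpg"> long text '
    '<span style="font-size: 1px; line-height: normal">'
    '<a href="http://forum-a.example/viewtopic.php?t=1">x</a> '
    '<a href="http://forum-b.example/viewtopic.php?t=2">y</a></span>'
)
NORMAL_POST = (
    '<span style="font-size: 18px; line-height: normal">Big news</span> '
    '<a href="http://example.org/">link</a>'
)

if __name__ == "__main__":
    print(find_hidden_links(SPAM_POST))
    print(find_hidden_links(NORMAL_POST))
```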

Old Invision forums hacked again

Monday, October 1st, 2007

I’ve got an old Invision forum. The latest free version. And yes, I know, it’s a bad idea. But it’s been the only solution for having a decent featured pre-moderated forum for a while, unless you want to pay for the software.

So, it’s gotten hacked a few times. And this last time it was embarrassing:

They posted AS ME!

The topic title was “please help”, and the content was one link:

blueice77.com/server.exe

I haven’t checked out the program. I’ll leave that to the security geeks. My forum wasn’t the only one that got hacked like that. They always post as one of the admins, and there’s nothing more than the link in the post.

IP used: 195.22.229.24

It’s an open proxy, so doesn’t help much. And the user agent is the latest English language Firefox version.

The website with the exe file on it appears to have been hacked. The file existed on the server when I tested it, though I don’t know what it contains. Since it’s been hacked, I won’t post the whois here, and I’ll contact the owner.

And on the topic of pre-moderation (I only checked for PHP software): vBulletin and Invision have pre-moderation. But they’re both commercial software (except for the old version of Invision, that’s got more security holes than a sieve), so not an option for all. Simple Machines and phpBB have promised pre-moderation in the next major version. phpBB has a release candidate with pre-moderation currently available. miniBB has pre-moderation currently, but the new posts will show - you just can’t see the content until approved.

E-mail harvesting on forums?

Tuesday, December 19th, 2006

Someone posted this on a forum I own:

Hi everyone, I am new on your forum www.nameofsite.com, I’ve been reading it for a while, and decided to try my luck asking a few questions
Who can tell me more in detail about the “name of subforum”. Please Mail Me..!!
Best Regards..!!

To me that sounds like a spammer. Either an attempt to get a specific wording on to a forum, and then spam a forum that accepts the post like crazy. Or an attempt to harvest e-mail addresses?

The username was MelliFobian.

Botmaster software

Wednesday, December 13th, 2006

I found this thread in my referrers: Botmaster software discussion at Theadminzone.

I’m still a bit snowed under with work. Hopefully I’ll get time to do some investigation soon.

Spammer security 101

Friday, December 1st, 2006

Just totally precious. Read what this forum administrator did to a spammer. Said spammer seemed to believe in recycling of passwords…

Ownage time

For the record: I’ve never done anything like that. Not into “ownage”.

Thanks to evariste for the tip

Nonsense forum posts without links

Friday, November 17th, 2006

I was just stumped when moderating a forum I own. I got the same post that was posted here, except the post on my forum didn’t have the text pasted in several times:

Nonsense post

And I’ve been getting several of them lately. I’ve found the best way to deal with them is to search for specific sentences in the posts. If they can be found on several forums, the posts are fake - they’re not entered by users, but by bots.

Question is, what’s the point? A test run to see what forums the posts stick to?