Phony web-page "comments"

[Pete]

[cross-posted because the apparently most-appropriate group is very
low-traffic!]

I'm curious about the repeated 'malicious' postings the comment handling
software on my web pages is receiving. They never make it all the way
through, because the bots don't understand my particular roadblocks,
but they're logged.

There seem to be three types. The ones I understand are those that
start with a trite 'fortune cookie', followed by kilobytes of hidden
URLs; they are apparently supposed to appear in the page's comments,
and help boost the ranking of the links. Those links are such a strange
mix of blog entries, personal sites and cosmetic ads etc., though, that
I'm still not sure I really understand the point.

More sinister are the ones that just have one or two -- usually disguised or
hidden -- links, to sites with a URL that is an apparently random string
of characters. I would have guessed a trojan-insertion page, but the site
never actually seems to exist! Like this (but on one line):

"gUCy1A <a href=\"http://vpzruwdaatbp.com/\">vpzruwdaatbp</a>,
[url=http://tsn rtgvlqksm.com/]tsnrtgvlqksm[/url],
[link=http://hztmeensennf.com/]hztmeensennf[/link], http://dyqmsjovopcp.com/"

Any info?

Finally, I've been seeing completly random (or encrypted?) strings,
with the appropriate reply-email and subject slots in the post filled in:

email: mt...@hotmail.com
subj: SlvXFakCPvolHanc

owrjkd sk6skN2aP6Vvq18MdGcl

What the heck is *that* all about...?

-- Pete --

--
============================================================================
The address in the header is a Spam Bucket -- don't bother replying to it...
(If you do need to email, replace the account name with my true name.)
============================================================================

[Eli the Bearded]

In comp.infosystems.www.misc, Pete <neve...@GOODEVEca.net> wrote:
> [cross-posted because the apparently most-appropriate group is very
> low-traffic!]

Which one would that be? comp.infosystems.www.misc or alt.spam?

> "gUCy1A <a href=\"http://vpzruwdaatbp.com/\">vpzruwdaatbp</a>,
> [url=http://tsn rtgvlqksm.com/]tsnrtgvlqksm[/url],
> [link=http://hztmeensennf.com/]hztmeensennf[/link], http://dyqmsjovopcp.com/"
> Any info?

Maybe preparation for the future? There is that botnet that searches
non-existant domains for updates to itself (accepting only
crytographically signed updates), so that if/when the control host gets
knocked offline, the master can collect his puppets again.

> Finally, I've been seeing completly random (or encrypted?) strings,
> with the appropriate reply-email and subject slots in the post filled in:
>
> email: mt...@hotmail.com
> subj: SlvXFakCPvolHanc
>
> owrjkd sk6skN2aP6Vvq18MdGcl
>
> What the heck is *that* all about...?

People have used spam for steganography before, but probably just a
broken spam tool.

Elijah
------
understanding the whys of spam is infuriating