
Strategies for spammers; Understand your enemy.

Spammers are lazy programmers but one can't deny that they are crafty and cunning.

The spambots they design are often poorly written, but it doesn't matter: a spambot is designed to do one very simple task mindlessly, and it does so all across the internet, even in places its programmer never intended. By dint of brute force, they do manage to achieve the desired result in some places.

On the other hand, spammers know perfectly well that we webmasters are on our guard against spam, and they find ways to put our suspicions to sleep.

Here is a typical example that just happened on one site that I manage.

A new user subscribed two days ago. Straight away, he proceeded to post a series of 5 comments attached to various articles. Here is the text of those comments in full:

#1~2:

subject: You are absolutely right !!!
comment: You are absolutely right !!!

#3~5:

subject: hello
comment: You are absolutely right !!!

At first glance, for an unsuspecting webmaster, those comments would seem innocuous enough. Here is an eager, overly enthusiastic member who wants to be supportive. Being a bit more suspicious, an administrator would look at the source code of the comment, looking for hidden text. In this particular case, there was nothing concealed. The source code looked exactly like the displayed comment.

So, what do you do in such a case? Do you ban a user simply because he posted "You are absolutely right !!!" five times?

Still, the occurrence does sound some alarm bells. Such comments are designed to appear on topic in just about any thread. Also, they use (not so) subtle psychology: the original forum post author would feel vindicated, supported. His ego would be boosted. One does not report for abuse a comment from a person who agrees with us!

So, the story goes, the comments are left published on the site. After all, they're just innocent comments without any harmful code.

The next day, our enthusiastic user, a spammer really, comes back, sees that the comments he posted the previous day are still there, hopes he has successfully managed to get the administrators to lower their guard, and posts a bunch of new comments:

#6~7:

subject: Hello
comment: Thanks for sharing!

#8:

subject: Hi
comment: Good info!!

#9:

subject: Thank you!
comment: Good to know.

At this stage, the alarm bell which started ringing the previous day goes off again with renewed vigor. As mentioned already, those comments are crafted so that they can be mindlessly posted in any forum discussion and still look on topic. The giveaway, obviously, is that none of those comments contains even one key word used during the discussion.

This time, however, looking at the source code of the comment, we see the stowaways:

subject: Thank you!
comment:

Good to know.<a href="http://xxxstartledfrog.comx/power-led-bulb.html"></a><a href="http://xxxvalleydawgs.comx/fleeced.html"></a><a href="http://xxxresultsthroughalignment.comx/500-prix-motorcycle.html"></a><a href="http://xxxy2kbase.comx/cacique-free.html"></a><a href="http://xxxsinolinux.comx/theinen.html"></a><a href="http://xxxrichhaasvideoproductions.comx/flowers-quilting-fabric.html"></a><a href="http://xxxstfanassoc.comx/vintage-rabbits.html"></a><a href="http://xxxversusatl.comx/quart-cast-dutch.html"></a><a href="http://xxxnoroncar.comx/blackberry-pearl-extras.html"></a><a href="http://xxxthedaredevilmovie.comx/landscape-and.html"></a><a href="http://xxxstartpageprofits.comx/woods-pga-new.html"></a><a href="http://xxxthehiphopcipher.comx/playoff-spectrum-100.html"></a><a href="http://xxxq3fortress.comx/mark-messier-card.html"></a><a href="http://xxxrogersattcup.comx/the-experience-dvd.html"></a><a href="http://xxxybreo.comx/cobra-python.html"></a><a href="http://xxxvgivision.comx/timewise-day-spf.html"></a><a href="http://xxxspcaracas.comx/rappen-switzerland.html"></a><a href="http://xxxpoundaflesh.comx/fred-taylor-jersey.html"></a><a href="http://xxxxmenunlimited.comx/sfl.html"></a><a href="http://xxxpeebelsequipment.comx/2005-rickey.html"></a><a href="http://xxxsharewaresucks.comx/100-taupe.html"></a><a href="http://xxxyukcn.comx/party-dress-grown.html"></a><a href="http://xxxpresleytheband.comx/160gb-notebook.html"></a><a href="http://xxxpremiersalesltd.comx/pampered-chef-mint.html"></a><a href="http://xxxstudio8prod.comx/100-dodgers.html"></a><a href="http://xxxspookalicious.comx/combat-tmg.html"></a><a href="http://xxxvbaconference.comx/german-marble.html"></a><a href="http://xxxwqmzyx.comx/armani-jeans-blue.html"></a><a href="http://xxxsutherns.comx/dvi-lcd-ps3.html"></a><a href="http://xxxq8waves.comx/urban-lot.html"></a><a href="http://xxxtenderpawz.comx/milford-county-2006.html"></a><a href="http://xxxsportdobermann.comx/sega-gun.html"></a><a 
href="http://xxxsakanatako.comx/curly-cute.html"></a><a href="http://xxxmynewageshop.comx/2006-samuel-jackson.html"></a><a href="http://xxxnishanganxi.comx/the-chaney.html"></a><a href="http://xxxpurplejedi.comx/haluska-auto.html"></a><a href="http://xxxzhongtianpu.comx/the-corn.html"></a><a href="http://xxxthedebonaires.comx/metallica.html"></a><a href="http://xxxomcgames.comx/purple-oasis.html"></a><a href="http://xxxpetendom.comx/state-pr69.html"></a><a href="http://xxxsummerdying.comx/marc-chantal.html"></a><a href="http://xxxpixelpolice.comx/vintage-brown-glaze.html"></a><a href="http://xxxstevevanslooten.comx/zentai-spandex-metallic.html"></a><a href="http://xxxtinacaldwell.comx/man-mirror-morley.html"></a><a href="http://xxxsandiegohotelsandrates.comx/rain-girls.html"></a><a href="http://xxxteamherdez.comx/2006-authentics.html"></a><a href="http://xxxpassagerecords.comx/wheels-surf-crate.html"></a><a href="http://xxxsavefirefly.comx/chords-for.html"></a><a href="http://xxxneohybrid.comx/dynamite-poster.html"></a><a href="http://xxxwhipmaintanence.comx/1990-roosevelt.html"></a><a href="http://xxxnorthernligth.comx/glass-juice-pitcher.html"></a><a href="http://xxxxiansnowbird.comx/new-gazelle.html"></a><a href="http://xxxmypasswd.comx/nwt-roxy-raisins.html"></a><a href="http://xxxnorthenarts.comx/smoky-vintage.html"></a><a href="http://xxxyeaparr.comx/biscotti-nwt.html"></a><a href="http://xxxwebwondersnews.comx/silver-dollars-proof.html"></a><a href="http://xxxnodoutt.comx/summer-olympics.html"></a><a href="http://xxxtreasurealleygifts.comx/flare-plug-body.html"></a><a href="http://xxxyedns.comx/wake-and.html"></a><a href="http://xxxsmdmingyang.comx/lot-nickels.html"></a><a href="http://xxxpromotingyourweb.comx/tumi-laptop-bag.html"></a><a href="http://xxxportario.comx/topps-muhammad.html"></a><a href="http://xxxslowcarcrash.comx/unrest.html"></a><a href="http://xxxoneweblink.comx/mail-hanks-meg.html"></a><a 
href="http://xxxstandupjack.comx/organic-crib.html"></a><a href="http://xxxqtvrworld.comx/secret-sold-out.html"></a><a href="http://xxxrivaextreme.comx/gap-blue-regular.html"></a><a href="http://xxxriotagogo.comx/beanie-with-caps.html"></a><a href="http://xxxoccojournal.comx/lot-movies-dvds.html"></a><a href="http://xxxofficemission.comx/ray-ban-3211.html"></a><a href="http://xxxsutureseven.comx/health-manners.html"></a><a href="http://xxxtsunamiwavs.comx/size-foam-pad.html"></a><a href="http://xxxyugiohgameboy.comx/alien-condition.html"></a><a href="http://xxxrocksolidcorp.comx/sony-ericsson-open.html"></a><a href="http://xxxsimonsandstein.comx/nec-panel-monitor.html"></a><a href="http://xxxsiliconvention.comx/new-pink-checked.html"></a><a href="http://xxxskcheung.comx/outdoor-yearbook.html"></a><a href="http://xxxraokgroup.comx/nolan-breaker.html"></a><a href="http://xxxseanspotting.comx/hush-puppies-tan.html"></a><a href="http://xxxteosband.comx/charming-eye.html"></a><a href="http://xxxpuppypaid2clicks.comx/johnny-lightning-thunder.html"></a><a href="http://xxxy2ksa.comx/elegant-sparkling.html"></a><a href="http://xxxpeachtails.comx/cherry-teardrop-pendant.html"></a><a href="http://xxxspousesofpoliceofficer.comx/wishbone-new.html"></a><a href="http://xxxreckonwithone.comx/wdw-castle-pin.html"></a><a href="http://xxxttscomputer.comx/ladies-neckline.html"></a><a href="http://xxxpillowcasey.comx/series-ornaments.html"></a><a href="http://xxxsolpics.comx/acuity.html"></a><a href="http://xxxuaeqa.comx/antique-drawer-pull.html"></a><a href="http://xxxwire02.comx/the-root.html"></a><a href="http://xxxpumpkineaterrecords.comx/f33.html"></a><a href="http://xxxplanetplague.comx/sheepskin-fur-jacket.html"></a><a href="http://xxxniche2000.comx/the-extraterrestrial.html"></a><a href="http://xxxmultimediawtm.comx/nib-3n2-cleat.html"></a><a href="http://xxxspiritualjourneybook.comx/schwinn-chainguard.html"></a><a href="http://xxxwooyaywebworks.comx/aurora-blue.html"></a><a 
href="http://xxxtrisquad.comx/silver-dolphin.html"></a><a href="http://xxxquestry.comx/bahama-cayman.html"></a><a href="http://xxxrhodeislandhotspots.comx/creamer-and.html"></a><a href="http://xxxpursebuilding.comx/zack-small.html"></a>

Obviously, I added some xxx's in the links. The four new comments all had such a long list of links, all different.

If you look carefully at the code, you'll notice that all the links are empty, so nothing would show on the web page. All those links are completely hidden in the source code. If the webmaster had assumed that the source code on the second day looked the same as it did on the first, he would have left the comments published. The benefit obviously is that those hidden links still increase the search engine ranking (?) for the targeted pages.
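The two giveaways described above (anchors that render no text, and a comment that shares no key word with its thread) can be checked mechanically before a comment or its notification mail goes out. This is an added example, not code from the original post or from any Drupal module; the function names, the sample thread and the .example hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

INVISIBLE = re.compile(r"[\s\u200b\u200c\u200d\ufeff]+")  # whitespace + zero-width chars

class AnchorScanner(HTMLParser):
    """Records each <a href> with the text a browser would render inside it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self.text, self._open = [], [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = [attrs["href"], ""]
            self.links.append(self._open)
        elif tag == "img" and self._open is not None:
            self._open[1] += "[img]"          # an image link is visible
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None
    def handle_data(self, data):
        self.text.append(data)
        if self._open is not None:
            self._open[1] += data

def keywords(text):
    # Crude tokenizer: lowercase words of 4+ letters; no stop-word list.
    return set(re.findall(r"[a-z]{4,}", text.lower()))

def review_comment(raw_html, thread_text):
    """Return reasons to hold a comment (and its notification mail) for review."""
    scanner = AnchorScanner()
    scanner.feed(raw_html)
    scanner.close()
    hidden = [href for href, shown in scanner.links if not INVISIBLE.sub("", shown)]
    reasons = []
    if hidden:
        reasons.append(f"{len(hidden)} hidden link(s)")
    if not keywords(" ".join(scanner.text)) & keywords(thread_text):
        reasons.append("no thread keyword")
    return {"hidden_links": hidden, "reasons": reasons}

# Constructed samples; the .example hosts are placeholders, not the page's links.
THREAD = "How do I configure the subscriptions module to send mail digests?"
DAY1 = "You are absolutely right !!!"
DAY2 = ('Good to know.<a href="http://one.example/a.html"></a><a \n'
        'href="http://two.example/b.html">&nbsp;</a>')
LEGIT = 'See the <a href="http://docs.example/d">digest settings</a> of the subscriptions module.'

if __name__ == "__main__":
    for name, body in [("day1", DAY1), ("day2", DAY2), ("legit", LEGIT)]:
        print(name, review_comment(body, THREAD))
```

The keyword check alone also fires on the harmless first-day comments, so it is a reason to look at the source, not a reason to ban.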

Another thing to consider: many forums and web sites have a "subscriptions" feature, whereby regular users are notified by mail of new comments. Sometimes the content of the new comment is even sent by mail to the forum topic subscribers. Within the mail client, the links would all have been visible.

For this precise reason, I coded an entire module meant to be used together with Drupal's subscriptions.module. Subscriptions.module is an implementation for Drupal of this particular feature: regular users are alerted each time there is a new comment or post on the site. Precisely because I foresaw this kind of problem, I have coded a sister module called moderate_content_notifications.module that is now shipped together with subscriptions.module. Its purpose is to allow the moderators to stop the delivery of subscription mails when an untrusted user posts any comment. The moderator then has the time to review the comment (and its source code!) before deciding whether the email notification can be sent or not.

Lastly, I would like to apologize to the spammers. I said they were lazy coders. After further investigation, it seems that this series of comments was not posted by a human, but by a spambot. I am not fully sure, but it seems the bot managed to register, retrieve the email with the password to log in, and was programmed to post a few comments over several days, starting with completely innocent ones and moving on, the next day, to the Trojan Horse ones.

The targeted site had not yet configured its captcha, which might have prevented this.

As an added bonus, the spammer used the username virgilwalker. His email address is: virgilwalker@pprotect.net. Searching the net for pprotect.net, I found that the domain is already in a few 'shit lists' (as I just saw one web site calling it). It is also in this quite comprehensive list:
http://opensourceactivism.blogivists.com/files/2008/04/keyword_emaildoma...

I'll keep a private reference of all the sites listed in the comments by this spammer. If someone has any use for it (to include in a block list, for example), just ask me.