Weird Spam
This site is always deluged with spam, but every once in a while, some very subtly weird spam comes along that just catches your attention. The most recent has been a series of trackback spam from fake blogs. As I’ve mentioned, trackbacks are when other blogs refer to and link to this one, and their site software “pings” mine, or sends a special message to mine alerting me to the reference. Spammers fake such pings in order to get a link on my site to theirs.
But these latest fake pings don’t make much sense. There has been almost one a day for the past several days; all are fake blog posts on fake blog sites; all have an address which would indicate a recent blog post. The address includes “/archives/2005/07/” and then a blog article file name–all looking rather authentic. In each case, the message contained in the trackback ping is very similar: “Excerpt: You can read about it also on my blog page,” “Excerpt: More info can be found on my page,” and “Excerpt: Look at my page for more info….”
Now, I would expect in each case for the bogus blog addresses to be a shell domain with a redirect: go to the address given, and you’re automatically redirected to a different domain with hideous porn spam. Instead, when I visited each site to find out what was going on, a 500 Internal Server Error was returned. For the entire site, not just for the one page. And it’s not a 404 error or a domain not found/doesn’t exist error either.
There is one possible explanation: by ironic chance, these spammers got foiled by the exact same perl scripting bug that’s been plaguing this blog for the past several days. In short, the redirect software which they use to transfer you to the hideous porn site is incompatible with the new perl software, causing the error messages. Which would be both funny and all too fitting.
It’s also possible that these spam are fake fakes–spam which doesn’t connect to a spammer. I’ve gotten these before. In the past, spammers have sent me referrer spam pointing back to the International Atomic Energy Agency, and spammers sent a lot of people referrer spam that claimed to come from the John Kerry web site. My guess is that these are either hoaxers, or they’re spammers testing out a software configuration and not leaving their own address in case something goes wrong. Even fake blogs have been the seeming origin of spam before–although in the past, these fake blogs showed a specific address ending in “/archives.html”, which is not a real location in any blog that I know of.
Nevertheless, it does make it all a bit interesting. For me, the main thing is, none of this gets onto my blog anymore, so it’s just a nuisance or a curiosity. Even my anti-referral patch for AwStats is working well–I’ve been getting almost no referral spam this month so far. A few are leaking through, but can only manage to get one or two hits on my site per day, like a few small leaks in a dam holding back a deluge.
I had a really weird comment attack yesterday, wasn’t like any I had seen before. They came in, posted comments on several enteries, but the comments contained no ads, just didn’t seem logical fits to the posts. 5 of the 6 all came from the same IP, but all with different email addresses. So I traced the IP and it came up as somewhere in the Netherlands, but their nameservers were out of Mexico.
I’m not sure what the heck they accomplished…no links, no ads, nothing overt. I went ahead and improved the comments, but it sure sturck me as odd.
Have you seen anything like this? I am thinking maybe they will show back up in a day or two with true spam junk? Like they used this to be allowed through a filter? (little do they know, WordPress just sends all comments to an approval que.)
Yeah, I get that kind of stuff too. The three fake-blog trackbacks were like that, in that they had the same IP address (216.32.80.98, by the way). And I’ve gotten comment spam with either no URLs, like you mention, no apparent meaning except perhaps as tests. Or ones with URLs that are gibberish–maybe four or five different ones from the same IP, but with URLs like “ruhygfdewks.com” and “oitgnsdhgfs.com”. Other times I will get the gibberish URLs, but the last three to five characters before the domain suffix will be the same, such as “kjfhdoirettyrs.com” and “ewinfdxldttyrs.com”. None of the URLs being real. So some real weirdness out there, yes.
Wonder what they are trying to accomplish…very odd. My IP was 148.244.150.58 There are some people out there with WAY too much time on their hands.