: Strange spam posts not making sense Possible Duplicate: What kind of spam is this? I'm running a web site with a forum where one small part is open for posting from unregistered
Possible Duplicate:
What kind of spam is this?
I'm running a web site with a forum where one small part is open for posting from unregistered users. The site uses captcha, but still some spam posts get through every day. Here is the thing. All of the messages follow the same pattern, but all also come from different IP's. That makes me thing this is some sort of automated scripted "attack" from a botnet of some sorts.
The strange thing is that all the messages start with six random characters and contains a couple of links. The words have no meaning and the domains in the links does not even exist.
Why would anyone use time and resources spreading these things? Below you can see two of these messages:
A5Zfs6 exrzvrbspntz,
nktqoqllnuab ,
[link=http://wtrenldadvsy.com/]wtrenldadvsy[/link],
[http://rnlrqfgdvdot.com/]
O2oLpL nqeffxhryfdk,
jutyurbpfxow ,
[link=http://jpcdtmdalpow.com/]jpcdtmdalpow[/link],
[http://qopqwqxwjdjx.com/]
Since all the messages come from different IP's I can't see blocking those will help much. For now I'm considering just dropping all messages following this pattern since it's quite easy to match with a regexp.
Have anyone else seen these kinds of messages or know the point of posting them?
More posts by @Samaraweera270
2 Comments
Sorted by latest first Latest Oldest Best
Usually, this kind of behavior can be explained in two ways:
First, it can be a test to discover vulnerabilities of your site, your application or your server. Forms can be really dangerous, they can open the door to your software or your server configuration. Several attacks try to guess whether your system is vulnerable by sending you requests including malicious code or strings.
But in your case, because I can see several [URL= strings, chances are the reason is pure SPAM. This is the typical spam request that is sent to forum, blog and guestbook modules.
In fact, the [URL= string is part of BB code, a common markup language used in blogs and forums used to post URLs. Spammers performs a high number of post request including URLs to generate back-links to their websites or to their clients' websites.
Chances are your contact form has been flagged as a kind of forum or blog.
Note. I originally posted this answer to this question, that was closed as duplicated of the current question.
It's probably a test for a real attack, proof of concept for an attackers new system, or a demonstration of an attack for potential buyers maybe? I would tend to think this was not someone harmless doing it for fun as they would probably just write messages and no be trying to insert URL's.
Either way best to remove it asap to reduce the chance you are marked as an easy target. I would ban those IP's, clean up the messages and put some CAPTCHA on, (doesn't have to be permanent, you can switch it on during periods of attacks).
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.