Spam my blog and I report your site to Google for banning. You've been warned!
« Catching new referrers | Main | Make up of the spammer scripts »
February 20, 2005
New tactic: Invisible comment spam
Today I woke up to two new comments in my moderation queue. New spammer. Topic: adult webcam
And what's more, it's relying on a new technique. It's invisible!
In the moderation queue, it looks a little like the Bulgarians, in that it starts with the HTML code for the biggest headline. But the next codes nested inside those tags are typical of CSS files, and set font size to 1px and line height, margin and padding to 0 px. The headline tag ends just before the final line, which consists of a bland greating with a non-working hyperlink. The result is one line that isn't visible except for the underline of links (and even that won't be visible in some cases, depending on your CSS file). And then one bland visible line that won't tell you anything. The only way to let you figure out that it's spam is if you see the comments in your moderation queue, or from inside your admin interface.
And the spammer? Whois like this:
Registrant:
Almenix inc
Marcus Bellies-Vinterfrost (marcus at freecasinoplay d ot info)
Kalininskiy pr 12
Magadan
null,137501
RU
Tel. +910.21225550861
Registrar: Directi
Webhost: Esthost
DNS: Dnsmadeeasy, however, dig reveals elion.ee, which looks Finnish to me. Ah, it's Estonian.
I also checked out the charcode inside one of the pages. When decoded, it's pointing to a javascript. THAT is what the viewer will see, not what the search engines will see.
And what's interesting, is that the viewer will see this message:
SUSPENDED for SPAM
if the referrer isn't from a list of search engines. And then the page reloads into that of a bland search engine.
BUT, if the referrer is from a search engine, you'll see the webcam page.
How's that for cloaking? It's specifically cloaked for bloggers to not take seriously, yet still serving up the intended page for the search engine produced traffic.
If bloggers were ever unsure of what the tactic was, we know now!
The domain in the e-mail address can be found online in Wiki and forum profile spam.
Heh, I found another of the spammer's domains, and this one had this whois info:
Monika LLC
Monika Levinski (monika7121 at yahoo dot com)
Somestreet 12-11
Cityofdreams
null,12312
AO
Tel. +761.726421
And:
Colanters Ltd
Alexander Makshin (wm at only18plus dot com)
Nevskiy pr 12-54
St. peterburg
Russia,335684
RU
Tel. +910.81223072561
Looks like this one has been at it for at least two months. And the tactic has been the same throughout: Invisible posts.
Posted by Ann at February 20, 2005 10:55 AM
Trackback Pings
TrackBack URL for this entry:
http://www.annelisabeth.com/blog/mt-tb.cgi/241
Comments
Hello Ann , I just spent 3 hrours removing fake members ( URL spamming ) from my forums , the majority of which had @freecasinoplay.info email addressess. Naturally abuse@freecasionplay.info was not an acceptable email address. These ppl seem to be chronic spammers ! we are using phpBB and any assistance you can offer in stopping them spamming my forums would be MUCH appreciated.
Loan
Posted by: loanwolffe at June 27, 2006 05:01 AM