How to spot a stealth spambot

Questions, answers, tips & tricks for newbies and veterans alike
Post Reply
User avatar
Dork
Posts: 2065
Joined: Tue Jan 06, 2004 6:01 pm
Location: Las Vegas

How to spot a stealth spambot

Post by Dork » Tue Oct 30, 2007 1:19 pm

We've been getting a lot of spambots lately that don't actually post any ads. The format is usually like this:
Bot registers using a compound name such as "manicmelanie"
A day or so later, the bot posts an innocuous looking post along the lines of "Hey, I'm new here and just wanted to say hi!"

The way I can usually tell for sure it's a bot is to do a google search on the screen name. If it's a bot, the search will return many, many hits. Most or all of these are user records on php-based forums with either no posts or just one post identical to the one here.

At that point I generally delete the message and any replies, unless the replies were amusing and I feel like leaving them around.

I don't know what the point of these posts are, but I suspect they have something to do with identifying message boards that are vulnerable to the scripts so that further attacks can be run.
Top
User avatar
AntiM
Moderator
Posts: 20301
Joined: Wed Mar 24, 2004 5:23 am
Burning Since: 2001
Camp Name: Anti M's Home for Wayward Art
Location: Wild, Wild West

Post by AntiM » Tue Oct 30, 2007 2:08 pm

Thanks, I needed that.
Top
Toolmaker
Posts: 2511
Joined: Wed Sep 27, 2006 12:44 pm

Re: How to spot a stealth spambot

Post by Toolmaker » Wed Oct 31, 2007 2:02 am

Dork wrote:I don't know what the point of these posts are, but I suspect they have something to do with identifying message boards that are vulnerable to the scripts so that further attacks can be run.
Thats possible.. they could also be to help make the acct look legit. Most boards kill linkfarmer accounts due to the disgusting nature of the commerce often contained within the profile. Having a post that makes it look like a real person keeps the commerce contained in the profile www link around a little longer for google to have in the stats. IMHO these bots are LAME. I gotta wonder do these fuckers ever sell any pills with all this BS they go through?
This account has been closed as demanded by Wedeliver.
Top
User avatar
AntiM
Moderator
Posts: 20301
Joined: Wed Mar 24, 2004 5:23 am
Burning Since: 2001
Camp Name: Anti M's Home for Wayward Art
Location: Wild, Wild West

Post by AntiM » Wed Oct 31, 2007 6:31 am

With these, there often is no www link. Too easy.
Top
spectabillis
Posts: 3527
Joined: Mon Mar 29, 2004 11:07 pm
Burning Since: 2022
Location: black rock city

Post by spectabillis » Wed Oct 31, 2007 9:12 am

excellent forensics herr doktor!
Top
User avatar
phil
Posts: 2936
Joined: Fri Jun 10, 2005 2:10 pm
Location: Codgerville

Post by phil » Wed Oct 31, 2007 9:13 am

Are they spambots testing for weaknesses or DDoS bots testing for weaknesses?
Top
spectabillis
Posts: 3527
Joined: Mon Mar 29, 2004 11:07 pm
Burning Since: 2022
Location: black rock city

Post by spectabillis » Wed Oct 31, 2007 2:19 pm

spambots are usually site oriented, distributed attacks are more protocol based. there are hybrid approaches like hacking smtp but ddos really refers to something different.
Top
User avatar
Dork
Posts: 2065
Joined: Tue Jan 06, 2004 6:01 pm
Location: Las Vegas

Post by Dork » Wed Oct 31, 2007 8:15 pm

We did get hit by a denial of service attack a couple of years ago, which is why we now have that 5 second delay between searches. I don't think these are directly related to that type of thing, but the signature left by these bots could be used to identify php forums.

I think it's probably more like one of these:
Image
Top
spectabillis
Posts: 3527
Joined: Mon Mar 29, 2004 11:07 pm
Burning Since: 2022
Location: black rock city

Post by spectabillis » Wed Oct 31, 2007 8:29 pm

i picked up a couple of those while walking through the woods, they like to get all tangled up in your hair and when you try and yank them they shoot this light thingy that stings like mad.
Top
Post Reply

Return to “Q & A Tips and Tricks”