
I'm not sure ServerFault is the correct place for such a question: please redirect if another StackExchange site is more appropriate but I think this is the "most correct" one.

On one of the servers I'm the admin for, there's a forum. The server itself is a dedicated server used only as a webserver, but with several webapps on it. It's an up-to-date Tomcat + up-to-date JDK (so the recent remote Java DoS can't work), if that matters.

I'm seeing a really weird kind of (unsuccessful AFAICT) attack and I'd like to know more about it.

Basically, I'm getting several forum postings awaiting moderation (every single forum post needs to be validated, because we got spammed in the past by people creating accounts manually then posting automatically) containing the following text:

Hi there, I dont know if I am writing in a proper board but I have got a problem with activation, link i receive in email is not working...

Now if you Google for that (poorly written) sentence, you'll see there are quite a lot of results (nearly half a million). A lot of people even reply to this message, asking things like "what are you talking about? the email link should work etc.".

Does anyone know from which kind of malware this comes? It is obviously some kind of semi-advanced automated attack because it is bypassing the captcha. (The user couldn't send that message on my board without first having activated his account, and for this he would need to get the activation email, which he did... And you can't get an activation email without breaking the captcha, so this bot can break some captcha for sure.) It is a bot because you're not getting half a million hits on Google for that specific sentence without, well, using a bot ;)

Also, I don't really get the point of such an attack: is the goal to then Google on that poor sentence (guaranteed to be unique) to see which forums don't require moderation or don't perform spam-cleaning?

Or is it for someone to appear to post as a valid user so that the attacker gets flagged as a "valid user" or whatever?

I just don't get it. Once again, if anyone has info about this, I'm all ears for I'm confuzzabled.

The registration emails I've seen used by the low-lifes performing these attacks were both times .info email addresses.

Should I start banning .info email addresses?

Are there known IPs to ban? (My target market doesn't include China, for example, so banning all of China would really not affect me in the slightest.)

I'm not particularly affected, seeing that I'm getting these messages in the "pending activation" status on my forums (which all require moderation: I mean the forum + all the subforums), but I'd still like to know more about this... Seems like a common plague and seems to hit quite a lot of servers.

HopelessN00b
YellowSquirrel
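The asker already holds every post for moderation, so the practical question is how to sort that queue rather than how to block the bot outright. The following is an added example, not code from the question, the forum software or anyone on this page: it normalizes each pending post and checks it against the verbatim bot sentence quoted above (so trivial variations in punctuation or case still match), and treats a registration address on a watched TLD (the asker saw .info twice) as a weaker "look closer" signal rather than a ban. The `PendingPost` class, the `triage` function and the sample queue are all assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample data and hypothetical helper names; this is not the
# forum software's own code. The only real signals are the ones named in the
# question: the verbatim spam sentence and the .info registration addresses.

# The bot's sentence exactly as quoted in the question.
SPAM_SENTENCE = ("Hi there, I dont know if I am writing in a proper board but I "
                 "have got a problem with activation, link i receive in email is "
                 "not working...")

# TLDs that merit a closer look on this particular board (the asker saw .info
# twice). A match is a review signal only, never a rejection by itself.
WATCHED_EMAIL_TLDS = {"info"}


def normalize(text: str) -> str:
    """Lowercase, replace punctuation with spaces and collapse whitespace so
    trivial variations (extra dots, capitalisation, line breaks) still match."""
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


# Normalized once so every comparison is done in the same canonical form.
KNOWN_FINGERPRINTS = {normalize(SPAM_SENTENCE)}


@dataclass
class PendingPost:
    author: str
    email: str
    body: str


def email_tld(email: str) -> str:
    """Return the final DNS label of the address's domain part, lowercased."""
    domain = email.rsplit("@", 1)[-1]
    return domain.rsplit(".", 1)[-1].lower()


def triage(post: PendingPost) -> str:
    """Classify a post that is already sitting in the moderation queue.

    'reject' : body matches a known bot fingerprint (the account is a probe)
    'review' : weaker signal only (registration address on a watched TLD)
    'ok'     : nothing of note; a human still approves it as usual
    """
    if any(fp in normalize(post.body) for fp in KNOWN_FINGERPRINTS):
        return "reject"
    if email_tld(post.email) in WATCHED_EMAIL_TLDS:
        return "review"
    return "ok"


def triage_queue(posts):
    """Map each pending author to a verdict."""
    return {p.author: triage(p) for p in posts}


# Constructed moderation queue: names, addresses and texts are invented for the
# demo, except the bot sentence, which is the one quoted in the question.
SAMPLE_QUEUE = [
    PendingPost("probe01", "probe01@example.info", SPAM_SENTENCE),
    PendingPost("probe02", "probe02@example.net",
                "HI THERE!! I dont know if i am writing in a proper board, but i "
                "have got a problem with activation. Link i receive in email is "
                "not working"),
    PendingPost("newbie", "newbie@example.info",
                "Hello, how do I change my avatar?"),
    PendingPost("regular", "regular@example.org",
                "The activation link worked fine for me, thanks."),
]

if __name__ == "__main__":
    for author, verdict in triage_queue(SAMPLE_QUEUE).items():
        print(f"{author:10} {verdict}")
```

Run as a script it prints one verdict per queued author; in a real setup the same `triage` call would sit in the moderation view so that probes are rejected in bulk while ordinary newcomers on a watched TLD are simply read with a little more care.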

1 Answer


Hypothetically I suppose they could be posting this as placeholder text, and once they've confirmed that they have a "working" account that can post, they then come back to use this forum account for spam in future.

Doing this allows them to harvest forum accounts that 'work' - then when they get paid for a particular spam campaign, they don't have to post into brand new accounts, which may be subject to tighter spam controls.

I'm clutching at straws, obviously!

Steve Mayne