A Fun Saturday Analysis: Comment Spam Attack!
A wave of comment spam has been hitting my blog today. Gross! The volume of spam (up to 50+) piqued my curiosity. So let’s check it out!
I receive an email message for each comment that a user submits and so far there is a queue of 50+ comments. Here is an example of a comment I was notified of via email:
[IMAGE]
A “fitting blog,” you say? I’m flattered!
All of the (attempted) spam comments originated from the IP address 46.161.9.2 and were submitted using the email address 343ewcf3pdes@gmail.com and author name Seetlox. Each comment also included several URLs, which I’m sure are completely legitimate. Maybe I can get a great deal on a home in Vegas!
Quick searches on the offending IP address and email address are not surprising: both are tied to hundreds of spam reports logged since December 22, 2015, according to Stop Forum Spam.
[IMAGE]
The data from Stop Forum Spam show that the email addresses 343ewcf3pdes@gmail.com and support889@gmail.com have been the most aggressive spammers since December 2015.
[IMAGE]
In addition to email addresses, the spam report for 46.161.9.2 also includes the author names used to submit spam comments. Unlike the email addresses, no single author name stands out as the biggest offender. One interesting pattern does emerge, though: a consistent set of author name prefixes with what appear to be randomized suffixes. For example, many author names use the prefix “Herbert*”:
HerbertAbus
HerbertBew
HerbertBib
Herbertdrax
HerbertEr
HerbertEt
Herbertjaf
HerbertMew
Herbertnata
HerbertNear
HerbertSert
Herbertsuek
Other author name prefixes include:
Immy*
Robert*
Seet*
Takky*
Tomcu*
“Immy*” is the most popular author name for spam comments from 46.161.9.2.
[IMAGE]
I was also curious about all of the URLs contained in the more than 50 comments that have been submitted. To collect them, I expanded each message in my inbox and simply copied all of the contents into a text file. Next, I used ioc-parser to harvest all of the “indicators” from the text file and write the output to another text file.
iocp.py -i txt -o csv -d /Users/Analysis/Desktop/cyint_blog/spam.txt > spam_urls.txt
After sorting through the output, I was left with the following 53 domain names:
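As an added example (not the author's workflow or ioc-parser itself), the following Python pivots a batch of comment notifications the way this post does: it harvests and normalises the hostnames from every URL and clusters author names by shared prefix (the Herbert*/Immy* pattern above). The notification format, the author names other than Seetlox and HerbertAbus, and every URL are constructed; only the IP and email addresses come from the post.

```python
import os
import re
from collections import Counter
# Constructed sample modelled on the post's comment notifications: the IP and
# email addresses are the ones named in the post; the author names other than
# Seetlox and HerbertAbus, and every URL, are made up (example domains only).
SAMPLE = """\
Author: Seetlox <343ewcf3pdes@gmail.com> (IP: 46.161.9.2)
Fitting blog! See http://vegas-homes.example/deal and https://www.Deals.example.net/x?id=1
Author: HerbertAbus <support889@gmail.com> (IP: 46.161.9.2)
Also http://vegas-homes.example/listing and http://user:pw@other.example.org:8080/p
Author: Herbertdrax <343ewcf3pdes@gmail.com> (IP: 46.161.9.2)
https://deals.example.net/y
Author: Immyfoo <343ewcf3pdes@gmail.com> (IP: 46.161.9.2)
https://deals.example.net/z
Author: Immybar <support889@gmail.com> (IP: 46.161.9.2)
http://lonely.example/
"""
HEADER_RE = re.compile(r"^Author:\s*(\S+)\s+<(\S+)>\s+\(IP:\s*([\d.]+)\)", re.M)
URL_HOST_RE = re.compile(r"https?://([^\s/'\"<>]+)", re.I)

def extract_domains(text):
    """Count hostnames from every http(s) URL, normalised (lower-case, userinfo
    and port dropped, leading 'www.' stripped) so one site gets one key."""
    counts = Counter()
    for host in URL_HOST_RE.findall(text):
        host = host.lower().rsplit("@", 1)[-1].split(":", 1)[0]
        counts[host[4:] if host.startswith("www.") else host] += 1
    return counts

def cluster_by_prefix(names, min_len=4):
    """Group names sharing a leading run of >= min_len characters (the Herbert*/
    Immy* pattern); keys are the longest common prefix, singletons keep their name."""
    clusters = {}
    for name in sorted(set(names)):
        for prefix in list(clusters):
            common = os.path.commonprefix([prefix, name])
            if len(common) >= min_len:
                clusters[common] = clusters.pop(prefix) + [name]
                break
        else:
            clusters[name] = [name]
    return clusters

def summarize(text):
    """Pivot one batch of notifications by IP, email, domain and name prefix."""
    rows = HEADER_RE.findall(text)
    names, emails, ips = zip(*rows) if rows else ((), (), ())
    return {"ips": Counter(ips), "emails": Counter(emails),
            "domains": extract_domains(text), "name_groups": cluster_by_prefix(names)}
```

Feeding the copied notification text to `summarize()` gives the same pivots the post builds by hand: one IP, two email addresses, a domain frequency table, and the prefix groups.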
These sites are all hosted with Digital Ocean, but I haven’t determined what, if any, other malicious activity these domains may be associated with.
[IMAGE]
Although I appreciate the attention (and offers for great deals!), hopefully, the spam will wind down. Nothing to see here!