A Fun Saturday Analysis: Comment Spam Attack!

A wave of comment spam has been hitting my blog today. Gross! The volume of spam (up to 50+) piqued my curiosity. So let’s check it out!

I receive an email message for each comment that a user submits and so far there is a queue of 50+ comments. Here is an example of a comment I was notified of via email:

[Screenshot: the comment notification email for one of the spam comments]

A “fitting blog,” you say? I’m flattered!

All of the (attempted) spam comments originated from the IP address 46.161.9.2 and were submitted using the email address 343ewcf3pdes@gmail.com and author name Seetlox. Each comment also included several URLs, which I’m sure are completely legitimate. Maybe I can get a great deal on a home in Vegas!

Quick search results on the offending IP address and email address are not surprising: both are tied to hundreds of spam reports logged since December 22, 2015, according to Stop Forum Spam.

[Screenshot: Stop Forum Spam search results for 46.161.9.2]

The data from Stop Forum Spam show that the email addresses 343ewcf3pdes@gmail.com and support889@gmail.com have been the most aggressive spammers since December 2015.

[Chart: spam reports per email address for 46.161.9.2]

In addition to email addresses, the spam report for 46.161.9.2 also includes the author names used to submit spam comments. Unlike the email addresses, no single author name stands out as the biggest offender. One interesting pattern does emerge though: a consistent set of author name prefixes with what appear to be randomized suffixes. For example, many author names use the prefix “Herbert*”:

  • HerbertAbus
  • HerbertBew
  • HerbertBib
  • Herbertdrax
  • HerbertEr
  • HerbertEt
  • Herbertjaf
  • HerbertMew
  • Herbertnata
  • HerbertNear
  • HerbertSert
  • Herbertsuek

Other author name prefixes include:

  • Immy*
  • Robert*
  • Seet*
  • Takky*
  • Tomcu*

“Immy*” is the most popular author name for spam comments from 46.161.9.2.

[Chart: spam reports per author name for 46.161.9.2]

I was also curious about all of the URLs contained in the more than 50 comments that have been submitted. To do this, I expanded each message in my inbox and simply copied all of the contents into a text file. Next, I used ioc-parser to harvest all of the “indicators” from the text file and write the output to another text file.

iocp.py -i txt -o csv -d /Users/Analysis/Desktop/cyint_blog/spam.txt > spam_urls.txt

After sorting through the output, I was left with 53 domain names.


These sites are all hosted with Digital Ocean, but I haven’t determined what, if any, other malicious activity these domains may be associated with.

[Screenshot: hosting lookup showing the domains on Digital Ocean]
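As an added example (not the blog's own tooling, and a stand-in for the ioc-parser step rather than its code), here is a small Python script that does the same triage over a pasted dump of notification bodies: it harvests and de-duplicates the domains, tallies source IPs and email addresses, and groups author names by shared prefix to surface patterns like “Herbert*”. The notification layout, the placeholder .example domains and the three sample comments are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: three notification bodies pasted into one dump, in the
# style of the blog's comment emails. Domains are placeholders, not real sites.
SAMPLE_DUMP = """\
Author: HerbertAbus (IP: 46.161.9.2)
E-mail: 343ewcf3pdes@gmail.com
Comment: Fitting blog! http://vegas-homes.example/deals http://Carpet-Clean.example/jax
Author: Herbertdrax (IP: 46.161.9.2)
E-mail: 343ewcf3pdes@gmail.com
Comment: see https://vegas-homes.example/other?ref=1 http://roofing.example
Author: ImmyKex (IP: 46.161.9.2)
E-mail: support889@gmail.com
Comment: http://roofing.example/quote
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
AUTHOR_RE = re.compile(r"^Author:\s*(\S+)\s*\(IP:\s*([\d.]+)\)", re.MULTILINE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def extract_domains(text):
    """Sorted, de-duplicated, lower-cased host names from every http(s) URL."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(text)})

def cluster_by_prefix(names, min_len=4, min_count=2):
    """Group names under the longest prefix (>= min_len chars) that at least
    min_count distinct names share; unclustered names key on themselves."""
    prefix_counts = Counter()
    for name in set(names):                    # count each distinct name once
        for n in range(min_len, len(name)):
            prefix_counts[name[:n]] += 1
    clusters = defaultdict(list)
    for name in names:
        best = name
        for n in range(len(name) - 1, min_len - 1, -1):  # longest prefix first
            if prefix_counts[name[:n]] >= min_count:
                best = name[:n] + "*"
                break
        clusters[best].append(name)
    return dict(clusters)

def summarize(text):
    """Headline tallies from a pasted dump: domains, source IPs, emails, names."""
    authors = AUTHOR_RE.findall(text)           # list of (name, ip) pairs
    return {"domains": extract_domains(text),
            "ips": Counter(ip for _, ip in authors),
            "emails": Counter(EMAIL_RE.findall(text)),
            "author_clusters": cluster_by_prefix([name for name, _ in authors])}
```

On the sample dump, summarize(SAMPLE_DUMP) reports three distinct domains, a single source IP seen three times, two email addresses, and the two Herbert* names grouped under one prefix.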

Although I appreciate the attention (and offers for great deals!), hopefully the spam will wind down. Nothing to see here!

2 Comments

  1. This was interesting, and similar to something I’m doing for work. I do have a question for clarification, and on how IOC-parser works.

    1. Clarification: When you say you expanded all the mail in your inbox, and copied them, you mean you just copied the body of each email to a text file?

    2. ioc-parser: Would it have given more data (which was probably outside your scope) if you included the headers? Can it work on headers?

    1. Hi Chris,

      1. That is correct, I expanded each message and then simply copied everything at once into my text editor – it didn’t look pretty, but it worked. Ideally, something a little more automated would have been nice, but that only took a couple of minutes.

      2. I believe the regex in ioc-parser will parse hashes (md5, sha1, sha256), URLs, hostnames, domains, IPv4, and CVE numbers. If header information contains that data, then it will parse it. Check out the GitHub page for it, it’s a handy tool >>> https://github.com/armbues/ioc_parser.
