A wave of comment spam has been hitting my blog today. Gross! The volume of spam (50+ comments so far) piqued my curiosity. So let’s check it out!
I receive an email message for each comment that a user submits, and so far there is a queue of 50+ comments awaiting moderation. Here is an example of a comment I was notified of via email:
A “fitting blog,” you say? I’m flattered!
All of the (attempted) spam comments originated from the IP address 22.214.171.124 and were submitted using the email address email@example.com and author name Seetlox. Each comment also included several URLs, which I’m sure are completely legitimate. Maybe I can get a great deal on a home in Vegas!
The data from Stop Forum Spam show that the email addresses firstname.lastname@example.org and email@example.com have been the most aggressive spammers since December 2015.
In addition to email addresses, the spam report for 126.96.36.199 also includes the author names used to submit spam comments. Unlike the email addresses, no single author name stands out as the biggest offender. One interesting pattern does emerge, though: a consistent set of author name prefixes with what appear to be randomized suffixes. For example, many author names use the prefix “Herbert*”:
HerbertAbus HerbertBew HerbertBib Herbertdrax HerbertEr HerbertEt Herbertjaf HerbertMew Herbertnata HerbertNear HerbertSert Herbertsuek
Other author name prefixes include:
“Immy*” is the most popular author name for spam comments from 188.8.131.52.
I was also curious about all of the URLs contained in the more than 50 comments that have been submitted. To collect them, I expanded each message in my inbox and simply copied all of the contents into a text file. Next, I used ioc-parser to harvest all of the “indicators” (URLs, IP addresses, email addresses and the like) from the text file and write the output to another text file:
iocp.py -i txt -o csv -d /Users/Analysis/Desktop/cyint_blog/spam.txt > spam_urls.txt
After sorting through the output, I was left with the following 53 domain names:
greenparadiseaudumber.com
virginiavideohomes.com
donaldjthump.com
seeallgoals.com
foundily-bahasa.com
akaunemel.com
hinterlandroad.net
iluvmyporn.com
perplexd.com
faildais.com
refererfilter.com
anadoluitiraf.com
grosiranlaris.org
karatedudefromsomewhere.com
watchallgoals.com
siitec-ltda.com
iwanbeddecoration.info
12dice.com
nevendtech.com
tollymania.com
humanhelperinitiative.org
kuchenhaushalt.biz
vegasautobuyers.com
redcarpetupdates.com
audioetlabora.com
carpetcleaningservicejacksonvillefl.com
shiojiri.biz
drupalre.com
womens-healthguides.com
deshmukhtowers.com
giveom.net
roofingjaxfl.com
placesamui.com
bhu-sattva.com
milinumber.com
jacquesdesbiens.com
hominilupus.com
spotmyiq.com
mortimerandlucius.com
micksbricks.com
carthefave.com
bitmonedaperu.com
westshoreyellowpages.com
taskrocketssl.info
assistant-construction-helper.com
skillfolio.org
supercyberman.com
lilli.biz
barmijli.com
ivyortiz.com
lifedebug.org
sirehq.com
bozka.org
These sites are all hosted with Digital Ocean, but I haven’t determined what, if any, other malicious activity these domains may be associated with.
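For anyone who wants to do the same triage without copying notifications around by hand, here is an added example (my own script, not code from the original post and not ioc-parser) that reads a text dump of comment notifications, pulls out the submitter IP, email address and every URL, dedupes the domains the way the ioc-parser plus manual sorting step above does, counts submissions per source, and clusters author names by shared prefix to surface patterns like the “Herbert*” and “Immy*” families. The notification layout, the author names, the IP address 203.0.113.7 and the .example domains in SAMPLE are all constructed for this example; adapt BLOCK_RE to whatever your blog engine actually puts in its notification emails.

```python
"""Triage a dump of comment-notification e-mails: extract submitter indicators
(IP, e-mail, URLs), dedupe the domains, and cluster author names by prefix.
Added example; not from the original post and not part of ioc-parser."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: four notifications pasted into one text file, shaped like
# the spam described above (one IP, one e-mail, author names sharing a prefix,
# several URLs per comment). Names, address and domains are hypothetical.
SAMPLE = """\
Author: HerbertAbus (IP: 203.0.113.7)
E-mail: spammer@example.net
Comment: Nice blog! See http://vegas-deals.example/homes and https://cheap-roofing.example/jax

Author: HerbertBew (IP: 203.0.113.7)
E-mail: spammer@example.net
Comment: fitting blog https://cheap-roofing.example/ http://vegas-deals.example/condo.

Author: ImmyQuest (IP: 203.0.113.7)
E-mail: spammer@example.net
Comment: check http://pills.example/buy?ref=1 and https://vegas-deals.example/

Author: Immytrab (IP: 203.0.113.7)
E-mail: spammer@example.net
Comment: http://pills.example/cheap
"""

# One notification block: author + IP line, e-mail line, comment body up to the
# next blank line (or end of file). Layout is an assumption of this example.
BLOCK_RE = re.compile(
    r"Author:[ \t]*(?P<author>\S+)[ \t]*\(IP:[ \t]*(?P<ip>[\d.]+)\)[ \t]*\n"
    r"E-mail:[ \t]*(?P<email>\S+)[ \t]*\n"
    r"Comment:[ \t]*(?P<body>.*?)(?=\n[ \t]*\n|\Z)",
    re.S,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_notifications(text):
    """Return one record per notification: author, ip, email and the URLs found."""
    records = []
    for m in BLOCK_RE.finditer(text):
        # Strip trailing punctuation that the URL regex happily swallows.
        urls = [u.rstrip(".,;)") for u in URL_RE.findall(m.group("body"))]
        records.append({"author": m.group("author"), "ip": m.group("ip"),
                        "email": m.group("email"), "urls": urls})
    return records


def extract_domains(records):
    """Unique, lower-cased hostnames across all comment URLs, sorted."""
    hosts = set()
    for r in records:
        for u in r["urls"]:
            host = urlparse(u).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


def summarize(records):
    """Submissions per IP, per e-mail address and per author name."""
    return {key: Counter(r[key] for r in records) for key in ("ip", "email", "author")}


def cluster_author_prefixes(names, min_prefix=4, min_size=2):
    """Greedy heuristic: repeatedly take the prefix (at least min_prefix chars,
    shorter than the name) shared by the most remaining names, preferring the
    longest prefix on ties, until no prefix covers min_size names."""
    remaining = sorted(set(names))
    clusters = {}
    while True:
        counts = Counter()
        for n in remaining:
            for k in range(min_prefix, len(n)):
                counts[n[:k]] += 1
        candidates = [(c, len(p), p) for p, c in counts.items() if c >= min_size]
        if not candidates:
            break
        _, _, prefix = max(candidates)
        members = [n for n in remaining if n.startswith(prefix)]
        clusters[prefix] = members
        remaining = [n for n in remaining if n not in members]
    return clusters


if __name__ == "__main__":
    recs = parse_notifications(SAMPLE)
    print(f"{len(recs)} comments parsed")
    for key, counter in summarize(recs).items():
        print(f"{key}: {counter.most_common(3)}")
    print("domains:", extract_domains(recs))
    print("author prefixes:", cluster_author_prefixes([r["author"] for r in recs]))
```

The prefix clustering is deliberately a heuristic: it will merge “Herbert*” names into one group even though pairs like HerbertEr/HerbertEt share a longer prefix, because it picks the most-shared prefix first rather than the longest. Feed the domain list into whatever you use for passive DNS or hosting lookups; the script only does the collection and counting.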
Although I appreciate the attention (and offers for great deals!), hopefully, the spam will wind down. Nothing to see here!