mekodinosad, spam? Sad dinosaur? the Terrorists?

2 10 2007

My post on UNIX permissions received an odd comment: “Hola faretaste mekodinosad”. At the time I didn’t think much of it, other than to wonder what I did to make Dino sad; however, I recently did a Google search for it.

That came up with over 7,000 hits for the same phrase, including a post from another blog that noticed it. It seems to be down from the 17,000 hits they got when they searched for it, possibly because it’s being filtered out as spam.

According to the comments on the other post, the first 2 words apparently translate as “Hello westerner (fair skinned)”, and the 3rd word seems to be some kind of holy threat if you interpret the results the other post found from the Quran search tool. However, I’m not too sure of the translation posted above, or of the fact that it is in Arabic, since the phonetic translator doesn’t match anything from the phrase above.

Searching for the username “AnferTuto” returns 50,000 results.
There are thousands of profiles from various blogs, social networking sites and forums, as well as posts with the phrase above.

Most of the profiles don’t seem to have any posts linked with them.

The email address “hfiifiihhiir@gawab.com” is linked to it and returns 19 results from various profiles (nice to know these websites show the email address publicly and in plain text format; spammers, fire up your harvesters).

The IP address 62.231.243.138 from the original post shows up in search results on various antispam sites, and also on quite a few wiki user pages, listed as a vandal. Project Honeypot also shows it is being used as a spam relay. This would indicate that the address itself is an open relay. An nmap port scan of the system shows similar ports open to the ones that spammers leave filtered, from when I have port scanned addresses from spam emails in the past.

The other IP address listed in the comments, “71.90.130.103”, only returns search results from the other blog comment and also a list of proxy servers.

The IP addresses are most likely both relays or public proxies.

In addition to “Hola faretaste mekodinosad” the phrase “Hola mardena! falikotrepat” is used in some places and returns about 4,000 results.

Chances are this is just a spammer, but why send that phrase? There aren’t any links to anything, and the username is used only for these obscure posts. Possibly they are some kind of test phrases to see how well the software is working and the time it takes things to get indexed by Google or blocked by antispam; still, you might as well test it with real content. Maybe it is some kind of spammer’s tag. Maybe the software was supposed to attach some links after the message but broke (I would assume you would test it once or twice before posting to 50,000 sites).

As for the theory that it’s some message to terrorist sleeper agents, they would have to know to look for it and be able to work out the specific details from the message, which would mean it would have needed to be worked out beforehand. If you were going to do something like that, it would be better to plan some form of secure communication such as Tor, encrypted messages or a darknet like Freenet. Also, the sheer number of posts would make it very easy to miss any other messages, such as the 2nd one.

It’s also possible that it is some kind of anti-internet/religious hate message.

