Spametry…

5 10 2008

For a while I received one of these emails a week. They were spam, but there were no links, products, requests to lend money to Nigerian princes or offers for pills that promise to increase the size of my manhood. I guess the spam bot wasn’t configured correctly, or maybe it was a neural network that had discovered the best way to avoid spam filters was to simply not send spam but instead a form of abstract poetry.

They were just words, I can only assume expertly crafted to circumvent Bayesian spam filters: designed to appear to be legitimate conversations without conveying information, words with no meaning but an odd structure all the same.

I noticed them initially because they got past the Gmail spam filters. Later ones got filtered to the spam folder, but unfortunately they have since stopped arriving. It helps if you think of a suitable voice reading them in your head, such as Christopher Walken, or just read them out loud to yourself.

——————-

from: Basil Mccall – FedericomilitateWinters(AT)cbot.com
date: Mon, Jul 28, 2008 at 4:32 AM
subject: croft extensor

cinder sneaky shutdown

byword byword curve? concurred, ethane louse.
concurred militate monroe concurred scarify rand, handwaving
inhuman admiration inhuman inhuman taos.

rand rand.

——————-

from: Dannie Kaufman – ChaunceypostMcfadden(AT)balibago.com
date: Tue, Jul 29, 2008 at 4:55 PM
subject: doublet disparate

nighttime dang scurrilous

local plasma grad? subpoena, farmhouse vexation.
conclusive conley intrude subpoena sell apostolic, irredeemable
constructible post dam sony nighttime.

local local.

——————-

from: Irene Jamison – JanelateraDodd(AT)dfcint.com
date: Mon, Aug 4, 2008 at 6:39 AM
subject: havoc multiplexor deteriorate garrison houston

thermal mccallum lichen? gypsy, referring lichen.
houston sorry supply neuroanotomy moore sorry, supply
pabst garrison cubic referring checkerberry.

carob lieutenant houston

lichen aitken wishful? gypsy, hs list.
quote causate lichen beribbon wattage sorry, havoc
thresh abrasion checksummed neuroanotomy multiplexor.

synaptic moore causate

cargo checksummed sorry? hs, gypsy titan.

checksummed supply.

——————-

This one, oddly enough, pretends to come from Lifehacker:

from: Sandy Hannah – KaylacareyCoker(AT)lifehacker.com
date: Tue, Aug 5, 2008 at 11:44 PM
subject: prismatic satiate allspice dichotomize carey

oppression temperance spontaneity? tribulate, oppression swage.
tel traverse revelry carey tun buttonhole, information
approbation resign spontaneity information squalid.

eternal robust lookup

expositor information spiritual? picayune, resign resign.
eternal swage patrician azerbaijan tel carey, picayune
patrician swage diabase hey river.

picayune upland vivid

any any spontaneity? temperance, approbation insouciant.

river satiate.

——————-

From: Boyd Allison – DominicksstAllison(AT)breitbart.com
date: Wed, Aug 13, 2008 at 2:51 AM
subject: stringy linus phil warrior butterfield

rest waller contusion? stewart, ammunition shoemake.
contusion shoemake tangy ammunition huber warrior, obrien
warrior adventurous initiate tangy biracial.

toot canopy penitentiary

stool alden bite? obrien, alden dummy.
butterfield biracial cpu fray huber linus, catalpa
shoemake dutch stringy dummy bite.

ammunition dummy warrior

stool canopy apply? errancy, adventurous wilson.

wilson adventurous.

——————-

Also of interest is this person turning the subject lines of spam into poetry, the Spam Poetry Institute, and The Register’s collection.
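To see why messages like these slip past a token-based Bayesian filter, and how their fixed layout still gives them away, here is an added example (not code from the original post). The training counts, the 0.9 threshold, the regex fingerprint and the function names are assumptions made for illustration; the word-salad sample is the first email quoted above.

```python
import math
import re

# Constructed toy training counts (messages containing each token); not real data.
SPAM_COUNTS = {"pills": 40, "loan": 30, "click": 45, "free": 38}
HAM_COUNTS = {"meeting": 40, "thanks": 42, "report": 30, "click": 5, "free": 10}
N_SPAM = N_HAM = 50

def token_prob(tok):
    """Per-token spam probability; tokens never seen in training are neutral."""
    s, h = SPAM_COUNTS.get(tok, 0), HAM_COUNTS.get(tok, 0)
    if s + h == 0:
        return 0.5
    ps, ph = s / N_SPAM, h / N_HAM
    return min(0.99, max(0.01, ps / (ps + ph)))

def bayes_score(text):
    """Naive Bayes combination of token probabilities, computed in log space."""
    probs = [token_prob(t) for t in re.findall(r"[a-z]+", text.lower())]
    log_spam = sum(math.log(p) for p in probs)
    log_ham = sum(math.log(1 - p) for p in probs)
    return 1 / (1 + math.exp(log_ham - log_spam))

# Layout shared by the quoted emails: "a b c? d, e f." / six words, one / five words.
STANZA = re.compile(
    r"^\w+ \w+ \w+\? \w+, \w+ \w+\.\n"
    r"(?:\w+ ){5}\w+, \w+\n"
    r"(?:\w+ ){4}\w+\.$",
    re.MULTILINE,
)

def stanza_hits(body):
    """Count three-line stanzas matching the template above."""
    return len(STANZA.findall(body))

def verdict(body, threshold=0.9):
    """Flag on token evidence or on the structural fingerprint."""
    return bayes_score(body) > threshold or stanza_hits(body) >= 1

# Body of the first quoted email (Jul 28, 2008), copied from the page.
WORD_SALAD = """cinder sneaky shutdown

byword byword curve? concurred, ethane louse.
concurred militate monroe concurred scarify rand, handwaving
inhuman admiration inhuman inhuman taos.

rand rand."""

# Constructed samples for comparison.
CLASSIC_SPAM = "click for free pills"
HAM = "Hi Sam, thanks for the report.\nCan we move the meeting?"
```

Every word in the quoted email is unseen by the toy model, so its Bayesian score sits at exactly 0.5 and only the layout check flags it.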





mekodinosad, spam? Sad dinosaur? the Terrorists?

2 10 2007

My post on UNIX permissions received an odd comment, “Hola faretaste mekodinosad”. At the time I didn’t think much of it other than to wonder what I did to make Dino sad; however, I recently did a Google search for it.

That came up with over 7,000 hits with the same phrase, including a post from another blog that noticed it. It seems to be down from 17,000 hits when they searched for it, possibly because it’s being filtered out as spam.

According to the comments on the other post, the first 2 words apparently translate as Hello westerner (fair skinned), and the 3rd word seems to be some kind of holy threat if you interpret the results the other post found from the Quran search tool. However, I’m not too sure of the translation posted above or the fact that it is in Arabic, since the phonetic translator doesn’t match anything from the phrase above.

Searching for the username “AnferTuto” returns 50,000 results.
There are thousands of profiles from various blogs, social networking sites and forums, as well as posts with the phrase above.

Most of the profiles don’t seem to have any posts linked with them.

The email address “hfiifiihhiir@gawab.com” is linked to it and returns 19 results from various profiles (nice to know these websites show the email address publicly and in plain text format; spammers, fire up your harvesters).

The IP address 62.231.243.138 from the original post shows up in search results on various antispam sites, and also on quite a few wiki user pages listed as a vandal. Project Honey Pot also shows it is being used as a spam relay here. It would indicate that the address itself is an open relay; an nmap port scan of the system shows similar ports open to the ones that spammers leave filtered from when I have port scanned addresses from spam emails in the past.

The other IP address listed in the comments, “71.90.130.103”, only returns search results from the other blog comment and also a list of proxy servers.

The IP addresses are most likely both relays or public proxies.

In addition to “Hola faretaste mekodinosad” the phrase “Hola mardena! falikotrepat” is used in some places and returns about 4,000 results.

Chances are this is just a spammer, but why send that phrase? There aren’t any links to anything and the username is used only for these obscure posts. Possibly they are some kind of test phrases to see how well the software is working and the time it takes things to get indexed by Google or blocked by antispam; still, you might as well test it with real content. Maybe it is some kind of spammer’s tag. Maybe the software was supposed to attach some links after the message but broke (I would assume you would test it once or twice before posting to 50,000 sites).

As for the theory that it’s some message to terrorist sleeper agents, they would have to know to look for it and be able to work out the specific details from the message, which would mean it would have needed to be worked out beforehand. If you were going to do something like that, it would be better to plan some form of secure communication such as Tor, encrypted messages or a darknet like Freenet. Also, the sheer number of posts would make it very easy to miss any other messages such as the 2nd one.

It’s also possible that it is some kind of anti-internet/religious hate message.