Figuring out my comment spam

So I come home after a rotten day, feeling really down, and what do I find in my inbox? Twenty-four (yes, that's 24) e-mail notifications for comments on my blogs: all of them spam. Damned degenerate scumbags. I guess it's time to get serious about implementing a content filter, because these sub-human wastes of perfectly good carbon atoms just won't leave me alone. And I'm getting tired of deleting comments and trackbacks by these walking piles of monkey excrement, so my only choice is to get pro-active.

The thing that really pisses me off about today's hit and run is that it isn't even commercial spam. Oh, I hate the assholes who leave that too, but at least I can understand it. Deleting links to online gambling and loan refinancing sites is unpleasant, but at least the act of posting such links on blogs makes sense: more links = better Google ranking = more money. They're still slightly below flesh-eating bacteria on the scale of human worth, but at least their actions aren't completely incomprehensible.

Today's round of comment spam, however, is different. This isn't the first time I've suffered this type of attack, but it is the first time I ever stopped to analyze it. You see, there were two distinct types of comment. The first makes absolutely no sense to me. It is simply something@skepticats.com posted as the name, subject, and body of the comment. That's it. No links or anything. Just an invalid e-mail address at my domain. Does anybody have any clue what the purpose of such a comment could be? Does it have something to do with gaming e-mail harvesters? That's pretty much all I could think of.

The second type of message is significantly more complicated. Like the previous message type, it contains a random e-mail address at my domain in the subject and body of the comment. However, for the name field, it contains some variation on the following text:
to
Content-Type: multipart/alternative; boundary=912124b723a23f3d33ad518075fc69e8
MIME-Version: 1.0
Subject: carelessly. s no one in the hut, no
bcc: real_address_removed@aol.com

This is a multi-part message in MIME format.

--912124b723a23f3d33ad518075fc69e8
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

strove to compete with the steam packet, the dark smoke from which, like some demon, partly rested upon the vessel, partly
--912124b723a23f3d33ad518075fc69e8--

.
I actually had to look at the raw data files on my server to figure out that this was going in the name field. On the comments page, most of it actually showed up in the body. This seems to be because the comment class expects every field except the body to be one line, because that's the only way to enter it on the form.

I could be wrong, but this appears to be an attempt to piggyback on the comment notification system. Apparently the idea is that by injecting mail headers directly into the name field, they can fool the mailer into thinking they're real headers, so that it sends a copy of the message to the address in the BCC line. Fortunately, it doesn't appear to work. However, I'm still concerned that there's no actual commercial content in the messages. They appear to be just text snippets taken at random from a story of some type. Why would anyone want to send that? Is somebody just using this as a test? What on earth is going on with these messages?
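To make the mechanism concrete, here is an added Python example (mine, not code from this blog or its comment class) showing why a notification mailer that pastes form fields straight into a header template can be fooled by a name containing line breaks, and what a content filter should check before mailing anything. The payload, the addresses and the function names are all constructed for this example; the detection rules are simple heuristics based on the two comment patterns described above.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

# Constructed payload (hypothetical addresses) modelled on the name-field
# contents shown above: a CRLF, then lines that read as mail headers,
# ending with a forged bcc header.
INJECTED_NAME = (
    "to\r\n"
    "MIME-Version: 1.0\r\n"
    "Subject: carelessly. s no one in the hut, no\r\n"
    "bcc: victim@example.invalid\r\n"
)


def naive_notification(name, body):
    """The risky pattern: the notification mail is built by pasting a form
    field straight into a header template. Returns the parsed result so we
    can see what a mail server would see, including any smuggled headers."""
    raw = (
        "From: blog@example.invalid\r\n"
        "To: owner@example.invalid\r\n"
        f"Subject: New comment from {name}\r\n"
        "\r\n"
        f"{body}\r\n"
    )
    return Parser().parsestr(raw)


# A one-line form field never legitimately contains these.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")
# Something that looks like a mail header at the start of a line.
HEADER_SYNTAX = re.compile(
    r"(?im)^(?:bcc|cc|to|from|subject|content-type|mime-version)\s*:"
)


def header_injection_reasons(fields):
    """Heuristic checks for single-line form fields (name, e-mail, subject).
    Returns a list of human-readable reasons to reject the submission; an
    empty list means the fields look clean."""
    reasons = []
    for field, value in fields.items():
        if CONTROL_CHARS.search(value):
            reasons.append(f"{field}: contains a line break or NUL")
        if HEADER_SYNTAX.search(value):
            reasons.append(f"{field}: contains mail-header syntax")
    return reasons


def looks_like_address_probe(name, subject, body):
    """Flags the other pattern from the post: the same bare e-mail address
    repeated as name, subject and body with nothing else in the comment."""
    return (
        name == subject == body
        and re.fullmatch(r"\S+@\S+\.\S+", name) is not None
    )


def safe_notification(name, body):
    """Hardened version: validate first, then let the email library build
    the headers instead of concatenating strings."""
    reasons = header_injection_reasons({"name": name})
    if reasons:
        raise ValueError("rejected comment: " + "; ".join(reasons))
    msg = EmailMessage()
    msg["From"] = "blog@example.invalid"
    msg["To"] = "owner@example.invalid"
    msg["Subject"] = f"New comment from {name}"
    msg.set_content(body)
    return msg


def is_rejected(name):
    """True when the hardened mailer refuses to send for this name field."""
    try:
        safe_notification(name, "body")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    smuggled = naive_notification(INJECTED_NAME, "body")
    print("naive mailer sees Bcc:", smuggled["bcc"])
    print("filter verdict:", header_injection_reasons({"name": INJECTED_NAME}))
    print("hardened mailer rejects it:", is_rejected(INJECTED_NAME))
```

The first check (no CR, LF or NUL in any field the form renders as a single line) is the one that actually closes the hole; the header-syntax and repeated-address rules are only there to log and flag the probes described above, so you can tell how often they arrive without having to read the raw data files.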
