Wandering Thoughts archives

Empirically, modern mailing list services are spam senders

I still run a mailer on my office workstation, handling email to addresses that I've had for a very long time and which I used to use a lot in public (back in the days when the Internet was a much nicer place). To a very good approximation the only email that gets sent to it any more is spam.

(I have systematically transfered all legitimate email to other addresses elsewhere and I no longer subscribe to mailing lists and so on from it.)

Which leads to the punchline: I think I've gotten spam email sent to this machine by most if not all major providers of mailing list services. Many of them keep trying to send email to the machine over time, too.

This is what I mean when I say that empirically modern mailing list services are spam senders: they send spam. To me, from my particular vantage point, their spam sending activities outnumber their legitimate activities directed at me. These companies can protest all they want that they have plenty of legitimate customers too, but for me it is a ratio of all spam and no ham.

By the way, of course I don't bother to send complaints to these companies. It's a waste of time. From a global perspective sending complaints to these companies is what's called 'list washing'; I'll maybe get removed from this particular list or this particular spammer's collection of lists (because the spamming customer gets canceled) but they'll be back to sending me spam next week or next month or next year on behalf of the next spammer that they sign up. The only effective cure for me is to block them entirely, so that's what I do.

(I've touched on this issue before but not quite in these blunt terms. Extensions to the morality of running a mailing list service provider are left as an exercise for the reader.)

(This rant was sparked by a recent conversation with someone I know.)

Today's comment spammer trick: regurgitated comments

I log the contents of some attempted spam comments here on Wandering Thoughts (the concise summary of when is when the spammer seems to be trying hard). Usually this doesn't get anything, but today my trawl through the logs turned up a succession of bizarre and odd comment attempts. The text had misspellings and typos but it generally made sense and most of the comment attempts were even about technical things that are vaguely on topic for here. But they were invariably attempts to comment on very inapplicable entries.

When I looked at the logs in detail, one of the most striking was a series of comment attempts that looked very much like a conversation between two or more people about using git on home directories. This was very odd since none of the comments were being posted, yet the people were pretty clearly replying to each other; I began to develop all sorts of theories about disturbingly intelligent content auto-generation. Finally I noticed something in one of the comment texts and the penny dropped:

[...] Possibly related posts: (automatically generated)Heroku, the Rails app.

There is a really simple way to get this text into a spam comment: you can be scraping content from existing blog posts and/or blog comments. So my new theory is that the would-be comment spammer is is scraping comment text from other blogs, mangling them somewhat, and then spam-posting them on other blogs (including mine).

The mangled text doesn't seem to have any links or other spam-relevant text so I'm not sure why the spammers are doing this. Maybe they're fishing to see what blogs will allow their comments through moderation and will follow up with more active content on blogs where this works.

Sidebar: source details and other things

So far 30 different IP addresses have tried this here today; most IP addresses have made only one attempt each. The IP addresses cover a large range of source networks. A few of them are CBL listed but that's pretty much it as far as DNBLs are concerned. Four of the IP addresses actually belong to Microsoft (168.63.43.185, 168.63.62.182, 168.63.76.184, and 168.63.84.217; all four are currently listed on the CBL). I'm assuming that these are compromised machines, VPS servers, or both.

Many of the IP addresses also made a burst of GET requests for various other URLs here. Maybe they're scraping text from Wandering Thoughts for use in their corpus for their next spam run somewhere else.