Malware Domain List

Site Related => Site / Forum Discussion => Topic started by: bookmarc on July 11, 2008, 01:12:57 pm

Title: Another New Guy
Post by: bookmarc on July 11, 2008, 01:12:57 pm
I am the Interactivity Manager for a nationwide chain of websites with a huge amount of interactive content. I am not very technical, but I certainly see and investigate a lot of spammers. I found this site this morning following up on an outfit that made 120 accounts on our system overnight, including html ads for a variety of meds--including morphine and hillbilly heroin. Their MO is then to post the links on every interactive site in the known universe. (We also get similar and even worse stuff for porn, kiddy porn and what I assume are phishing sites. I use a Linux computer to check this stuff for that reason.) In general, they do not post on our sites to fly under the radar, I guess. I often find them with google searches. I am working with our techs to put a stop to all of this, and I apologize profusely for my nearly total ignorance in this area, but is this a common problem? I would think that the highly networked profiles on sites with a social networking direction might be even more vulnerable to this kind of thing.

Title: Re: Another New Guy
Post by: sowhat-x on July 11, 2008, 01:27:24 pm
Welcome on board,bookmarc  :)

...and I apologize profusely for my nearly total ignorance in this area,but is this a common problem?
Not entirely sure if I understood the concept/question in specific...
but in short,from what you can also see from the links submitted around here,
spamming and malware spreading nowadays is way more than a "common problem",unfortunately...  :-\
Title: Re: Another New Guy
Post by: bookmarc on July 11, 2008, 02:24:30 pm
I was really asking about the use of profiles and links to profiles in this manner. Believe me, I am in a position to know how much of general problem there is with spam and malware. This just looks like teamwork to me and it looks like we have five or six different groups around the world taking pretty much the same approach with more or less technical sophistication. They work late at night US time and make a whole group of these spam profiles. I am just wondering if anyone else is seeing behavior like this--particularly regarding the use of profile links.
Title: Re: Another New Guy
Post by: bookmarc on July 11, 2008, 02:46:07 pm
I do have one more thoroughly non-technical question about this. In the past, I have tended not to take the spams for pharmacy sites very seriously. Most have been for Viagra, Cialis and the like and we sure do get a lot of them. This morning, though, these guys claim to be selling morphine, valium and hillbilly heroin, and  quite a few meds that could easily kill you if misused. I am assuming that anyone idiot enough to give these people a credit card number gets a handful of sugar pills or nothing at all. I sure hope so. Does anyone know if they will actually ship this kind of thing? They all try to look like American sites, but, as a PhD in English with a background in linguistic analysis, I can tell you for sure that the people who wrote their copy are not native speakers of English, particularly not American English. Since they are offshore, I am assuming that they really could legally send this stuff in their countries. I am just wondering if anyone knows what the story is with these sites. I have asked my wife--another PhD, but she is a  psychologist with a background in addiction treatment. I asked her to ask the people in the programs she supervises if people are using this kind of option to get drugs.
Title: Re: Another New Guy
Post by: Orac on July 11, 2008, 03:20:17 pm
I would suggest their are two things you can do to help your current situation.

Change your board settings so posts can only be made by registered members, and at the same time, Enable visual confirmation for registrations, this Requires new users to enter a random code matching an image to help prevent automated registrations.

Secondly, (assuming you have the staff/time to do it) report every instance of spam you find to the ISP of the orignating IP, and submit details of the spam to a site such as
CastleCops Spam Incident Reporting and Termination (

These spammers actually keep blacklists (or should that be whitelist) of sites that report and remove spammers, all our sites are listed on such sites and whilst we see a few instances a day, its very few compared to most servers (we get attacked by other methods, but thats another story lol) basicly if your known to fight back at the spammers they will avoid you, last thing they want is their latest "efforts" to be passed around to the AV guys.

Title: Re: Another New Guy
Post by: bookmarc on July 11, 2008, 03:54:48 pm
We already do all of the stuff in the first paragraph. Only registered users can post and we have the graphics for registration to avoid the spammers using a script.

We have not been a part of a communal effort to shut these guys down. That is why I am here. I appreciate the information and plan to move us into that kind of posture--working with others on this problem.

Title: Re: Another New Guy
Post by: bookmarc on July 11, 2008, 04:22:33 pm
I should add that I work for a fairly large system of regional sites. I am not going to say what it is, because I am assuming that the spammers may also review the posts on sites like this and I do not want to give anything away. I have to admit that I switched to my Linux computer to sign up here, just because I am not a very trusting soul, I have to admit. I was not sure that it was legit. I am now and I plan to involve several other of our people in this process, from all ten of our large regional sites. I have already given the URL to several people in our organization and I plan to go further with that.

Title: Re: Another New Guy
Post by: Atribune on July 11, 2008, 07:32:34 pm
Pop into the chat room on #mdl  I'm interested in which software you are using. If you are using captchas like Orac described you should be receiving very little spam. If you don't feel like getting on irc PM me here on the site and tell me the software in use. Perhaps there are bugs in it making it so spammers can get around the captchas.

Title: Re: Another New Guy
Post by: bookmarc on July 11, 2008, 09:59:27 pm
Our software is totally proprietary. It was written for us. We are currently looking at some other options.
Title: Re: Another New Guy
Post by: JohnC on July 11, 2008, 10:04:23 pm
There is some software which spammers use, which just basically tries to guess or brute force a form on sites it seems. So that it works with unknown software aswell. At least that is what it seems like, because if you have a contact form on a site, you'll notice if it is crawled by google and doesn't have a captcha it will be spammed by bots. (providing there are no precautions in place to stop it, like entering invalid email etc...)
Title: Re: Another New Guy
Post by: bookmarc on July 11, 2008, 10:09:34 pm
We have a captcha.
Title: Re: Another New Guy
Post by: JohnC on July 11, 2008, 10:10:32 pm
We have a captcha.

Is the captcha custom for you aswell or is it one of the known ones?
Title: Re: Another New Guy
Post by: bookmarc on July 11, 2008, 10:15:18 pm
It is custom.
Title: Re: Another New Guy
Post by: tjs on July 12, 2008, 05:41:02 am
I'm certainly no expert on the matter, but I suppose if you're really getting hammered by this stuff then it may be worth experimenting with more widely used captcha systems for several reasons:

- captcha is like cryptography- based on difficult-to-compute problems
- captcha providers are comitted to keeping the system resilient against the latest attacks
- captcha providers have staff and resources to keep up with latest research and techniques

In case you (or some other reader) is interested, there has been quite a lot of research posted in the past few months on the subject of breaking captchas. Here are some that come to mind:

If you're a member of the IEEE, this is a really good paper:

Just my $0.02...

Title: Re: Another New Guy
Post by: bookmarc on July 12, 2008, 04:41:02 pm
I had a look at those 120 accounts. They were made spread out over an eight hour period and the times between them are uneven. It does not look like a script to me. It looks like they were entered one by one. It sure is not a job I would want.
Title: Re: Another New Guy
Post by: sursmurf on July 12, 2008, 07:09:10 pm
If you haven't seen this already Panda has an interesting article about this and the software they use: (

The video at the bottom of that page is a real live demonstration of what you can do with a software like that. It's very interesting and quite frightening. (