What is all this Zune comment spam about?

People running popular blogs are often targeted by comment spammers – this blog gets hit with at least 10,000 a year (and very useful for botnet research) – most of it is semi-literate drivel containing a link to some site being “promoted”. Idiots pay other idiots to do this because they believe it will increase their Google ranking. It doesn’t, but a fool and his money are soon parted and the comment spammers, although wasting everyone’s time, are at least receiving payment from the idiots of the second part.

But there’s a weird class of comment spam that’s been going for years which contains lucid, but repeated, “reviews” about something called a “Zune”. It turns out that this is a Microsoft MP3 player available in the USA. The spams contain a load of links, and I assume that the spammers are using proper English (well, American English) in an attempt to get around automated spam filters that can spot the broken language of the third-world spam gangs easily enough. But they do seem to concentrate on the Zune media player rather than other topics. Blocking them is easy: just block any comment with the word “Zune” in, as it doesn’t appear in normal English. Unless, of course, your blog is about media players available in the USA.

This really does beg the question: why are these spammers sicking to one subject with a readily identified filter signature? I’ve often wondered if they’re being paid by a Microsoft rival to ensure that the word “Zune” appears in every spam filter on the planet, thus ensuring that no “social media” exposure exists for the product. Or is this just a paranoid conspiracy theory?

An analysis of the sources shows that nearly all of this stuff is coming from dubious server hosting companies.  A dubious hosting company is one that doesn’t know/care what its customers are doing, as evidenced by continued abuse and lack of response to complaints. There’s one in Melbourne (Telstra!) responsible for quite a bit of it, and very many in South Korea plus a smattering in Europe, all of which are “one-time” so presumably they’re taking complains seriously even if they’re not vetting beforehand. It’s hard to be sure about the Koreans – there are a lot but there’s evidence they might be skipping from one hosting company to the other. Unusually for this kind of abuse there are very few in China and Eastern Europe, and only the odd DSL source. These people don’t seem to be making much use of botnets.

So, one wonders, what’s their game? Could it be they’re buying hosting space and appearing to behave themselves by posting reasonable-looking but irrelevant comments? Well any competent server operators could detect comment posting easily enough, but in the “cheap” end of the market they won’t have the time or even the minimal knowledge to do this.

I did wonder if they were using VPN endpoints for this, but as there’s no reverse-lookup in the vast majority of cases it’s unlikely to be any legitimate server.

Spammer without a Motive

Anyone who knows what I’m about will have guessed that I’d take an interest in the spamming attempts on this blog site. And indeed I have. However, a couple of weeks ago I had a slew of comments for which I can’t deduce a motive.

They took the form of meaningful comments to half a dozen posts – the sort of thing you’d normally let through even they they didn’t add any useful knowledge. They were also well written, by someone who clearly spoke English. But they didn’t add up.

The author purported to be an American cleric, and the comments were written from that viewpoint. However, they didn’t smell quite right – there were a few slips that suggested they weren’t written by a west-coast American priest. Investigation revealed they were, in fact, sent from a computer in Manchester or thereabouts.

So what’s the game? Well there were no links or other nasties in any of the posts. The web site of the poster (which may well have been blocked anyway) was a religious blog in the USA, but it hadn’t seen any activity since mid-2006.

Could this person have been creating an identify for a sock-puppet? Well having waited a couple of weeks, the name hasn’t appeared anywhere else. It could be that the poster failed to convince anyone, but the Internet is a big place and most blogs aren’t posted by computer security experts.

The only explanation I can think of is someone trying to create an identity with enough rights that subsequent posts could get through unmoderated. This would have taken a great deal of further work, especially as the email address provided was an anonymised temporary one.

So, I’m still stumped!

Some of the comments were quite funny, so I might let them through anyway and see what happens.