xo Site Admin
Joined: 09 Feb 2002 Posts: 466 Location: Los Angeles [comcast]
Posted: Fri Jun 14, 2002 1:29 am Post subject: What's with the bot messages?
Not that they are annoying me per se; I find myself checking Gorunova's comebacks more than anything.
Still, they pique my curiosity. Any theories?
-xo

(inc)
Joined: 18 Feb 2002 Posts: 356 Location: San Diego
Posted: Fri Jun 14, 2002 8:01 am
Is it a bot as has been speculated? Would a bot indicate so much variance in the posting software? It's all over the map, old versions of OE, old versions of Agent, Free Agent, Gnus, etc. Originating ISPs have varied, but a lot is out of Mindspring. Some are obviously from the same source -- maybe it's just a new Usenet fad, or are the members of one of the IRC groups just letting each other know that they are present.
It may be starting to wear a little thin for me, though....
(inc)

(inc)
Joined: 18 Feb 2002 Posts: 356 Location: San Diego
Posted: Fri Jun 14, 2002 10:14 am
On the other hand, anime is _always_ the last word, so I guess it smells like a bot... Don't know why I bothered, but a size sort in Easynews (they're all 1 line) and a field export in Agent makes it easy ==> the abma nonsense posts. Note, one actually got repeated:
Subject: I can't find pics of anime
From: Carol Devan <cdevan@alltel.net>
NNTP-Posting-Host: 63.11.20.149
Date: Sun, 02 Jun 2002 15:12:28 GMT
X-Mailer: Mozilla 4.77 [en] (Win95; U)
X-Complaints-To: abuse@verizon.net
I can't find pics of anime
Subject: REQ: more pics of anime
From: Mckinley Whitcomb <coffechuck@attbi.com>
NNTP-Posting-Host: a5.f7.d7.55
Organization: MindSpring Enterprises
Date: 4 Jun 2002 00:21:05 GMT
User-Agent: Xnews/03.02.04
REQ: more pics of anime
Subject: The best group is anime
From: Ostrohl <ostrohl@comcast.net>
NNTP-Posting-Host: 158.252.242.111
Organization: EarthLink Inc. -- http://www.EarthLink.net
Date: Tue, 04 Jun 2002 16:00:31 GMT
X-Newsreader: Forte Agent 1.8/32.548
X-Complaints-To: abuse@earthlink.net
The best group is anime
Subject: Good Times anime
From: Cole Scott <jeanninea@cpdns.net>
NNTP-Posting-Host: a5.f7.d8.4d
Organization: MindSpring Enterprises
Date: 4 Jun 2002 20:37:11 GMT
X-Newsreader: Forte Agent 1.8/32.548
Good Times anime
Subject: 6 2002 is the best day for anime
From: Palmer Olsen <deec@cpdns.net>
NNTP-Posting-Host: 63.11.20.45
Date: Wed, 05 Jun 2002 21:27:58 GMT
X-Newsreader: Forte Free Agent 1.21/32.243
X-Complaints-To: abuse@verizon.net
6 2002 is the best day for anime
Subject: My favorite group is anime
From: Beondthblu <beondthblu@attbi.com>
NNTP-Posting-Host: 158.252.217.106
Organization: EarthLink Inc. -- http://www.EarthLink.net
Date: Thu, 06 Jun 2002 17:50:30 GMT
X-Newsreader: Microsoft Outlook Express 5.00.2014.211
X-Complaints-To: abuse@earthlink.net
My favorite group is anime
Subject: REQ: more pics of anime
From: Robert Y. Dzewski <rydzewski@comcast.net>
NNTP-Posting-Host: 63.11.20.24
Date: Sat, 08 Jun 2002 17:31:45 GMT
X-Newsreader: Forte Free Agent 1.21/32.243
X-Complaints-To: abuse@verizon.net
REQ: more pics of anime
Subject: Ain't no porn like the anime
From: Jimgilmore <jimgilmore@sisna.com>
NNTP-Posting-Host: a5.f7.cc.c1
Organization: MindSpring Enterprises
Date: 9 Jun 2002 15:34:19 GMT
X-Newsreader: Forte Free Agent 1.11/32.235
Ain't no porn like the anime
Subject: Any more anime
From: Kenneth Page <cobe2play@attbi.com>
NNTP-Posting-Host: 63.11.20.90
Date: Tue, 11 Jun 2002 02:57:23 GMT
User-Agent: Xnews/03.02.04
X-Complaints-To: abuse@verizon.net
Any more anime
Subject: how much anime
From: Cynthia Y. Berads <cyberads@centurytel.net>
NNTP-Posting-Host: 158.252.208.69
Organization: EarthLink Inc. -- http://www.EarthLink.net
Date: Thu, 13 Jun 2002 12:15:32 GMT
X-Newsreader: Microsoft Outlook Express 4.72.3155.0
X-Complaints-To: abuse@earthlink.net
how much anime
Subject: More more more more anime
From: Lizzie Cantrell <d90-two@attbi.com>
NNTP-Posting-Host: a5.f7.ca.64
Organization: MindSpring Enterprises
Date: 14 Jun 2002 03:26:34 GMT
X-Mailer: Mozilla 4.7 [en] (Win98; I)
More more more more anime
Subject: Most of the great anime
From: Ajaremnant <ajaremnant@attbi.com>
NNTP-Posting-Host: 63.14.250.144
Date: Fri, 14 Jun 2002 11:31:33 GMT
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-Complaints-To: abuse@verizon.net
Most of the great anime
Subject: like to have anime
From: Cinamon <cinamon@thevision.net>
NNTP-Posting-Host: 63.11.20.95
Date: Fri, 14 Jun 2002 11:33:09 GMT
X-Mailer: Mozilla 4.03 [en] (Win95; I)
X-Complaints-To: abuse@verizon.net
like to have anime
Subject: I want more anime
From: Obrazil <obrazil@docspace.com>
NNTP-Posting-Host: 63.14.250.119
Date: Fri, 14 Jun 2002 16:34:52 GMT
X-Newsreader: Microsoft Outlook Express 5.00.2919.6600
X-Complaints-To: abuse@verizon.net
I want more anime

xo Site Admin
Joined: 09 Feb 2002 Posts: 466 Location: Los Angeles [comcast]
Posted: Fri Jun 14, 2002 11:50 am
Excellent detective work!
Looking at the review you provided, the first thing that popped into my head is "virus", but I couldn't find mention of a virus on Symantec's site that triggered Usenet posting thru such a variety of user agents.
Your theory about coded communications between irc members is interesting- have you heard of this kind of thing being done before?
-xo

Gorunova
Joined: 10 Feb 2002 Posts: 318 Location: Burnaby, B.C., Canada
Posted: Fri Jun 14, 2002 8:54 pm
Note that the X-Newsreader header may not be authentic. It could be a bot or a virus impersonating various newsreaders to throw off analysis attempts like this. That still doesn't cover the multiple source angle though.
At first I thought it was just an unusually high number of illiterate morons posting incomplete sentences and expecting others to be able to read their minds. It happens all the time.
But this is way too consistent for that. It may indeed be a signal flare of some kind - if the last word of the sentence is contained in the newsgroup name, then some condition is true.

(inc)
Joined: 18 Feb 2002 Posts: 356 Location: San Diego
Posted: Fri Jun 14, 2002 10:55 pm
The strangest part of the news-reader list is how obsolete they all are. Where is Agent 1.9x? And it's the same in the aba messages. But the headers are filled in appropriately for the given posting software. If it is a bot making dummied headers from real posts, the info would seem about a year old.
And none in abmar as far as I could see. How about some other groups? I haven't done much else than quick scans outside of aba/abma for the last week or so.
I'm just afraid at how easy it looks like it would be to turn it into real spam.
(inc)

Firecaster
Joined: 24 Feb 2002 Posts: 43 Location: Edmonton, Alberta, Canada
Posted: Fri Jun 14, 2002 11:08 pm
I know that this probably won't help, but I've been seeing these in other groups as well... alt.binaries.mp3.sounds.video-games, alt.binaries.sounds.anime, and alt.binaries.sounds.jpop. I've never bothered clicking on them, though, because I'm paranoid about viruses. ^^;
[EDIT: Just thought I'd like to mention that the ones in jpop and mp3.video-games don't have "anime" in them... they go something like "i need pics of jpop" or "My favorite is video games".]

user
Joined: 19 Feb 2002 Posts: 72
Posted: Sat Jun 15, 2002 3:07 pm
Hmm. Sounds like someone's playing around with regexp "\.([a-zA-Z]+$)" in a spambot...

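A detection sketch for the pattern discussed in the posts above (a one-line post whose body repeats its subject and ends in the last component of the group name), added here as an example and not code from any poster. The group assigned to each anime record, the `LOOSE` pattern, the `(not given)` placeholders and the final ordinary post are assumptions; the comparison also shows that the quoted pattern `\.([a-zA-Z]+$)` yields nothing for a hyphenated group such as alt.binaries.mp3.sounds.video-games.

```python
import re
from collections import defaultdict, namedtuple

Post = namedtuple("Post", "group subject body source client")

# The pattern quoted in the thread: letters only after the last dot.
STRICT = re.compile(r"\.([a-zA-Z]+$)")
# Assumed looser variant: anything after the last dot, hyphens included.
LOOSE = re.compile(r"\.([^.]+)$")

def topic_word(group, pattern=LOOSE):
    """Last component of the group name, hyphens read as spaces, or None."""
    m = pattern.search(group)
    return m.group(1).replace("-", " ").lower() if m else None

def looks_templated(post, pattern=LOOSE):
    """True when the body repeats the subject and the subject ends in the topic word."""
    word = topic_word(post.group, pattern)
    subject = post.subject.strip().lower()
    return bool(word) and post.body.strip().lower() == subject and subject.endswith(word)

def sources(posts):
    """Map each source to (flagged posts, distinct clients among them)."""
    seen = defaultdict(list)
    for p in posts:
        if looks_templated(p):
            seen[p.source].append(p.client)
    return {src: (len(c), len(set(c))) for src, c in seen.items()}

def echo(group, subject, source, client):
    """Build a one-line post whose body is its subject."""
    return Post(group, subject, subject, source, client)

# Constructed sample: subjects, sources and clients come from the thread; the
# group of each anime record and the last (ordinary) post are assumptions.
SAMPLE = [
    echo("alt.binaries.sounds.anime", "REQ: more pics of anime", "MindSpring Enterprises", "Xnews/03.02.04"),
    echo("alt.binaries.sounds.anime", "Good Times anime", "MindSpring Enterprises", "Forte Agent 1.8/32.548"),
    echo("alt.binaries.sounds.anime", "how much anime", "abuse@earthlink.net", "Microsoft Outlook Express 4.72.3155.0"),
    echo("alt.binaries.sounds.jpop", "i need pics of jpop", "(not given)", "(not given)"),
    echo("alt.binaries.mp3.sounds.video-games", "My favorite is video games", "(not given)", "(not given)"),
    Post("alt.binaries.sounds.anime", "Re: What's with the bot messages?", "Any theories?", "abuse@example.net", "Forte Agent 1.9"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(looks_templated(p), looks_templated(p, STRICT), p.subject)
    print(sources(SAMPLE))
```
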
Melchior
Joined: 19 Feb 2002 Posts: 190 Location: Vancouver, BC, Canada
Posted: Sun Jun 16, 2002 8:30 pm
(inc) wrote: |
I'm just afraid at how easy it looks like it would be to turn it into real spam.
|
Of course, the day these messages start appearing as spam is the day people start reporting them as spam to the ISPs they were posted through, which should result in the termination of the accounts used to send the spams...
Here's a scary thought, though: what if some obscure virus is causing this, and the virus' author decides to modify the virus to spam, and then the virus starts spreading? Suddenly, ISPs would be more reluctant to TOS their users, since they weren't *trying* to spam-- they were simply infected with a virus, and the virus was spamming...

Gorunova
Joined: 10 Feb 2002 Posts: 318 Location: Burnaby, B.C., Canada
Posted: Mon Jun 17, 2002 8:31 pm
Melchior wrote: | Here's a scary thought, though: what if some obscure virus is causing this, and the virus' author decides to modify the virus to spam, and then the virus starts spreading? Suddenly, ISPs would be more reluctant to TOS their users, since they weren't *trying* to spam-- they were simply infected with a virus, and the virus was spamming... |
That's easy: Just change the TOS to forbid Microsoft email clients.