A massive amount of web spam has been hitting the internet over the weekend, all sourced from a single user on an IP originating in Moldova.
Using the name “KattyBlackyard” and posting through the IP 22.214.171.124, the blog spam attack is one of the most extensive we’ve ever seen, with most if not all of our huge range of honeypots hit by the same comment over the weekend.
More than this, the same user has autoregistered at thousands of internet forums, regardless of whether they are running vBulletin, phpBB, or IPB.
The IP 126.96.36.199 was first noticed as being a source of spam four weeks ago by Project Honey Pot, and Stop Forum Spam also has a record of the different IDs and emails associated with spam from the IP.
The weekend’s spam attacks are the most extensive and comprehensive to date.
The following is the original message posted to blogs as a comment over this weekend:
Author : KattyBlackyard (IP: 188.8.131.52 , 89-28-14-35.starnet.md)
E-mail : email@example.com
URL : http://www.google.com
Hi, very nice post. I have been wonder’n bout this issue,so thanks for posting
A new message was released this morning, with the same details and the single message “Original post by Dmitri Gromov”.
Perhaps more disturbing is that unlike a lot of blog spam, which attempts to get links on blogs for SEO purposes, the only links so far from this profile are to Google.com.
The fact that the current wave of spam attacks from this IP does not link to a spam site suggests that it may be being used to identify potential future targets, with those blogs and/or forums that publish the spam compiled into a list for unrelenting spam attacks later on.
The surprise is just how extensive these waves have been so far, as if someone is making every effort to sniff out a huge chunk of the web, in order to catalogue every possible opportunity for publishing web spam.
The irony is that most blogs will not autopublish the spam, and any that is published is almost certainly using the nofollow attribute to devalue the links for SEO purposes.
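A moderation-side check for the pattern described above, where one comment shows up across many sites and links only to a harmless destination. This is an added example, not code from the original post; the record fields, the `find_probe_campaigns` name, the `min_sites` threshold, the benign-host list and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

BENIGN_HOSTS = {"google.com"}  # assumption: link targets that promote nothing
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def _fingerprint(body):
    # Collapse case, punctuation and whitespace so trivial edits still match.
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", body.lower()).split())

def find_probe_campaigns(comments, min_sites=3, benign=BENIGN_HOSTS):
    """Return groups seen on >= min_sites sites whose links are all benign."""
    groups = defaultdict(list)
    for c in comments:  # one group per (author, normalized body)
        groups[(c["author"].lower(), _fingerprint(c["body"]))].append(c)
    campaigns = []
    for (author, _), items in groups.items():
        sites = {c["site"] for c in items}
        links = [u for c in items
                 for u in (c["url"], *URL_RE.findall(c["body"])) if u]
        if len(sites) >= min_sites and links and all(_host(u) in benign for u in links):
            campaigns.append({"author": author, "sites": sorted(sites),
                              "ips": sorted({c["ip"] for c in items})})
    return campaigns

# Constructed moderation-queue records; IPs are documentation addresses.
PROBE = "Hi, very nice post. I have been wonder'n bout this issue,so thanks for posting"
SAMPLE = [
    {"site": "blog-a.example", "author": "KattyBlackyard", "ip": "203.0.113.7",
     "url": "http://www.google.com", "body": PROBE},
    {"site": "forum-b.example", "author": "kattyblackyard", "ip": "203.0.113.7",
     "url": "http://www.google.com", "body": PROBE.upper()},
    {"site": "blog-c.example", "author": "KattyBlackyard", "ip": "203.0.113.7",
     "url": "http://google.com/", "body": PROBE.replace(",so", ",  so")},
] + [
    # Ordinary link spam: widespread, but it links to the site it promotes.
    {"site": s, "author": "CheapMeds", "ip": "198.51.100.9",
     "url": "http://pills.example/", "body": "Great post! http://pills.example/buy"}
    for s in ("blog-a.example", "forum-b.example", "blog-c.example")
]

if __name__ == "__main__":
    for campaign in find_probe_campaigns(SAMPLE):
        print(campaign)
```

Sites that appear in a returned campaign and publish comments without review are the ones such a probe would single out, so they are the first candidates for switching to held-for-moderation.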