5

For years, we've been receiving messages through our contact form in the following format:

name: vlsyekcz
email: jjthiy@toaagq.com
subject: BdsQiWYlYo
body: 2BLgIr <a href="http://aixfhxcynapd.com/">aixfhxcynapd</a>, [url=http://kfsriuqfsuer.com/]kfsriuqfsuer[/url], [link=http://lyiusjazrqvl.com/]lyiusjazrqvl[/link], http://hfxsdwgylvpa.com/

The contact form is a basic HTML form with no anti-robot measures whatsoever (we want to maximize user-friendliness here; we don't believe we should make people who are looking for support jump through any additional hoops).

We have, over the years, received many hundreds (thousands? we didn't count them) of messages like the above. All of them follow the exact same format; string lengths may vary a bit, but other than that, the format stays the same.

I've always thought that these messages are sent to see if a system is vulnerable to something. The URLs point to non-existing domains, so they can't check to see if any of the links get clicked. So, I thought it most likely they are checking our website to see if the unique random strings show up so that they then know that they can post spam messages or something close to that. But it doesn't make sense: if you want to post spam links, why not just post the spam directly and be done with it?

I searched online, found: What is the purpose of "gibberish" comments posted to my blog? and decided to start monitoring our traffic log files.

We have been monitoring for a month now, and the IP numbers that post those messages don't come back for anything else. From what we can tell, this is a fire-and-forget script (unless it is part of a larger bot-net of course; but it seems inefficient to delegate the checking to another node?). Also, as pointed out before, we have been receiving those messages for years, so I would expect the system sending those messages to have learned that they have a 0% success rate by now...

Does anyone know anything more about those messages? Are they generated by a known bot-net? Are they generated by some sort of spam tool/package?

thanks, Monika

Monika
  • There are no nameserver or whois records for these urls/domains - meaning that the links should have no effect. It might have earlier, or maybe they will in the future. – Dog eat cat world Aug 15 '14 at 09:25
  • Those domains are too many to mean anything, other than a signature to check for. – Monika Aug 15 '14 at 09:39

1 Answer

5

It's an automatic probe to see which URL syntax, if any, you support. They're trying raw HTML, two versions of BBCode, and a bare URL, all with unique URLs. They'll then scan your site (either directly or indirectly, e.g. through Google) to see which ones, if any, have been turned into working links, in order to guide actual spamming.

Since the whole thing is automated and is probably running on a botnet of hijacked computers, perpetual failure doesn't cost them anything.

Mark
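An added example, not part of the question or of Mark's answer: a Python filter a site owner could run over contact-form bodies to flag the probe described above, i.e. one message carrying links in several markup syntaxes, each with its own host. The function names and the three-syntax threshold are assumptions; the sample body is the one quoted in the question.

```python
import re

# One pattern per link syntax named in the answer; each captures the URL host.
SYNTAXES = {
    "html": re.compile(r'<a\s+href="https?://([^/"\s]+)[^"]*"\s*>', re.I),
    "bbcode_url": re.compile(r'\[url=https?://([^/\]\s]+)[^\]]*\]', re.I),
    "bbcode_link": re.compile(r'\[link=https?://([^/\]\s]+)[^\]]*\]', re.I),
    # Bare URL: not preceded by '=' or '"', so not inside one of the markups above.
    "bare": re.compile(r'(?<![="\w])https?://([^/\s<\[\]"]+)', re.I),
}

def link_syntaxes(body):
    """Return {syntax name: set of hosts} for each link syntax present in body."""
    found = {}
    for name, pattern in SYNTAXES.items():
        hosts = {h.lower() for h in pattern.findall(body)}
        if hosts:
            found[name] = hosts
    return found

def is_syntax_probe(body, min_syntaxes=3):
    """Flag a body that uses several link syntaxes, every link on a distinct host.

    min_syntaxes is an assumed threshold: a real user rarely mixes raw HTML,
    BBCode and bare URLs in a single support message.
    """
    found = link_syntaxes(body)
    if len(found) < min_syntaxes:
        return False
    all_hosts = [h for hosts in found.values() for h in hosts]
    # Unique host per syntax is what lets the sender tell which one rendered.
    return len(set(all_hosts)) == len(all_hosts)

# Body copied from the message quoted in the question.
SAMPLE = ('2BLgIr <a href="http://aixfhxcynapd.com/">aixfhxcynapd</a>, '
          '[url=http://kfsriuqfsuer.com/]kfsriuqfsuer[/url], '
          '[link=http://lyiusjazrqvl.com/]lyiusjazrqvl[/link], '
          'http://hfxsdwgylvpa.com/')
# Constructed sample of an ordinary support request.
LEGIT = "Hi, the page at https://example.com/orders/123 shows an error. Thanks!"

if __name__ == "__main__":
    for body in (SAMPLE, LEGIT):
        print(is_syntax_probe(body), sorted(link_syntaxes(body)))
```

The hosts returned by `link_syntaxes` can also be searched for in your own rendered pages to confirm that none of the four syntaxes ever becomes a live link.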