A Dispatch


January 04, 2009

About "podmena traffica test"

It seems that I'm not the only one receiving spammy messages whose body contains nothing but the following:

podmena traffica test

The Subject: lines are of the typical medz/watchez variety, and not always in well-constructed English:

  • New products supersite for you to find product you need.
  • Always be ready.
  • Get rid of terrible pounds!
  • Security and privacy guaranteed.
  • Worldwide delivery instantly to your home
  • Affordable prices on quality medications.
  • Don't pay a fortune for your watch.
  • the best presents for Christmas and Sylvester party

The From: plain-language names are, for the most part, realistic-sounding—although "Mohamed Clifford" might be a stretch. The sending machines are from all over the place, typically indicating that they come from infected PCs acting as members of a botnet.

So, what does the message or the existence of this message mean?

The text appears to have a Russian-language heritage. I'm no Russian expert, but some have suggested that the first word is transliterated from a Russian word having the meaning of "spoofing." Interestingly, I have found many instances around the Web in which blog comment posters—legitimate members of a blog, not blog spammers—have had their messages invisibly modified upon sending, so that the "podmena traffica test" phrase appears at the very beginning of the message they posted.

Affected posters, of course, blame the blog hosting software, but if that were so, then more than the odd message in an active thread would be affected. No, it has to be an infection embedded within the poster's PC...the same types of infected PCs sending out otherwise blank spam, but whose empty body has this phrase inserted at the start.

Receiving such spam messages is harmless (except for the aggravation), and because the botnet controller keeps sending these things, it makes it easy for spam filters to block them and report infected IP addresses to their providers. If you find that one of your blog comments had the phrase inserted without your knowledge, you are in deep doodoo. Shut 'er down, and clean 'er up.
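As an added illustration (not the author's code), here is a small Python filter covering the three signs the post describes: a message body that is nothing but the phrase, the Received: chain for the sending host a spam filter would report, and a blog comment that begins with the phrase. Both sample messages are constructed, using example.com/.net/.org addresses and documentation-range IPs.

```python
import re
import email
from email import policy

# The one-line body the post describes; everything else in the message varies.
MARKER = "podmena traffica test"

# Constructed sample (not a real capture): botnet-style spam with a Subject and
# From in the style quoted above, sending host in the 192.0.2.0/24 range.
SAMPLE_SPAM = """\
Received: from unknown (HELO pc) ([192.0.2.45])
\tby mx.example.net; Sun, 4 Jan 2009 09:00:00 -0500
From: Mohamed Clifford <clifford@example.com>
To: reader@example.net
Subject: Get rid of terrible pounds!

podmena traffica test
"""

# Constructed legitimate message for contrast.
SAMPLE_LEGIT = """\
Received: from mail.example.org ([192.0.2.7]) by mx.example.net; Sun, 4 Jan 2009 09:05:00 -0500
From: Colleague <colleague@example.org>
To: reader@example.net
Subject: Re: meeting

See you at 3pm.
"""


def _normalize(text: str) -> str:
    """Collapse whitespace and case so trivial variations still match."""
    return " ".join(text.split()).lower()


def body_is_marker(raw_message: str) -> bool:
    """True when the text body, once trimmed, is nothing but the marker phrase."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and _normalize(body.get_content()) == MARKER


def received_ips(raw_message: str) -> list[str]:
    """Bracketed IPv4 addresses from the Received: chain, nearest hop first.
    The last entry is the earliest hop, i.e. the host that handed over the spam."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    pattern = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
    return [ip for hdr in msg.get_all("Received", []) for ip in pattern.findall(str(hdr))]


def comment_was_injected(comment_text: str) -> bool:
    """True when a blog comment starts with the marker, the symptom the post
    describes on an otherwise legitimate poster's machine."""
    return _normalize(comment_text).startswith(MARKER)
```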

UPDATE (5 Jan 2009): The "test" is over, and spam is spewing.

Posted on January 04, 2009 at 02:07 PM