LimeWire Forums  

  #31 (permalink)  
Old July 8th, 2005
Unr3485894
 

Posts: n/a
Thumbs down

This is frustrating me too. It's bad enough that spammers have to take pictures, spray their graffiti all over it making it difficult to edit it and restore the original, but to completely erase the image and substitute their own crap completely is over the top. At least if part of the original, "real" image remains, you can see if some file you have elsewhere is the unadulterated original. And with spoofed search results there is no original. But when there is an original, but it gets completely replaced by crap en route ... how do you recover from that?

And it isn't just spam. Sometimes files download supposedly successfully, but don't work -- exactly how good is Limewire's corruption detection anyway? It seems to miss most cases of corrupt files. I've found perfectly working "CORRUPT-foo" files in my incomplete directory, and gotten lots of supposedly successful downloads that were truncated, sometimes to zero bytes. A download that results in a zero length file was ipso facto NOT successful! (Probably, these happen when the en-route-substitution thing the spammers use goes wrong. Perhaps when the legitimate file sharer isn't busy and the file is big enough and Limewire tries to download the file from both sources in the mesh, the real one and the spammer? I could see that producing all kinds of corrupt files and cut-off files, and if LW relies on the client sending a chunk to send the chunk's hash for verification and the spammer lies, LW will not detect anything amiss...)
Reply With Quote
  #32 (permalink)  
Old July 9th, 2005
smegma
 

Posts: n/a
Exclamation

I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:
You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name 
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable
Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.
Reply With Quote
  #33 (permalink)  
Old July 20th, 2005
smegma
 

Posts: n/a
Cool hey

*bump*

I thought maybe people would be interested in this? But I guess not.
Reply With Quote
  #34 (permalink)  
Old July 23rd, 2005
Junior Member
 

Join Date: July 23rd, 2005
Location: Offutt Air Force Base
Posts: 1
cynpaap
Angry Download movies, receive ipod advertisement instead

To me it is so ridiculous that these stupid companies honestly think they will get us to buy their product if they duke us into downloading their advertisement. It really ****** me off that I am downloading a movie and when I go to open it it's a picture of an ipod. If anything, it makes me want to never have anything to do with them and definitely never buy their product. SO Gay! How do we stop it?!
Reply With Quote
  #35 (permalink)  
Old July 23rd, 2005
skunkworks
 

Posts: n/a
Default

with an AK-47 that's how!
Reply With Quote
  #36 (permalink)  
Old July 26th, 2005
ALimewireUser
 

Posts: n/a
Default

I'm no computer expert by any stretch, but I do know a thing or two. I've always thought the scenario went something like this...

1) I search for "sndjfrti"
2) Main superspam computer picks up the search term via search monitoring
3) Main superspam computer sends command to 40 other minorspam computers to make a copy of "StupidIPodPic.jpg" and rename it "s_n_d_j_f_r_t_i.jpg"
4) 40 hosts suddenly show up in my search results for the file "s_n_d_j_f_r_t_i.jpg"

Based on your Resident Evil story, I wonder if it's more along the lines of...

1) I search for "sndjfrti"
2) Computer of hacker working for IPodSpamCo picks up the search term via search monitoring
3) Hacker computer orders 40 computers with trojan viruses to rename "HiddenIPodPic.jpg" as "sndjfrti.jpg"
4) 40 hosts suddenly show up in my search results for the file "sndjfrti.jpg"

I've always tended to believe that my first theory is correct, because you can never browse the hosts of these goofball files. When I identify these files, I typically right click, verify that I can not browse host, and block host.

What would be real nice would be if the wonderful people that maintain Limewire would allow us to block ALL of the hosts in one shot.
Reply With Quote
  #37 (permalink)  
Old July 26th, 2005
Dargnoran
 

Posts: n/a
Default

One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in people's shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled.
There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be using the same one in this case...
Reply With Quote
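An added example, not part of any post in the thread: the traits the post above attributes to spoofed hits (name echoing the query, a claimed T1 speed, browsing disabled, dozens of hosts) turned into a filter over search results. It checks only the two name forms visible in the thread (the query itself and its letters joined by underscores); the `Hit` fields, the `min_hosts` threshold and the sample data are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    host: str         # responder address (sample data uses documentation ranges)
    filename: str
    speed: str        # advertised speed label, e.g. "T1", "Cable/DSL", "Modem"
    browsable: bool   # True if the client offers "browse host"


def _letters(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def echoes_query(filename, query):
    """True if the name, minus extension and separators, is just the query."""
    stem = filename.rsplit(".", 1)[0]
    q = _letters(query)
    return bool(q) and _letters(stem) == q


def signals(hit, query):
    """The three per-hit traits described in the post."""
    return {
        "echo": echoes_query(hit.filename, query),
        "t1": hit.speed == "T1",
        "no_browse": not hit.browsable,
    }


def flag_spoofed(hits, query, min_hosts=10):
    """Map filename -> hosts for names where every hit shows all three traits
    and at least min_hosts distinct hosts offer it (threshold is an assumption)."""
    groups = defaultdict(list)
    for hit in hits:
        groups[hit.filename].append(hit)
    flagged = {}
    for name, group in groups.items():
        hosts = {h.host for h in group}
        uniform = all(all(signals(h, query).values()) for h in group)
        if len(hosts) >= min_hosts and uniform:
            flagged[name] = sorted(hosts)
    return flagged


def sample_hits():
    """Constructed results for the query 'sndjfrti' (not captured traffic)."""
    hits = [Hit(f"192.0.2.{i}", "s_n_d_j_f_r_t_i.jpg", "T1", False)
            for i in range(1, 41)]
    # A single browsable host whose file name happens to equal the query.
    hits.append(Hit("198.51.100.7", "sndjfrti.jpg", "Cable/DSL", True))
    # Many T1, non-browsable hosts, but the name is not an echo of the query.
    hits += [Hit(f"203.0.113.{i}", "holiday photos sndjfrti.jpg", "T1", False)
             for i in range(1, 13)]
    return hits


if __name__ == "__main__":
    for name, hosts in flag_spoofed(sample_hits(), "sndjfrti").items():
        print(f"{name}: {len(hosts)} hosts show every spoof trait")
```

Requiring all traits together keeps a lone, browsable host with a matching file name out of the flagged set.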
  #38 (permalink)  
Old July 26th, 2005
ALimewireUser
 

Posts: n/a
Default

There might be another explanation for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.

Also, I've always been under the impression that the speed rating in the search results was a combined thing. For example, if 30 modem users had the same file and they came up in search results, would their combined bandwidth potentially be Cable\DSL or T1, based on their upload settings, etc?
Reply With Quote
  #39 (permalink)  
Old July 27th, 2005
Junior Member
 

Join Date: May 17th, 2005
Location: Manhattan
Posts: 18
vDave420
Default

Quote:
Originally posted by smegma
I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:
You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name 
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable
Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.
Umm...

I put 10 to 1 odds that this person also downloaded the spam. Then, when the spammer responded to your query with your search terms, they included several recent downloaders as Alternate File Locations. The person you chatted with is almost certainly NOT the spammer.

;-)

-dave-
Reply With Quote
  #40 (permalink)  
Old July 27th, 2005
Junior Member
 

Join Date: May 17th, 2005
Location: Manhattan
Posts: 18
vDave420
Default

Quote:
Originally posted by Dargnoran
One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in people's shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled.
There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be using the same one in this case...
I think you need to read the Gnutella specs a little closer, if you really think you were chatting with the spammer. See my prior reply.

I will also say that there are not "trojaned machines" that are the source of the spam.

1st) The spammer is probably no longer serving the file. If (s)he is, (s)he is no longer the only source. Other normal people who have also been tricked by the spammer and have defaulted to sharing downloaded files are ALSO sources.

2nd) Files are not requested by NAME in general, they are requested by HASH. Therefore, even if the file you request from me has a different name that you know of, it won't stop me from being a source for the file. Therefore, if FooledUser01 downloads the spam using the filename "FooledUser01 search term.wmv" because he searched for "FooledUser01 Search Term", and downloaded the resulting spam, he can still serve the file "Other Query String.wmv" to you if it is the same file. Therefore, only the spammer is responding to your query with your specific query terms, however, (s)he is including as alternate sources those other nodes which have recently downloaded from him/her.

I applaud you on your detective work, but alas, the conclusions you draw with regards to the person you chatted with and the method of spamming (trojaned PCs) are not supported by the protocol's design and available data.


-dave-
Reply With Quote
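An added example, not part of any post in the thread and not LimeWire's code: because files are requested by hash, hits can be grouped and blocked by content hash instead of by name or host, which covers renamed copies and every listed source in one step. The hit dictionaries, the `alt_locs` field name and the byte strings standing in for file contents are assumptions constructed for the example.

```python
import base64
import hashlib
from collections import defaultdict


def sha1_urn(data: bytes) -> str:
    """Content identifier in the urn:sha1:<Base32> form carried in Gnutella hits."""
    digest = hashlib.sha1(data).digest()
    return "urn:sha1:" + base64.b32encode(digest).decode("ascii")


def group_by_urn(hits):
    """Collapse hits to one entry per content hash, whatever name each host used."""
    groups = defaultdict(lambda: {"names": set(), "hosts": set()})
    for hit in hits:
        entry = groups[hit["urn"]]
        entry["names"].add(hit["filename"])
        entry["hosts"].add(hit["host"])
        # Alternate locations are other hosts said to hold the same bytes.
        entry["hosts"].update(hit.get("alt_locs", ()))
    return dict(groups)


class HashFilter:
    """Hides hits by content hash, so one block covers every name and source."""

    def __init__(self):
        self.blocked = set()

    def block(self, urn):
        self.blocked.add(urn)

    def visible(self, hits):
        return [h for h in hits if h["urn"] not in self.blocked]

    @staticmethod
    def matches_advertised(data: bytes, advertised_urn: str) -> bool:
        """Re-hash a finished download before it is opened or shared."""
        return sha1_urn(data) == advertised_urn


# Constructed stand-ins for file contents; no real files or hashes are used.
SPAM = b"constructed stand-in for the advert image"
REAL = b"constructed stand-in for a genuine file"


def sample_hits():
    """Constructed hits: one spam file under three names, plus one genuine file."""
    spam, real = sha1_urn(SPAM), sha1_urn(REAL)
    return [
        {"host": "192.0.2.10", "filename": "fetscom super.jpg", "urn": spam,
         "alt_locs": ["198.51.100.21", "198.51.100.22"]},
        {"host": "198.51.100.21", "filename": "FooledUser01 search term.jpg",
         "urn": spam},
        {"host": "198.51.100.22", "filename": "Other Query String.jpg",
         "urn": spam},
        {"host": "203.0.113.5", "filename": "fetscom super live.jpg", "urn": real},
    ]


if __name__ == "__main__":
    hits = sample_hits()
    for urn, entry in group_by_urn(hits).items():
        print(urn, len(entry["names"]), "names,", len(entry["hosts"]), "hosts")
    flt = HashFilter()
    flt.block(sha1_urn(SPAM))
    print([h["filename"] for h in flt.visible(hits)])
```

Each variant of a spam file has its own hash, so a filter like this needs one blocked URN per variant.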
  #41 (permalink)  
Old July 27th, 2005
Junior Member
 

Join Date: May 17th, 2005
Location: Manhattan
Posts: 18
vDave420
Default

Quote:
Originally posted by ALimewireUser
There might be another explanation for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.
No stretch here, this is certainly correct. I'd give 100:1 odds there.

-dave-
Reply With Quote
  #42 (permalink)  
Old July 27th, 2005
Dargnoran
 

Posts: n/a
Default

Quote:
Originally posted by ALimewireUser
There might be another explanation for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.
And it magically morphs its filename to match every incoming search? Yeah, right.

Besides, when I encounter an ipod spam I delete it rather than share it. I assume any non-spammer does likewise.
Reply With Quote
  #43 (permalink)  
Old July 28th, 2005
ALimewireUser
 

Posts: n/a
Default

I think it's a combination of both situations. Poop-heads are still serving the files on purpose and the unaware who've downloaded them are as well.

I just did a video search for "chrono crusade" and found a 106.7kb .wmv hosted by 2 users, not only with chat enabled, but also available to "browse host". Earlier tonight, the same search yielded 43 hosts without chat enabled.

I've been ignoring / host blocking this spam file for weeks now. In the instance that returned 2 hosts, it's obvious to me that 2 people downloaded it, not realizing it's just a P.O.S., and are unwittingly hosting it. My 43 host result was one of the spam ad crank-o-matics.

I think it's very possible that, depending on the popularity of the search terms, someone else might have downloaded a spam.wmv with the exact name as the one being returned in your search results and be unknowingly lumped in with their file on the search results. And have chat enabled.

As far as encountering and deleting, I'm sure that many people, myself included, click a couple dozen things to download and then go surf the web or play pogo games for an hour or so before checking the resulting downloads. It's VERY possible to be serving up spam in that time period.
Reply With Quote
  #44 (permalink)  
Old July 28th, 2005
Junior Member
 

Join Date: July 28th, 2005
Posts: 12
ALimewireUser
Default

I've done several goofball searches tonight, stuff like "jbbvhtyud nswes", and have gotten numerous results varying from 25 - 50 hosts, with chat enabled.
Reply With Quote
  #45 (permalink)  
Old July 29th, 2005
Dargnoran
 

Posts: n/a
Default

You'd have to be an idiot to have it automatically sharing files you downloaded. It's not just because that could result in unwittingly sharing spam, but because it could result in unwittingly sharing illegal stuff. Never mind bootleg mp3s; there are child porn pictures floating around out there, not all of them clearly labeled. It's a very bad idea not to vet all files before making them shared. Even so you might get in trouble for possession of questionable files you got by accident; the penalties for distribution, however, tend to be far worse than those for mere possession.
Reply With Quote
Copyright © 2007 Gnutelliums LLC.
All Rights Reserved.