Gnutella Forums  

Go Back   Gnutella Forums > Current Gnutella Client Forums > LimeWire+WireShare (Cross-platform) > Technical Support > General Windows Support
Register FAQ The Twelve Commandments Members List Calendar Arcade Find the Best VPN Search Today's Posts Mark Forums Read

General Windows Support For questions about Windows issues regarding LimeWire or WireShare or related questions


Welcome To Gnutella Forums

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content, fun aspects such as the image caption contest and play in the arcade, and access many other special features after your registration and email confirmation. Registration is fast, simple and absolutely free so please, join our community today! (click here) (Note: we use Yandex mail server so make sure yandex is not on your email filter or blocklist.)

If you have any problems with the Gnutella Forum registration process or your Gnutella Forum account login, please contact us (this is not for program use questions.) Your email address must be legitimate and verified before becoming a full member of the forums. Please be sure to disable any spam filters you may have for our website, so that email messages can reach you.
Note: Any other issue with registration, etc., send a Personal Message (PM) to one of the active Administrators: Lord of the Rings or Birdy.

Once registered but before posting, members MUST READ the FORUM RULES (click here) and members should include System details - help us to help you (click on blue link) in their posts if their problem relates to using the program. Whilst forum helpers are happy to help where they can, without these system details your post might be ignored. And wise to read How to create a New Thread

Thank you

If you are a Spammer click here.
This is not a business advertising forum, all member profiles with business advertising will be banned, all their posts removed. Spamming is illegal in many countries of the world. Guests and search engines cannot view member profiles.



           Deutsch?              Español?                  Français?                   Nederlands?
   Hilfe in Deutsch,   Ayuda en español,   Aide en français et LimeWire en françaisHulp in het Nederlands

Forum Rules

Support Forums

Before you post to one of the specific Client Help and Support Conferences in Gnutella Client Forums please look through other threads and Stickies that may answer your questions. Most problems are not new. The Search function is most useful. Also the red Stickies have answers to the most commonly asked questions. (over 90 percent).
If your problem is not resolved by a search of the forums, please take the next step and post in the appropriate forum. There are many members who will be glad to help.
If you are new to the world of file sharing please do not be shy! Everyone was ‘new’ when they first started.

When posting, please include details for:
Your Operating System ....... Your version of your Gnutella Client (* this is important for helping solve problems) ....... Your Internet connection (56K, Cable, DSL) ....... The exact error message, if one pops up
Any other relevant information that you think may help ....... Try to make your post descriptive, specific, and clear so members can quickly and efficiently help you. To aid helpers in solving download/upload problems, LimeWire and Frostwire users must specify whether they are downloading a torrent file or a file from the Gnutella network.
Members need to supply these details >>> System details - help us to help you (click on blue link)


Moderators

There are senior members on the forums who serve as Moderators. These volunteers keep the board organized and moving.
Moderators are authorized to: (in order of increasing severity)
Move posts to the correct forums. Many times, members post in the wrong forum. These off-topic posts may impede the normal operation of the forum.
Edit posts. Moderators will edit posts that are offensive or break any of the House Rules.
Delete posts. Posts that cannot be edited to comply with the House Rules will be deleted.
Restrict members. This is one of the last punishments before a member is banned. Restrictions may include placing all new posts in a moderation queue or temporarily banning the offender.
Ban members. The most severe punishment. Three or more moderators or administrators must agree to the ban for this action to occur. Banning is reserved for very severe offenses and members who, after many warnings, fail to comply with the House Rules. Banning is permanent. Bans cannot be removed by the moderators and probably won't be removed by the administration.


The Rules

1. Warez, copyright violation, or any other illegal activity may NOT be linked or expressed in any form. Topics discussing techniques for violating these laws and messages containing locations of web sites or other servers hosting illegal content will be silently removed. Multiple offenses will result in consequences. File names are not required to discuss your issues. If filenames are copyright then do not belong on these forums & will be edited out or post removed. Picture sample attachments in posts must not include copyright infringement.

2. Spamming and excessive advertising will not be tolerated. Commercial advertising is not allowed in any form, including using in signatures.

3. There will be no excessive use of profanity in any forum.

4. There will be no racial, ethnic, or gender based insults, or any other personal attacks.

5. Pictures may be attached to posts and signatures if they are not sexually explicit or offensive. Picture sample attachments in posts must not include copyright infringement.

6. Remember to post in the correct forum. Take your time to look at other threads and see where your post will go. If your post is placed in the wrong forum it will be moved by a moderator. There are specific Gnutella Client sections for LimeWire, Phex, FrostWire, BearShare, Gnucleus, Morpheus, and many more. Please choose the correct section for your problem.

7. If you see a post in the wrong forum or in violation of the House Rules, please contact a moderator via Private Message or the "Report this post to a moderator" link at the bottom of every post. Please do not respond directly to the member - a moderator will do what is required.

8. Any impersonation of a forum member in any mode of communication is strictly prohibited and will result in banning.

9. Multiple copies of the same post will not be tolerated. Post your question, comment, or complaint only once. There is no need to express yourself more than once. Duplicate posts will be deleted with little or no warning. Keep in mind a forum censor may temporarily automatically hold up your post, if you do not see your post, do not post again, it will be dealt with by a moderator within a reasonable time. Authors of multiple copies of same post may be dealt with by moderators within their discrete judgment at the time which may result in warning or infraction points, depending on severity as adjudged by the moderators online.

10. Posts should have descriptive topics. Vague titles such as "Help!", "Why?", and the like may not get enough attention to the contents.

11. Do not divulge anyone's personal information in the forum, not even your own. This includes e-mail addresses, IP addresses, age, house address, and any other distinguishing information. Don´t use eMail addresses in your nick. Reiterating, do not post your email address in posts. This is for your own protection.

12. Signatures may be used as long as they are not offensive or sexually explicit or used for commercial advertising. Commercial weblinks cannot be used under any circumstances and will result in an immediate ban.

13. Dual accounts are not allowed. Cannot explain this more simply. Attempts to set up dual accounts will most likely result in a banning of all forum accounts.

14. Video links may only be posted after you have a tally of two forum posts. Video link posting with less than a 2 post tally are considered as spam. Video link posting with less than a 2 post tally are considered as spam.

15. Failure to show that you have read the forum rules may result in forum rules breach infraction points or warnings awarded against you which may later total up to an automatic temporary or permanent ban. Supplying system details is a prerequisite in most cases, particularly with connection or installation issues.

Violation of any of these rules will bring consequences, determined on a case-by-case basis.


Thank You! Thanks for taking the time to read these forum guidelines. We hope your visit is helpful and mutually beneficial to the entire community.


Reply
 
LinkBack Thread Tools Display Modes
  #31 (permalink)  
Old July 8th, 2005
Unr3485894
Guest
 
Posts: n/a
Thumbs down

This is frustrating me too. It's bad enough that spammers have to take pictures, spray their graffiti all over it making it difficult to edit it and restore the original, but to completely erase the image and substitute their own crap completely is over the top. At least if part of the original, "real" image remains, you can see if some file you have elsewhere is the unadulterated original. And with spoofed search results there is no original. But when there is an original, but it gets completely replaced by crap en route ... how do you recover from that?

And it isn't just spam. Sometimes files download supposedly successfully, but don't work -- exactly how good is Limewire's corruption detection anyway? It seems to miss most cases of corrupt files. I've found perfectly working "CORRUPT-foo" files in my incomplete directory, and gotten lots of supposedly successful downloads that were truncated, sometimes to zero bytes. A download that results in a zero length file was ipso facto NOT successful! (Probably, these happen when the en-route-substitution thing the spammers use goes wrong. Perhaps when the legitimate file sharer isn't busy and the file is big enough and Limewire tries to download the file from both sources in the mesh, the real one and the spammer? I could see that producing all kinds of corrupt files and cut-off files, and if LW relies on the client sending a chunk to send the chunk's hash for verification and the spammer lies, LW will not detect anything amiss...)
Reply With Quote
  #32 (permalink)  
Old July 9th, 2005
smegma
Guest
 
Posts: n/a
Exclamation

I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:
You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name 
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable
Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.
Reply With Quote
  #33 (permalink)  
Old July 20th, 2005
smegma
Guest
 
Posts: n/a
Cool hey

*bump*

I thought maybe people would be interested in this? But I guess not.
Reply With Quote
  #34 (permalink)  
Old July 23rd, 2005
Novicius
 
Join Date: July 23rd, 2005
Location: Offutt Air Force Base
Posts: 1
cynpaap is flying high
Angry Download movies, receive ipod advertisement instead

To me it is so rediculous that these stupid companies honestly think they will get us to buy their product if they duke us into downloading their advertisement. It really ****** me off that I am downloading a movie and when I go to open it it's a picture of an ipod. If anything, it makes me want to never have anything to do with them and definitely never buy their product. SO Gay! How do we stop it?!
Reply With Quote
  #35 (permalink)  
Old July 23rd, 2005
skunkworks
Guest
 
Posts: n/a
Default

with an AK-47 that's how!
Reply With Quote
  #36 (permalink)  
Old July 26th, 2005
ALimewireUser
Guest
 
Posts: n/a
Default

I'm no computer expert by any stretch, but I do know a thing or two. I've always thought the scenario went something like this...

1) I search for "sndjfrti"
2) Main superspam computer picks up the search term via search monitoring
3) Main superspam computer sends command to 40 other minorspam computers to make a copy of "StupidIPodPic.jpg" and rename it "s_n_d_j_f_r_t_i.jpg"
4) 40 hosts suddenly show up in my search results for the file "s_n_d_j_f_r_t_i.jpg"

Based on your Resident Evil story, I wonder if it's more along the lines of...

1) I search for "sndjfrti"
2) Computer of hacker working for IPodSpamCo picks up the search term via search monitoring
3) Hacker computer orders 40 computers with trojan viruses to rename "HiddenIPodPic.jpg" as "sndjfrti.jpg"
4) 40 hosts suddenly show up in my search results for the file "sndjfrti.jpg"

I've always tended to believe that my first theory is correct, because you can never browse the hosts of these goofball files. When I identify these files, I typically right click, verify that I can not browse host, and block host.

What would be real nice would be if the wonderful people that maintain Limewire would allow us to block ALL of the hosts in one shot.
Reply With Quote
  #37 (permalink)  
Old July 26th, 2005
Dargnoran
Guest
 
Posts: n/a
Default

One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in peoples' shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled. There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be the using the same one in this case...
Reply With Quote
  #38 (permalink)  
Old July 26th, 2005
ALimewireUser
Guest
 
Posts: n/a
Default

There might be another explaination for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.

Also, I've always been under the impression that the speed rating in the search results was a combined thing. For example, if 30 modem users had the same file and they came up in search results, would their combined bandwidth potentially be Cable\DSL or T1, based on their upload settings, etc?
Reply With Quote
  #39 (permalink)  
Old July 27th, 2005
Disciple
 
Join Date: May 17th, 2005
Location: Manhattan
Posts: 18
vDave420 is flying high
Default

Quote:
Originally posted by smegma
I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:
You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name 
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable
Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.
Umm...

I put 10 to 1 odds that this person also downloaded the spam. Then, when the spammer responded to your query with your search terms, they included several recent downloaders as Alternate File Locations. The person you chatted with is almost certainly NOT the spammer.

;-)

-dave-
Reply With Quote
  #40 (permalink)  
Old July 27th, 2005
Disciple
 
Join Date: May 17th, 2005
Location: Manhattan
Posts: 18
vDave420 is flying high
Default

Quote:
Originally posted by Dargnoran
One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in peoples' shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled. There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be the using the same one in this case...
I think you need to read the Gnutella specs a little closer, if you really think you were chatting with the spammer. See my prior reply.

I will also say that there are not "trojaned machines" that are the source of the spam.

1st) The spammer is probably no longer serving the file. If (s)he is, (s)he is no longer the only source. Other normal people who have also been tricked by the spammer and have defaulted to sharing downloaded files are ALSO sources.

2nd) Files are not requested by NAME in general, they are requested by HASH. Therefore, even if the file you request from me has a different name that you know of, it won't stop me from being a source for the file. Therefore, if FooledUser01 downloads the spam using the filename 'FooledUser01 search term.wmv" because he searched for "FooledUser01 Search Term", and downloaded the resulting spam, he can still serve the file "Other Query String.wmv" to you if it is the same file. Therefore, only the spammer is responding to your query with your specific query terms, however, (s)he is including as alternate sources those other nodes which have recently downloaded from him/her.

I applaud you on your detective work, but alas, the conclusions you draw with regards to the person you chatted with and the method of spamming (trojaned PCs) are not supported by the protocol's design and available data.


-dave-
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Search results disappointing ... biased results with Spam ChrisAvalon Open Discussion topics 63 April 5th, 2008 06:07 PM
confused(spam showing in results) xand_scenex Download/Upload Problems 2 February 11th, 2007 02:38 PM
no results, just spam dapork Open Discussion topics 3 August 30th, 2006 08:43 PM
autogenerated spam results superesonator General P2P Network Discussion 8 February 12th, 2005 07:23 PM
Spam or What? Unregistered Open Discussion topics 2 June 26th, 2002 05:52 PM


All times are GMT -7. The time now is 03:39 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
SEO by vBSEO 3.6.0 ©2011, Crawlability, Inc.

Copyright © 2020 Gnutella Forums.
All Rights Reserved.