Gnutella Forums

Gnutella Forums (https://www.gnutellaforums.com/)
-   General Windows Support (https://www.gnutellaforums.com/general-windows-support/)
-   -   autogenerated spam results (https://www.gnutellaforums.com/general-windows-support/33325-autogenerated-spam-results.html)

Unr3485894 July 8th, 2005 08:40 PM

This is frustrating me too. It's bad enough that spammers have to take pictures, spray their graffiti all over it making it difficult to edit it and restore the original, but to completely erase the image and substitute their own crap completely is over the top. At least if part of the original, "real" image remains, you can see if some file you have elsewhere is the unadulterated original. And with spoofed search results there is no original. But when there is an original, but it gets completely replaced by crap en route ... how do you recover from that?

And it isn't just spam. Sometimes files download supposedly successfully, but don't work -- exactly how good is Limewire's corruption detection anyway? It seems to miss most cases of corrupt files. I've found perfectly working "CORRUPT-foo" files in my incomplete directory, and gotten lots of supposedly successful downloads that were truncated, sometimes to zero bytes. A download that results in a zero length file was ipso facto NOT successful! (Probably, these happen when the en-route-substitution thing the spammers use goes wrong. Perhaps when the legitimate file sharer isn't busy and the file is big enough and Limewire tries to download the file from both sources in the mesh, the real one and the spammer? I could see that producing all kinds of corrupt files and cut-off files, and if LW relies on the client sending a chunk to send the chunk's hash for verification and the spammer lies, LW will not detect anything amiss...)

smegma July 9th, 2005 11:19 PM

I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:

You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable

Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.

smegma July 20th, 2005 09:05 PM

hey
 
*bump*

I thought maybe people would be interested in this? But I guess not.

cynpaap July 23rd, 2005 08:32 AM

Download movies, receive ipod advertisement instead
 
To me it is so rediculous that these stupid companies honestly think they will get us to buy their product if they duke us into downloading their advertisement. It really ****** me off that I am downloading a movie and when I go to open it it's a picture of an ipod. If anything, it makes me want to never have anything to do with them and definitely never buy their product. SO Gay! How do we stop it?!

skunkworks July 23rd, 2005 05:52 PM

with an AK-47 that's how!

ALimewireUser July 26th, 2005 12:38 AM

I'm no computer expert by any stretch, but I do know a thing or two. I've always thought the scenario went something like this...

1) I search for "sndjfrti"
2) Main superspam computer picks up the search term via search monitoring
3) Main superspam computer sends command to 40 other minorspam computers to make a copy of "StupidIPodPic.jpg" and rename it "s_n_d_j_f_r_t_i.jpg"
4) 40 hosts suddenly show up in my search results for the file "s_n_d_j_f_r_t_i.jpg"

Based on your Resident Evil story, I wonder if it's more along the lines of...

1) I search for "sndjfrti"
2) Computer of hacker working for IPodSpamCo picks up the search term via search monitoring
3) Hacker computer orders 40 computers with trojan viruses to rename "HiddenIPodPic.jpg" as "sndjfrti.jpg"
4) 40 hosts suddenly show up in my search results for the file "sndjfrti.jpg"

I've always tended to believe that my first theory is correct, because you can never browse the hosts of these goofball files. When I identify these files, I typically right click, verify that I can not browse host, and block host.

What would be real nice would be if the wonderful people that maintain Limewire would allow us to block ALL of the hosts in one shot.

Dargnoran July 26th, 2005 03:21 AM

One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in peoples' shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled. There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be the using the same one in this case...

ALimewireUser July 26th, 2005 08:58 PM

There might be another explaination for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.

Also, I've always been under the impression that the speed rating in the search results was a combined thing. For example, if 30 modem users had the same file and they came up in search results, would their combined bandwidth potentially be Cable\DSL or T1, based on their upload settings, etc?

vDave420 July 27th, 2005 11:41 AM

Quote:

Originally posted by smegma
I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:

You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable

Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.

Umm...

I put 10 to 1 odds that this person also downloaded the spam. Then, when the spammer responded to your query with your search terms, they included several recent downloaders as Alternate File Locations. The person you chatted with is almost certainly NOT the spammer.

;-)

-dave-

vDave420 July 27th, 2005 11:46 AM

Quote:

Originally posted by Dargnoran
One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in peoples' shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled. There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be the using the same one in this case...

I think you need to read the Gnutella specs a little closer, if you really think you were chatting with the spammer. See my prior reply.

I will also say that there are not "trojaned machines" that are the source of the spam.

1st) The spammer is probably no longer serving the file. If (s)he is, (s)he is no longer the only source. Other normal people who have also been tricked by the spammer and have defaulted to sharing downloaded files are ALSO sources.

2nd) Files are not requested by NAME in general, they are requested by HASH. Therefore, even if the file you request from me has a different name that you know of, it won't stop me from being a source for the file. Therefore, if FooledUser01 downloads the spam using the filename 'FooledUser01 search term.wmv" because he searched for "FooledUser01 Search Term", and downloaded the resulting spam, he can still serve the file "Other Query String.wmv" to you if it is the same file. Therefore, only the spammer is responding to your query with your specific query terms, however, (s)he is including as alternate sources those other nodes which have recently downloaded from him/her.

I applaud you on your detective work, but alas, the conclusions you draw with regards to the person you chatted with and the method of spamming (trojaned PCs) are not supported by the protocol's design and available data.


-dave-


All times are GMT -7. The time now is 12:41 PM.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
SEO by vBSEO 3.6.0 ©2011, Crawlability, Inc.

Copyright © 2020 Gnutella Forums.
All Rights Reserved.