Gnutella Forums

Gnutella Forums (https://www.gnutellaforums.com/)
-   General Windows Support (https://www.gnutellaforums.com/general-windows-support/)
-   -   autogenerated spam results (https://www.gnutellaforums.com/general-windows-support/33325-autogenerated-spam-results.html)

superesonator January 27th, 2005 07:06 AM

autogenerated spam results
 
I have been with Limewire Pro for a while and I noticed that there are lots of fake files, wmv and jpeg, that are i-pod ads or ads for download sites.

often you get a result like this:

search: "wierd crap"
result: w_i_e_r_d__c_r_a_p.wmv

(let's put aside the fact that wmv is the most ridiculous excuse for a video format that has ever been inflicted on mankind)

My suspicion was that some of these results are autogenerated.

I have verified this. I made up an improbable search. I entered:

traxally impople

and hit a search for video only. No results.

next I hit 'repeat search' for the tab.

Voila! traxally impople.wmv came up.

repeat the search AGAIN and you add:

t_r_a_x_a_l_l_y__i_m_o_p_l_e.wmv and Traxally Impople.wmv

I tried it with a few other improbable names and it always happens after the second search.

So much for my detective work, I am satisfied that these are autogenerated.

Now does anyone out there have any further insight into the mechanisms and implications of this?

Please share what you know.

Thanks!

Lord of the Rings January 27th, 2005 08:41 AM

This issue has been discussed a no. of times on the forum. Depending on which softw you're using you can filter them out. e.g. Limewire using keyword filters.

Some interesting reading: Quality of Content on the Network & also Fake Movies & Why! & this wmv files & also this one A Curious Thing Happened...

superesonator January 27th, 2005 08:59 AM

How would a keyword filter help if the file name morphs to my search query? Are you perhaps suggesting I filter *.wmv? Sounds like a good idea if it works that way. I don't need .jpgs either.

While I thank you for your feedback, I also followed your links, and didn't find the means of blocking this problem that you inferred was about. Nor am I any more enlightened on how the files are being generated to mirror search queries. After your search... Which they are as I have demonstrated.

If there is a specific thread that explains the causes, symptoms and/or treatment, I would be interested in seeing it.

Lord of the Rings January 27th, 2005 09:05 AM

I'm not in the know personally. So which p2p softw are you using?

There's been discussions about blocking ip addresses that spam since they fall within a range of ip addresses. But there's also been some concern over this b/c they use dynamic IPs not static IPs. So blocking ranges of IPs might help, but might also affect a lot of innocent people along the way.

If you're using Limewire then you can follow the image example below. Keyword filters can be added/removed anytime depending on type of searches - as long as you use the Apply button.

Attachment 1566 (click to see LW 4 sample image)

Edited for LW 5 users: To help reduce spam in search results, keyword filters are a must! LW 5 users will find their keyword filter location: Tools -> Options -> Search (early LW 5 versions Tools -> Options -> Security). Press Filter Keywords button. Type word into keyword box, then press Add Keyword button. Extensions can also be added. If extension letters are added to the Extension filter rather than the keyword filter in the new LW 5 version it will also prevent those files being shared & remove them from Library. So it can be safer to add file extensions to the Keyword filter instead of the Extension filter. Don't forget to put the dot . before the extension 'if' adding extensions; e.g. .wma

If you wish some suggestions on which keywords to filter out, see: Recommended Keywords list to add to filters.

Attachment 5235 (Click thumbnail to see larger view of LW 5 sample image)

More tips on reducing spam in search results: How to download Music & Videos

Attachment 4822 (Early LW 5 versions sample image)


superesonator January 27th, 2005 09:09 AM

I am on Limewire Pro.

Well, I went and blocked *.wmv, jpg and asf.

I guess these jokers have written some code that monitors incoming searches and churns out files to match.

cheers.

Lord of the Rings February 3rd, 2005 04:43 PM

I suppose a worthy late mention is by the forum administrator a long time ago: XXAA is watching, SPAMing the network, proof

stief February 4th, 2005 03:57 AM

The developers of the Gnutella network are on it, so hopefully they'll agree on a way that we can filter those results (they're considering "size" filters now).

See the thread at http://groups.yahoo.com/group/the_gdf/message/20136 to follow their discussions

Lindyloo March 13th, 2005 09:03 AM

Hi there,

Quote:

I have been with Limewire Pro for a while and I noticed that there are lots of fake files, wmv and jpeg, that are i-pod ads or ads for download sites.

often you get a result like this:

search: "wierd crap"
result: w_i_e_r_d__c_r_a_p.wmv

(let's put aside the fact that wmv is the most ridiculous excuse for a video format that has ever been inflicted on mankind)
I have filtered out WMV files (and others that I don't need) but still got something separated like that but it was the words rather than the letters that were separated. e.g. This_wierd_crap. Also it was an AVI file.

Could this be a WMV in disguise or might it just be a legit file (the size was right for a movie)?

Cheers lots, Lindy x

Lord of the Rings March 13th, 2005 01:29 PM

That's weird then, I haven't seen it happen to avi files. Also being the correct size for a decent file. Personally if I had an alternative choice then I'd choose the other. But it would be curious to find out about the file in question even if you only downld like 1 or 2% for preview purposes. I suppose there's always the chance of a hidden extension.

Lindyloo March 13th, 2005 05:45 PM

OH!!
 
Hey there,

I see your point and maybe, just maybe I would like to download a small portion of it and then preview it. Thing is, I can't preview movies cos it wants to use Windows media player and I can't (lets not go in to the codec thingy ma doo dahd, I just can't.)
To play movies (that I've downloaded in full) I use VLC.....suits me, yeh??

Anyroad up I really dare not do anything that I haven't got a clue about (hence the reason I try not to do.....well.....I try not to do anything much, OK :rolleyes: )

I might just give it a go tho...if you don't hear from me in, (hmmmm,..... how long do you think???).....OK think of a number between 2 & erm .......2, multiply by 2, add 2, take away 2. Whatever the number is, if you don't hear from me in that many days call one of your friends and tell them you used to know a loon by the name of Lindyloo.

Oh for crying out loud I'm off on one again (must get my medication changed)

You know what?? I've tried using The( _ )thing, as in t_h_i_s_i_s_r_e_a_l_l_y_h_a_r_d_t_o_d_o

and I can't use it when doing a search of LimeWire so how come this cacky comes up when I'm trying to look for stuff?? (How do these perpetrators do it, if indeed they are doing something intentionally naughty??)

Sorry for waffling,

Hugs, Lindy xxx

I'll tell you this mind, When I first filtered out WMV and WMA files it didn't happen, it's only happened since I installed the newest version of Limewire. (Not saying this is the fault, only it's a coincidence)
Also just in case it is a problem, someone can have a looksee, cos as you may have guessed I haven't a clue.:D

Cheers, Lindy xx

P.S. Please don't take any offense at what I have said above. (I would sign a disclaimer but I seem to have mislaid my pen):D :cool: :rolleyes: :D :rolleyes: :D :cool: :rolleyes:

Lord of the Rings March 13th, 2005 06:00 PM

I haven't had problems previewing with VLC. Admittedly it can be a little slow to open sometimes.
If you have doubts about the file, then don't downld it. If you can't preview it then you don't know what you might end up with. And that's a long time & effort to find out. I personally wouldn't trust any file named that way. Why would people name files like that in normal circumstances? I believe the name is computer generated.

By the way, may I suggest you investigate some utilities to keep your computer safe.

1. ad-ware http://www.lavasoftusa.com/software/adaware/ (FREE)

2. Spybot - Search & Destroy http://www.safer-networking.org/en/mirrors/index.html (FREE)

3. Peerguardian: http://peerguardian.methlabs.org/pg2.html (FREE)

Lindyloo March 13th, 2005 07:15 PM

Ok then,

How do you preview with VLC??

It seems that my default thingy is either Limewire (for Audio) or Windows media player for movies and I'm not sure what I can do about it.

I have Ad-aware and Spybot (also a couple of other things) but not peer guardian.

Thanks for all your help

Hugs, Lindy xxxxx

Lord of the Rings March 13th, 2005 07:20 PM

Peerguardian is a little like a spyware except it stops known organisations like the RIAA, FBI, etc, from browsing your computer. It gets updated every now & again with new addresses to block out.

People should stay away from any spam they find be it the clearoutclub site or any other advert. www.clearoutclub is the one for the iPods from memory.

To set up VLC as your default video player, see: Setting Default video app

Great pic by the way, very cute! :D :) (What type are they?)

Lord of the Rings March 13th, 2005 09:47 PM

Just to save me from re-posting this image time & time again, I've included it here as an example. As you can see this was a rubbish search & got back rubbish spam. In the 1st example I had wmv filtered out. Get to recognise the file sizes. Almost always from T1 sources.

http://www.gnutellaforums.com/attach...spam-sizes.gif


alan.fairhurst April 13th, 2005 06:59 PM

Downloaded Spam
 
O.K. I've read the thread but it has not answered my question, or I'm too thick to follow the thread, but - I uploaded a straightforward image of my dog. The file name was Dobie X.jpg.
When I searched for that file I found it and downloaded it. And all I got was an advert for iPods!
Now, I have nothing to do with spam and I know nothing about iPods, so how did the image get changed?

Lord of the Rings April 13th, 2005 07:27 PM

alan.fairhurst you haven't read the thread clearly enough & nor have you read the links left by members to explain what happens. i.e. automated search results means that any search you do will come up with wmv & jpg results of the same name & of the above sizes. These should be ignored. Recognising this issue is what you need to do. Majority of these results come from T1 sources & are more often than not in the majority of results found.

M4db0mb3er April 29th, 2005 09:35 PM

These spams don't just come from spurious search results. Sometimes one gets legitimate search results (i.e. they are not from a T1 source, have only one or a handful of sources, and the filename isn't a simple derivative of your query) but downloading them results in a spam. It looks like the download "mesh" gets polluted too, and when you try to download a file from a "real" search result, sometimes a spammer gets in at that point and substitutes junk.

If Limewire sent hashes with search results and checked files against search result hashes it would catch these with "File corrupted", but it doesn't -- and lots of other broken files don't get detected either. Looks like it trusts the host sending the file to be honest about the hash and the file. :(

alan.fairhurst April 30th, 2005 05:40 AM

Thank you
 
Thanks for the replies. I'm not very PC savvy but with your help I'm learning.

Lord of the Rings April 30th, 2005 01:22 PM

Quote:

Originally posted by M4db0mb3er
These spams don't just come from spurious search results. Sometimes one gets legitimate search results (i.e. they are not from a T1 source, have only one or a handful of sources, and the filename isn't a simple derivative of your query) but downloading them results in a spam. It looks like the download "mesh" gets polluted too, and when you try to download a file from a "real" search result, sometimes a spammer gets in at that point and substitutes junk. :(
(Corrupt files is a different topic.) Um, the images I posted on page 1 seem to show differently. But everybody for their own experiences. I've never seen any spam of any other size than those listed (well within 1 KB.) If you're looking for small wmv files then you're probably looking for porn. If that be the case then good luck. Sounds like you've unwittingly selected the wrong file to downld & then been surprised at the end to find it's spam. Either filter it out or be aware of the file size. It really is too obvious to the average user who has been using LW for any length of time.

Blargleschutz May 1st, 2005 07:29 AM

Spurious search results need to be dealt with by ultrapeers rejecting them, not by end users blocking hosts. Blocking the spammers is a band-aid -- they've shown themselves able to move around and acquire a lot of network addresses -- somehow -- and anyway, the bogus results compete with legitimate results for limited network bandwidth. Ultrapeers need to start doing some sort of automated bitzi lookup or something, and when they have to pass on only a subset of the search results they've received, they can then dump the n lowest-rated results. So when search results get dropped, the spam will get dropped first.

Sputter May 1st, 2005 07:40 AM

Looks like Blarg's right about how to handle bogus search results, but he's left how to deal with spoofers polluting the mesh as an exercise for the reader. ;P

Lord of the Rings May 1st, 2005 08:26 AM

There was a thread I very almost linked to this one but without proof of the results I thought it best not to at this time. One person traced the ipod ads back thru several sections/links to a major telecommunications company ... the largest one in that country. And so has it they were offering discount iPods (about 20-30% normal price) to those who joined one of their mobile phone plans (well it was either mobile phones or internet or cable or digital TV services). I found the latter out for myself b/c I was offered one. I just can't remember what it was they were selling off hand.

Perhaps that might be the reason (corrupted downld mesh) which certainly does or was known to in the past to have at least some issues. But I'd tend to disagree. How in all heck could it give auto-feedback with spam ads to the same websites & always the same sizes. It just looks too well set up & organised to have this effect for the benefit of those sites or their parent/ relative companies. Who has vested interests in www.clearoutclub.com or is it just a lollipop to attract people to their business. Just a thought! lol :D :p

Some links to someone who knows what the spam is: 1. Diallers (click on link), 2. Spam 2, 3. Spam 3, 4. Spam 4, 5. Spam 5, 6. Spam 6. All of these point to what these files are & why they should be either filtered out or ignored, but never opened!!! Some interesting discussions if you're interested! ;)

Blargleschutz May 1st, 2005 08:35 AM

Quote:

Originally posted by Lord of the Rings
There was a thread I very almost linked to this one but without proof of the results I thought it best not to at this time. One person traced the ipod ads back thru several sections/links to a major telecommunictions company ...
It would explain how they have access to send those search results from such a huge variety of IP addresses.

I personally think it's AOL though. :P

cool boy June 4th, 2005 01:46 PM

I guess one just has to avoid downloading files that are extraordinarily too small for the file they are looking for. Like say for example a 364 KB Smallville EP4.wmv. Also try checking the "Browse Host" button if it's on or lit if you click the file from the selection of downloads. If it's not then you can suspect that it may be a spam. And perhaps if we ever downloaded these type of files we should delete it right away so it won't be downloaded by other unsuspecting victims.

LeeWare June 12th, 2005 06:51 AM

Filtering These Results
 
So that you are all aware, I've been working on a solution to this problem by filtering out results from those hosts. I've tested it in my lab and it's pretty effective. I will keep you posted.

Unre857857 June 18th, 2005 12:32 AM

Quote:

Originally posted by cool boy
I guess one just have to avoid downloading files that are extraordinarily too small for the file they are looking for. Like say for example a 364 KB Smallville EP4.wmv. Also try checking the "Browse Host" button if its on or lit if you click the file from the selection of downloads. If it's not then you can suspect that it may be a spam. And perhaps if we ever downloaded these type of files we should delete it right away so it won't be downloaded by other unsuspecting victims.
Too small works for the wmvs, but not the jpegs, as they are a typical size for legit jpegs. The spoofed results all have a name that's just your search term, perhaps with the capitalization changed and/or underscores inserted after every letter. It's easy to avoid them. Harder to avoid are spoofed files -- the search result is legit, but the file you end up with is bogus due to a spoofer participating in the mesh for the file. For example, you search for "foo" and go to get foo1.jpg, foo2.jpg, ..., foo15.jpg and all of them look normal except foo2.jpg and foo11.jpg, which are corrupt, or ipod spams, or those damaged-and-spammy sara18 or michelle18 images, or whatever. AFAIK the only thing you can do about those is delete them after the fact and retry downloading them until you get the genuine foo2.jpg and foo11.jpg that actually fit into the sequence with the others instead of the spoofed files.

I also recommend you make your shared and download directory separate and move files to the former only after previewing them. This avoids inadvertently sharing spam and damaged files, but moreover, it might keep your *** out of jail if you inadvertently download some mislabeled material that proves to be ... unacceptable. If you accidentally share something like that, you could end up in a bad situation trying to prove your innocence. To be sure you don't, don't share any file you haven't pre-screened for being acceptable. Preview media; virus scan executables. Anything unacceptable, secure-delete the file if you can, and definitely delete it.

fiddlesticks July 1st, 2005 11:43 AM

I avoid downloading wmvs under 1 meg (or any wmvs for that matter, yuk) or jpegs that show dozens of sources, a T1 speed, and whose name contains all and only the words in my search query.

Despite this, I still occasionally get one of those ipod spams, as a jpeg that had not matched any of the warning criteria above -- it may well have shown only one modem source and been named with a query term missing and a word not in my query.

These can't be spoofed search results, but they are not legitimate either. So how can a legitimate search result not result in getting the intended file when downloading? Is it possible for a spammer to insert their garbage into a download without having generated the search result you used to start that download? How can they be stopped? I'm getting sick of this crap!

Spextacle July 5th, 2005 10:17 PM

I get this too. It used to be easy to avoid that ipod crap -- don't download anything with a zillion T1 hosts whose name doesn't contain any words except only and exactly the ones in your search query. If it was from a cable host it was safe. If it had only 3 sources it was safe. If its name didn't contain a word from your search it was safe. If its name contained a word you never used in your search it was safe.

Not anymore. Now it seems the mesh is being polluted too -- every batch of files I get contains at least one ipod spam that looked like a legitimate, normal, non-spoofed result in the search I did.

How do I keep these F*#!ING THINGS OFF MY F&*!ING HARD DRIVE! It's MY COMPUTER! I DECIDE! I WANT THESE THINGS GONE! NEVER AGAIN! HOW DAMMIT?!

I could Bitzi lookup all the files in every single search, but that would TAKE FOREVER, not to mention Bitzi isn't very dependable -- I checked a bunch of known spams and maybe half of them had bad ratings on Bitzi and the rest were simply "unknown".

I NEED A BETTER SOLUTION. NOW GODDAMMIT!

Amy Weber July 8th, 2005 08:52 AM

Has anyone noticed that the spammer seems to be on at certain times of day? It's enough to make a guess that they live in the eastern time zone of North America.

In fact it's rather strange -- surely the spam operation is automated and could operate 24/7 with a minimum of supervision? Yet the spammer disappears shortly after midnight eastern time, which suggests otherwise. Only one type of computer system is that incapable of remaining up for any length of time unassisted by a human. The spammer is running Microsoft Windows ME without any service packs.

Frustrated001 July 8th, 2005 08:33 PM

GAAAAHHH

Can anyone tell me how the hell this is being done?

Isn't it enough to send 40 or so bogus results for every search? Now the *******s have to start substituting their spew for normal images as well?

I just found an ipod spam in my download directory titled "Resident Evil Front Cover.jpg". I did not do a search for "resident evil front cover" or any permutation thereof. It can't possibly have been me accidentally clicking on one of those bogus results. So where the HELL did it come from? It seems the following has occurred...

1. Someone that isn't the spammer has a file titled Resident Evil Front Cover.jpg. Presumably, this file is legitimate, since they aren't the spammer and therefore wouldn't be sharing it if it weren't.
2. My search finds this file. (It was for generic cover art.)
3. I go to download the file.
4. Somehow something goes wrong at this stage, and it starts downloading from the spammer instead of from the guy with the real "Resident Evil Front Cover.jpg" file.

How does step 4 happen? How does the spammer hijack downloads for normal files and not just put in their own spoofed search hits for their not so normal files? And how the hell can this attack be stopped? Avoiding the bogus search results is easy. But if any ordinary jpeg or wmv whatever can get hijacked en route and substituted with the dreaded ipod, there is no escape is there???

Unr3485894 July 8th, 2005 08:40 PM

This is frustrating me too. It's bad enough that spammers have to take pictures, spray their graffiti all over it making it difficult to edit it and restore the original, but to completely erase the image and substitute their own crap completely is over the top. At least if part of the original, "real" image remains, you can see if some file you have elsewhere is the unadulterated original. And with spoofed search results there is no original. But when there is an original, but it gets completely replaced by crap en route ... how do you recover from that?

And it isn't just spam. Sometimes files download supposedly successfully, but don't work -- exactly how good is Limewire's corruption detection anyway? It seems to miss most cases of corrupt files. I've found perfectly working "CORRUPT-foo" files in my incomplete directory, and gotten lots of supposedly successful downloads that were truncated, sometimes to zero bytes. A download that results in a zero length file was ipso facto NOT successful! (Probably, these happen when the en-route-substitution thing the spammers use goes wrong. Perhaps when the legitimate file sharer isn't busy and the file is big enough and Limewire tries to download the file from both sources in the mesh, the real one and the spammer? I could see that producing all kinds of corrupt files and cut-off files, and if LW relies on the client sending a chunk to send the chunk's hash for verification and the spammer lies, LW will not detect anything amiss...)

smegma July 9th, 2005 11:19 PM

I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:

You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable

Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.

smegma July 20th, 2005 09:05 PM

hey
 
*bump*

I thought maybe people would be interested in this? But I guess not.

cynpaap July 23rd, 2005 08:32 AM

Download movies, receive ipod advertisement instead
 
To me it is so ridiculous that these stupid companies honestly think they will get us to buy their product if they dupe us into downloading their advertisement. It really ****** me off that I am downloading a movie and when I go to open it it's a picture of an ipod. If anything, it makes me want to never have anything to do with them and definitely never buy their product. SO Gay! How do we stop it?!

skunkworks July 23rd, 2005 05:52 PM

with an AK-47 that's how!

ALimewireUser July 26th, 2005 12:38 AM

I'm no computer expert by any stretch, but I do know a thing or two. I've always thought the scenario went something like this...

1) I search for "sndjfrti"
2) Main superspam computer picks up the search term via search monitoring
3) Main superspam computer sends command to 40 other minorspam computers to make a copy of "StupidIPodPic.jpg" and rename it "s_n_d_j_f_r_t_i.jpg"
4) 40 hosts suddenly show up in my search results for the file "s_n_d_j_f_r_t_i.jpg"

Based on your Resident Evil story, I wonder if it's more along the lines of...

1) I search for "sndjfrti"
2) Computer of hacker working for IPodSpamCo picks up the search term via search monitoring
3) Hacker computer orders 40 computers with trojan viruses to rename "HiddenIPodPic.jpg" as "sndjfrti.jpg"
4) 40 hosts suddenly show up in my search results for the file "sndjfrti.jpg"

I've always tended to believe that my first theory is correct, because you can never browse the hosts of these goofball files. When I identify these files, I typically right click, verify that I can not browse host, and block host.

What would be real nice would be if the wonderful people that maintain Limewire would allow us to block ALL of the hosts in one shot.

Dargnoran July 26th, 2005 03:21 AM

One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in peoples' shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled. 
There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be the using the same one in this case...
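As an added illustration of the two defensive checks this thread keeps circling back to (example code written here, not from the forum and not LimeWire's own code): a client-side scorer for the spoofed-result pattern Dargnoran describes above (name crudely derived from the query, T1 speed, browse-host disabled, a size matching the known spam sizes to within 1 KB, dozens of sources) and the post-download hash check M4db0mb3er wished LimeWire performed, using the Gnutella urn:sha1: base32 form. The result list, the spam sizes and the score weights are constructed assumptions for the demo.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Byte sizes tied to the spam in the thread's screenshots are not reproduced
# here; these are constructed placeholder values for the demo.
KNOWN_SPAM_SIZES = {372_736, 98_304}


@dataclass
class SearchResult:
    filename: str
    size: int
    speed: str            # "T1", "Cable/DSL", "Modem", ...
    sources: int
    browsable: bool       # whether "Browse Host" is available for the hit
    sha1_urn: Optional[str] = None   # "urn:sha1:<base32>" if the hit carried one


def _squash(text: str) -> str:
    """Lower-case and drop spaces/underscores, so 'T_r_a__X' and 'tra x' agree."""
    return re.sub(r"[\s_]+", "", text.lower())


def is_query_derived(filename: str, query: str) -> bool:
    """True when the file stem is nothing but the query with the crude
    transformations seen in the thread: case changed and/or underscores
    inserted between letters and words. Extra or missing words do not match,
    so 'This_wierd_crap.avi' is not flagged for the query 'wierd crap'."""
    stem = filename.rsplit(".", 1)[0]
    return _squash(query) != "" and _squash(stem) == _squash(query)


def spam_score(result: SearchResult, query: str) -> int:
    """Additive score over the signals the thread lists; weights are assumed."""
    score = 0
    if is_query_derived(result.filename, query):
        score += 3
    if result.speed == "T1":
        score += 1
    if not result.browsable:
        score += 1
    if any(abs(result.size - s) <= 1024 for s in KNOWN_SPAM_SIZES):
        score += 2
    if result.sources >= 20:
        score += 1
    return score


def filter_results(results: List[SearchResult], query: str,
                   threshold: int = 4) -> List[SearchResult]:
    """Keep only hits scoring below the threshold (a client-side keyword-style
    filter that keys on the pattern rather than on a fixed word list)."""
    return [r for r in results if spam_score(r, query) < threshold]


def sha1_urn(data: bytes) -> str:
    """Gnutella-style urn:sha1: value: base32 of the raw SHA-1 (32 chars)."""
    digest = hashlib.sha1(data).digest()
    return "urn:sha1:" + base64.b32encode(digest).decode("ascii")


def verify_download(data: bytes, advertised_urn: Optional[str]) -> bool:
    """False when the bytes received do not hash to what the search hit
    advertised; a hit with no hash is treated as unverifiable (fail closed),
    which is what catches a substituted file from a polluted download mesh."""
    if not advertised_urn:
        return False
    return sha1_urn(data) == advertised_urn.strip()


def sample_results() -> List[SearchResult]:
    """Constructed hits for the improbable query from the first post."""
    return [
        SearchResult("traxally impople.wmv", 372_736, "T1", 40, False),
        SearchResult("t_r_a_x_a_l_l_y__i_m_p_o_p_l_e.wmv", 372_736, "T1", 40, False),
        SearchResult("Traxally Impople.wmv", 372_800, "T1", 40, False),
        SearchResult("Traxally Impople - trailer.avi", 52_428_800, "Cable/DSL", 3, True),
    ]


if __name__ == "__main__":
    kept = filter_results(sample_results(), "traxally impople")
    print([r.filename for r in kept])
    body = b"constructed sample file bytes"
    print(verify_download(body, sha1_urn(body)), verify_download(body + b"!", sha1_urn(body)))
```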

ALimewireUser July 26th, 2005 08:58 PM

There might be another explanation for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.

Also, I've always been under the impression that the speed rating in the search results was a combined thing. For example, if 30 modem users had the same file and they came up in search results, would their combined bandwidth potentially be Cable\DSL or T1, based on their upload settings, etc?

vDave420 July 27th, 2005 11:41 AM

Quote:

Originally posted by smegma
I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:

You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable

Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.

Umm...

I put 10 to 1 odds that this person also downloaded the spam. Then, when the spammer responded to your query with your search terms, they included several recent downloaders as Alternate File Locations. The person you chatted with is almost certainly NOT the spammer.

;-)

-dave-

vDave420 July 27th, 2005 11:46 AM

Quote:

Originally posted by Dargnoran
One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there are dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in people's shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There are around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled.
There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be using the same one in this case...

I think you need to read the Gnutella specs a little closer, if you really think you were chatting with the spammer. See my prior reply.

I will also say that there are not "trojaned machines" that are the source of the spam.

1st) The spammer is probably no longer serving the file. If (s)he is, (s)he is no longer the only source. Other normal people who have also been tricked by the spammer and have defaulted to sharing downloaded files are ALSO sources.

2nd) Files are not requested by NAME in general, they are requested by HASH. Therefore, even if the file you request from me has a different name that you know of, it won't stop me from being a source for the file. Therefore, if FooledUser01 downloads the spam using the filename "FooledUser01 search term.wmv" because he searched for "FooledUser01 Search Term", and downloaded the resulting spam, he can still serve the file "Other Query String.wmv" to you if it is the same file. Therefore, only the spammer is responding to your query with your specific query terms, however, (s)he is including as alternate sources those other nodes which have recently downloaded from him/her.

I applaud you on your detective work, but alas, the conclusions you draw with regards to the person you chatted with and the method of spamming (trojaned PCs) are not supported by the protocol's design and available data.


-dave-
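
Dargnoran's description of the spoofing servent (always T1, browsing disabled, filename derived mechanically from the query) and vDave420's point that downloads are requested by hash, so re-sharers serve the same bytes under whatever name their own search gave the file, together suggest what a client-side filter would have to key on. The following Python is an added example, not code from LimeWire or from anyone in this thread; the hit fields, the sample bytes and the hashes are constructed for illustration, and only three of the "four" name forms Dargnoran mentions are modelled because only those three appear in the thread.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed model of one Gnutella query hit as a client displays it.  The field
# names are assumptions for this example, not LimeWire's own classes.
@dataclass
class QueryHit:
    filename: str
    urn_sha1: str          # content hash; every hit for the same bytes carries it, whatever the name
    speed: str             # speed the responder claims: "Modem", "Cable/DSL", "T1", ...
    browse_enabled: bool   # responder allows "browse host"
    chat_enabled: bool


def sha1_urn(data: bytes) -> str:
    """Gnutella-style content identifier: 'urn:sha1:' plus the base32 SHA-1 digest (32 chars)."""
    return "urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


def query_name_forms(query: str) -> set:
    """Filename stems a query-echoing servent produces, as described in the thread:
    the query verbatim, each letter separated by '_' with '__' between words, and a
    Title Case form.  The thread mentions a fourth form without describing it, so it
    is not modelled here."""
    words = query.lower().split()
    return {
        " ".join(words),
        "__".join("_".join(w) for w in words),
        " ".join(w.capitalize() for w in words),
    }


def echoes_query(filename: str, query: str) -> bool:
    """True when the filename is only a mechanical rewrite of the search terms."""
    stem = re.sub(r"\.[A-Za-z0-9]{2,4}$", "", filename).lower()
    return stem in {form.lower() for form in query_name_forms(query)}


def classify(hit: QueryHit, query: str, spam_hashes: set) -> str:
    """Label one hit.  The hash check comes first because it survives renaming:
    downloads are requested by hash, so an unwitting re-sharer serves the same
    bytes under whatever name their own search produced."""
    if hit.urn_sha1 in spam_hashes:
        return "known-spam-content"
    if echoes_query(hit.filename, query):
        # The spoofing servent always claims T1 and refuses browsing; a re-sharer
        # who happens to hold the file under the same name usually does neither.
        if hit.speed == "T1" and not hit.browse_enabled:
            return "spoofed-hit"
        return "suspicious-name"
    return "ok"


def filter_hits(hits, query: str, spam_hashes: set):
    """Split hits into those still worth showing and those dropped, with the reason."""
    kept, dropped = [], []
    for hit in hits:
        label = classify(hit, query, spam_hashes)
        (kept if label == "ok" else dropped).append((hit.filename, label))
    return kept, dropped


# Constructed sample content standing in for the spam image and for a genuine file.
SPAM_BYTES = b"constructed stand-in for the ipod advert"
SPOOF_BYTES = b"constructed stand-in for a spam variant not yet on the blocklist"
REAL_BYTES = b"constructed stand-in for a genuine video"
SPAM_HASH = sha1_urn(SPAM_BYTES)


def demo(query: str = "traxally impople"):
    """Run the filter over a constructed result set for the thread's nonsense query."""
    hits = [
        # Two hits from the query-echoing servent: T1, no browsing, name built from the query.
        QueryHit("traxally impople.wmv", sha1_urn(SPOOF_BYTES), "T1", False, True),
        QueryHit("t_r_a_x_a_l_l_y__i_m_p_o_p_l_e.wmv", sha1_urn(SPOOF_BYTES), "T1", False, False),
        # A re-sharer who searched the same words earlier: same name, ordinary speed, browsable.
        QueryHit("Traxally Impople.wmv", sha1_urn(SPOOF_BYTES), "Cable/DSL", True, True),
        # A re-sharer of the already-identified spam, under the name their own search gave it.
        QueryHit("Other Query String.wmv", SPAM_HASH, "Cable/DSL", True, True),
        # A genuine file that merely contains the query words.
        QueryHit("traxally impople (fan edit).avi", sha1_urn(REAL_BYTES), "Cable/DSL", True, False),
    ]
    return filter_hits(hits, query, {SPAM_HASH})


if __name__ == "__main__":
    kept, dropped = demo()
    for name, label in dropped:
        print(f"dropped {name!r}: {label}")
    for name, _ in kept:
        print(f"kept    {name!r}")
```

The design point is the ordering in classify: a keyword filter on the displayed name, which is what the head of the thread asks about, cannot catch a hit whose name is simply the query echoed back, whereas a blocklist keyed on the content hash catches every copy of a spam file once it has been identified once, including the copies served by people who downloaded it unknowingly.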

vDave420 July 27th, 2005 11:48 AM

Quote:

Originally posted by ALimewireUser
There might be another explanation for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.

No stretch here, this is certainly correct. I'd give 100:1 odds there.

-dave-

Dargnoran July 27th, 2005 06:30 PM

Quote:

Originally posted by ALimewireUser
There might be another explanation for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.
And it magically morphs its filename to match every incoming search? Yeah, right.

Besides, when I encounter an ipod spam I delete it rather than share it. I assume any non-spammer does likewise.

ALimewireUser July 28th, 2005 10:23 PM

I think it's a combination of both situations. Poop-heads are still serving the files on purpose and the unaware who've downloaded them are as well.

I just did a video search for "chrono crusade" and found a 106.7kb .wmv hosted by 2 users, not only with chat enabled, but also available to "browse host". Earlier tonight, the same search yielded 43 hosts without chat enabled.

I've been ignoring / host blocking this spam file for weeks now. In the instance that returned 2 hosts, it's obvious to me that 2 people downloaded it, not realizing it's just a P.O.S., and are unwittingly hosting it. My 43 host result was one of the spam ad crank-o-matics.

I think it's very possible that, depending on the popularity of the search terms, someone else might have downloaded a spam.wmv with the exact name as the one being returned in your search results and be unknowingly lumped in with their file on the search results. And have chat enabled.

As far as encountering and deleting, I'm sure that many people, myself included, click a couple dozen things to download and then go surf the web or play pogo games for an hour or so before checking the resulting downloads. It's VERY possible to be serving up spam in that time period.

ALimewireUser July 28th, 2005 11:00 PM

I've done several goofball searches tonight, stuff like "jbbvhtyud nswes", and have gotten numerous results varying from 25 - 50 hosts, with chat enabled.

Dargnoran July 29th, 2005 12:23 AM

You'd have to be an idiot to have it automatically sharing files you downloaded. It's not just because that could result in unwittingly sharing spam, but because it could result in unwittingly sharing illegal stuff. Never mind bootleg mp3s; there are child porn pictures floating around out there, not all of them clearly labeled. It's a very bad idea not to vet all files before making them shared. Even so you might get in trouble for possession of questionable files you got by accident; the penalties for distribution, however, tend to be far worse than those for mere possession.

ALimewireUser July 29th, 2005 07:10 PM

By default, Limewire has you sharing your download folder, if not more. So no, you wouldn't have to be an idiot, just a member of the larger segment of the P2P community. By the way, the term for those who are not sharing is "leech".

As far as the whole child porn red herring, sure, that's possible. The word unwitting means unknowing or unaware, like by accident. Nearly ANYTHING is possible by accident. For example, someone could unwittingly let the forums know that they are part of the IPod spammers by continually butting into a conversation regarding said spammers with a bunch of non sequitur comments intended to derail the discussion.

So anyway, the bottom line is it looks like the spammers have changed their tactics and are now enabling chat. I currently have an open search query with a 122.4 kb .wmv file and 29 hosts, chat enabled.

Any meaningful information, opinions, experiences, or tactics would be appreciated.

oppaker July 30th, 2005 01:26 PM

I don't know anything about computers, and can't offer a solution to this problem; just add to its mystery.
On a search for a specific movie, "God's army" with Christopher Walken,
for once the search turned up completely blank!
NOT ONE SINGLE HIT (without any filters turned on).
Even the second search produced the same result!
However, when I turned it around and searched for "army of god",
I got a lot of suspicious looking hits, all of which from T3 connections.
If the "fake i-pod" is auto generated, one would at least expect one or two hits in any search?

oppaker July 30th, 2005 01:28 PM

The "turned around" search came up looking like this:

oppaker July 30th, 2005 03:15 PM

Sorry. Same post was sent twice??

ALimewireUser August 1st, 2005 06:23 PM

I've seen the same thing. Sometimes you get them, sometimes not. This can be hours apart or even within a few minutes of each other.

I think it's either that...

...the spammers aren't always online.
...they can only do so many search terms at a time, or have certain words they key in on.
...Limewire doesn't always return all possible search results (maybe I don't have access to all possible nodes, etc).
