Why would a spammer do this?

I am not asking for advice on blocking spam, I have a pretty good idea how to do that but it is generally not a problem for me luckily. I occasionally get the usual ones - I have won the lottery, disaster relief, they have intimate photos of me, click on this link - you know the stuff - no problem.

But I quite frequently get very similar spams via a contact form that I assume are from a bot. Simply a fake email address and a single or short comment of random words like ‘reasons’ or ‘ultimate view’ or ‘wood’ or ‘total container’.

My question is - What is the point? There is no link, obviously spam, I couldn’t reply if I wanted because it is a false email address. I just delete. But my curiosity is roused, is there an ulterior motive I am missing, is there some hidden threat?

As far as I can see - no problem - but - why do it?

It could just be the kind of “failed Spam” we sometimes see here. We get posts which are clearly intended as Spam, but the poster has either forgotten to add the link, or malformed the link so it doesn’t work.

Aaah OK, makes sense, it’s kind of the ultimate negative commendation really, bad enough to be a spammer - but a failed spammer - love to see that on their resume ! :smiley:

Perhaps the poster purchased thousands of links and any that bounced would be reported. These could be removed from the list.

Good point !

Any email that you put submitted data into can contain HTML, CSS, JavaScript. If you didn’t apply htmlentities() to the values, that content will get executed if you are using a browser to read the email. At a minimum, this would give your IP address to someone (via request(s) to a 3rd party server to fetch an image or similar) and if you happen to be reading the email on the same domain as your web site, cross site scripting can read and send your web site’s cookie values too.

OK, getting more sinister… thanks for the info, didn’t know that !

Pretty much what happened here: https://news.softpedia.com/news/Webmail-Service-CEO-Hack-My-E-mail-Get-10-000-113478.shtml

:slight_smile:

I once had a client who woke up one day with 39,000 viagra+soft porn spams added to their WordPress comments. Good question though. The spams were pretty incoherent, certainly worthless from a commercial point of view. My guess is that it was some high school ‘script kiddie’s’ bot project that has been floating around the net for years… part of a botnet maybe. Some people have way too much time on their hands. Some defenses include a ‘captcha’ validator on the form. Also, some throttling on the HTTP POSTs would help. No human can submit 39,000 form submissions in 10 seconds.

Well I guess I should just be thankful for the small amount I get. Just seems like such a sad pathetic waste of time

Often these are encoded commands from a C&C server to a compromised machine within your network. I strongly suggest that you investigate the possibility of malware being present on one of the systems on your local network. It could be any host. There are variants of the malware available for Windows, OSX and Linux. It could even be present in an embedded device, such as an IoT device or router.

Here is a series of older, but enlightening papers on one of the many groups that operate this way:
https://www.eset.com/afr/about/newsroom/press-releases-afr/research/dissection-of-sednit-espionage-group-1/

Many thanks, I really have a network as such, just a hosted site with email. But I will investigate your suggestions, thank you.

In these cases, the bot’s intention is to check if there is a weakness in your “contact form”. It is not uncommon that these forms do not protect against header injection, so “spammers” use bots that just spider websites and automatically try the forms they locate.

When they locate one which they can exploit, they will use it to send out as many spam emails as they can until it is shut down.

If this happens, it usually means that the IP of the server and any domains attached to it will be blacklisted as sending spam and it can be quite difficult to sort out afterward.

With this in mind, if you only get one of these from time to time, your form is most probably secure. But if they keep filling your inbox, I would strongly recommend reviewing the form code.
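
An added example, not code from any post in this thread: one way a PHP contact-form handler can cover both points raised above, rejecting line breaks in header-bound fields (header injection) and applying htmlentities() to submitted values before they go into the email. The field names, addresses and helper function names are assumptions made for illustration.

```php
<?php
// Added example. Field names, addresses and helper names are assumptions.
// Returns [clean fields, list of errors] for one submitted form.
function validate_contact_form(array $post): array
{
    $f = [];
    foreach (['name', 'email', 'message'] as $key) {
        $f[$key] = is_string($post[$key] ?? null) ? trim($post[$key]) : '';
    }
    $errors = [];
    // A CR or LF in a value that ends up in a mail header lets the
    // submitter add headers of their own, so such values are rejected.
    foreach (['name', 'email'] as $key) {
        if (preg_match('/[\r\n]/', $f[$key])) {
            $errors[] = "$key contains a line break";
        }
    }
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($f['message'] === '' || strlen($f['message']) > 5000) {
        $errors[] = 'message is empty or too long';
    }
    return [$f, $errors];
}

// Builds the arguments for mail(); recipient, sender and subject are fixed.
function build_mail(array $f): array
{
    $headers = [
        'From'         => 'webform@example.com',
        'Reply-To'     => $f['email'],
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    // htmlentities() keeps submitted markup inert in a browser-based mail reader.
    $body = 'Name: ' . htmlentities($f['name'], ENT_QUOTES, 'UTF-8') . "\n\n"
          . htmlentities($f['message'], ENT_QUOTES, 'UTF-8');
    return ['owner@example.com', 'Contact form message', $body, $headers];
}

// Constructed submission: a line break smuggled into the email field.
$sample = ['name' => 'wood', 'email' => "a@example.com\r\nBcc: b@example.com",
           'message' => '<img src="https://tracker.example/p.gif">'];
[$fields, $errors] = validate_contact_form($sample);
if ($errors) {
    echo "rejected: " . implode('; ', $errors) . "\n";
} else {
    mail(...build_mail($fields)); // array headers need PHP 7.2+
}
```

Logging the rejected submissions alongside the source address gives a simple way to see whether the probing is occasional or sustained.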