HACKER Q&A
📣 the-mitr

What are these strange random strings spamming my blog?


I have a WordPress blog, and recently I discovered that there are several spam comments daily which have seemingly random strings in the content. The comments don't have any other (human-readable) links, which are usually present in other spam comments. Can someone explain what the point of such random strings is? Do they mean/represent anything?

Some examples of spam comments:

https://imgur.com/3FVR7Yn


👤 zenexer Accepted Answer ✓
I recognize that IP address! Your site is being used as a pawn in a rather sneaky attack, and I was hit by it recently. Those email addresses belong to the victims—like me.

Let’s say I’m a hacker. I’ve gotten into Alice’s Amazon account and want to place a bunch of orders using her payment info. However, I don’t want her to notice until after I’ve received the ill-gotten goods.

To ensure she doesn’t notice the email notifications from Amazon, I want to “bury” those emails with spam. I can do this by entering her email into tons of online forms. Most will only send a single email—for example, your blog will probably only ask Alice to confirm her email—but once is enough.

This happened to me a couple weeks ago with Apple. Someone used the default billing and shipping info on my Apple account to place an order for an iPhone 14 Pro Max. I woke up to hundreds of emails from various blogs and other sites asking me to confirm my email. Being a security researcher, I knew that meant someone didn’t want me to see something else that had landed in my inbox.

I went through each one by hand. One included the IP address that submitted the form, which was interesting but not particularly useful. Eventually I found the receipt from Apple.

It’s not clear how the attackers intended to intercept the package; presumably, they would’ve tried to convince the courier to redirect it or retrieved the package from my doorstep, but Apple intervened and was able to stop the delivery before either of those happened.

It’s also not clear how the attacker got my billing and shipping info. Apple was able to confirm that my account wasn’t compromised and that nobody had contacted support pretending to be me. That billing info wasn’t used with many other companies.

Edit: You can see what this looks like from the victim’s side here: https://imgur.com/a/DHEJwKh Note that the usernames have the same sort of gibberish.


👤 sillysaurusx
Everyone's coming up with Hollywood-style explanations (it's encryption! it's AI!) but as a former pentester, one of the more likely explanations is that it's probably just looking for vulnerabilities in an automated way. The first thing you do when you get an account somewhere as a pentester is to try to stuff as many strings as possible into weird places just to see what happens.

I don't think automated techniques are very effective (or weren't in 2016) but it seems more likely to be vuln hunting than choosing your WordPress blog for encrypted comms vs established places like Twitter.

EDIT: faizshah https://news.ycombinator.com/item?id=34866169 points out that https://perishablepress.com/block-random-string-comment-spam... observes the same phenomenon, and the author notes that all of the IP addresses come from Russia. This seems to lend credence to the idea that it's looking for vulns, since, well, lots of traffic from Russia is looking for vulns.


👤 gitgud
It's unlikely, but this reminds me of this story [1], where hackers used public posts on Twitter to send commands to a botnet.

Kind of genius, as it doesn't matter what the user is, and becomes impossible to track or prevent messages being relayed to some botnet somewhere.

These could be encrypted messages like that... Or it could just be a glitch in a spam bot...

[1] https://www.darkreading.com/endpoint/tool-controls-botnet-wi...


👤 johndough
To control a botnet, you need a command & control server. Those servers usually get taken down quickly, so you need some way to tell your botnet what the new server is. One option is to post the new IPs on Reddit, where the bots can find them, like the iWorm did: https://support.intego.com/hc/en-us/articles/207113608-iWorm...

Forums would be another option.

Note that this is just a guess. Might also be something completely different.


👤 LinuxBender
FWIW, all of those IPs are in the FireHol 30-day netset [1] from the FireHol repo [2]. They are known abusers and safe to null-route if you happen to run your own mail servers, blogs, etc.

    wc -l firehol_abusers*
      7260 firehol_abusers_1d.netset
    184010 firehol_abusers_30d.netset

    # first grep for any IP's you care about and then
    # (skipping the '#' comment lines at the top of the netset):
    for Ip in $(grep -v '^#' firehol_abusers_30d.netset);do ip route add blackhole "${Ip}" 2>/dev/null;done

If that cuts down on the noise then create a startup script to do this on reboot. The first time this should be done from a web console vs. ssh in case the list contains your own IP address or gateway. Why ip route vs ipset or iptables? Far less CPU load than netfilter.

A more generic way to keep many bots out is to redirect anything other than HTTP/2.0 to a password protected listener. This will block Google bots as they still do not support HTTP/2.0 but will also block a majority of the problematic bots.

[1] - https://github.com/firehol/blocklist-ipsets/blob/master/fire...

[2] - https://github.com/firehol/blocklist-ipsets
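The one thing the loop above cannot do is notice when the list contains your own address or your gateway, which is why the comment says to run it from a console the first time. The script below is an added example (not LinuxBender's code) that generates the same `ip route add blackhole` commands but skips any netset entry covering a protected address. It assumes the plain-text netset format FireHOL publishes (one IPv4 address or CIDR per line, `#` comment lines), iproute2's `ip`, and POSIX awk; the netset contents used in the usage note are whatever you downloaded, and nothing here is FireHOL's own tooling.

```shell
#!/bin/sh
# Added example, not LinuxBender's script: generate "ip route add blackhole"
# commands from a FireHOL netset while refusing to null-route any protected
# address (your own interfaces, your gateway, anything else you pass in).
# Assumes the netset format FireHOL publishes (one IPv4 address or CIDR per
# line, "#" comment lines) and iproute2's "ip"; sample data is constructed.

# Routable entries of a netset file: drop comment and blank lines, which a
# plain "for Ip in $(cat ...)" loop would otherwise hand to "ip route".
netset_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Addresses this host must keep reaching: every local IPv4 address and the
# default gateway. Run the whole thing from a console, not over ssh, first.
protected_addrs() {
    ip -4 -o addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1
    ip -4 route show default 2>/dev/null | awk '{print $3}'
}

# Return 0 if the dotted quad $1 lies inside $2 (a bare address or a CIDR).
# POSIX awk has no bitwise AND, so the prefix test compares both addresses
# after integer division by the block size 2^(32-prefix).
in_cidr() {
    awk -v ip="$1" -v net="$2" '
        function toint(a,   p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        BEGIN {
            n = split(net, part, "/")
            bits = (n == 2) ? part[2] : 32
            blk = 2 ^ (32 - bits)
            exit !(int(toint(ip) / blk) == int(toint(part[1]) / blk))
        }'
}

# Print one blackhole command per safe entry; entries covering a protected
# address are reported on stderr and skipped.
# usage: blackhole_commands NETSET_FILE [PROTECTED_IP ...]
blackhole_commands() {
    netset=$1
    shift
    netset_entries "$netset" | while IFS= read -r entry; do
        skip=0
        for p in "$@"; do
            if in_cidr "$p" "$entry"; then
                echo "# skipping $entry: it covers protected address $p" >&2
                skip=1
                break
            fi
        done
        if [ "$skip" -eq 0 ]; then
            printf 'ip route add blackhole %s 2>/dev/null\n' "$entry"
        fi
    done
}

# Review the output first, then pipe it into sh to apply. The same line
# belongs in a startup script so the routes survive a reboot:
#   blackhole_commands firehol_abusers_30d.netset $(protected_addrs) | sh
```

Because the commands are printed rather than executed, you can diff the output against the previous run before applying it, and the stderr lines tell you exactly which entries were held back and why.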


👤 faizshah
I found a recent blog post on what seems to be the same phenomenon: https://perishablepress.com/block-random-string-comment-spam...

They didn't find a motive for the spam, though.

To me what’s interesting is that the strings are variable length and the emails appear to be real emails rather than randomly generated ones.


👤 thatjoeoverthr
I can't, but I've seen it, and have a pet theory that it's encrypted communication. You can't identify the recipient. There may be some communication network running on blogs with weak spam protection.

👤 luckylion
Possibly unique strings that can later be checked on Google to see whether submitted comments make it into the SERPs. If they do, spammers will come back and fire from all barrels.

👤 OliverJones
Script kiddies doing vuln probes. Definitely not worth much of your energy to try to figure out root causes. For what it's worth, if you activate the Akismet plugin that comes with WordPress, you'll get Automattic's crowdsourced spam-comment detector and almost none of this kind of rubbish will get through.

WordPress also has an xml-rpc feature, originally set up to allow a thing called a "pingback". That's a way of inserting a comment on your blog post if I mention its URL on my blog post. An attempt at community-building, it was. But very vulnerable to scripting attacks. There are plugins to control (restrict) that functionality.


👤 DoctorOW
Here's my guess. WordPress allows you to enter the URL of your website for a free link to it if it's approved. There are probably enough people who auto-approve with a blacklisted set of key phrases for the comment body. A random string is human-recognizable but somewhat hard to pattern-match.

👤 hayksaakian
Maybe someone "fishing" to get comments approved so they can post comments in the future from the same alias and get auto-approved?

There's a WordPress setting to auto-approve comments from previously approved authors.


👤 nunodonato
WPCFS - wordpress comments as a filesystem :P

👤 petargyurov
Try running the input on CyberChef [0]

[0] https://cyberchef.org/


👤 epberry
I also receive strings like this as submissions to a form on my website. One dumb trick you can do is check for too many capital letters in a word and block it. Of course you should check if the word is just all caps and not block that but you'll catch most things like sIlaA.sfOlkWFfslIOILD.

👤 NoboruWataya
Have you tried running it all through a base64 decoder just to see what happens? Some of the strings are the wrong length but maybe if you concatenate them together...
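Two of the quick checks suggested in this thread are easy to script: epberry's "too many capitals in one word" filter and the base64 probe NoboruWataya describes. The script below is an added example (not code from any commenter) that implements both; it assumes GNU coreutils (`base64 -d`) and POSIX awk, and the sample strings in the comments and usage are constructed, not copied from the screenshots.

```shell
#!/bin/sh
# Added example, not code from any commenter: two triage checks for
# random-string comment bodies. Assumes GNU coreutils (base64 -d) and POSIX
# awk; sample strings are constructed, not taken from the screenshots.

# epberry's heuristic: flag words in which more than a third of the letters
# are capitals, but leave all-caps words alone (HTTP, NASA). Prints each
# flagged word and returns 0 if anything was flagged, 1 otherwise.
flag_mixed_caps() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | awk '
        {
            letters = gsub(/[A-Za-z]/, "&")   # gsub returns the match count
            upper   = gsub(/[A-Z]/, "&")
            if (letters >= 4 && upper < letters && upper * 3 > letters) {
                print
                hit = 1
            }
        }
        END { exit !hit }'
}

# NoboruWataya's base64 probe: keep only the base64 alphabet (so a string
# like "sIlaA.sfOlkWFfslIOILD" is read as one blob), repair the padding,
# decode, and classify the result as "text" (at least 90% printable bytes)
# or "binary". Returns 1 when the input cannot be base64 at all (empty, or
# length 4n+1 after stripping padding, which no valid encoding produces).
probe_base64() {
    clean=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9+/')
    [ -n "$clean" ] || return 1
    case $(( ${#clean} % 4 )) in
        1) return 1 ;;
        2) clean="${clean}==" ;;
        3) clean="${clean}=" ;;
    esac
    decoded=$(mktemp)
    if ! printf '%s' "$clean" | base64 -d > "$decoded" 2>/dev/null; then
        rm -f "$decoded"
        return 1
    fi
    total=$(( $(wc -c < "$decoded") ))
    # Count in the C locale so every byte >= 0x80 counts as non-printable.
    printable=$(( $(LC_ALL=C tr -cd '[:print:][:space:]' < "$decoded" | wc -c) ))
    rm -f "$decoded"
    if [ "$printable" -gt 0 ] && [ $(( printable * 10 )) -ge $(( total * 9 )) ]; then
        echo text
    else
        echo binary
    fi
}

# Usage (constructed inputs):
#   flag_mixed_caps 'Please see sIlaA.sfOlkWFfslIOILD thanks'  # prints the odd word
#   probe_base64 'SGVsbG8gd29ybGQ'                              # prints "text"
#   probe_base64 'sIlaA.sfOlkWFfslIOILD'                         # prints "binary"
```

The decoded bytes go to a temporary file rather than a shell variable because command substitution cannot hold NUL bytes, and a random-string comment that does decode is far more likely to produce binary junk than readable text; "binary" from this probe is the expected answer for noise, and only a "text" result is worth a second look.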

👤 superzamp
A long time ago, I discovered a bunch of websites that had their search bar feeding back your previous searches as suggestions. You would for example search for "abc 1234 xyz 2345" once, and upon next search, typing "abc 1234" would then suggest "abc 1234 xyz 2345".

You can probably guess where I'm headed now, and in a true "if it can be done it has to be done" mindset, I subsequently had the most fun implementing a parasitic KV-storage engine on top of those search bars. I was probably prouder of it at the time than I am now, and would today strongly recommend against storing your PDFs in other people's search bars.

Obviously can't know for sure if this is what's happening here, but seeing this definitely rings a bell.


👤 winrid
Better than the spam I get, which is either foreign people asking when they can receive their free gift, or people saying positive but completely nonsensical stuff.

👤 mothsonasloth
Probably someone just testing a spam bot on your site before deploying it for real.

👤 andyjohnson0
Probably someone scanning for vulnerabilities. Less likely, your blog is being used as a communication channel - either between human parties or to control something. I'm not sure how you'd find out.

I'd strongly suggest installing a reCAPTCHA plugin. At one time I was getting a lot of spam comments and this solved it for me.


👤 xg15
Looks like base64. Does it decode to anything comprehensible?

👤 lozenge
Are there any URL fields in the form, even if the URL doesn't come out onto the page? Could they be sending HTML that your blog is stripping out?

👤 badrabbit
The first thing that came to mind is a possible encrypted C2 channel using random blogs. Others have more interesting theories, but this is what C2 over Twitter or something would look like, and if I had to guess the posts are base64 containing encrypted data.

I am fairly confident this isn't related to looking for vulns.


👤 jhoelzel
I've been getting these for years on many WordPress sites that come up; my current guesstimate is that the larger ones are botnet communication and the smaller ones are simply "checks" of whether you auto-approve your comments.

With the unique string, it's very easy to check if your comment made it live.


👤 batch12
It could be an attempt to exploit a bug like this one: https://wpscan.com/vulnerability/e8bb79db-ef77-43be-b449-4c4...

👤 Havoc
Either bot comms or they're trying to blackhat-SEO the URL on the left.

👤 eurasiantiger
It’s someone’s AI learning to remember.