Many people complain about all the spam in their mailboxes but when you’re running a blog, forum or even a simple contact page where visitors can leave messages, you can still receive spam in some other forms. With Facebook and Twitter, for example, you might get invitations by people you don’t even know. With LinkedIn, this is a bit more difficult but it still has people attempting to connect to you so they can make all kinds of “interesting” offers to you.

But today I’ve received a comment spam on my post called “Dealing with deadlines” and it started like this:

{I have|I’ve} been {surfing|browsing} online more than {three|3|2|4} hours today,
yet I never found any interesting article like yours.
{It’s|It is} pretty worth enough for me. {In
my opinion|Personally|In my view},if all {webmasters|site owners|website owners|web
owners} and bloggers made good content as you did, the {internet|net|web} will be {much more|a
lot more} useful than ever before.|
I {couldn’t|could not} {resist|refrain from} commenting.
{Very well|Perfectly|Well|Exceptionally well} written!|
{I will|I’ll} {right away|immediately} {take hold of|grab|clutch|grasp|seize|snatch} your {rss|rssfeed} as I {can not|can’t} {in finding|find|to find}
your {email|e-mail} subscription {link|hyperlink} or {newsletter|e-newsletter} service.
Do {you have|you’ve} any? {Please|Kindly} {allow|permit|let} me {realize|recognize|understand|recognise|know}
{so that|in order that} I {may just|may|could} subscribe.

Well, that’s an interesting comment. (Full text here…) Basically, this is a script file that’s used by spammers to create random comments for blogs and forums. And normally, spammers will just use a selection of words and sentences from these script files to generate something a visitor might have written. And the many variants make it harder to detect as spam. Unless you’re giving the master script, of course, like this stupid spammer has done.

If I would allow this message, someone with a Canadian IP address (142.4.208.160) would be able to add more comment spams on my blog and might even flood fill it with spam, once they got their first approval. Of course, the spammer also used an email account (augustuscolangelo@freenet.de) from the German provider called Freenet and they have been used many times by spammers. They’ve taken steps to prevent spammers to send mass emails but that doesn’t stop spammers from doing comment spams like this one.

Also interesting is the fact that the spammer added a link to foot-en-direct-gratuit.sixsigmadss.com (Links to main site, not the spammers blog) which happens to be some blog on the site of an Indian company called “Six Sigma”. I wonder if this company even knows about this blog, that’s written in French. I guess they don’t know about it, but that their DNS information has been hijacked. Or maybe their servers are hacked.

So, what I like to do is visit RobTex to collect more information about what I’ve found. So far, it’s an interesting international spammer. Mail in Germany, spamming from Canada with a web server that’s owned by a company in India. RobTex tells me the shared host they use for the site is Enzu in the USA, which provides cloud services and more. They also use the DNS services of GoDaddy which does confuse me a bit. Why not use the DNS servers of Enzu?

Well, some further research tells me why. While Six Sigma uses GoDaddy as their host, the spammers have instead used Enzu to create their own website, which makes them appear legitimate. They’ve also moved the regular site to Enzu, and are probably redirecting visitors from there to the original website. (Or Six Sigma is supporting the spammer, which is also an option. I just don’t want to accuse them of this crime.) When I visit the Six Sigma website, it does seem as if someone has taken over control over their site. Much of it looks disabled, as if the hacker is just misusing the site for their own purposes. It looks like it’s been taken over two days ago by the hacker, yet they did not detect the hack at this moment. I hope they will be able to fix this fast, though.

Of course, there’s an even bigger risk here. Since the spammer seems to have hijacked their home site, he can play a man-in-the-middle attack. Every customer of them who enters their credentials to log in will tell this hacker about their credentials too. This is a serious thing. Spammers are often trying to do more than just send spam. They will try to collect more information to allow them to hack even more accounts.

There are a few things here that worry me. First of all, this Indian company that doesn’t seem to realize their site is hacked. Also, GoDaddy, who is supposed to be their host, isn’t hosting their main site. Also, Enzu doesn’t seem to realize that they’re hosting a site for an Indian company that uses the French language for a blog that seems filled with random articles from French/Canadian news sites. You could wonder if hosting companies should be able to check if strange things are happening to the accounts of their customers.

Yeah, I think you can blame hosting companies for all the spam on the Internet, simply because they’re not pro-active when suspicious changes are made to the accounts of their clients. If hosting companies take more care in selecting their clients, validating any account changes and don’t even tell their customers when their accounts seem to be hacked, then spam will just continue to cause problems.

Update: Within an hour of posting this all, a spammer tried to add a comment to this post! They never learn…