1

I recently built a website using Django. It has a contact form and some minimal pages about me and my work portfolio. I have been getting a few spam messages a day and their content intrigues me (screenshot attached). They are just a few words. Most of them do not contain any links.

Some of the messages are (in case the screenshot cannot be read):

  • the spread of parchment.
  • written on the parchment was scratched out
  • from lat. manus - "hand" and scribo - "I write") <>]
  • A handwritten book is a book
  • the spread of parchment.
  • so expensive material

... and more, seemingly funny messages.

[Screenshot: example of spam messages, with sender name, email and timestamp]

What are such messages trying to exploit?

PS: I am in the process of adding some anti-spam measures to my contact form - probably a Google reCAPTCHA.

  • 2
    This looks like it's scraping some random information and trying to overwhelm your server with POST requests or maybe it should act as a C&C server by sending commands in words encrypted in certain tables (considered one of the best encryption methods till this day as well). – Sir Muffington Apr 18 '22 at 19:29
  • @SirMuffington thanks for your insight! Those phrases do not occur on my website. So it's scraping it from elsewhere. Anything I should be careful of? I am logging these in my database and emailing them to myself for now. – Prateek Verma Apr 18 '22 at 20:16
  • Well, you should not spread these out of your honeypot. A small sample here is fine. – Sir Muffington Apr 18 '22 at 20:24

2 Answers

2

I'm guessing they're probes. One of the addresses is under the attacker's control and the rest are victims. The attacker's hope is that your site generates receipts or bounces and these are sent to the purported sender (the victim), a concept known as backscatter.

Once the attacker has verified that this works, they'll calibrate (if you truncated their message or went with just the subject, their payload must fit in that portion) and send out the real attack.

Of course, it could alternatively be any number of other things, including Bayesian poisoning or even misconfigured spam software.

Adam Katz
  • Wow! That is enlightening. How would the attacker know that a receipt has been generated and sent to the victim's email? Is that what you meant by "verified that this works"? – Prateek Verma Apr 19 '22 at 18:45
  • 1
    One of the addresses they're testing isn't a victim, it's the _attacker's_, hidden in that noise so analysts can't figure out which one is the attacker. That way they see the backscatter and where their spam link can fit, then they send out the real attack to a broader audience. – Adam Katz Apr 19 '22 at 19:37
  • Got it! You had said it and I missed it, but thank you for clarifying again. – Prateek Verma Apr 19 '22 at 20:10
0

These might be automated Search Engine Optimization (SEO) plants.

SEO operators sell their customers the "service" of raising them in Google's PageRank ratings, in the hope that if someone searches for their paid keywords, their site will come out on top. SEOs do this by adding posts containing their search phrases to as many sites, blogs, databases, etc., as they can, in the hope that one of the sites they spam is one that Google has deemed "worthy" of contributing value to the PageRank algorithm that would lift up their client.

It's possible that something in your CV is associated with calligraphy, paper, parchment, palimpsest, or some other keywords associated with whatever they're trying to sell. Maybe you follow someone on LinkedIn who is prominent in the parchment community. Or it could be something unrelated, and they're hoping to add links to their scummy products later. You may never find out.

The end result is that it fills your systems with rubbish. It's best to set up some kind of a blocking filter that just ignores that stuff, then delete it from your systems.

John Deters
  • I think you hit the nail on the head for my situation. There indeed is some (not much) content on my website that's loosely related (not exact and not in the same sequence) to the keywords in the spam messages. I will mark this as the answer, noting that I found Adam's answer very helpful too. – Prateek Verma Apr 19 '22 at 18:48
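
A sketch of a contact-form mail path that cannot produce the backscatter described in Adam Katz's answer, and that silently drops malformed submissions in the spirit of the blocking filter John Deters suggests. This is an added example, not code from the question or either answer: the addresses and the names `build_notification`, `process` and `recipients` are hypothetical, the single-address check goes slightly beyond what the answers discuss, and only the Python standard library is used (a Django view would hand the same message to its mail backend).

```python
import re
from email.message import EmailMessage

# Assumptions for this sketch: both addresses are placeholders for the site's own mailboxes.
OWNER = "owner@example.org"
SITE_FROM = "noreply@example.org"

# Exactly one address: no whitespace (so no CR/LF), no list or angle-bracket syntax.
ADDR_RE = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")

def build_notification(name, email, body):
    """Build the only mail a submission may cause, or return None to drop it."""
    if not ADDR_RE.fullmatch(email):
        return None                          # not a single plain address: ignore it
    msg = EmailMessage()
    msg["From"] = SITE_FROM                  # never the submitter-supplied address
    msg["To"] = OWNER                        # fixed recipient: nothing goes to the "sender"
    msg["Reply-To"] = email                  # used only if the owner chooses to answer
    msg["Subject"] = "Contact form message"  # constant: no submitter text in headers
    msg.set_content(f"Name: {name}\nEmail: {email}\n\n{body}")
    return msg

def process(submissions):
    """Return (outbox, dropped). No receipt or bounce is ever queued."""
    outbox, dropped = [], 0
    for name, email, body in submissions:
        msg = build_notification(name, email, body)
        if msg is None:
            dropped += 1
        else:
            outbox.append(msg)
    return outbox, dropped

def recipients(outbox):
    """Every address that would actually receive mail."""
    return {str(m[h]) for m in outbox for h in ("To", "Cc", "Bcc") if m[h]}

# Constructed submissions: bodies are phrases quoted in the question, addresses are made up.
SAMPLE = [
    ("a", "victim1@example.net", "the spread of parchment."),
    ("b", "probe@example.com", "so expensive material"),
    ("c", "victim2@example.net, victim3@example.net", "A handwritten book is a book"),
]

if __name__ == "__main__":
    outbox, dropped = process(SAMPLE)
    print(len(outbox), "queued,", dropped, "dropped, recipients:", recipients(outbox))
```

Because the only recipient is the fixed owner address, none of the purported senders, including whichever one a prober controls, ever receives mail from the site.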