I try to go through my spam queue at least once a week to check whether Akismet has incorrectly flagged any comments. This week, I noticed some strange messages.


At first, this looks like a legitimate pingback; at least, if this blog were about travel or cars. Out of curiosity I fired up a virtual machine and took a look at the Toyota site. At first glance, it looks like a “normal” site: a WordPress weblog, with some YouTube videos. Nothing special in the source code; the only JavaScript is a Google Analytics tracker, and there are no malicious-looking links.

Still, there is no reason to send me a pingback. Everything looks like a standard WordPress installation, which means that the URL would have to be entered manually, since there are no links to my site in the article. And the content of the site is in no way related, so there is no reason to send the pingback. Visitors to this site are presumably not interested in Toyota videos… There are only two other obvious reasons I can think of to try this, and those are generating revenue from ads (but there are none on the site) and spreading malware (which isn’t there either).

There are some obvious signs that there is something wrong here; for example, both domains shown above are registered through EstDomains. They are registered to the same person, but the nameservers have different names (ns.privatetracking.com and ns.curiousvideos.com) even though they are from the same subnet. This looks like an attempt to make these look a bit more trustworthy. The websites are hosted at Netdirekt; a Google search turns up more people reporting comment spam from servers hosted with them.
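The two checks described above (does the pinging page really link to this blog, and do differently named nameservers sit in the same subnet) can be scripted for spam-queue triage. This is an added example, not code from the original post; the `.example` hostnames, the documentation-range IP addresses and the /24 subnet size are assumptions, since the post gives neither the addresses nor the subnet size.

```python
from html.parser import HTMLParser
from ipaddress import ip_network
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collect absolute href targets of <a> tags from a pingback source page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(urljoin(self.base_url, href))


def links_to(source_html, source_url, target_host):
    """True if the source page contains a link to target_host or a subdomain of it."""
    parser = LinkCollector(source_url)
    parser.feed(source_html)
    hosts = [(urlparse(link).hostname or "").lower() for link in parser.links]
    target = target_host.lower()
    return any(h == target or h.endswith("." + target) for h in hosts)


def shared_subnets(ns_ips, prefix=24):
    """Group nameservers by network; keep only networks holding more than one name."""
    groups = {}
    for name, ip in ns_ips.items():
        net = ip_network(f"{ip}/{prefix}", strict=False)
        groups.setdefault(str(net), []).append(name)
    return {net: sorted(names) for net, names in groups.items() if len(names) > 1}


# Constructed sample input: a page with no link to the pinged blog, and
# documentation-range addresses standing in for the real nameserver IPs.
SAMPLE_PAGE = '<html><body><a href="/videos/1">Video</a><a href="http://www.youtube.com/watch">clip</a></body></html>'
SAMPLE_NS = {"ns.privatetracking.com": "192.0.2.10", "ns.curiousvideos.com": "192.0.2.77", "ns.unrelated.example": "198.51.100.5"}

if __name__ == "__main__":
    print(links_to(SAMPLE_PAGE, "http://source.example/post", "myblog.example"))
    print(shared_subnets(SAMPLE_NS))
```

A pingback whose source page fails `links_to` has no legitimate reason to exist, and sender domains whose nameservers cluster in one network are worth treating as a single operator.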

So I think it’s safe to assume Akismet was right in classifying this as spam; but I’m still wondering why such relatively harmless links would be posted. Here are my best guesses:

  • They are testing which sites accept links without checking them, and will post “real” spam as soon as these get through
  • This is an attempt to attract visitors by building a network of links, with the plan being to post malware as soon as enough visitors get through
  • Something else? If you have any ideas, let me know in the comments…