Gnutella Forums  

Go Back   Gnutella Forums > Current Gnutella Client Forums > LimeWire+WireShare (Cross-platform) > Technical Support > General Windows Support
Register FAQ The Twelve Commandments Members List Calendar Arcade Find the Best VPN Today's Posts

General Windows Support For questions about Windows issues regarding LimeWire or WireShare or related questions


Reply
 
LinkBack Thread Tools Display Modes
  #31 (permalink)  
Old July 8th, 2005
Unr3485894
Guest
 
Posts: n/a
Thumbs down

This is frustrating me too. It's bad enough that spammers have to take pictures, spray their graffiti all over it making it difficult to edit it and restore the original, but to completely erase the image and substitute their own crap completely is over the top. At least if part of the original, "real" image remains, you can see if some file you have elsewhere is the unadulterated original. And with spoofed search results there is no original. But when there is an original, but it gets completely replaced by crap en route ... how do you recover from that?

And it isn't just spam. Sometimes files download supposedly successfully, but don't work -- exactly how good is Limewire's corruption detection anyway? It seems to miss most cases of corrupt files. I've found perfectly working "CORRUPT-foo" files in my incomplete directory, and gotten lots of supposedly successful downloads that were truncated, sometimes to zero bytes. A download that results in a zero length file was ipso facto NOT successful! (Probably, these happen when the en-route-substitution thing the spammers use goes wrong. Perhaps when the legitimate file sharer isn't busy and the file is big enough and Limewire tries to download the file from both sources in the mesh, the real one and the spammer? I could see that producing all kinds of corrupt files and cut-off files, and if LW relies on the client sending a chunk to send the chunk's hash for verification and the spammer lies, LW will not detect anything amiss...)
Reply With Quote
  #32 (permalink)  
Old July 10th, 2005
smegma
Guest
 
Posts: n/a
Exclamation

I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:
You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name 
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable
Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.
Reply With Quote
  #33 (permalink)  
Old July 20th, 2005
smegma
Guest
 
Posts: n/a
Cool hey

*bump*

I thought maybe people would be interested in this? But I guess not.
Reply With Quote
  #34 (permalink)  
Old July 23rd, 2005
Novicius
 
Join Date: July 23rd, 2005
Location: Offutt Air Force Base
Posts: 1
cynpaap is flying high
Angry Download movies, receive ipod advertisement instead

To me it is so rediculous that these stupid companies honestly think they will get us to buy their product if they duke us into downloading their advertisement. It really ****** me off that I am downloading a movie and when I go to open it it's a picture of an ipod. If anything, it makes me want to never have anything to do with them and definitely never buy their product. SO Gay! How do we stop it?!
Reply With Quote
  #35 (permalink)  
Old July 23rd, 2005
skunkworks
Guest
 
Posts: n/a
Default

with an AK-47 that's how!
Reply With Quote
  #36 (permalink)  
Old July 26th, 2005
ALimewireUser
Guest
 
Posts: n/a
Default

I'm no computer expert by any stretch, but I do know a thing or two. I've always thought the scenario went something like this...

1) I search for "sndjfrti"
2) Main superspam computer picks up the search term via search monitoring
3) Main superspam computer sends command to 40 other minorspam computers to make a copy of "StupidIPodPic.jpg" and rename it "s_n_d_j_f_r_t_i.jpg"
4) 40 hosts suddenly show up in my search results for the file "s_n_d_j_f_r_t_i.jpg"

Based on your Resident Evil story, I wonder if it's more along the lines of...

1) I search for "sndjfrti"
2) Computer of hacker working for IPodSpamCo picks up the search term via search monitoring
3) Hacker computer orders 40 computers with trojan viruses to rename "HiddenIPodPic.jpg" as "sndjfrti.jpg"
4) 40 hosts suddenly show up in my search results for the file "sndjfrti.jpg"

I've always tended to believe that my first theory is correct, because you can never browse the hosts of these goofball files. When I identify these files, I typically right click, verify that I can not browse host, and block host.

What would be real nice would be if the wonderful people that maintain Limewire would allow us to block ALL of the hosts in one shot.
Reply With Quote
  #37 (permalink)  
Old July 26th, 2005
Dargnoran
Guest
 
Posts: n/a
Default

One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in peoples' shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled. There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be the using the same one in this case...
Reply With Quote
  #38 (permalink)  
Old July 26th, 2005
ALimewireUser
Guest
 
Posts: n/a
Default

There might be another explaination for the Enabled Chat. Perhaps some hapless soul downloaded one of these files and is now hosting it? It's a bit of a stretch, but possible.

Also, I've always been under the impression that the speed rating in the search results was a combined thing. For example, if 30 modem users had the same file and they came up in search results, would their combined bandwidth potentially be Cable\DSL or T1, based on their upload settings, etc?
Reply With Quote
  #39 (permalink)  
Old July 27th, 2005
Disciple
 
Join Date: May 17th, 2005
Location: Manhattan
Posts: 18
vDave420 is flying high
Default

Quote:
Originally posted by smegma
I had a conversation with the ipod spammer tonight.

Yup -- one of the fake search results showed chat enabled. And they actually talked to me! Here's what the spammer has to say for himself:

Code:
You: WHY DO YOU SEND THIS SPEW????
24.59.129.174: what spew
24.59.129.174: ?
You: The fake search results!!!
24.59.129.174: Huh?
You: You know ... the ipod picture
24.59.129.174: nothing that i know of is fake
You: You returned a search result for an ipod picture...
24.59.129.174: whats the name 
You: "fetscom super".
24.59.129.174: what file?
You: It's the search query I used.
You: fetscom super.jpg
You: Why are you offering a picture of an ipod named whatever the search was?
24.59.129.174: i wasnt aware that i was
Host is unavailable
Apparently, denial and feigned ignorance are to be preferred over admitting the truth, even in conversation with someone who can't do much about it anyway.
Umm...

I put 10 to 1 odds that this person also downloaded the spam. Then, when the spammer responded to your query with your search terms, they included several recent downloaders as Alternate File Locations. The person you chatted with is almost certainly NOT the spammer.

;-)

-dave-
Reply With Quote
  #40 (permalink)  
Old July 27th, 2005
Disciple
 
Join Date: May 17th, 2005
Location: Manhattan
Posts: 18
vDave420 is flying high
Default

Quote:
Originally posted by Dargnoran
One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.

The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?

I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in peoples' shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled. There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...

There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be the using the same one in this case...
I think you need to read the Gnutella specs a little closer, if you really think you were chatting with the spammer. See my prior reply.

I will also say that there are not "trojaned machines" that are the source of the spam.

1st) The spammer is probably no longer serving the file. If (s)he is, (s)he is no longer the only source. Other normal people who have also been tricked by the spammer and have defaulted to sharing downloaded files are ALSO sources.

2nd) Files are not requested by NAME in general, they are requested by HASH. Therefore, even if the file you request from me has a different name that you know of, it won't stop me from being a source for the file. Therefore, if FooledUser01 downloads the spam using the filename 'FooledUser01 search term.wmv" because he searched for "FooledUser01 Search Term", and downloaded the resulting spam, he can still serve the file "Other Query String.wmv" to you if it is the same file. Therefore, only the spammer is responding to your query with your specific query terms, however, (s)he is including as alternate sources those other nodes which have recently downloaded from him/her.

I applaud you on your detective work, but alas, the conclusions you draw with regards to the person you chatted with and the method of spamming (trojaned PCs) are not supported by the protocol's design and available data.


-dave-
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Search results disappointing ... biased results with Spam ChrisAvalon Open Discussion topics 63 April 5th, 2008 07:07 PM
confused(spam showing in results) xand_scenex Download/Upload Problems 2 February 11th, 2007 03:38 PM
no results, just spam dapork Open Discussion topics 3 August 30th, 2006 09:43 PM
autogenerated spam results superesonator General P2P Network Discussion 8 February 12th, 2005 08:23 PM
Spam or What? Unregistered Open Discussion topics 2 June 26th, 2002 06:52 PM


All times are GMT -7. The time now is 07:01 AM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
SEO by vBSEO 3.6.0 ©2011, Crawlability, Inc.

Copyright © 2020 Gnutella Forums.
All Rights Reserved.