OK, this has probably been covered already, but I missed it, so I'd appreciate a little help

I'm using Gnucleus. Whenever I do a search, I always get two results that exactly match the search criteria I've entered. One is a .URL (Windows Internet Shortcut) file that is alwasy 115K in size and one is an .MPG file that is always (I believe) 28K in size. Occasionally I'll get a third hit for something like "free passcodes for X" where X is the search criteria I've entered.

Since I often use shorthand for searches, the fact that these "hits" are being generated in response to my query is obvious. F'rinstance, if I'm searching for a song (let's say "She Blinded me With Science" by Thomas Dolby) and I put in "Dolby Blinded Science", along with all the hits for the "Thomas Dolby - She Blinded Me With Science.mp3", I'll get hits for "Dolby Blinded Science.url" and "Dolby Blinded Science.mpg".

I've never downloaded one of these files, since I assume something unpleasant is up. But I'm afraid that one day I'll accidentally grab one from a long list of hits. Those lists DO jump around when you're trying to click on them :-P

So I really have three questions:
1. What is generating these fake hits? Is it some kind of Gnutella virus?

2. Why do the .URL files continue to show up even though I've blocked .URL files in Gnucleus using the Search filter?

3. These files always seem to come from the same IP. Why do they continue to appear after I've denied that IP using the connect filter?

http://www.gnutellaforums.com/showth...threadid=11503

hmm..i think i sucessfully blocked those 2 ips...either they are being blocked or i'm connected where search results don't hit those 2 hosts..

I downloaded one of these once just to see what the hell it was. BTW, there's also an MP3 file like this too. The .url file is just a link. Same thing that your Favorites use in IE. It's a link to a porn site. The MP3 and the movie will both open up a different page (I guess so they can keep track of where their hits are coming from) on the same Porn site if you open them in Windows Media Player. It's not really a virus, just a very deceptive way for these people to get people to come to their site.

Ooohhh...OK - so it's not a Gnutella virus - it's Gnutella SPAM!

A porn merchant using sleazy tactics. Who would have thought?

In fact, it is not Gnutella anything.
It is an individual or company who happen to be "sharing" this garbage on the Gnutella Network. They also happen to be sharing this same garbage on WinMX and eDonkey, as well.

So, please don't think of these things as of the Gnutella Network.

__________________
Fusion for REAL!--CDex 1.51--Wackyuses--Bitzi - Check Files Before Download !--.mp3 File Name Change Problems? Try Rename-It!--Alternate PORTS--Avast- Anti-Virus--WindowWasher--IrfanView--PC Pitstop - Test your PC !--Mac OSX Troubleshooting--GO .ape ! - For 'Lossless' Audio Compression--Port :6346 - Test If It Is 'Blocked'--Cole2k Codecs--OldVersion - Newer isn't always better !
Nod32 - Free Virus Scan: Use ESET's Online Antivirus Scanner

Tomorrow's forecast:
Sunni in places, Shi'ite in others...

It seems to be always the same spammer, at least in my part of gnutella net, and I have checked and compared often, at least 50 times in two months.

The IP-Adress is always 194.213.194.37, as far as I can see, which resolves to:

inetnum: 194.213.194.0-194.213.194.63
netname: GTS-CZ-HOSTING2-PPAHA
descr:Server Hosting(Praha) GTS Czech a.s.,
possibly a dial-up.

I am not sure if it would be helpful or effective in any way to complain at his isp (above).

I wonder how many spammers are out there...

Greetings

hi

i had exactly the same thing on morpheus(which i have forcibly removed!) i thought i was going mad every search query i had there was always 3 types if file one an mp3,one a rar file and one an exe file from this ip address 66.250.52.45.

glad to know what it was

I'm afraid I can't agree with you. These are not the result of normal sharing like you or I would do. It seems to be the result of someone purposely hacking the Gnutella network to disseminate their offal.

Since the hit you get is always EXACTLY the same as the search you entered, my guess is that they have constructed some kind of custom server software that uses the Gnutella protocol. For any query it receives, their application generates a positive hit by combining the query string and some other string like ".MPG" and ".URL". Then if someone takes the bait and goes to download the file, their server sends out one of its "payload" files using the constructed name.

None of the regular Gnutella clients could pull this off, and it's just not possible that these dolts are sharing files with names that correspond to EVERY possible search query.

As for the IP address of the spammer(s), there are now dozens of them. The latest update to Gnucleus has a list of them and it now supports blocking them! There are 44 IPs on the list so far. Some of them repsond with your search plus MPG and URL, some of them respond with "secret paysite passwords" plus your search, and there are other combinations as well.

It seems one or more versions of this custom software is now making the rounds among the lowlife scumsucking leeches of the net, being traded or sold in the fetid, stagnant pools of reeking filth where these creeps brew their sleazy marketing schemes.

Since Gnutella is an open source protocol, you get the good with the bad. Anyone can write a Gnutella client - but anyone can also abuse the protocol for their own ends. That's what these stinking orifices are doing. And now that they've crashed the party, they'll never leave. We'll just have to learn to ignore their offensive odor, the same as we've had to do with their spam in e-mail and their pop-up ads on the web.

Hey, Cloudwatcher... (nice nick).......

Where exactly do we disagree?
I promise you that if we were talking about this subject in a private forum, my language would be a wee bit stronger than what I used in my above reply!

It IS some company pushing garbage with a really bad cheat that the majority will fall for.......

I find that I only get this [edit] if I do a search for some of the more rare things I am always looking for.
The thing seems to 'sense a degree of desperation' on the part of the searcher!!!!!! Geeeeeeeezzzz!!!!!

But.... BUT...... You are certainly affording far to great an ability, and a need for such ability, in regards to what we are really talking about...... Anybody can do it, right? I mean, it's just a link-file....... It's not the end of the world, right? No big anti-Gnutella Network conspiracy or anything remotely like it.... Just some more [edit]les trying to make a crude "buck" off the internet!

Never download any 28kb HTML files

Hey, I even edited my own post about these [edit]ers who do this [edit]!

__________________
Fusion for REAL!--CDex 1.51--Wackyuses--Bitzi - Check Files Before Download !--.mp3 File Name Change Problems? Try Rename-It!--Alternate PORTS--Avast- Anti-Virus--WindowWasher--IrfanView--PC Pitstop - Test your PC !--Mac OSX Troubleshooting--GO .ape ! - For 'Lossless' Audio Compression--Port :6346 - Test If It Is 'Blocked'--Cole2k Codecs--OldVersion - Newer isn't always better !
Nod32 - Free Virus Scan: Use ESET's Online Antivirus Scanner

Tomorrow's forecast:
Sunni in places, Shi'ite in others...

Well when I started this thread I thought I might be seeing evidence of Gnutella virus, but then when I found out what it really was, I called it a Gnutella spam. You said it's "not a Gnutella anything" and "please don't think of these things as of the Gnutella Network".

That's what I disagree with. This is a new kind of spam (or spam-like activity) that is ONLY spread via the Gnutella network and couldn't exist WITHOUT the Gnutella network.

Uhhh- I'm not sure where you're coming from with this one. I don't think your state of mind or the thing you're searching for really has much to do with it. I think the only thing that matters is whether one of these spambots is within your horizon when you do a search. If you're trying to say that it only kicks in when you do a porno search or something, well, I haven't found that to be the case. Why, I NEVER search for porn on Gnutella!

Not a big conspiracy, but how about a lot of little ones... Wouldn't that have the same effect? When you think about it, the whole concept of Gnutella is largely based on trust and goodwill. And the cretins who run these spambots are violating that spirit. They're in the same league as the jokers who purposely mis-label their files, only worse since they're doing it to turn a buck instead of just to be ornery. They are liars, and liars bug me, just on principle.

Sure, the tools they are using are crude enough now, and their tricks are mostly easy to ignore. But they add "noise" to the network and make it just a little harder to use. And you know they're not going to stop with these crude tools - they'll get more sophisticated, and Gnutella will suffer as a result.

Remember when pop-up ads were only used by porno sites? Now they're used by everybody who runs ads on the web - and web surfing is exponentially more annoying. How long until the noise overwhelms the "signal" in the Gnutella network? How long until somebody else uses this same tactic in a more aggressive fashion?

What if you did a search that returned 100 identical hits, yet 35 of them were actually spam in disguise? You'd stand a pretty good chance of getting a spam instead of the file you really wanted. Eventually, you'd start to download as many copies of each file as your bandwidth could handle, just to make sure you had at least one good copy in amongst the bogus ones. Multiply that increase by the number of users on the network, and you've got a pretty big bandwidth hit.

Not to mention what a pain it would be sorting out the fakes from the real files. Suppose RIAA started balsting out thousands of files that contained the first 45 seconds of a song, then switched over to a recorded announcement about file sharing being stealing?

I dunno. I'm not gonna cry all night over this or anything, it just ticks me off.

BTW - glad you like the nick!