This morning, I found a message in my comment moderation queue which I thought I should warn people about.
Like most comment spam these days, it listed a genuine-looking e-mail address at a big-name provider, but instead of trying to be SEO spam, the URL field was pointed at the front page of Shutterstock and the message body tried to scare me with claims that they were a certified photographer (what does that even mean?), I had photos on my site that were infringing their copyrights, and if I didn’t take them down, I’d be reported to my hosting provider and/or sued.
Now I find this to be a hilarious piece of scam-work for three reasons:
- My site has almost no images of any kind in order to keep bandwidth consumption down
- There’s only one image on the entire site that isn’t either part of the bundled-with-WordPress theme I’m using, a screenshot I took of non-photographic content, or a diagram I drew.
- That single photo is the picture of me in the sidebar, which was taken by a member of my immediate family out behind our house, not some random stranger on the Internet.
…so why am I bringing this up? Well, the threat tries to drive you to download something off Google Drive which is supposedly a list of what you’ve infringed.
First, that should already be ringing alarm bells. If they could customize the URL, why couldn’t they just say what I’ve infringed in the message like a DMCA takedown message would?
…and why wouldn’t they mention the DMCA or EUCD, which have the force of law behind them, when so many people are over-eager to do so? Probably because sending such a takedown requires you to list what you want to be taken down and swear under penalty of perjury that you hold the rights to it.
(Not to mention, why would a legitimate sender post a comment on a random post with no images in it, rather than using the contact form.)
Second, a line like “Take a look at this document with the links to my images you used at blog.ssokolow.com and my earlier publications to obtain the evidence of my ownership.” is classic form-letter spam… though, granted, spam usually just uses ssokolow.com in place of actually referring to the site in a way that would require a human to compose.
This is clearly a message that’s trying to come across as written by a human, but has the markers of being submitted by a bot. Obvious botspam if you know what to look for.
In fact, I’ve been meaning to rework my anti-spam code to require filling out an hCaptcha if a message mentions the domain name of the site the message is being submitted to without it being part of a proper URL (i.e. blog.ssokolow.com instead of http://blog.ssokolow.com/ or whatever), because it’s such a common spam tactic to copy-paste the domain into the form letter to make it sound more official.
I decided to see what they were pushing, so I spun up an up-to-date copy of Chromium in Incognito Mode in a sandbox on Linux and pasted in the URL… it immediately asked me to log into my Google Account.
Now, I’m not familiar with Google Sites, but it wouldn’t surprise me if there’s some way for them to get a log of which Google accounts accessed a file that’s been marked private (enterprise customers would want that), and this is some attempt to scrape e-mails to sell to spammers.
I didn’t feel like creating a throwaway Google account just to investigate further, so I left it there.
The takeaway?
Don’t let spammers goad you into revealing your contact information… especially when their messages look so unlike real legal threats.
UPDATE 2021-05-25: Received another one today which actually did do the DMCA boilerplate and didn’t require login to get to the “download proof” button when I opened it in a sandboxed copy of Chromium in Incognito Mode.
Unfortunately, “Your download should begin automatically.” didn’t, no matter how many times I clicked the “Download my file” button, so, unless they’re trying to exploit my browser to infect my system, I still have no idea what the scam is.
…and since they’re still posting random comments on fanfiction reviews with no images (rather than using the contact form), on a blog with almost no images, and all the images are things I own the rights to, and they still won’t say what they claim I’m infringing in the message itself, I’m still convinced that it’s a scam.
(Plus, the DMCA boilerplate seems to be addressing me as “a service provider”, which suggests they copy-pasted somebody’s example of DMCA text that would be sent to a service like WordPress.com or Blogger, rather than to the blogger themself.)
To be clear how serious I am about these people acting in bad faith, here’s a breakdown of all the image files that show up outside the the stock WordPress theme I’ve extended and the common WordPress plugins I’m using, when I check my local backup of my WordPress install:
- The site’s favicon, which I created from scratch by clicking pixels together in GIMP.
- One photo of me taken by a family member out behind our house.
- A bunch of screenshots of open-source programs I created, none of which display photos.
- A bunch of screenshots (often annotated) showing the effects of custom CSS userstyles I wrote, none of which depict anything more photographic than a 23px-by-42px thumbnail of a game box in a cropped and annotated screenshot of an Amazon wishlist.
- A bunch of Inkscape drawings and flowcharts I did from scratch.
- A few cropped screenshots of things like my custom system tray icons and my Conky theme.
- One screenshot of a Chameleon Twist error message that is eligible for fair use under the same terms Wikipedia uses to justify their screenshots, and which would certainly have nothing to do with a copyright claim which links to the front page of shutterstock in the comment form’s URL field.
- A bunch of old icons for sites like del.icio.us, FriendFeed, StumbleUpon, and Google Code from a plugin I removed ages ago, which I forgot to delete… and those haven’t actually been displayed by the site in a decade… just loose files sitting on the server taking up space.
Unless a WordPress plugin author turned evil and slipped something in as part of a routine update, just so they could extort downstream users, that’s it. Those are all the images I’ve uploaded in the 16 years I’ve been running this blog.
…so don’t pay these scammers any attention. (After all, depending on how a blog is configured, submitting something like this to a comment form may go straight to public display without the author ever getting an e-mail notification. If that’s not spam, then it’s unbelievable, record-breaking incompetence.)
Warning about a new comment spam scam by Stephan Sokolow is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Are you sure that the “immediately asked me to log into my Google Account” was actually the Google login page, rather than a scam page trying to harvest your Google credentials? I’ve seen that before.
I could be wrong, but I’m pretty sure I checked and found that it had the correct EV certificate for an official Google login page.
I like looking through a post that will make people think. Also, thank you for allowing me to comment!
You’re welcome… though, as is my policy for comments that don’t say anything specific enough about the content of the post, I’ve blanked out the URL field on your comment before approving it.
(Anti-spam measure. Too many spammers post comments that could apply to anything just to game SEO via the post URL field.)