[conspire] Web spam and yandex forms
Akkana Peck
akkana at shallowsky.com
Tue Dec 7 12:51:42 PST 2021

I'm having a security issue with a website I run, and I'm hoping
some of the security experts here might be able to help me
understand what's happening.

I run a site, nmbilltracker.com, which tracks bills in the
New Mexico legislature. While getting it ready for the current
redistricting session, I discovered that I was getting large numbers
of new bogus user registrations, about one per minute.

These registrations have usernames like:

Профuт даже неопытнoгo нoвичка нaчинaeтcя oт 799 3eленых. Чтo
трeбyетcя? cовcем немного, всeгo пару шaгов Вы неpeaльно 6удетe
yдивлeны нacколько вce нeслoжно u будете жaлеть тoлько oб однoм:
почемy этoго всегo нe былo в прошлом
https : / / forms.yandex.by/u/61a554952ec1745f4c6e4b68 hig

(I added the spaces in the URL, to make it not clickable here.)

Google translates that as

The profit of even an inexperienced newcomer starts from 799
women. What is required? the whole a little, just a couple of
steps you are incredibly 6you are surprised how easy it is u you
will only regret one thing: why is it not in the past
https : / / forms.yandex.by/u/61a554952ec1745f4c6e4b68 hig

These user registrations also included email addresses of the form
[randomstring]@gmail.com, and in fact my first clue that something
was wrong was a bunch of postfix log entries for "no such user"
bounces from Google when trying to confirm email addresses.

I've added some "bogus username" checks to the registration
process, and will be deleting the thousands of bogus accounts.

This website doesn't have any data worth stealing except for
username/email/hashed passwd combos (and there's no indication
that anything has happened that would leak those).

Mostly I'm just curious what they were after. What good is it to
a spammer to register users with spam text as the username? Do they
think someone will click on the URL? Apparently yandex is Russia's
version of Google, and you can make custom forms like with Google Forms.
But I still don't really see what good it would do a spammer ...
unless maybe it's an attempt at a DDOS on yandex (googling on yandex
found stories about such a DDOS a few months ago).

And is there any point in looking for some sort of abuse at yandex
address to send an alert to? Or is yandex spammer-friendly and I'm
better off not giving them my email address?

...Akkana
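
One way to write the kind of "bogus username" check mentioned in the message above, as an added example that is not part of the original post and not the site's own code. It rejects the three traits visible in the quoted spam: excessive length, a URL (even with the scheme spaced out), and words that mix Latin letters with Cyrillic look-alikes. The function names, the 40-character limit and the sample strings are assumptions constructed for illustration.

```python
import re
import unicodedata

MAX_USERNAME_LEN = 40  # assumed limit; the post does not give one
CONFUSABLE_WITH_LATIN = {"CYRILLIC", "GREEK"}

# Matches a URL even when the scheme is spaced out ("https : / / host/...").
URL_RE = re.compile(r"https?\s*:\s*/\s*/|\bwww\.|\b[\w-]+\.[a-z]{2,}/", re.I)


def scripts_in(word):
    """Return the scripts used by the letters of word, e.g. {"LATIN"}."""
    # A Unicode character name starts with its script:
    # "CYRILLIC SMALL LETTER A", "LATIN SMALL LETTER U", ...
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in word if ch.isalpha()}


def bogus_username_reasons(username):
    """Return the reasons to reject username; an empty list means accept."""
    name = unicodedata.normalize("NFKC", username).strip()
    reasons = []
    if len(name) > MAX_USERNAME_LEN:
        reasons.append("too long")
    if URL_RE.search(name):
        reasons.append("contains URL")
    for word in name.split():
        found = scripts_in(word)
        # Latin letters spliced into a Cyrillic or Greek word (or the reverse)
        # are the look-alike trick visible in the quoted spam text.
        if "LATIN" in found and found & CONFUSABLE_WITH_LATIN:
            reasons.append("mixed-script word")
            break
    return reasons


# Constructed samples (not taken from real registrations).
SPAM_LIKE = ("\u041f\u0440\u043e\u0444" + "u" + "\u0442 \u043e\u0442 799 "
             "https : / / forms.example/u/abc")
PLAIN_CYRILLIC = "\u041c\u0430\u0440\u0438\u044f"   # an all-Cyrillic name
HOMOGLYPH = "b\u043eb"                               # "bob" with a Cyrillic o

if __name__ == "__main__":
    for sample in ("akkana", PLAIN_CYRILLIC, HOMOGLYPH, SPAM_LIKE):
        print(repr(sample), "->", bogus_username_reasons(sample) or "ok")
```

A name written entirely in one script passes, so the check does not block legitimate non-Latin usernames.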