Tuesday, 2 August 2011

Blog Spam Analysis Series: CISSP Spam surprise

Update 08/08/2011: Added link to further evidence of Shon Harris spamming via blog comments from ittraining blog at the bottom of the post.

I have maintained this blog for some time. I appreciate comments but sometimes there is spam that unfortunately gets in:

In particular, I was interested in the CISSP spam: the CISSP post is one of the most popular on this blog, and perhaps that is why spam tends to end up there.

In the screenshot above you may notice that the CISSP spam so far comes from three spammers: Gowshika, Mithun and Nitheesh. Let's take a look at them:


Gowshika's information:
- Spam messages to my blog to date: 1 (100% CISSP Spam)
- No blog, only a blogger profile: Probably too busy spamming people to keep up a blog too ;)
- Profile created in May and alive until at least August 2011 when the spam arrives
- Potentially an Indian female according to minor research below if the name is really her real name.
- Spam link goes to:

Although I did not know this initially, a simple Google search reveals that Gowshika is an Indian name:


Would you put your name in your profile if you were a spammer? I suppose I would not :). That being said we have to admit that Gowshika was smart enough to avoid writing down her surname, email address and phone number :). Gowshika could also be the name of the spammer's girlfriend or whatever but this somehow points to India anyway.

I was going to go with the rough rule of "if it finishes in 'a' it is possibly a girl" but I actually double checked that Gowshika is truly a female name with a couple more Google searches like "Gowshika male" and "Gowshika female".

Next spammer:
Mithun's information:
- Spam messages to my blog to date: 2 (100% CISSP spam)
- No blog, only a blogger profile: Probably too busy spamming people to keep up a blog too ;)
- Profile created in May and alive until at least August 2011 when the spam arrives, previous spam link sent on 29/6/2011.
- Potentially an Indian male according to minor research below if the name is really his real name.
- Spam links go to:

There is a famous Indian actor as the first Google result (so possibly: Indian and male):


Next spammer:

Nitheesh's information:
- Spam messages to my blog to date: 2 (100% CISSP spam, 1 message went to this post but the spam link still pointed to a CISSP site)
- No blog, only a blogger profile: Probably too busy spamming people to keep up a blog too ;)
- Profile created in May and alive until at least August when I could still open the profile (02/08/2011). Both spam links sent on 21/6/2011.
- Potentially an Indian male according to minor research below if the name is really his real name.
- Both spam links go to:

A simple Google search reveals this is an Indian male name:


At this point the state of the investigation is as follows:
- 3 spammers for all CISSP spam links to date
- Potentially 2 Indian males and 1 Indian female
- 100% of CISSP spammers were potentially Indian
- 100% of the CISSP links go to www.logicalsecurity.com
- Spam links:

I was thinking that, despite looking very similar if not identical to Shon Harris' main CISSP domain for selling CISSP materials, this site would probably be some form of malware site (seriously, that was my first reaction). However, I was wrong: www.logicalsecurity.com appears to be a legitimate site and even Shon Harris' LinkedIn profile links to it!

It seems unlikely to me that Indian people would bother to post CISSP spam comments in my blog for the lulz alone. You do not need to be very smart to realise that the business model points to Shon Harris outsourcing spammers in India to increase sales of her CISSP training materials.

Further, there is evidence gathered by attrition.org that logicalsecurity.com was previously spamming via email too, both in 2008 and in 2010.

Not only that, but Jericho from attrition.org actually confronted Shon Harris directly about it in 2010 and Shon did not mention, ever, in a single line of her emails (yes I read it all) that she was not sending spam. Ironically the conversation started because Shon had problems unsubscribing from the mailing list :).

There are hints of this in the emails that went on between Jericho and Shon but I wondered this myself too as I was investigating the spam in my blog: What is the value of the CISSP code of ethics if the top authority in CISSP training materials and a CISSP herself, Shon Harris, violates them like this?

One of the clauses in the code of ethics is literally: "Act honorably, honestly, justly, responsibly, and legally". A CISSP, or anybody with some basic ethics for that matter, should not be sending spam. Matters get worse when you are not only a CISSP but also training other future CISSPs: most people would expect the trainer to lead by example.

Finally, I would like to mention that the following looks unprofessional too:

# curl -A CISSP -i logicalsecurity.com|head -3
...
HTTP/1.1 200 OK
Date: Tue, xx Aug 2011 xx:xx:xx GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
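
Why that banner matters, as an added example that is not part of the original post: the function names below are hypothetical, and SAMPLE_HEADERS is the response shown above. The script counts how many product/version pairs a Server header hands to anyone who asks, which is a quick check to run against your own hosts.

```shell
#!/bin/sh
# Added example: audit an HTTP response for version disclosure in the
# Server header. SAMPLE_HEADERS reproduces the response quoted in the post.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Tue, xx Aug 2011 xx:xx:xx GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9'

# Print the value of the Server header (name matched case-insensitively,
# carriage returns from the wire format stripped).
server_header() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print one "product version" pair per line for every product/version token.
# Tokens without a slash, such as "(Unix)", carry no version and are skipped.
versioned_tokens() {
    server_header | tr ' ' '\n' |
        awk -F/ 'NF == 2 && $2 ~ /^[0-9]/ { print $1, $2 }'
}

# Number of versions disclosed; a minimal banner ("Server: Apache") gives 0.
disclosure_count() {
    versioned_tokens | wc -l | tr -d ' '
}

# Exit status 0 when nothing versioned is disclosed, 1 otherwise.
banner_is_minimal() {
    [ "$(disclosure_count)" -eq 0 ]
}

# Stand-alone run: list what the quoted banner reveals.
printf '%s\n' "$SAMPLE_HEADERS" | versioned_tokens
```

To audit a host you run, pipe `curl -sI` output into `disclosure_count`. On Apache the banner is reduced with `ServerTokens Prod`, and PHP stops advertising itself with `expose_php = Off` in php.ini.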

Pro tip: Do not spam security folks ;)

Update 08/08/2011: Further evidence of this activity from the ittrainingblog (04/08/2010):
"FUNNY UPDATE: Check out the comment spam we got from Shon Harris' blog, I actually approved it. I'm interested to know what spammy SEO company she has marketing her site, Shon has far too strong a name in the industry for that."
