
boakes.org


tags: Spam

Spam Indirection

August 25th, 2005, by Rich.



I think this may be a mildly new twist on email and referral spam: using referral spam to advertise a message that’s stored in an unused public newsgroup, thus avoiding spam filters.

This morning I checked the stats on this website, where there was a referring link from:

http://health.groups.yahoo.com/group/weight-loss-group/message/2

“Now”, I wondered aloud, “why would a health group be linking to me?”.

So I followed the link to see what the association was, and LO, it came unto me like a shining beacon:

I need to buy weight loss pharmaceuticals!

The indirection is as follows:

  1. Create a web based newsgroup
  2. Leave your advertising message on the group
  3. Request a couple of web pages from many thousands of websites
  4. Sell drugs to desperate victims who see and believe the message*
  5. Profit

* The key to this working is that many websites include a list of the latest referrers, so the site’s users will potentially click these referrers and see the message. It’s a bit desperate but if you can get the link in front of a million eyeballs and only 0.0001% click and buy, then that’s 100 customers, or perhaps more appropriately, 100 victims who hand over their credit card details.

The real killer blow, the thing that makes this technique work, is that most referral spam blocking algorithms block the whole domain which the spam advertises. In this case the domain is yahoo.com. I could potentially block health.groups.yahoo.com but my software won’t do that by default; I’d need to tweak it. This technique is just the spammers exploiting the tiniest of loopholes to get their advertising across in the time before the hole is plugged.
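
An added example, not part of the original post or of the blog software it mentions: a referrer filter whose rules match on hostname plus path prefix instead of the whole domain, run over constructed access-log lines. The rule values, function names and sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Rules are (hostname, path_prefix): a rule matches that host or any of its
# subdomains, and only URLs under the prefix. Values are illustrative.
NARROW_RULES = [("health.groups.yahoo.com", "/group/weight-loss-group/")]
# The "whole domain" rule the post describes as the usual default.
DOMAIN_RULES = [("yahoo.com", "/")]

# Apache combined log format: the referrer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)

def is_blocked(referrer, rules=NARROW_RULES):
    """True if the referrer URL falls under any (host, path prefix) rule."""
    parts = urlsplit(referrer)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    path = parts.path or "/"
    for rule_host, prefix in rules:
        host_match = host == rule_host or host.endswith("." + rule_host)
        if host_match and path.startswith(prefix):
            return True
    return False

def spam_hits(log_lines, rules=NARROW_RULES):
    """Return (client_ip, referrer) for every log line with a blocked referrer."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_blocked(m.group(2), rules):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2005:08:12:01 +0100] "GET / HTTP/1.1" 200 5120 "http://health.groups.yahoo.com/group/weight-loss-group/message/2" "Mozilla/4.0"',
    '198.51.100.7 - - [25/Aug/2005:08:13:44 +0100] "GET / HTTP/1.1" 200 5120 "http://search.yahoo.com/search?p=boakes" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Aug/2005:08:15:02 +0100] "GET / HTTP/1.1" 200 5120 "http://health.groups.yahoo.com/group/some-other-group/" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Aug/2005:08:16:30 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("narrow rule:", spam_hits(SAMPLE_LOG))
    print("domain rule:", spam_hits(SAMPLE_LOG, DOMAIN_RULES))
```

The narrow rule flags only the spam referrer, while the domain-wide rule also drops the search-engine and unrelated-group referrers, which is the collateral damage that makes domain blocking impractical for a shared host.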

Blacklisted

Incidentally, the incoming connections are from two IP addresses, 80.77.84.108 and 80.77.86.209 - the second of which is already blacklisted by Mat Sullivan’s realtime blacklist SORBS.

3 Responses to “Spam Indirection”

  1. 1
    Chris Samuel Says:

    I’ve had a different variation, a spam which instead of the spammer’s website has a link to a legit site’s redirect script which doesn’t check where it’s being sent to, and it’s being told to send you to the spammer’s site.

    Basically it’s to get around things like the current implementation of SURBL blacklist checking in SpamAssassin.

  2. 2
    kitty Says:

    it seems that mat sullivan is running his own ‘spam’ site … have you had a look at the site … imho … any unelected user that purports to police the internet … after all any dial up connection must be bad … does this sound like ‘any muslim must be bad’ … cos they killed the wtc

    and he is just another steve irwin … except he has no crocs

  3. 3
    Rich Says:

    Kitty, sorry but I have no idea what your point is, perhaps you had some markup that got stripped out before it reached the moderation stage. Can you clarify please?

    It looks like you’re suggesting that SORBS is bad, and attempting to bolster your argument through the use of an irrelevant religious simile.

    …and what on earth does this have to do with Steve Irwin?
