funsec mailing list archives

Re: New spammer tricks


From: "Larry Seltzer" <Larry () larryseltzer com>
Date: Thu, 13 Mar 2008 19:39:13 -0400

Yeah, Nick's right. Redirects through Yahoo have been a big deal for
many many years. Google redirects are newer, but so is Google. 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Nick FitzGerald
Sent: Thursday, March 13, 2008 6:41 PM
To: funsec () linuxbox org
Subject: Re: [funsec] New spammer tricks

rms () computerbytesman com wrote:

> I haven't seen this trick used before.   ...

You must not get, or at least look at much of your, spam...

> ...  Some spammer is using Google to
> redirect to their own Web site.  ...

Ancient.

Been around for a long time, plus several variations including adwords,
DoubleClick (now owned by Google) and such.  Perhaps my favourite such
trick is the "Google search URL with 'I'm feeling lucky' option" --
after ensuring that a search for some reasonably unique phrase on the
target page, or just the domain name itself, has the target page as the
first search result, spam out the search URL with Google's "I'm feeling
lucky" option (the "btnI" URL parameter) which tells Google to redirect
to the top search hit rather than display the search results list.

I reported this to John Graham-Cumming in July last year as a potential
TSC entry, but he didn't add it to TSC until September:

  http://www.jgc.org/tsc.html

(look for the "Are you feeling lucky, Sergey?" entry).  Although I was
fairly sure I'd heard of this being used earlier, a quick search at the
time did not turn up earlier examples of spammers using it.

The fun thing about this one is that a high-profile site can easily
subvert it, resulting in an effective, remote and fully hands-off "take-
down", as Bojan Zdrnja noted in an update to his ISC Diary blog entry
about the phenomenon:

   http://isc.sans.org/diary.html?date=2007-09-21

> ...  Lots of Web sites offer redirector URLs which can be used by the
> spammers.  Tinyurl and similar services would be another obvious
> choice.

In my experience, tinyurl.com is pretty responsive to abuse reports,
whereas Google, DoubleClick, etc are not.  Google did fix the then well-
known and heavily-used "url?q=<target_url>" redirector, but most of
their other open redirectors are directly tied to their revenue
generation business and re-writing their whole infrastructure to fix
that is either taking longer or has been deemed not worth the effort, so
the spammers have moved to using all those other open redirectors.

> I'm also starting to get spam messages that place HTML Web pages in
> attached Zip files to avoid spam filters.  So far, none of the Web
> pages appear to be malicious.

Yeah -- this seemed to start about a week to ten days ago and aside from
avoiding message content spam filters, I'm not sure it buys the spammers
a lot.  Is there a common MUA out there that makes viewing the HTML
content of these attachments really, really easy?  I have seen
password-protected ZIP attachment spam with directions in the message
body that the attachment contains links to porn and that you should only
"unlock" the attachment with the provided password and read its contents
if you are of a legal age to view porn where you live and only if
viewing porn is not otherwise illegal.  The difference was that the
message made it fairly clear what you would, ahem, "gain" from opening
the attachment.  This latest batch of non-encrypted ZIP attachment spam
doesn't seem, to me, to have quite such a clear message, with very
minimalist spams typically, in the ones I've seen, like:

   Subject: Don't get left behind, get it

            Feel and smell more sexy to women

            Details attached


   Subject: Master in bed games

            Take her to seven heaven

            Details attached

So I'm not sure that there is that much of a hook to the spammers' 
potential customers...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

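The two tricks discussed in the thread, as an added example that is not code from the thread or from any of the posters: a small Python triage routine that pulls URLs out of a message body, flags the two Google redirector forms Nick names (the old "url?q=<target>" form, where the destination is in the URL itself, and a "/search" URL carrying the "btnI" parameter, where the destination is whatever Google ranks first for the query, so only the query can be recovered offline), and then looks inside a ZIP attachment for HTML members and the URLs they carry without rendering anything. The sample message body, the ZIP attachment, the hostname example.invalid and the tinyurl path are all constructed for the example; the encrypted-member handling uses the ZIP encryption flag bit so the password-protected variant is reported rather than read.

```python
"""Spam triage for two tricks discussed in this thread: URLs routed through
Google's open redirectors (url?q= and the "I'm feeling lucky" btnI search
form) and HTML pages hidden in ZIP attachments.  Added example, not code
from the thread; the sample message and ZIP below are constructed, and
example.invalid stands in for the spammer's landing site."""
import io
import re
import zipfile
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_google_redirector(url):
    """Return (kind, target) if url is a Google redirector, else (None, None).

    "url_q": http://www.google.com/url?q=<target>; target is the literal
    destination.  "feeling_lucky": a /search URL carrying btnI, which makes
    Google bounce the visitor to the top hit; the destination is whatever
    ranks first for the query, so only the query is returned.
    """
    parts = urlparse(url)
    # strip userinfo and port so "google.com@evil" or "google.com:80" parse sanely
    host = parts.netloc.lower().split("@")[-1].split(":")[0]
    if host != "google.com" and not host.endswith(".google.com"):
        return None, None
    qs = parse_qs(parts.query, keep_blank_values=True)  # "btnI" with no value
    query = qs.get("q", [""])[0]
    if parts.path == "/url" and query:
        return "url_q", query
    if parts.path == "/search" and "btnI" in qs:
        return "feeling_lucky", query
    return None, None


def find_redirectors(text):
    """Every URL in text that is a Google redirector, as (url, kind, target)."""
    hits = []
    for url in URL_RE.findall(text):
        kind, target = classify_google_redirector(url)
        if kind:
            hits.append((url, kind, target))
    return hits


def html_members(zip_bytes, max_members=50):
    """List (name, urls) for .htm/.html members of a ZIP, without rendering.

    urls is None for a password-protected member (the "unlock it if you are
    of legal age" variant): bit 0 of flag_bits is the ZIP encryption flag,
    and the payload cannot be read without the password from the body.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            if info.flag_bits & 0x1:
                found.append((info.filename, None))
                continue
            page = zf.read(info).decode("utf-8", errors="replace")
            found.append((info.filename, URL_RE.findall(page)))
    return found


def triage(body, zip_attachment=None):
    """Summarise one message: redirectors in the body, HTML pages in the ZIP."""
    report = {"redirectors": find_redirectors(body), "html_attachments": []}
    if zip_attachment is not None:
        for name, urls in html_members(zip_attachment):
            report["html_attachments"].append({
                "name": name,
                "encrypted": urls is None,
                "redirectors": find_redirectors(" ".join(urls or [])),
            })
    return report


# Constructed sample resembling the minimalist spams quoted in the thread.
SAMPLE_BODY = """Subject: Master in bed games
Take her to seven heaven
http://www.google.com/url?q=http://example.invalid/landing
http://www.google.com/search?q=%22take+her+to+seven+heaven%22&btnI
http://tinyurl.com/notgoogle
Details attached
"""


def sample_zip():
    """Build the constructed "Details attached" ZIP: one HTML page, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("details.html",
                    '<html><body><a href="http://www.google.com/url?q='
                    'http://example.invalid/buy">Details</a></body></html>')
        zf.writestr("readme.txt", "not html")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BODY, sample_zip()), indent=2))
```

Run as a script it prints the report for the constructed message: two redirectors in the body (the url?q= one with its literal target, the btnI one with only the search phrase, since the real destination is decided by Google's ranking at click time) and one HTML attachment whose single link is another url?q= redirector. The tinyurl link is deliberately not flagged; it is a redirector too, but, as Nick notes, one whose operator answers abuse reports, and resolving it needs a live request.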