* * * * *
How desperate do you have to be to spam someone? Part III
After writing about this potential guestbook spammer [1], I changed the
program name for the Obligatory Email Notification [2] script to see what
would happen.
Not terribly surprising, Mr. 72.232.102.130 [3] stopped spamming my form. I
guess his spamming software was smart enough to handle 404 errors [4]
(although technically, I should return a 410 response code but … eh,
whatever).
Three days later, and someone else (and I suspect it's someone else, since
the email addresses being submitted are “from” colleges and universities, and
are not from Gmail [5], like Mr. 72.232.102.130 was using) is now spamming my
Obligatory Email Notification script.
The first spam seemed to be a test (submitted a comment of “Hi My Name Is
ivahag.”) but the rest appeared to be the type of spam you would find on a
guestbook (“buy this male performance enhancer drug online!”) and at first, I
couldn't figure out why the spammer was linking to the faculty page at East
West University in Bangladesh.
But then I checked the source code (and this is why I'm not linking to this):
> </BODY>
> </HTML>
> <html><iframe width=0 height=0 frameborder=0
> src=
http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
> marginheight=0 vspace=0 hspace=0 allowtransparency=true
> scrolling=no></iframe></html>
> <html><iframe width=0 height=0 frameborder=0
> src=
http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
> marginheight=0 vspace=0 hspace=0 allowtransparency=true
> scrolling=no></iframe></html>
> <html><iframe width=0 height=0 frameborder=0
> src=
http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
> marginheight=0 vspace=0 hspace=0 allowtransparency=true
> scrolling=no></iframe></html>
> <html><iframe width=0 height=0 frameborder=0
> src=
http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
> marginheight=0 vspace=0 hspace=0 allowtransparency=true
> scrolling=no></iframe></html>
>
Lovely!
Here's how this works.
The spammer plasters links to the faculty page at East West University in
Bangladesh in guestbooks for hot search terms based around male fertility
drugs. Some poor sap who's Porsche 911 didn't help goes looking for said male
fertility drugs and comes across the links to the faculty page at East West
University in Bangladesh (due to the page rank [6] generated by all the
links) and thinks he's about to score cheap male fertility drugs.
Only what he sees is a list of academics at some obscure university on the
other side of the world and goes back to some search engine [7] to locate
other sources of male fertility drugs (and Lord knows what type of ads I'm
going to start getting from Google AdSense [8] based on this entry). But
unbeknownst to our inadequate feeling fellow, his browser has just generated
four requests to some site that pays out money based upon page views. Since
the page was requested by a real browser, the assumption that said site makes
is that someone viewed the page from a link by Mr. Razec (or who's affiliate
code is “razec”) and so Mr. Razec's account is credited by some small amount.
Which, over time, adds up.
Neat little scam, isn't it?
So yesterday I changed the names of the fields for the Obligatory Email
Notification form, changing email to atthingy and comments (which, if you
remember, is a non-displaying <TEXTAREA>) to blahblah and sure enough, Mr.
Razec picked up on the changes and spammed the form again.
Only this time, the link he sent is to a guestbook that's already been
spammed.
[1]
gopher://gopher.conman.org/0Phlog:2007/05/10.2
[2]
https://boston.conman.org/
[3]
http://clusty.com/search?input-form=clusty-simple&v%3Asources=webplus&query=72.232.102.130
[4]
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5
[5]
http://www.gmail.com/
[6]
http://en.wikipedia.org/wiki/PageRank
[7]
http://www.google.com/
[8]
https://www.google.com/adsense/
Email author at
[email protected]
