Cross scripting spammer

Disclaimer: I don’t know for sure that this is cross scripting. Could be done some other way. I’m just guessing, OK?

———

Update: I checked with someone who’s seen a lot of …stuff.

He says one of the cases I showed him (probably the work of a different spammer than the one I write about in the rest of this post) had to have been done with a redirect in .htaccess plus a script.

The URL in question was:

http://www.blogshub.com/help/1/didrex-online-rx.html

That URL is broken, because the spammer’s site no longer contains those files. It was rigged to call

http://www.blogshub.com/help/1/script.php

And no matter what file name you came in with, the script would send you to the corresponding file on ebestdrugs.com.

My source thinks the site owner made a deal with the spammer, while my hypothesis was that the site was hacked. Basically, we can’t tell from the outside.

———

I found a read.php script that appears to have been cross scripted. I tried a random keyword, and it returned the same spam as with the URLs I found in Google (the owner of the site has been notified).

The script returned a redirect on this site: t3search.net
That then sent back a file from this site: search-vip.net
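Both cases above share one observable trait: whatever file name or keyword you request under the affected path, you get a 30x redirect to the same external host, usually with your file name echoed in the target. The following is an added example (my own, not code from the site or spammer discussed here) that looks for that trait in a list of probe results; the hosts and paths in the sample are constructed placeholders, not real observations.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of (requested path, HTTP status, Location header), as a
# site owner might collect by requesting a few made-up file names under one
# directory. Host names here are placeholders, not the ones in the post.
SAMPLE = [
    ("/help/1/didrex-online-rx.html", 302, "http://pharma.example/didrex-online-rx.html"),
    ("/help/1/zzz-made-up-name.html", 302, "http://pharma.example/zzz-made-up-name.html"),
    ("/help/1/another-keyword.html", 302, "http://pharma.example/another-keyword.html"),
    ("/help/1/index.html", 200, None),
    ("/about.html", 200, None),
]


def redirect_doorways(observations, own_host="www.example.com", min_names=2):
    """Group 3xx redirects by directory and flag directories where several
    distinct file names all land on the same external host, reporting whether
    the requested name is echoed in the target path (the 'any name works'
    behaviour described in the post). Redirects to own_host are ignored."""
    by_dir = defaultdict(list)
    for path, status, location in observations:
        if not (300 <= status < 400) or not location:
            continue  # only redirects are interesting here
        target = urlsplit(location)
        if target.hostname in (None, own_host):
            continue  # relative or same-site redirect: normal site behaviour
        directory, _, name = path.rpartition("/")
        by_dir[directory].append((name, target.hostname, target.path))

    findings = {}
    for directory, hits in by_dir.items():
        names = {n for n, _, _ in hits}
        hosts = {h for _, h, _ in hits}
        if len(names) >= min_names and len(hosts) == 1:
            findings[directory] = {
                "host": next(iter(hosts)),
                "names": len(names),
                "name_echoed": all(n and n in p for n, _, p in hits),
            }
    return findings


if __name__ == "__main__":
    for directory, info in redirect_doorways(SAMPLE).items():
        print(f"{directory}: {info['names']} names -> {info['host']} "
              f"(name echoed: {info['name_echoed']})")
```

A hit does not prove a compromise (the post itself notes the owner may have made a deal), but it tells you which directory and which external host to look at in .htaccess and the scripts next to it.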

The whois info seems fake, but contains this e-mail address: scrimak@mail.ru

Abates already had a story on that spammer.

I took the time to read the Russian traces the spammer had left behind. Turns out he sells doorway scripts and “spamilki”. In other words, spamming scripts. And his first name is Dimas, according to his ICQ page: 227922772

Payoff links are klik.php at 64.111.210.10

One Response to “Cross scripting spammer”

  1. Vasily Pumpkin Says:

    klik.php and the IP address belong to Peakclick. As you may know there are ties to Poland, perhaps a reason they prefer the Polish spelling “klik”, aside from saving one letter compared to the English spelling ;-)
