Throwing suspicion on Microsoft
I was tracing a spammer who used Plone redirect pages (isn’t every other spammer these days?).
When I found the redirect code, it had this URL in it:
http://www.live.com/?6772716C3529285C6665675B58601F535E5B1C4F5253164A50541457574355530D4144451A4B164B464336
I knew that domain belonged to Microsoft, and I’d already established that the redirect never went anywhere near Microsoft land, so what’s up?
Turns out the JavaScript throws away everything before the ? and then deobfuscates the numbers. So watch out for redirects that frame innocent domains!
Just to finish what I started:
The redirect is on doorgen.com, and it redirects to canadianpharmanetwork and torontodrugstore, affiliate number 2025.
Here’s the whois:
Seicha Alok Sight (support@doorgen.com)
140-18 rue des Fontinettes
Pas-de-Calais
Pas-de-Calais,62100
FR
Tel. +33.0610720912
This spammer is on 69.31.45.250 and 69.31.45.251 on Pilosoft.
Thanks to Dirk for figuring out the javascript.
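For analysts who meet the same trick, here is an added example (not the spammer's script and not Dirk's code) that flags a URL whose query string is pure hex and shows the host hidden behind the visible one. The positional shift it undoes is an assumption inferred from the sample URL above, chosen because it yields the doorgen.com host named in the post; the function names are hypothetical.

```javascript
// Added example: recover the hidden destination from a decoy-host redirect
// URL like the one quoted in the post. Run with Node.js.
// Assumption: each hex byte was shifted down by its 1-based position; this is
// inferred from the sample, not taken from the original script.

const SAMPLE = 'http://www.live.com/?6772716C3529285C6665675B58601F535E5B1C4F5253164A50541457574355530D4144451A4B164B464336';

// Return the raw query payload if it is nothing but hex byte pairs, else null.
function hexPayload(url) {
  const q = new URL(url).search.slice(1);
  return /^(?:[0-9A-Fa-f]{2}){8,}$/.test(q) ? q : null;
}

// Undo the positional shift: plaintext[i] = (byte[i] + i + 1) mod 256.
function decodePositional(hex) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const b = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode((b + i / 2 + 1) & 0xff);
  }
  return out;
}

// Analyse one URL: report the visible host, the decoded host (only if the
// payload decodes to an http(s) URL), and whether the two differ.
function analyseRedirect(url) {
  const visibleHost = new URL(url).hostname;
  const payload = hexPayload(url);
  if (payload === null) return { visibleHost, hiddenHost: null, decoy: false };
  let hiddenHost = null;
  try {
    const target = new URL(decodePositional(payload));
    if (/^https?:$/.test(target.protocol)) hiddenHost = target.hostname;
  } catch (e) {
    // Payload is hex but not a URL under this scheme; leave hiddenHost null.
  }
  return { visibleHost, hiddenHost, decoy: hiddenHost !== null && hiddenHost !== visibleHost };
}

console.log(analyseRedirect(SAMPLE));
```

A mail or web filter can use the `decoy` flag to score the link against the hidden host instead of the well-known domain shown in the URL.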
September 14th, 2006 at 3:36 pm
See my posts on http://blogs.msdn.com/livesearch/archive/2006/09/11/750079.aspx about what the new Microsoft LIVE search does with the HTTP_REFERER.
You may find that they’re using a middle page to redirect users to the final destination and hide the referring page and in turn making it look like an abused redirect page when in fact it may not be.
September 15th, 2006 at 5:47 am
The JavaScript was on a third party page. A site belonging to a non-spammer. You know, a regular Plone thing.
The JavaScript was a redirect, but it went to what I call a cutout. A domain controlled by the spammer, to hide the fact that he was spamming from the affiliate scheme.
September 23rd, 2006 at 1:44 am
I have just received an email spam where JS deobfuscates the URL. Spamcop said:
“Finding links in message body
Detected javascript in body. Cannot trust links in text. Aborting link detection.”
December 13th, 2006 at 3:14 pm
This is the US gov’t and MS keeping up the attack on the people.