Estdomains history
December 1st, 2008
Spamhuntress | writes on spam and admin issues
Estdomains, home to lots of spam domains, is now history. Good riddance!
I wrote a while ago about a network of pages with fake biographies generated from a database and a script. Well, Phonera/Port80 has upped the ante.
Now they’ve created fake descriptions of Swedish domain names (yes, existing ones) on the same network of IP addresses. The net result is that those fake pages rank well if you search for that domain name. And presumably also if you search for the part before .se.
None of the pages are served right now, they return “socket error”. But they’re still filling up the Google index with junk.
The way I see it, Google should dump the entire 93.158.64.0 - 93.158.127.255 range now including the cache, when those pages are referenced by IP number instead of a domain name. And put a block on that IP range preventing those IP numbers from being crawled in the future, unless it’s a domain name that’s resolving to that IP range. Although there are some domains in that range, if you make sure you only nuke pages referenced by the IP number in Google, you should be golden.
I got an e-mail from a forum owner, asking about a particular behavior on his forum.
Several people had signed up for accounts and were posting low-content posts on lots of threads. They looked like just another “me too” type poster until he saw a broken image link in edit view. The image didn’t show up in the post as far as he could see. Hence the mail to me.
One of the user names was SEOdeveloping, which made the forum owner do some digging. He turned up a Cookie Stuffing script posted for sale by someone by the same nick.
I checked out the image link, and found there were a couple of 302 redirects in place, which made me think something was up - there’s no point in using PHP redirects in front of an image unless you’re up to something.
So I connected the two dots, and searched for these words:
cookie stuffing images
I found an article by former regular Esrun, explaining the technique. It’s the technique labeled image/2. Basically, they’re shoving a cookie on your system. Presumably they’re an affiliate of some well known site, and if you happen to visit that site and sign up or buy something, the cookie stuffer will get the signup bonus or affiliate percentage.
So time to send out a warning: Be careful about allowing your users to post images pointing to sites other than those you control. Otherwise you might have to check the images carefully.
This time, the domain the image sat on was photo-shack.com, which resembles closely a well known image hosting site. And although the image didn’t work the first time I checked one of the posts, it did the second time. I did receive a cookie from photo-shack.com each time I loaded that forum post, whether or not the smiley was visible. It was a nice Christmas smiley, and I’m guessing that spam campaign has been quite successful - they’re posting manually, the posts are on topic, and they’re behaving themselves. It doesn’t appear to be spam, because there’s no visible payoff.
But they ARE stuffing cookies.
Here’s a random hit from Google, with not one but TWO images loading from his fake image hosting site.
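To turn the two observations above (an off-site image in a post, and a redirect chain that drops a cookie while serving it) into something a forum admin can run, here is an added example in Python. It is not code from the original post or from the forum owner: the post HTML and the HTTP response chain are constructed for the example, the cookie names are invented, and `forum.example` stands in for the host the admin controls.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in a post."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_images(post_html, allowed_hosts):
    """Return image URLs whose host is not one the forum controls."""
    parser = _ImgCollector()
    parser.feed(post_html)
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for src in parser.srcs:
        host = (urlsplit(src).hostname or "").lower()
        if host and host not in allowed:
            hits.append(src)
    return hits


def cookie_setting_hops(chain):
    """chain: list of (url, status, headers) recorded while fetching one image.

    Returns (host, status, cookie-name=value) for every hop that sets a cookie.
    An image URL that answers with a 302 *and* a Set-Cookie is the cookie-stuffing
    signature: the browser asked for a smiley and got an affiliate cookie instead.
    """
    offenders = []
    for url, status, headers in chain:
        lowered = {k.lower(): v for k, v in headers.items()}
        if "set-cookie" in lowered:
            cookie = lowered["set-cookie"].split(";")[0]
            offenders.append((urlsplit(url).hostname, status, cookie))
    return offenders


# Constructed sample post (not from the forum in question): one smiley hosted on
# the forum itself, one on the look-alike image host.
SAMPLE_POST = (
    '<p>Me too!</p>'
    '<img src="http://forum.example/smilies/xmas.gif"> '
    '<img src="http://photo-shack.com/x/smile.gif">'
)

# Constructed redirect chain for the second image. Hosts, paths and cookie
# names are invented; only the shape (302, Set-Cookie, 302, image) is the point.
SAMPLE_CHAIN = [
    ("http://photo-shack.com/x/smile.gif", 302,
     {"Location": "http://merchant.example/?aff=1234",
      "Set-Cookie": "ps_track=abc; Path=/"}),
    ("http://merchant.example/?aff=1234", 302,
     {"Location": "http://photo-shack.com/real/smile.gif",
      "Set-Cookie": "affiliate=1234; Path=/; Max-Age=2592000"}),
    ("http://photo-shack.com/real/smile.gif", 200,
     {"Content-Type": "image/gif"}),
]

if __name__ == "__main__":
    for src in external_images(SAMPLE_POST, ["forum.example"]):
        print("external image:", src)
    for host, status, cookie in cookie_setting_hops(SAMPLE_CHAIN):
        print(f"{host} set {cookie!r} on a {status} response")
```

The first function is the cheap moderation filter (deny or queue posts with off-site images); the second is what you run by hand, with the headers of each hop captured from a proxy or `curl -I`, when a post still looks suspicious.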
I haven’t blogged much about webspam lately. Akismet kills most of it, so I’m not as annoyed.
But enter a new WordPress installation. It took a few weeks for the first spam to arrive, and then I attracted a regular. Geez, that’s annoying. I hadn’t had time to do something about the spam yet, but it was starting to annoy me enough that I took a closer look.
What I found was a lot of redirects to spammy sites through innocent third parties. Many of them came from Bitrix installations, but judging from the URLs, there are plenty of other susceptible redirect scripts. Here’s a sampling of URL fragments you could block in blog and forum software, which would silently get rid of a lot of spam posts:
external.php?url=http://
go.cgi?dest=http://
go.asp?url=http://
link.php?url=http://
links_ext.pl?http://
out.php?url=http://
rd?t=http://
redirect.cfm?trgturl=http://
redirect.php?goto=http://
redirect.php?url=http://
Another bad thing about these scripts is that you could pick up a trojan by going to a site you thought was safe, if you didn’t notice that the redirect actually pointed somewhere other than the safe site the redirect script is sitting on.
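The list above is a string blocklist; a comment filter gets more mileage if it also unwraps the destination, since the spammer will percent-encode `http://` or pick a parameter name that is not on the list. Here is an added example in Python, not code from the post or from any blog or forum software: the ten patterns are the post’s, the matching and unwrapping logic around them is mine, and the sample comment with its hosts (`innocent.example`, `pills.example`, `forum.example`) is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Redirect-script shapes listed in the post, as regexes.
REDIRECT_SCRIPTS = [
    r"external\.php\?url=",
    r"go\.cgi\?dest=",
    r"go\.asp\?url=",
    r"link\.php\?url=",
    r"links_ext\.pl\?",
    r"out\.php\?url=",
    r"rd\?t=",
    r"redirect\.cfm\?trgturl=",
    r"redirect\.php\?goto=",
    r"redirect\.php\?url=",
]
# Also accept the percent-encoded colon, which the raw string list would miss.
_SCRIPT_RE = re.compile(
    "(?:" + "|".join(REDIRECT_SCRIPTS) + r")https?(?:%3a|:)", re.IGNORECASE
)


def matches_known_redirector(url):
    """The post's blocklist, applied literally (plus %3A for the colon)."""
    return _SCRIPT_RE.search(url) is not None


def redirect_target(url):
    """Generic check that does not depend on the script name.

    Returns the absolute URL carried in the query string, whether as a bare
    'script?http://...' or as any parameter value, after percent-decoding.
    """
    query = unquote(urlsplit(url).query)
    if re.match(r"https?://", query, re.IGNORECASE):
        return query
    for _, value in parse_qsl(query, keep_blank_values=True):
        if re.match(r"(?:https?:)?//", value, re.IGNORECASE):
            return value
    return None


def spam_links(text, own_hosts):
    """(link, destination) for each link in a comment that bounces through a
    redirector to a host the site does not control."""
    own = {h.lower() for h in own_hosts}
    found = []
    for link in re.findall(r"https?://[^\s\"'<>]+", text, re.IGNORECASE):
        dest = redirect_target(link)
        if dest is None and not matches_known_redirector(link):
            continue  # ordinary link, not a redirector
        dest_host = urlsplit(dest).hostname if dest else None
        if dest_host and dest_host.lower() in own:
            continue  # redirect back to our own site, harmless
        found.append((link, dest))
    return found


# Constructed comment: two redirector links to an off-site host, one plain
# link, and one redirector that only points back at the site itself.
SAMPLE_COMMENT = (
    "Nice post! see http://innocent.example/redirect.php?url=http%3A%2F%2Fpills.example%2F "
    "and http://other.example/go.cgi?dest=http://pills.example/x "
    "also http://forum.example/thread.php?id=5 "
    "and http://forum.example/out.php?url=http://forum.example/faq"
)

if __name__ == "__main__":
    for link, dest in spam_links(SAMPLE_COMMENT, ["forum.example"]):
        print(f"{link}\n   -> {dest}")
```

`redirect_target` deliberately catches any query value that is an absolute URL, not just the named scripts, so it also flags redirectors the list has never seen; the price is the occasional false positive on a legitimate "return to" parameter, which the `own_hosts` check removes for your own site.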
When opening a site in a text browser that was spamvertized via e-mail, I found an iframe where the content was encoded.
The code was in this format:
&#somenumber;
I looked for a decoder, and upon examination, was sure the first few characters were http. So I plugged those into Google, and found that Google decodes it. Whatever part of that code you put in, Google spits back the decoded phrase, plus search results containing that decoded phrase.
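A search engine is a roundabout decoder. The format described (a number followed by a semicolon per character, decoding to `http...`) is what HTML numeric character references look like, `&#104;&#116;&#116;&#112;` for `http`; the rendering of this page has dropped the `&#` prefix, so treating it as that encoding is an assumption. Here is an added decoder in Python, not code from the post, that handles decimal and hex references, the bare `104;116;...` form as it appears above, and pulls the hidden URL out of an iframe. The sample iframe and its host `spamvertized.example` are constructed.

```python
import re

_NCR = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);?")


def decode_numeric_refs(text):
    """Decode HTML numeric character references: &#104; (decimal), &#x68; (hex).
    The trailing semicolon is optional, as browsers accept it that way too."""
    def repl(m):
        tok = m.group(1)
        cp = int(tok[1:], 16) if tok[0] in "xX" else int(tok)
        try:
            return chr(cp)
        except (ValueError, OverflowError):
            return m.group(0)  # not a valid code point, leave as-is
    return _NCR.sub(repl, text)


def decode_bare_codes(text):
    """The same data with the '&#' prefix stripped, e.g. '104;116;116;112;'."""
    return "".join(chr(int(c)) for c in re.findall(r"(\d{1,7});", text))


def encode_numeric_refs(text):
    """What the spammer's obfuscator does: one decimal reference per character."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def hidden_urls(encoded_html):
    """URLs that only appear once the references are decoded."""
    decoded = decode_numeric_refs(encoded_html)
    return re.findall(r"https?://[^\s\"'<>]+", decoded)


# Constructed sample: a 1x1 iframe whose src is fully encoded, as in the
# spamvertized page, plus a hex-encoded fragment for comparison.
SAMPLE_IFRAME = (
    '<iframe src="'
    + encode_numeric_refs("http://spamvertized.example/land.php?x=1")
    + '" width="1" height="1"></iframe>'
)
HEX_SAMPLE = "&#x68;&#x74;&#x74;&#x70;"

if __name__ == "__main__":
    print(SAMPLE_IFRAME[:60], "...")
    print("hidden:", hidden_urls(SAMPLE_IFRAME))
    print("hex:", decode_numeric_refs(HEX_SAMPLE))
    print("bare:", decode_bare_codes("104;116;116;112;"))
```

Python’s `html.unescape` does the same decoding for well-formed references; the hand-written version is here so the regex makes the format visible and so the prefix-stripped variant can be handled as well.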
I got an e-mail today that made me jump.
Mail subject: Your domain must be deleted today!
Dear user,
On Sat, 1 Nov 2008 12:50:02 +0200 we received a third party complaint of invalid domain contact information in the Whois database for this domain. Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.
The contact information for the domain which displayed in the Whois database was indeed invalid. On Sat, 1 Nov 2008 12:50:02 +0200 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.
PLEASE VERIFY YOUR CONTACT INFORMATION - http://www.enom.com
If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:
Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260
LINK TO CHANGE INFORMATION - http://www.enom.com
Thank you,
Domain Services [IncidentID:60970]
Wait a minute, I don’t have any domains at Enom!
I hovered the mouse over the link they wanted me to use. It points to:
enom.com.sys63.ru
Just another phishing attempt, folks!
I tested the site, but got blocked by my browser when accessing it with www in front of it. When I tried it again without www, I got in without the warning.
So what do they want? If they try to transfer the domains, change the e-mail address or change the DNS, I’d get an e-mail warning me of what’s going on. Could they get access to our credit card details?
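The hover check above is the whole detection: the link text says enom.com, the href goes to a host whose registrable domain is sys63.ru, with the brand name pasted in front as a subdomain. Here is an added example in Python, not code from the post, that does the same check over the (text, href) pairs pulled from a mail body. The registrable-domain logic uses a short hard-coded suffix list, which is an assumption for this example; a real tool would use the Public Suffix List. The `paypal.example` link in the test data is constructed.

```python
from urllib.parse import urlsplit

# Suffixes under which the registrable name is three labels long. Partial
# list, assumed for this example; use the Public Suffix List in production.
_TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.nz", "co.za"}


def registrable_domain(hostname):
    """'enom.com.sys63.ru' -> 'sys63.ru'; 'www.example.co.uk' -> 'example.co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_mismatch(visible_text, href, expected_domain):
    """Reason string if the link does not really lead to expected_domain, else None."""
    expected = expected_domain.lower()
    host = urlsplit(href).hostname
    if not host:
        return "href has no hostname"
    actual = registrable_domain(host)
    if actual != expected:
        if expected in host.lower():
            return f"brand name used as a subdomain of {actual}"
        return f"links to {actual}, not {expected}"
    # href is genuine; still flag link text that names some other site
    shown = urlsplit(visible_text).hostname if "://" in visible_text else visible_text.strip()
    if shown and "." in shown and registrable_domain(shown) != actual:
        return f"text shows {shown} but href goes to {host}"
    return None


def check_mail_links(links, expected_domain):
    """links: (visible_text, href) pairs from the message. Returns the bad ones."""
    flagged = []
    for text, href in links:
        reason = link_mismatch(text, href, expected_domain)
        if reason:
            flagged.append((text, href, reason))
    return flagged


# The phishing link from the mail above, plus two constructed genuine ones.
SAMPLE_LINKS = [
    ("http://www.enom.com", "http://enom.com.sys63.ru/"),
    ("LINK TO CHANGE INFORMATION", "http://www.enom.com/"),
    ("Thank you", "http://www.enom.com"),
]

if __name__ == "__main__":
    for text, href, reason in check_mail_links(SAMPLE_LINKS, "enom.com"):
        print(f"{text!r} -> {href}: {reason}")
```

The important comparison is on the registrable domain, not on whether the brand string appears in the hostname: `enom.com.sys63.ru` contains `enom.com` and that is exactly why a naive substring check would pass it.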
I discovered a spam trackback at the bottom of an article in an online Norwegian celebrity rag.
I was so stunned, because we see very little Norwegian spam. Most of it’s not even done by Norwegians, and if it is, they’re usually based outside of Norway.
The post was entitled “DETTE ER FANTASTISK!!!”, which means “This is amazing!!!”. The link went to krematoriet.blogspot.com. The account is owned by Geir. All of this is perfect Norwegian. But that’s all that’s on that page. He didn’t want to risk slowing the redirect down by adding text and images…
The blog redirects to booking.com through a tinyurl.com redirect. Code:
Oops, that redirect worked even when pasted in here! Anyway, it’s a meta tag with http-equiv="refresh" and a content attribute carrying the URL.
That in turn redirects to:
http://tracking.euroads.no/system/tracking.php?sid=3&cpid=143&adid=4944&acid=532
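Since the meta tag itself could not be shown without it firing, here is an added example in Python, not code from the post, that extracts a meta refresh target without rendering the page and walks a redirect chain mixing meta refreshes with HTTP Location headers. The pages are served from a constructed in-memory "web": the blog and tracking URLs are the ones named above, the tinyurl path `example-id` is a placeholder (the real short link is not on this page), and the order of the hops (blog, tinyurl, tracking, booking.com) is an assumption about how the chain above fits together.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# content="0;url=http://..." in its common spellings: optional url=, optional
# quotes, any case, surrounding whitespace.
_REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*(?:;\s*url\s*=\s*)?['\"]?([^'\"]*?)['\"]?\s*$", re.IGNORECASE
)


class _MetaRefresh(HTMLParser):
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = _REFRESH_RE.match(a.get("content", ""))
        if m and m.group(2):
            self.target = m.group(2)


def meta_refresh_target(html, base_url):
    """Absolute URL a page meta-refreshes to, or None."""
    parser = _MetaRefresh()
    parser.feed(html)
    return urljoin(base_url, parser.target) if parser.target else None


def follow_chain(start, fetch, max_hops=10):
    """fetch(url) -> (status, location_header_or_None, body).
    Returns [(url, status, how)] with how in {'Location', 'meta refresh', 'final'}.
    Stops on a loop or after max_hops so a redirect loop cannot hang the tool."""
    hops, seen, url = [], set(), start
    while url and url not in seen and len(hops) <= max_hops:
        seen.add(url)
        status, location, body = fetch(url)
        if 300 <= status < 400 and location:
            hops.append((url, status, "Location"))
            url = urljoin(url, location)
            continue
        nxt = meta_refresh_target(body, url)
        if nxt:
            hops.append((url, status, "meta refresh"))
            url = nxt
            continue
        hops.append((url, status, "final"))
        return hops
    return hops


# Constructed responses standing in for the live sites; nothing is fetched.
TRACKING = "http://tracking.euroads.no/system/tracking.php?sid=3&cpid=143&adid=4944&acid=532"
FAKE_WEB = {
    "http://krematoriet.blogspot.com/": (200, None,
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://tinyurl.com/example-id"></head><body></body></html>'),
    "http://tinyurl.com/example-id": (301, TRACKING, ""),
    TRACKING: (302, "http://www.booking.com/", ""),
    "http://www.booking.com/": (200, None, "<html>landing page</html>"),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, None, ""))


if __name__ == "__main__":
    for url, status, how in follow_chain("http://krematoriet.blogspot.com/", fake_fetch):
        print(f"{status} {how:13} {url}")
```

A text browser or `curl` shows the HTTP hops but sits on the meta refresh unless you read the source, which is why the parser is the part worth keeping; swapping `fake_fetch` for a real `urllib.request` call with redirects disabled gives the live chain.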
It’s a Norwegian/Swedish/Danish ad network.
I read somewhere you won’t get accepted into the affiliate program unless you have a website. Well, here the referrer is coming from tinyurl, so this affiliate should get thrown out of the program!
And from what I’ve seen now, I’m willing to accept that this is probably a Norwegian spammer. Shame on you!
I’ve strayed into Google Groups again, and happened to find a search term that gave me plenty of spam group hits:
pharmacy direct
I’m guessing there are hundreds of letter soup groups, but the MO has evolved since last time there was a cleanup over there (Google removed the groups I complained about last time).
This time many of the groups have several members. I’ve seen up to 14 members (presumably all alternate IDs of spammers), but there’s no set number of members. It depends on how old the group is. Older groups have more members, and in addition to pages, which seem to be created while the group is new, the older the group is, the more likely it also has mail messages. Some of these groups have open membership, so it’s possible the mails are from spammers other than the one that started the group.
The groups now also often have a description. I’ve seen “Father Brown” several times, and many of the descriptions look like remixed text from a book, possibly about Father Brown? The text reads like gobbledygook: The sentences make sense when read by themselves, but it looks like sentences have been spliced together without any regard to context. Some groups also have lists of near identical spam terms.
There’s literally no end to the number of spam groups that have included those search terms in at least one message, so one Google technician will have a heck of a job removing all that crap!
There’s a discussion today in Norway about a website set up to funnel people to pay porn sites. The website itself is a discussion forum, where people routinely upload pornographic pictures. Many of those pictures are illegal, such as photos taken of unwitting girls on beaches. There’s also misuse of famous people’s pictures, stolen from various places.
They’ve managed to figure out who owns the website, but part of the discussion is what to do about the website - the server is in another country, and it might be extremely difficult to get it shut down.
I just wanted to suggest another solution:
Block it with DNS.
It’s doable on a national level. Italy did it with The Pirate Bay. Of course, it won’t keep out the persistent pervs, but a DNS ban - after a court process of a suitable nature - would at least make the domain less viable commercially - and that’s the point!
I got a spam e-mail today that piqued my interest. It was written in Danish, and the name on the account looked familiar. The text of the e-mail was also in Danish, but was pure spam. This surprised me, because there’s virtually no Norwegian-language spam - our laws are too tough for that to happen much. I assume the same is true of Denmark.
So I started investigating.
The whole list of addresses it was sent to was visible. Looking through it, I thought it looked like someone’s e-mail address book. And I recognized the name and where I’d seen it. A guy I met a little over a year ago. He wasn’t likely to have sent this. I’ve contacted him to tell him he’s been hacked.
The spam was directing people to a store registered with a Chinese name:
store-168.com
And it’s been named before as one of the sites benefiting from stolen Gmail account passwords. McAfee also has a comment saying the site is pure phishing.