Spammers that use the free forums to spam us all
Saturday, November 24 2007 @ 07:18 AM Eastern Standard Time
Contributed by: Michael Brusletten
Let's take as an example a spam message similar to the following:
A new spam post has been submitted at "Spacequad AntiSpam Services"
User UID: "1@64.202.120.55"
Content: "<p> <a href="http://phentermineorderch.sosblog.com/">Buy phentermine.</a> from Phentermine buy.<br> Buy phentermine. Buy phentermine cod. Buy phentermine online. Buy phentermine cheap. Buy cheap phentermine online pharmacy online. Phentermine buy. Buy cheap phentermine. <a href="http://phentermineorderch.sosblog.com/">[read more]</a><br> Tracked on Saturday, November 24 2007 @ 05:20 AM EST </p> "
Request headers:
HTTPS: off
HTTP_ACCEPT: */*;q=0.1
HTTP_HOST: www.spacequad.com
HTTP_USER_AGENT: TrackBack/1.02
HTTP_CONTENT_LENGTH: 279
HTTP_CONTENT_TYPE: application/x-www-form-urlencoded
And you click on the link. It will initially take you to http://phentermineorderch.sosblog.com, and the page will load the forum for that link. Then, out of the clear blue, it suddenly takes you to another page, over at http://dudir.com/index.php?q=phentermine&said=3612. Now you didn't expect that to happen, did you? So you go looking through the page source for any possible link to this redirect, but you can't find anything.
So we did some digging around on this joker's page and found that they have a few JavaScript files running. Nothing really important to report there, right? Wrong! If it's not in plain sight, then it's buried in the code someplace. So we went digging into all the elements that this page had to offer. It wasn't anything to do with the graphics or the page CSS. So we continued to the bottom of the page, where it has a counter running for visitor hits. We tore into that and discovered that the counter was not what it appeared to be. We found that the JavaScript was no more than a redirect to http://dudir.com/index.php?q=phentermine&said=3612: as soon as the page finished loading and hit the counter, the visitor was redirected to the new web page. Pretty slick, huh? Here's the code that they are currently using; it might change a tad bit, but it'll still work the same way.
First they insert the
<script language="javascript" src="http://www.iq17.com/counter/counter.js?id=3612"></script>
into the header of the page so that it can be called. Within that JS file is another statement that reads something like this.
var ref = escape(document.referrer);
document.write('<script language="javascript" src="http://www.iq17.com/counter/counter.js?id=3612&ref=' + ref + '"></script>');
Now you know what's going to happen, right? The old redirect gig. When the page calls this JS file the second time, it gets another command, like this.
document.location = 'http://dudir.com/index.php?q=phentermine&said=3612';
So the user ends up on the page the spammer wanted them to be on, without ever really knowing that they had been redirected unless they were paying attention to details.
Now that you know what you are looking for, please do us all a favor and build yourselves a script that goes through these spammers' pages to weed out the offenders that want nothing more than a launch pad for their spam campaigns. Ultimately we don't care if you host a spammer's site on your domain; all we ask is that you block or delete these scripts on those spam pages so that visitors cannot be redirected. Most, if not all, website administrators will agree with this. If you have any questions, please let us know.
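One way to build the kind of script asked for above, as an added example that is not from the original article: it walks a hosted page's external scripts, follows any script tags they emit through document.write(), and reports hard-coded redirects to another host. The function names, the in-memory fetch stub and its assumption that the counter host serves the redirect only when a ref parameter is present are illustrative; the sample data is constructed from the snippets quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hard-coded navigation: document.location = '...', location.replace('...'), etc.
REDIRECT_RE = re.compile(
    r"""\blocation(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|\blocation\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""")
# A <script src=...> tag that a script emits through document.write().
WRITTEN_SRC_RE = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']([^"']+)""", re.I)

class ScriptSrcs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # src of every external <script> tag in the page
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def find_redirects(page_url, html, fetch, max_depth=3):
    """Return (script_chain, target) for each off-host redirect reachable from the page."""
    parser = ScriptSrcs()
    parser.feed(html)
    queue = [([urljoin(page_url, s)], 0) for s in parser.srcs]
    findings, seen = [], set()
    while queue:
        chain, depth = queue.pop(0)
        if chain[-1] in seen or depth > max_depth:
            continue
        seen.add(chain[-1])
        body = fetch(chain[-1]) or ""
        for m in REDIRECT_RE.finditer(body):
            target = urljoin(page_url, m.group(1) or m.group(2))
            if urlparse(target).hostname != urlparse(page_url).hostname:
                findings.append((chain, target))
        # Follow scripts written by this script; a dynamic tail (the referrer) is left empty.
        for src in WRITTEN_SRC_RE.findall(body):
            queue.append((chain + [urljoin(chain[-1], src)], depth + 1))
    return findings

# Constructed sample: the three stages quoted above, served from memory, not the network.
# Assumption: the counter host returns the redirect only when a ref parameter is present.
PAGE_URL = "http://phentermineorderch.sosblog.com/"
PAGE = '<html><head><script language="javascript" src="http://www.iq17.com/counter/counter.js?id=3612"></script></head></html>'
STAGE1 = """var ref = escape(document.referrer);
document.write('<script language="javascript" src="http://www.iq17.com/counter/counter.js?id=3612&ref=' + ref + '"></script>');"""
STAGE2 = "document.location = 'http://dudir.com/index.php?q=phentermine&said=3612';"

def sample_fetch(url):
    return STAGE2 if "ref=" in url else STAGE1
```

Calling find_redirects(PAGE_URL, PAGE, sample_fetch) returns the two-step script chain together with the off-host target. Inline scripts and obfuscated redirects are outside what this sketch checks.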


