The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Tuesday, May 15, 2007

How desperate do you have to be to spam someone? Part III

After writing about this potential guestbook spammer, I changed the program name for the Obligatory Email Notification script to see what would happen.

Not terribly surprising, Mr. 72.232.102.130 stopped spamming my form. I guess his spamming software was smart enough to handle 404 errors (although technically, I should return a 410 response code but … eh, whatever).

Three days later, and someone else (and I suspect it's someone else, since the email addresses being submitted are “from” colleges and universities, and are not from Gmail, like Mr. 72.232.102.130 was using) is now spamming my Obligatory Email Notification script.

The first spam seemed to be a test (submitted a comment of “Hi My Name Is ivahag.”) but the rest appeared to be the type of spam you would find on a guestbook (“buy this male performance enhancer drug online!”) and at first, I couldn't figure out why the spammer was linking to the faculty page at East West University in Bangladesh.

But then I checked the source code (and this is why I'm not linking to this):

</BODY>
</HTML>
<html><iframe width=0 height=0 frameborder=0
src=http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
marginheight=0 vspace=0 hspace=0 allowtransparency=true
scrolling=no></iframe></html>
<html><iframe width=0 height=0 frameborder=0
src=http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
marginheight=0 vspace=0 hspace=0 allowtransparency=true
scrolling=no></iframe></html>
<html><iframe width=0 height=0 frameborder=0
src=http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
marginheight=0 vspace=0 hspace=0 allowtransparency=true
scrolling=no></iframe></html>
<html><iframe width=0 height=0 frameborder=0
src=http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
marginheight=0 vspace=0 hspace=0 allowtransparency=true
scrolling=no></iframe></html>

Lovely!

Here's how this works.

The spammer plasters links to the faculty page at East West University in Bangladesh in guestbooks for hot search terms based around male fertility drugs. Some poor sap who's Porsche 911 didn't help goes looking for said male fertility drugs and comes across the links to the faculty page at East West University in Bangladesh (due to the page rank generated by all the links) and thinks he's about to score cheap male fertility drugs.

Only what he sees is a list of academics at some obscure university on the other side of the world and goes back to some search engine to locate other sources of male fertility drugs (and Lord knows what type of ads I'm going to start getting from Google AdSense based on this entry). But unbeknownst to our inadequate feeling fellow, his browser has just generated four requests to some site that pays out money based upon page views. Since the page was requested by a real browser, the assumption that said site makes is that someone viewed the page from a link by Mr. Razec (or who's affiliate code is “razec”) and so Mr. Razec's account is credited by some small amount.

Which, over time, adds up.

Neat little scam, isn't it?

So yesterday I changed the names of the fields for the Obligatory Email Notification form, changing email to atthingy and comments (which, if you remember, is a non-displaying <TEXTAREA>) to blahblah and sure enough, Mr. Razec picked up on the changes and spammed the form again.

Only this time, the link he sent is to a guestbook that's already been spammed.

Obligatory Picture

[It's the most wonderful time of the year!]

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site: http://boston.conman.org/, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

http://boston.conman.org/2000/08/01

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2019 by Sean Conner. All Rights Reserved.