How desperate do you have to be to spam someone? Part III

After writing about this potential guestbook spammer [1], I changed the program name for the Obligatory Email Notification [2] script to see what would happen.

Not terribly surprising, Mr. 72.232.102.130 [3] stopped spamming my form. I guess his spamming software was smart enough to handle 404 errors [4] (although technically, I should return a 410 response code but … eh, whatever).

Three days later, and someone else (and I suspect it's someone else, since the email addresses being submitted are “from” colleges and universities, and are not from Gmail [5], like Mr. 72.232.102.130 was using) is now spamming my Obligatory Email Notification script.

The first spam seemed to be a test (submitted a comment of “Hi My Name Is ivahag.”) but the rest appeared to be the type of spam you would find on a guestbook (“buy this male performance enhancer drug online!”) and at first, I couldn't figure out why the spammer was linking to the faculty page at East West University in Bangladesh.

But then I checked the source code (and this is why I'm not linking to this):

>
```
</BODY>
</HTML>
<html><iframe width=0 height=0 frameborder=0
src=http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
marginheight=0 vspace=0 hspace=0 allowtransparency=true
scrolling=no></iframe></html>
<html><iframe width=0 height=0 frameborder=0
src=http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
marginheight=0 vspace=0 hspace=0 allowtransparency=true
scrolling=no></iframe></html>
<html><iframe width=0 height=0 frameborder=0
src=http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
marginheight=0 vspace=0 hspace=0 allowtransparency=true
scrolling=no></iframe></html>
<html><iframe width=0 height=0 frameborder=0
src=http://www.kgeba.com/portal/index.php?aff=razec marginwidth=0
marginheight=0 vspace=0 hspace=0 allowtransparency=true
scrolling=no></iframe></html>
```

Lovely!

Here's how this works.

The spammer plasters links to the faculty page at East West University in Bangladesh in guestbooks for hot search terms based around male fertility drugs. Some poor sap who's Porsche 911 didn't help goes looking for said male fertility drugs and comes across the links to the faculty page at East West University in Bangladesh (due to the page rank [6] generated by all the links) and thinks he's about to score cheap male fertility drugs.

Only what he sees is a list of academics at some obscure university on the other side of the world and goes back to some search engine [7] to locate other sources of male fertility drugs (and Lord knows what type of ads I'm going to start getting from Google AdSense [8] based on this entry). But unbeknownst to our inadequate feeling fellow, his browser has just generated four requests to some site that pays out money based upon page views. Since the page was requested by a real browser, the assumption that said site makes is that someone viewed the page from a link by Mr. Razec (or who's affiliate code is “razec”) and so Mr. Razec's account is credited by some small amount.

Which, over time, adds up.

Neat little scam, isn't it?

So yesterday I changed the names of the fields for the Obligatory Email Notification form, changing email to atthingy and comments (which, if you remember, is a non-displaying <TEXTAREA>) to blahblah and sure enough, Mr. Razec picked up on the changes and spammed the form again.

Only this time, the link he sent is to a guestbook that's already been spammed.

[1] /boston/2007/05/10.2

[2] https://boston.conman.org/

[3] http://clusty.com/search?input-form=clusty-simple&v%3Asources=webplus&query=72.232.102.130

[4] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5

[5] http://www.gmail.com/

[6] http://en.wikipedia.org/wiki/PageRank

[7] http://www.google.com/

[8] https://www.google.com/adsense/

Gemini Mention this post

Contact the author