An example spam trail
OK, so here's a spam which hit nowarblog today (2008-05-20).

board: nowarblog
id: 2007/10/10/221052/20-3
subject: hAvfaRjkdmMVImCaMC
poster: -1
email:
date: 2008-05-20 09:32:07
ip: 206.53.51.84
post-russian: 0.00
link_count: 26
link_bait: 1
mixed_links: 0
google_count: 3530
word_count: 152
score: 370
 
[a href="http://www.propeller.com/member/taynaharrism"]Virginia election results, presidential election 2008[/a][br]
[a href="http://www.propeller.com/member/taynaharrism"]Election update, election results[/a][br]
[a href="http://www.propeller.com/member/taynaharrism"]Election 08, election update[/a][br]
[a href="http://www.propeller.com/member/taynaharrism"]New jersey election results, primary election[/a][br]
[a href="http://www.propeller.com/member/taynaharrism"]Presidential election 2008, nj election results[/a][br]
[a href="http://www.propeller.com/member/taynaharrism"]Ohio election results, primary election[/a][br]
 
...

(I've snipped some of the URLs off the bottom, because they're obviously identical.)

Anyway, for some reason this caught my eye, and I decided to follow up. As it turns out, Propeller.com is a "social news site" owned by AOL. The user page for taynaharrism has been hijacked for nefarious purposes, and at first glance it looks pretty legit (I'm not going to quote it here, because it's too long.) It's got a whole lot of text which is vaguely election-related. It's vague because it's a Bayes spoiler, of course, and I'm increasingly of the opinion there must be a library out there somewhere. I'll probably end up reverse-engineering it.

This Bayes spoiler text is 9706 words long (a novella!), which comes to 16 pages of 12-point Times Roman. That's a lot of meaninglessness. But the actual payload is the user's Website link, which points to http://superelectionpolls.info/election-2008

When we visit that site, we see a typical set of Bayes-spoiler pages, each linking to one another. They're all on the election theme. And the payload there is the cute little Javascript embedded:

http://superelectionpolls.info/election-2008/red.js:
 
var egnlldwljff655 = 'on=';
var fc77 = 'riqfxgscbhvlkxzne534';
var kneyfihnrydqabg554 ='ment';
var qkiej391='.lo';
var nrvjdje503='ti';
var xhlcxeccpapp141='docu';
var jk134='cgi?5&parameter=election+2008';
var oejccqtxvmsfns723='http://alldebt';
var rwxalsxrcwac224='.biz/newway/in.';
var riqfxgscbhvlkxzne534 = 'ca';
var qhitoayeyfefc473='"';
if(fc77 = 'riqfxgscbhvlkxzne534')eval(xhlcxeccpapp141+kneyfihnrydqabg554+qkiej391+riqfxgscbhvlkxzne534+nrvjdje503+egnlldwljff655+qhitoayeyfefc473+oejccqtxvmsfns723+rwxalsxrcwac224+jk134+qhitoayeyfefc473);

Warning bell #1, of course: obfuscated Javascript (even not-very-obfuscated Javascript) tells you there is foul play.

In this case, of course, the string which ends up being eval'd is:

document.location="http://alldebt.biz/newway/in.cgi?5&parameter=election+2008"
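
To recover that string without running the spammer's script, here is an added example (mine, not code from the original post or from Propeller/AOL) that resolves the var literals statically and joins them the way the eval argument would, never calling eval. It assumes only the pattern shown above (string-literal vars plus eval of a "+" chain); RED_JS is a constructed copy of the red.js listing, and the function names are my own.

```javascript
// Constructed input: a copy of the red.js listing quoted in the post above.
const RED_JS = `
var egnlldwljff655 = 'on=';
var fc77 = 'riqfxgscbhvlkxzne534';
var kneyfihnrydqabg554 ='ment';
var qkiej391='.lo';
var nrvjdje503='ti';
var xhlcxeccpapp141='docu';
var jk134='cgi?5&parameter=election+2008';
var oejccqtxvmsfns723='http://alldebt';
var rwxalsxrcwac224='.biz/newway/in.';
var riqfxgscbhvlkxzne534 = 'ca';
var qhitoayeyfefc473='"';
if(fc77 = 'riqfxgscbhvlkxzne534')eval(xhlcxeccpapp141+kneyfihnrydqabg554+qkiej391+riqfxgscbhvlkxzne534+nrvjdje503+egnlldwljff655+qhitoayeyfefc473+oejccqtxvmsfns723+rwxalsxrcwac224+jk134+qhitoayeyfefc473);
`;

// Map every `var name = 'literal';` (single- or double-quoted) to its literal.
function collectStringVars(src) {
  const vars = Object.create(null);
  const re = /\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])((?:(?!\2)[^\\]|\\.)*)\2\s*;/g;
  for (const m of src.matchAll(re)) vars[m[1]] = m[3];
  return vars;
}

// Resolve eval(a+b+c) by joining the literals; eval itself is never called.
function resolveEvalArgument(src) {
  const vars = collectStringVars(src);
  const call = /\beval\s*\(([^()]*)\)/.exec(src);
  if (!call) throw new Error("no eval() call found");
  return call[1].split("+").map((tok) => {
    const name = tok.trim();
    if (!(name in vars)) throw new Error(`unresolved operand: ${name}`);
    return vars[name];
  }).join("");
}

// Pull the destination out of a reconstructed `document.location="..."`.
function redirectTarget(src) {
  const m = /document\.location\s*=\s*"([^"]+)"/.exec(resolveEvalArgument(src));
  return m ? m[1] : null;
}

// `if(x = '...')` assigns rather than compares, so the eval branch always runs.
function hasAssignmentGuard(src) {
  return /\bif\s*\(\s*[\w$]+\s*=(?!=)/.test(src);
}

console.log(resolveEvalArgument(RED_JS));
console.log("redirect target:", redirectTarget(RED_JS), "always-true guard:", hasAssignmentGuard(RED_JS));
```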

If we visit that URL, it 302-forwards to http://myflydirect.com/1/5567/ - and that URL, in turn, 302-forwards to http://getadultaccess.com/movie/?aff=5567.

And that URL, which is clearly no longer about elections, does some more stuff; I don't really care what, just today. The point is that Propeller.com is pointing to a forward chain which ends up somewhere fishy. That forward chain is detectable, and pretty amenable to automation, given that your browser does it anyway. So we can detect it. And once detected, it can be reported. Once reported, eradicated.

I love this stuff.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.