Last Updated: 2007-09-21 07:31:49 UTC
by Bojan Zdrnja (Version: 2)
For quite some time spammers have been trying to hide links advertised in their e-mails. The main reason for this is probably increasing effectiveness of various realtime blocklists, such as SURBL. For those that aren’t familiar with SURBL (http://www.surbl.org), it’s an RBL that lists list URIs found in spam e-mails. In other words, instead of listing spam zombies or relays, RBLs like SURBLs list sites that are referenced in advertised spams.
Anti-spam applications generally query multiple RBLs and latest versions of Spam Assassin, the most popular open source anti-spam application, will query SURBL by default.
Spammers realized that this can cause them big problems so initially they started using various open redirectors. Redirected URLs try to hide themselves behind some other (innocent) domain and server. For example, Google has a redirector service that can be easily used like this:
If you visit this URL now Google will warn you that you are about to be redirected to your favorite bookmarked site ;-) – however this was abused historically when there was no such warning.
Anti-spam tools soon incorporated detection of similar abuses because well known redirection services, such as those provided by Google or Yahoo! are easy to enumerate and parse, although spammers use various URL encoding techniques to make this more difficult.
While spammers are still using similar redirection services, sometimes even on compromised web sites, recently I saw another new trend where they are abusing another Google’s service.
This mainly seems to be happening in meds related spam e-mails. A typical spam looks like this:
Order All of your favorite RxMeDs Online!
With fast discreet trackable USPS shipping!
No Prescription Needed!
Order__NoW ~ <a href="http://www.google.com/search?q=myvisameds+global+cart&btnI=ec">Click__Here</a><br>
As you can see, the e-mail is very small (probably trying to affect some other anti-spam methods) and it contains only one URL, pointing to Google!
The trick here is in the last part of the URL that is highlighted above: “btnl=ec”. This actually tells Google that you want to use the feature called “I’m Feeling Lucky”. This feature is actually nothing special – it performs the normal search but instead of returning the page containing the search results it automatically redirects your browser to the first returned search. We can try doing the same thing for the Internet Storm Center, with the link above:
So, the spammers do the following. They first “poison” Google so that a particular search returns their wanted web site as the first match. This isn’t too difficult to do because they don’t need to “poison” proper searching keywords – they can use whatever they want because all they need is their web site to come back first. If we go back to the example above, the keywords to search for are “myvisameds global cart”. If you search for this (normally) you will see that the spammer’s web site comes as the first search. Also take a look at all the other web sites that are returned. See something interesting? (I still have to check those web sites to see if they are even serving some malicious content).
We can see that the “poisoning” process was successful, so all they need to do now is send their e-mails with the link above until Google figures out what’s going on and blocks this. At this point they change the web site and/or keywords and go from beginning.
Finally, it should be relatively easy to catch these links with a regular expression. However, it looks like there are several implementations on Google’s web site so they don’t always and with “btnI=ec”. If you have good rules for this, let us know.
Now this is funny. Christian e-mailed us and told us that this diary made it to the first place in search results for the "myvisameds global cart" keyword search. This effectively means that we (unintentionally) stopped this particular spam from working as the link above (Google's "I'm Feeling Lucky") will actually lead to this diary!