Definition
Spam redirections are used by spammers for several reasons:
- to fly under the radar (i.e. escape detection) by the automatic spam blocking systems
- to avoid getting warnings and red flags against their sites from site reviewing systems
- to provide a longer life to otherwise quickly removed spamvertized web sites
Formats
Free hosting sites
Redirections can take many forms. Some make use of free hosting services, such as Google's Blogspot and Yahoo's Geocities, which allow quick web site set-up. Spammers register hundreds of thousands of sites, set them up, and put in a redirection to the true target web site. Since the spam they send does not contain the target site name, they hope to evade detection. These are known as "Hosters" and are well documented by URIBL.COM at the URIBL spam tracking site.
Prefix driven
Another type of redirection uses the third-level domain name, or domain prefix, method. Here, a domain name is registered, and the redirection to the target site is triggered by the first letter of the prefix. This method is illustrated with a live example shown in the following tables.
Prefix | Spam Brand | Sample domain |
---|---|---|
A | Mr.Long | pdandotherb.com |
B | Canadian Pharmacy | prettylast.com |
C | root directory | hotsellingpills.com |
D | Canadian Healthcare | attevm.com |
G | US Pharmacy | drg821.com |
H | Vegas Casino | casino22.net |
K | Canadian Healthcare | attevm.com |
P | MaxGain+ | debentes.com |
R | SwissWatchesDirect | laoje.net |
S | RXnet | 55med.com |
T | King Replicas | huneice.com |
V | Wondercum | fionws.com |
Prefix | Spam Brand | Sample domain |
---|---|---|
A | Mr.Long | pdandotherb.com |
B | US_Drugstore | callsubtract.com |
C | Federated RX | hotsellingpills.com |
D | Official Generic Pharmacy | wehelpyounow.com/cheap_pharmacy |
G | Canadian Health&Care Mall | variable |
H | Vegas Casino | casino22.net |
K | Worldwide Wholesale Pharmacy | yoajlem.com |
P | MaxGain+ | debentes.com |
R | SwissWatchesDirect | greattimewatches.net |
S | RXnet | 55med.com |
T | King Replicas | wegdeange.com |
V | Wondercum | fionws.com |
Prefix | Spam Brand | Sample domain |
---|---|---|
A | Mr.Long | pdandotherb.com |
B | Canadian_Pharmacy | loverspillsbat.com |
C | Federated RX | hotsellingpills.com |
D | Direct Pharmacy | sourcegoodfind.com |
G | Canadian Health&Care Mall | axvojgips.com |
H | Vegas Casino | casino22.net |
K | Canadian_Drugstore | qualityrange.com |
P | MaxGain+ | hujanda.com |
R | SwissWatchesDirect | seewatchnow.com |
S | RXnet | 55med.com |
T | King Replicas | seewatchnow.com |
V | Wondercum | fionws.com |
Live examples
To illustrate using live examples from May 2008, here is a set of spammed domains used for redirecting:
- ydspread.com
- yuaccounting.com
- zanewnovel.com
- zhbidto.com
- zjofficial.com
Selecting one of these, here is a sample of spammed prefixed domains:
- bcej.zhbidto.com
- bczb.zhbidto.com
- kstz.zhbidto.com
- kvv.zhbidto.com
- parc.zhbidto.com
- pawr.zhbidto.com
- rpdws.zhbidto.com
- rved.zhbidto.com
- tqt.zhbidto.com
- tuz.zhbidto.com
Note that the redirecting domains reside on a fast-flux botnet, occupying 8 hijacked hosts at a time, refreshing to a new set every 3 minutes:
zhbidto.com. 180 IN A 81.180.157.127
zhbidto.com. 180 IN A 89.156.145.103
zhbidto.com. 180 IN A 121.152.240.95
zhbidto.com. 180 IN A 24.122.218.63
zhbidto.com. 180 IN A 67.64.156.156
zhbidto.com. 180 IN A 67.188.53.61
zhbidto.com. 180 IN A 68.73.153.25
zhbidto.com. 180 IN A 76.106.194.40
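The two signals in this section, a redirector domain seen under many random prefixes whose first letter selects the brand, and a redirector domain whose A records rotate across unrelated networks on a short TTL, can both be checked mechanically from a feed of spammed hostnames and a DNS answer. The script below is an added example written for this page, not code from the wiki or from URIBL; its sample inputs are the prefixed hostnames and the A records quoted above, the brand map is the first table, and the threshold values (`min_prefixes`, `max_ttl`, `min_hosts`, `min_networks`) are assumptions a defender would tune to their own data.

```python
"""Defensive checks for prefix-driven redirectors and fast-flux hosting.

Added example; not part of the original wiki page. Sample inputs are
constructed from the hostnames and DNS records the page quotes.
"""
import re
from collections import defaultdict

# First-letter-of-prefix -> spam brand, copied from the page's first table.
PREFIX_BRANDS = {
    "A": "Mr.Long", "B": "Canadian Pharmacy", "C": "root directory",
    "D": "Canadian Healthcare", "G": "US Pharmacy", "H": "Vegas Casino",
    "K": "Canadian Healthcare", "P": "MaxGain+", "R": "SwissWatchesDirect",
    "S": "RXnet", "T": "King Replicas", "V": "Wondercum",
}

# Constructed sample: the prefixed hostnames listed on the page.
OBSERVED_HOSTS = [
    "bcej.zhbidto.com", "bczb.zhbidto.com", "kstz.zhbidto.com",
    "kvv.zhbidto.com", "parc.zhbidto.com", "pawr.zhbidto.com",
    "rpdws.zhbidto.com", "rved.zhbidto.com", "tqt.zhbidto.com",
    "tuz.zhbidto.com",
]

# Constructed sample: the dig-style A records quoted on the page.
DIG_OUTPUT = """\
zhbidto.com. 180 IN A 81.180.157.127
zhbidto.com. 180 IN A 89.156.145.103
zhbidto.com. 180 IN A 121.152.240.95
zhbidto.com. 180 IN A 24.122.218.63
zhbidto.com. 180 IN A 67.64.156.156
zhbidto.com. 180 IN A 67.188.53.61
zhbidto.com. 180 IN A 68.73.153.25
zhbidto.com. 180 IN A 76.106.194.40
"""


def split_host(host):
    """Return (prefix, registered_domain) for a third-level hostname.

    Assumption: the last two labels are the registered domain, which holds
    for the .com/.net names on this page but not for ccTLDs like .co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def group_by_prefix_letter(hosts):
    """Map registered domain -> first prefix letter -> set of prefixes seen."""
    groups = defaultdict(lambda: defaultdict(set))
    for host in hosts:
        parts = split_host(host)
        if parts is None:
            continue
        prefix, domain = parts
        groups[domain][prefix[0].upper()].add(prefix)
    return groups


def classify_redirector(hosts, brands=PREFIX_BRANDS, min_prefixes=4):
    """Flag domains seen under many distinct throwaway prefixes.

    A legitimate site rarely appears in mail under a spread of short random
    third-level names; a prefix-driven redirector does by design. The brand
    each first letter would select is reported for the analyst.
    """
    report = {}
    for domain, letters in group_by_prefix_letter(hosts).items():
        prefixes = {p for ps in letters.values() for p in ps}
        report[domain] = {
            "suspected_prefix_redirector": len(prefixes) >= min_prefixes,
            "brands": {l: brands.get(l, "unknown") for l in sorted(letters)},
        }
    return report


A_RECORD = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_a_records(text):
    """Parse 'name. TTL IN A addr' lines into (name, ttl, addr) tuples."""
    records = []
    for line in text.splitlines():
        match = A_RECORD.match(line.strip())
        if match:
            records.append((match.group(1), int(match.group(2)), match.group(3)))
    return records


def fast_flux_score(records, max_ttl=300, min_hosts=5, min_networks=4):
    """Heuristic fast-flux check on one answer set.

    Short TTL plus many A records spread over many distinct /8 networks is
    the pattern the page describes (hijacked consumer hosts rotated every
    few minutes); a normal site usually resolves to one or two networks.
    """
    if not records:
        return {"ttl": None, "hosts": 0, "networks": 0, "fast_flux": False}
    ttl = min(ttl for _, ttl, _ in records)
    addrs = {addr for _, _, addr in records}
    networks = {addr.split(".")[0] for addr in addrs}
    return {
        "ttl": ttl,
        "hosts": len(addrs),
        "networks": len(networks),
        "fast_flux": ttl <= max_ttl and len(addrs) >= min_hosts
        and len(networks) >= min_networks,
    }


if __name__ == "__main__":
    print(classify_redirector(OBSERVED_HOSTS))
    print(fast_flux_score(parse_a_records(DIG_OUTPUT)))
```

Run against the page's own data, the script reports `zhbidto.com` as a suspected prefix redirector with letters B, K, P, R and T in play, and scores its answer set as fast flux (TTL 180, 8 hosts across 7 distinct /8 networks). The /8 grouping is a coarse stand-in for an ASN lookup, which is what a production check would use.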
The configuration in February 2008 can be seen at MaxGain#Redirections.
Further reading
- Google Blogspot redirection abuse
- Yahoo! Geocities redirection abuse