Blogspot
From Spamwiki
Background
Google owns the Blogspot offering, also known as Blogger. It lets users register new blogging sites and set up their own blog. Because there are no restrictions, anyone can set up any number of blog sites at no charge.
Once a site is created, the user can simply redirect any visitor to a different web site. Thus a Google Blogspot registration can be nothing more than a redirect to a spammed site. What is the advantage to spammers? Many of the tools that exist today to report spamvertized web sites look at the link in the spam message and report it to the IP address owner (ISP) or the registrar. When the registrars receive these requests, they may remove or suspend the site because it infringes the Terms of Service. But spammers can create automated scripts that create a new Blogspot registration every minute of every hour of every day, and as of March 2008 that is exactly what is happening. Spam runs can now cycle through thousands of redirection names at Blogspot, confident that by the time a complaint has gone in to Google and the redirection has been checked and removed by Blogspot staff, the damage has already been done; they have moved on to spamming through thousands of other new sites. As the spam runs arrive at various spam traps, these blogspot.com redirections can be accumulated and reported. One excellent site performing this service is URIBL.COM.
To create a Blogspot site, all you need is a Gmail account, and scammers are offering pre-registered Gmail accounts a million at a time.
Here is a direct quote from the bulkerforum where scammers hang out:
TOPIC: gmail accts, googlepages redirects, blogger redirects
William   Joined: 14 Nov 2007   Posts: 15
Posted: Fri Mar 28, 2008 1:55 pm   Post subject: gmail accts, googlepages redirects, blogger redirects
if you buy in volume please PM me, i have 1~10 mil of gmail accts for selling, 100k googlepages redirects + 100k blogger redirects. my ICQ is 407-678-829
Sample redirections
Prestige Replicas
- webofuhires33.blogspot.com redirects to http://www.asueih.com/ a Prestige Replicas site, registered with XIN NET TECHNOLOGY CORPORATION
Canadian Pharmacy
- rondagaarderge609.blogspot.com redirects to http://serveopen.com/ a Canadian Pharmacy site, registered with XIN NET TECHNOLOGY CORPORATION
Downloadable Software
- janellchandxr203.blogspot.com redirects to http://ryhakoputko.com/, registered with NAMESBEYOND.COM DBA GOODLUCKDOMAIN.COM
- gracielasherrodur121.blogspot.com redirects to http://lunosoftb.com/, registered with MOUZZ INTERACTIVE INC.
Herbal King
- jocelynbennett924958.blogspot.com redirects to http://yourfuturecorp.com/, a MaxHerbal site registered with BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
- lucyrivenburghes397.blogspot.com redirects to http://cloyswen.com/, a VPXL site registered with XIN NET TECHNOLOGY CORPORATION
Pharmacy Express
- bxgbgeaggm62.blogspot.com redirects to http://littleterm.com/, registered with XIN NET TECHNOLOGY CORPORATION
Sample Spam
Subject: Microsoft Office 2007 OEM version
Date: , 16 Mar 2008 12:07:41 +0200
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="windows-1250"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.1830
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
X-Spam: Not detected

Microsoft Office Enterprise 2007 includes:
• Access 2007
• Communicator 2007
• Excel 2007
• Groove 2007
• InfoPath 2007
• OneNote 2007
• Outlook 2007
• PowerPoint 2007
• Publisher 2007
• Word 2007
http://charmainecouncillpg518.blogspot.com

This blogspot.com link redirects to the Downloadable Software piracy site http://opertuutu.com/.
Reporting Blogspot violations
The form for reporting violations only takes one site report at a time:
http://help.blogger.com/?page=troubleshooter.cs&problem=&ItemType=spam&contact_type=Spam&Submit=Continue
Obviously, reporting one site at a time when there are over 1,000 new sites per day is rather tedious. Google and Blogspot staff need to take two actions:
- remove all existing violations (see the list of 12,460 sites appended)
- remove the loop-hole that facilitates this crime
Until such action is taken, the Internet community can be forgiven for regarding this free Google blog service as being the cause of a major spamming problem.
Obfuscated JavaScript redirections
Here are three examples of the spammer's obfuscated scripts that perform the redirection. Note that the variable names and the two character strings differ from sample to sample, but the decoded script is the same in each case.
Example 1
var xlvsjpk="rpjsjmgpyxwngieadgphlxque";   // repeating XOR key
var uglwiggm=0;                              // current position in the key
var isevs,aimmuq,amvhbx="4e030901031d1350151919091208020459453a091a192216171b001e51541a0e1e1d17004013"+
"06154f0808130918111e1b4b1a020f154a4d47505958574e5a4e0d1510174a4743191f1d0000120b1f440e081d565f4c52481a06130d170456";   // hex-encoded payload
aimmuq="";                                   // decoded output, built up one character at a time
var iuirac;
for(isevs=0;
isevs<amvhbx.length;
isevs+=2){iuirac=unescape('%'+amvhbx.substr(isevs,2));   // one byte per hex pair
aimmuq+= String.fromCharCode(iuirac.charCodeAt(0)^xlvsjpk.charCodeAt(uglwiggm++));   // XOR with the next key byte
if(uglwiggm>=xlvsjpk.length) uglwiggm=0;     // wrap around to the start of the key
}document.write(aimmuq);                     // inject the decoded <script> into the page
which actually decodes into
<script language="JavaScript">window.top.location.href ='http://anherbal.com/';</script>
Example 2
var xvmhpf="djajxlmnoqkekbpded";
var hebtystw=0;
var aocoo,hvptxlx,swwrps="58190218111c194e031005021e03170158462e0b170b2b0f1f071f05495b1c0b1e000a134a1e0e1a56"+
"00020d0e05020a054c18160002444a414a584c504e4f514b42031604145f4b4b0b0f021d1e0f0f035f080a064d575f594b17091303081853";
hvptxlx="";
var ppgcu;
for(aocoo=0;
aocoo<swwrps.length;
aocoo+=2){ppgcu=unescape('%'+swwrps.substr(aocoo,2));
hvptxlx+= String.fromCharCode(ppgcu.charCodeAt(0)^xvmhpf.charCodeAt(hebtystw++));
if(hebtystw>=xvmhpf.length) hebtystw=0;
}document.write(hvptxlx);
which actually decodes into
<script language="JavaScript">window.top.location.href = 'http://anherbal.com/';</script>
Example 3
var winvfa="fwunwalcvgcdcmbipabvox";
var nrklsi=0;
var hnjxaf,jlljrp,yrwxb="5a04161c1e111843564743080203051c1106074b4d320701143d1413051302455d130a030606074f16"+
"191f560a18160f0308030d580f1101054d424950415f564f5f0e03011e4d4e4302180f0616010c0e47130e0f5948435a58060d05081c1748";
jlljrp="";
var fnkopggu;
for(hnjxaf=0;
hnjxaf<yrwxb.length;
hnjxaf+=2){fnkopggu=unescape('%'+yrwxb.substr(hnjxaf,2));
jlljrp+= String.fromCharCode(fnkopggu.charCodeAt(0)^winvfa.charCodeAt(nrklsi++));
if(nrklsi>=winvfa.length) nrklsi=0;
}document.write(jlljrp);
which actually decodes into
<script language="JavaScript">window.top.location.href = 'http://anherbal.com/';</script>
(Line breaks were inserted, and the long hexadecimal string was broken into two, for formatting reasons.)
All three samples cause a redirection to anherbal.com, formerly an LNH Solutions scam and later a VPXL site.
Fingerprinting
The parts of the code that do not vary between samples were highlighted in bold in this example (the highlighting does not survive in this copy): everything except the variable names and the two quoted strings is constant, and that fixed skeleton is what can be matched.
var winvfa="fwunwalcvgcdcmbipabvox";
var nrklsi=0;
var hnjxaf,jlljrp,yrwxb="5a04161c1e111843564743080203051c1106074b4d320701143d1413051302455d130a030606074f16"+
"191f560a18160f0308030d580f1101054d424950415f564f5f0e03011e4d4e4302180f0616010c0e47130e0f5948435a58060d05081c1748";
jlljrp="";
var fnkopggu;
for(hnjxaf=0;
hnjxaf<yrwxb.length;
hnjxaf+=2){fnkopggu=unescape('%'+yrwxb.substr(hnjxaf,2));
jlljrp+= String.fromCharCode(fnkopggu.charCodeAt(0)^winvfa.charCodeAt(nrklsi++));
if(nrklsi>=winvfa.length) nrklsi=0;
}document.write(jlljrp);
Related redirection abuse
The URIBL tracking site allows a comparison between Google Blogspot abuse rates and those of other free site providers such as Yahoo! Geocities.
blogspot redirections March 21 - April 2
This list can be viewed in full at the download site. Each of these names has .blogspot.com appended; the suffix is omitted here for brevity.
aaekrqmsabj aaliyahramirez822763 aangknkbth72 odinet0435 boditeky40390 ... trimmed ... zosiagforistell zrbgyzujjyja zrbtvtwrdrpxjkf zrklwpevgt ztpzwffelvlhgv ztvcgyslbahwrf zymataha65557 zymymata54807
blogspot.com redirection sites
a3m66g06g1sov6a a9csfg87pwh53 aadbgtgk81 aaliyahanderson476312 ... 12,400 snipped for brevity ... zoewood006095 zoewood333733 zoewood532659 zvi0afplpkdzg3a

