Geocities Spam

From Spamwiki

Description

Geocities is a free web hosting service provided by Yahoo. It is predominantly used by hobbyist website creators to build fansites, personal sites, photo galleries, etc. However, starting in 2004 and continuing up to the present day, numerous spammers (notably Vincent Chan) have been abusing Geocities websites in an automated fashion, building pages whose sole purpose is to redirect the visitor to the actual target website. This lets the spammer get around numerous well-established spam filters, which would never block a Geocities domain, since Yahoo is widely whitelisted on most block lists.

My Canadian Pharmacy (referred to in this document as MCP) is a longstanding Russian or possibly Ukrainian spam operation which has been relentlessly spamming email users around the world since at least the spring of 2004. The operators are currently wanted by numerous international law enforcement groups including Interpol and the FBI. They largely appear to be tied to credit card fraud and identity theft. Nobody has ever noted receiving a single shipment of any product ordered on a My Canadian Pharmacy website.

Numerous pharmacy oversight organizations have fielded several thousand complaints per year regarding this illegal operation. They and numerous law enforcement agencies continue to investigate as much as possible regarding the spamming, website setup, DNS setup and (alleged) order processing of this spam gang. This investigation is ongoing.

Spam Example

Best replica watches from IWC at Replica Classics 
Genuine Swiss made Rolex replicas are as close to the real thing 
Guaranteed triple-wrapped gold on all-gold models 
http://mx.geocities.com/ivanasan17
If you are looking for a stylish, quality costume watch at low prices,
our offers are for you. We specialize in top quality replica watches.
Wearing these expensive looking watches is prestigious. Buying these
models you will save you a ton of money and always look trendy. 
Why pay more? Get qualitative replica watches here 

Basic Summary

Visiting a spammed Geocities website causes the user's browser to redirect automatically to the target URL, which is embedded in obfuscated or otherwise encrypted JavaScript. In the above example, the page contains the following JavaScript segments in the header of the page:

eval
(unescape("%66%75%6E%63%74%69%6F%6E%20%65%5F%65%28%65%29%7B%65%3D
%75%6E%65%73%63%61%70%65%28%65%29%3B%70%3D%22%51%5A%55%45%4C%4D%5
3%42%4C%4A%4B%56%52%43%50%44%44%48%4F%53%43%55%45%54%4E%58%49%41%
5A%4B%22%3B%73%3D%22%22%3B%73%6C%3D%6E%65%77%20%41%72%72%61%79%28
%29%2C%6B%3D%30%2C%6A%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%65%2
E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%65%2E%63%68%61%72%43%
6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%7B%63%3D%63
%5E%70%2E%63%68%61%72%43%6F%64%65%41%74%28%6A%25%70%2E%6C%65%6E%6
7%74%68%29%3B%6A%2B%2B%3B%7D%73%2B%3D%53%74%72%69%6E%67%2E%66%72%
6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%73%2E%6C%65%6E
%67%74%68%3E%38%30%29%7B%73%6C%5B%6B%2B%2B%5D%3D%73%3B%73%3D%22%2
2%7D%7D%73%3D%73%6C%2E%6A%6F%69%6E%28%22%22%29%2B%73%3B%64%6F%63%
75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D"));

And:

e_e("m%2967%25%3D%27b83%3B3oa%24!%3C%3C%609%22#%24%27%2D* 1%2EioW_elqroaGAvr49* %278%7D%25%3A&!%3Dp%60zWA%255%25k %220#8#%248|%2B%22!%22um%3B7!5naw%3E6%2De%252%3C*%2Fc0%2D!hp%5BXcpkkebmN_etrw%3A%22%28%22!%2Ek");

This decodes to:

a) A function called "e_e" which performs a rudimentary character replacement decryption technique.

b) A call to the e_e function, passing it a specific string.

The resulting URL in this case turns out to be: www.thioc.com, another illegal Replica Watch website.
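As an added example (not code from the page, and not anything from Yahoo or Geocities), the two decoding stages above re-implemented in Python so the redirect target can be recovered offline without eval() or a browser: stage 1 unescapes the argument of eval(unescape("...")) back into the e_e source and reads the repeating key out of its p="..." assignment; stage 2 applies the same per-character XOR that e_e applies to its argument, returning the text instead of passing it to document.write. The wiki wrapped the stage-2 string over four lines and dropped a trailing space at the end of the first two; the example restores those two spaces (an inference from the decoding, since without them the output breaks mid-word at "javascr" and "top."). The function names and the js_unescape helper are the example's own.

```python
import re

# Stage 1 exactly as shown on the page: the argument of eval(unescape("...")),
# with the wiki's line wrapping removed.
STAGE1_HEX = (
    "%66%75%6E%63%74%69%6F%6E%20%65%5F%65%28%65%29%7B%65%3D"
    "%75%6E%65%73%63%61%70%65%28%65%29%3B%70%3D%22%51%5A%55%45%4C%4D%5"
    "3%42%4C%4A%4B%56%52%43%50%44%44%48%4F%53%43%55%45%54%4E%58%49%41%"
    "5A%4B%22%3B%73%3D%22%22%3B%73%6C%3D%6E%65%77%20%41%72%72%61%79%28"
    "%29%2C%6B%3D%30%2C%6A%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%65%2"
    "E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%65%2E%63%68%61%72%43%"
    "6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%7B%63%3D%63"
    "%5E%70%2E%63%68%61%72%43%6F%64%65%41%74%28%6A%25%70%2E%6C%65%6E%6"
    "7%74%68%29%3B%6A%2B%2B%3B%7D%73%2B%3D%53%74%72%69%6E%67%2E%66%72%"
    "6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%73%2E%6C%65%6E"
    "%67%74%68%3E%38%30%29%7B%73%6C%5B%6B%2B%2B%5D%3D%73%3B%73%3D%22%2"
    "2%7D%7D%73%3D%73%6C%2E%6A%6F%69%6E%28%22%22%29%2B%73%3B%64%6F%63%"
    "75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D"
)

# Stage 2: the string the page passes to e_e(). The two spaces at the end of
# the first two fragments were lost to the wiki's line wrapping (assumed here;
# without them the decoded text breaks mid-word).
STAGE2_ARG = (
    "m%2967%25%3D%27b83%3B3oa%24!%3C%3C%609%22#%24%27%2D* "
    "1%2EioW_elqroaGAvr49* %278%7D%25%3A&!%3Dp%60zWA%255%25k "
    "%220#8#%248|%2B%22!%22um%3B7!5naw%3E6%2De%252%3C*%2Fc0%2D!hp%5BXc"
    "pkkebmN_etrw%3A%22%28%22!%2Ek"
)

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Python equivalent of JavaScript's unescape(): %XX and %uXXXX -> char."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_stage1(hex_blob=STAGE1_HEX):
    """Reveal the decoder's source text without ever eval()-ing it."""
    return js_unescape(hex_blob)


def extract_key(decoder_src):
    """Read the repeating key from the p="..." assignment in the decoder."""
    m = re.search(r'\bp="([^"]+)"', decoder_src)
    if not m:
        raise ValueError('no p="..." key found in decoder source')
    return m.group(1)


def xor_decode(payload, key):
    """Re-implementation of e_e(): unescape the payload, then XOR every
    character below 128 with the next key character. Only those characters
    advance the key index, exactly as the original loop does; non-ASCII
    characters pass through untouched. The 80-character chunking in the
    original only affects how it builds the string, not the result."""
    out = []
    j = 0
    for ch in js_unescape(payload):
        c = ord(ch)
        if c < 128:
            c ^= ord(key[j % len(key)])
            j += 1
        out.append(chr(c))
    return "".join(out)


def extract_redirect(html):
    """Return the location.href target assigned inside the decoded script."""
    m = re.search(r'location\.href\s*=\s*"([^"]+)"', html)
    return m.group(1) if m else None


def decode_page():
    """Run both stages on the page's own segments: (key, decoded html, target)."""
    key = extract_key(decode_stage1())
    html = xor_decode(STAGE2_ARG, key)
    return key, html, extract_redirect(html)


if __name__ == "__main__":
    key, html, target = decode_page()
    print("XOR key:", key)
    print(html)
    print("redirect target:", target)
```

Running it prints the key, the decoded <script> block (a window.focus() call followed by a top.location.href assignment) and the redirect target http://www.thioc.com, which confirms the URL stated above without loading the Geocities page in a browser. Because the stage-1 decoder is read rather than executed, the same two functions work on any page of this family as long as the key is still assigned with p="...", even when the variable and function names have been changed between runs.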

The spammers behind these runs tend to follow a very similar pattern, often using the same length of randomized characters for all of their Geocities site names, and re-using (but re-naming) their JavaScript variables and encryption functions. Apart from that, the process, site setup, message types and the kinds of domains eventually redirected to are always the same.

Vincent Chan has apparently been doing this for at least two years now, as documented in his Spamhaus ROKSO entry. He is most likely not the only one, merely the most prolific.

How to Report this Spam

Forward Spam Emails

The simplest way to report Yahoo Geocities spam is to forward emails to:

network-abuse[at]cc[dot]yahoo-inc[dot]com

As of 16 September 2007, this is the best address to use.

Yahoo is well aware of this ongoing issue and is responsive to reports, often taking action within the same day. Even a single spam email featuring a Geocities address is enough to trigger action. Make sure to include all the headers, if possible, as Yahoo and Geocities require them before any action will be taken.

Sample Report

to: network-abuse[at]cc[dot]yahoo-inc[dot]com

subject: geocities redirect spam: anherbals.com (Herbal King)

Please disable the following spamvertized geocities URLs:

http://www.geocities.com/mpkgd89/
http://www.geocities.com/thlqc54/
http://www.geocities.com/ucpmk57/
http://www.geocities.com/uhyq84/

- This was unsolicited email.

- This was SPAM.
The geocities URLs use obfuscated javascript to redirect to
anherbal[dot]com, which hosts the Herbal King spam.
http://spamtrackers.eu/wiki/index.php?title=Herbal_King

- This is abusing the Yahoo/Geocities Terms of Service since the sites
are being used in spam runs.
http://info.yahoo.com/legal/us/yahoo/geocities/gctos/gctos-274.html

5. MEMBER CONDUCT
...
You agree to not use the Service to:
...
(g) upload, post or otherwise transmit any unsolicited or unauthorized
advertising, promotional materials, "junk mail," "spam," "chain
letters," "pyramid schemes," or any other form of solicitation, except
in those areas of the Service that are designated for such purpose;
...
(o) use your home page (or directory) as storage for remote loading or
as a door or signpost to another home page, whether inside or beyond
Yahoo GeoCities;

- Included below are the complete spam messages containing the offending
Geocities sites, including full headers.

Submit to Yahoo's Web Reporting Form

Yahoo has provided a web form for reporting Geocities spam at

http://help.yahoo.com/l/us/yahoo/geocities/abuse.html

The form requires the user name of the user abusing the Geocities service. The Geocities user name is the first path component of the site's URL (dannyhensley344 in the example below):

http://geocities.com/dannyhensley344/

The Geocities Web Form is working as of 11 February 2008.

See Also

Googlepages Spam