300mph

Spooky Hyperlink in spam

11 posts in this topic

I just received a very spooky spam today. One of the usual hyperlinks that directs an unsuspecting person to the spammer's webpage contained a very odd format. The format was: http://[some address here].com/my_last_name

I was more than a little startled to see my last name appended to a spam page hyperlink. Has anyone ever seen this or have any idea how this could happen?


...The simplest, albeit unlikely, answer is that in preparation for your response the spammer has created a virtual internet directory with your name. I consider that unlikely only because most spammers target thousands or millions of potential victims and, therefore, would have to go through the trouble of creating such a virtual directory for each potential victim. A more complex answer would be that the spammer has set up some script or program on the web server to recognize your name as a name rather than a virtual directory.

...This is just off the top of my head. I presume others can come up with yet more scenarios.


I just received a very spooky spam today. One of the usual hyperlinks that directs an unsuspecting person to the spammer's webpage contained a very odd format. The format was: http://[some address here].com/my_last_name

I was more than a little startled to see my last name appended to a spam page hyperlink. Has anyone ever seen this or have any idea how this could happen?

Either you or one of your contacts has a Trojan that has downloaded their contact email addresses.

Doesn't hurt to scan your own computer. I no longer have my full name in my email, just "from:PP".

Email info can also be "scraped" as it passes from one server to the next. You can see which computers/servers handle your email with a traceroute.


The format was: http://[some address here].com/my_last_name

Or what you see in the email is http://[some address here].com/my_last_name but the hyperlink really goes to http://[some other place].com/really_bad_script

Edited by Lking


...The simplest, albeit unlikely, answer is that in preparation for your response the spammer has created a virtual internet directory with your name. I consider that unlikely only because most spammers target thousands or millions of potential victims and, therefore, would have to go through the trouble of creating such a virtual directory for each potential victim. A more complex answer would be that the spammer has set up some script or program on the web server to recognize your name as a name rather than a virtual directory.

...This is just off the top of my head. I presume others can come up with yet more scenarios.

Very interesting. Is there a safe way to try out the address and see what's there or if it is active?


Either you or one of your contacts has a Trojan that has downloaded their contact email addresses.

Doesn't hurt to scan your own computer. I no longer have my full name in my email, just "from:PP".

Email info can also be "scraped" as it passes from one server to the next. You can see which computers/servers handle your email with a traceroute.

Yes, this is always a possibility. Here is an additional piece of info that thickens the plot. I have a rather unusual last name, so it's not like Smith or Jones, and the name used in the hyperlink is my name with one letter misspelled. Also my email address does not contain my name and my profile does not contain my name.


Thanks everyone for your responses and here are more specifics:

1. My name appears in the hyperlink itself, the visual text says something else.

2. The name is misspelled by one letter and my name is rather unique so it's not a coincidence. This seems to point to a hand-formed spam creation and not a spambot?

3. I don't have my name associated with the email account.

Given these clues, does it sound like I have somehow been targeted by the spammers, or am I being too paranoid?


2. The name is misspelled by one letter and my name is rather unique so it's not a coincidence. This seems to point to a hand-formed spam creation and not a spambot?

I'm wondering if a spambot is being used that randomises names slightly, based on replacing letters with similar letters or numbers, like you might see in a message that is being tinkered with in an effort to beat filters.

As an aside, my name is rare where I live too, there's only two of us that I know of within something like 500km.

I'm wondering if a spambot is being used that randomises names slightly, based on replacing letters with similar letters or numbers, like you might see in a message that is being tinkered with in an effort to beat filters.

<snip>

...Ah, yes, I've seen something like that in "help, I'm trapped in Europe and need money fast!" spam allegedly from someone I knew.


I just received a very spooky spam today. One of the usual hyperlinks that directs an unsuspecting person to the spammer's webpage contained a very odd format. The format was: http://[some address here].com/my_last_name

I was more than a little startled to see my last name appended to a spam page hyperlink. Has anyone ever seen this or have any idea how this could happen?

My guess is that the webserver is configured to accept anything in place of your name. "http://[some address here].com/_____" is probably always accepted. This also provides some tracking as to who's falling for it. They simply check the webserver logs and see which names were used in URL requests.

Also, if the actual URL was more complicated than what you posted, keep in mind that "?" is a separator between the URL and the parameters it's passing to the page. "http://[some address here].com/?my_last_name" takes you to the same page as just "http://[some address here].com/", but the first one also passes "my_last_name" as a parameter to that page.

I doubt that they actually went through and configured a webserver specifically for each name that they spammed, though it shouldn't be too hard to script something like that using the database that generated the spam (just generate an entry on the webserver along with each spam message generated).

As for how they actually got your name, I'm guessing it's from someone who's got you in their contact list and had their PC compromised, or possibly scraped from some internet profile somewhere (which may have gotten its info from someone else's contact list).

Very interesting. Is there a safe way to try out the address and see what's there or if it is active?

http://web-sniffer.net/

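A defensive check for the two things described in this thread, link text that shows one address while the href goes elsewhere, and a per-recipient word in the URL path or query (matched within one changed letter), written as an added example and not code from any poster. The sample HTML, the surname `Kowalczyk`, the `.example` hosts and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def within_one_edit(a, b):
    """True if a == b or they differ by one substituted, added or dropped letter."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Same length: skip one char in both (substitution); else skip one in b only.
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def analyse(html_body, personal_tokens):
    """Report links with a shown-host/href-host mismatch or a near-match personal token."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]|$)", text, re.I)
        mismatch = bool(m) and m.group(1).lower() != (url.hostname or "")
        words = re.split(r"[^a-z0-9]+", unquote(url.path + "?" + url.query).lower())
        hit = next((w for w in words for t in personal_tokens
                    if len(t) >= 4 and within_one_edit(w, t.lower())), None)
        if mismatch or hit:
            findings.append({"href": href, "host_mismatch": mismatch, "token": hit})
    return findings

# Constructed sample: surname "Kowalczyk" appears with one letter changed.
SAMPLE = ('<a href="http://spam-host.example/Kowalczik">http://shop.example/offers</a> '
          '<a href="http://news.example/today">read more</a>')
```

Calling `analyse(SAMPLE, ["Kowalczyk"])` flags only the first link, for both the host mismatch and the near-match token; the check runs on the message body alone and never requests the URL.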

If you used the address on Facebook etc., then on that site you can resolve an email address to a user by simply searching via the email address.
