A question about disguised links


elind

<a =

href=3D"http://ad.doubleclick.net/click;h=3DDwXgyklaAFflZyiLhMnAiifOjiqGD=

wXgykla;~sscs=3D%3fhttp://teknoatilim.com/video.exe">Watch. =

<br><a>

I am receiving spam with the above link. I am curious about what it does. It appears to be using doubleclick.net, but Spamcop parsing doesn't pick it up, yet it is the only link in the spam.

Can anyone explain how this works?

I am receiving spam with the above link. I am curious about what it does. It appears to be using doubleclick.net, but Spamcop parsing doesn't pick it up, yet it is the only link in the spam.

Can anyone explain how this works?

Please provide a tracking link rather than the link itself so that the searchbots have less of a chance of picking up crud like this. The link is currently broken, but we don't know if it is the software here doing that, something you did before posting, or the way it actually looks in the source of the message.

Several factors seem to indicate some "handling". Specifically, the several =3D and the = at the end of the lines.

Please provide a tracking link rather than the link itself so that the searchbots have less of a chance of picking up crud like this. The link is currently broken, but we don't know if it is the software here doing that, something you did before posting, or the way it actually looks in the source of the message.

Several factors seem to indicate some "handling". Specifically, the several =3D and the = at the end of the lines.

I'm not sure what you mean by protecting the searchbots? Are you saying they need to be protected against picking up spam?

I copied/pasted the link as received without changing it. If it's broken it was likely a spammer mistake and, needless to say, I didn't try it. The source of the email was Charter according to spamcop.

However I still don't understand how this is supposed to work, broken or not. What is the point?

<a =

href=3D"http://ad.doubleclick.net/click;h=3DDwXgyklaAFflZyiLhMnAiifOjiqGD=

wXgykla;~sscs=3D%3fhttp://teknoatilim.com/video.exe">Watch. =

<br><a>

I am receiving spam with the above link. I am curious about what it does. It appears to be using doubleclick.net, but Spamcop parsing doesn't pick it up, yet it is the only link in the spam.

Can anyone explain how this works?

Read http://www.secureworks.com/research/threats/ppc-hijack/ to understand how these work. There are a couple of doubleclick.net examples there also.

It is simply a redirect to a Trojan program. We could provide more if you would simply provide the information asked for.

That's simple to you. Obviously I wouldn't ask these questions if I thought nobody could answer them. I don't know what information you want that is relevant to how the link in question works. I don't provide the original source for obvious reasons; it contains my email addresses in addition to my spamcop one. I don't know how to edit it to be relevant and I am not a fool, but I don't understand how doubleclick can be hijacked to redirect as you say, nor do I understand the point of doing it that way in the first place, nor why such a "simple" method cannot be parsed by spamcop.

If you want to be helpful ask intelligent questions, otherwise ignore mine.

Thank you.

Read http://www.secureworks.com/research/threats/ppc-hijack/ to understand how these work. There are a couple of doubleclick.net examples there also.

Thank you

...I don't know what information you want that is relevant to how the link in question works.
Hard to tell because the link is busted, seeing it in its context might be more useful.
...I don't provide the original source for obvious reasons; it contains my email addresses in addition to my spamcop one. I don't know how to edit it to be relevant...
The original source was not requested, the tracking url of the reported spam was requested and if you submit munged reports your addresses would not be in that documentation unless it was also forged as the sender address. Did you submit a report, do you use the munge option, were you forged as sender, do you know how to get a tracking url?
...and I am not a fool, but I don't understand how doubleclick can be hijacked to redirect as you say, nor do I understand the point of doing it that way in the first place, nor why such a "simple" method cannot be parsed by spamcop. ...
Hard to tell about any of that (except the first) without seeing what the parser made of it and if it was broken so that the parser ignored it then there is little point in conjecture since the SC engineering staff don't come here. But there can be variable results depending which version of the parser looks at the data and/or how the DNS records and abuse records resolve at that instant (caching coming in to it also) so sometimes it is worth revisiting the report, it is not static and the link that the parser saw may not really be broken. Dunno without seeing it.

There have been other discussions about the parser's handling of (various) redirects - generally there is difficulty drilling down to the actual target, the killer (as it mostly/always applies) being because the full redirect process is not necessarily resident in the link included in the spam. That probably encapsulates the "point" of it - to make the target look relatively harmless, to obscure it so as to protect it from discovery and censure, to fool filters and to waste the time of anyone wanting to analyze it all.

You posted in a general forum, possibly not wanting to discuss the specifics but wanting a theoretical treatment. Maybe Merlyn's link satisfied some of that (evidently my earlier one didn't). But you also raise some specifics about the parser 'not picking it up' and unless you are going to back up that assertion we can let that part drop, interesting though the question might turn out to be.

Hard to tell because the link is busted, seeing it in its context might be more useful. The original source was not requested, the tracking url of the reported spam was requested and if you submit munged reports your addresses would not be in that documentation unless it was also forged as the sender address. Did you submit a report, do you use the munge option, were you forged as sender, do you know how to get a tracking url?

OK. Sorry to get off track. I misunderstood to mean source. Yes I could get the tracking URL by going back through logs, but I wasn't concerned about details; just the principles out of curiosity. I'm still receiving these. Some are reported to a website host. Some just say reporting suspended for doubleclick.

I'll read up on the link provided without asking more silly questions.

Thanks

... I'll read up on the link provided without asking more silly questions.
No question is silly - check new information by all means but then don't stop until you know what you wanted to know.
I don't understand how doubleclick can be hijacked to redirect as you say, nor do I understand the point of doing it that way in the first place

Any link can be redirected through them (and others) because the method they use for redirection has been broken. It was not very hard to break.

A couple of reasons:

-Some parsers (more automated ones than human ones, who can easily see the trick) will blame doubleclick rather than the ultimate location of the page, protecting them a bit.

-Many "normal" people will see a doubleclick link in the spam and trust it more than some unknown domain, causing hits to the site. In this case, those hits become more machines that can be used to spread the virus and other spam from.

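The two mechanisms this thread turns on, the quoted-printable "handling" (the `=3D` and the trailing `=` on each line, noted earlier in the thread) and the redirect through ad.doubleclick.net described just above, can be unwrapped in a few lines. The Python below is an added example written for this page, not code from SpamCop, the SecureWorks write-up or any poster here. It uses only the standard library, takes the link quoted at the top of the thread as its sample input, decodes the transfer encoding, pulls the href out of the reassembled tag, and peels the embedded destination out of the redirector. It generalizes beyond the `~sscs=` form shown in the spam: the unwrapping loop peels any redirector that carries its target URL in the clear, nested or not. What it cannot do is resolve a redirect that exists only server-side, which is exactly the case the thread says defeats automated parsers.

```python
import re
import quopri
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Sample input: the quoted-printable fragment posted at the top of the thread.
RAW_QP = (
    '<a =\n'
    'href=3D"http://ad.doubleclick.net/click;h=3DDwXgyklaAFflZyiLhMnAiifOjiqGD=\n'
    'wXgykla;~sscs=3D%3fhttp://teknoatilim.com/video.exe">Watch. =\n'
    '<br><a>\n'
)


def decode_qp(text: str) -> str:
    """Undo quoted-printable transfer encoding.

    '=3D' is an encoded '=' and a bare '=' at end of line is a soft line
    break, so the tag that looks 'broken' in the raw message reassembles
    into a single <a href="..."> once decoded.
    """
    return quopri.decodestring(text.encode("ascii")).decode("ascii", "replace")


class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags; tags without one are ignored."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html: str) -> list[str]:
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


def final_destination(url: str, max_hops: int = 5) -> str:
    """Peel embedded absolute URLs out of a redirector link.

    In the sample the real target follows ';~sscs=%3f' (an encoded '?'),
    but the loop does not depend on that parameter name: it percent-decodes,
    then looks for the next 'http(s)://...' after the outer scheme and
    restarts from there, so one redirector wrapped in another still unwinds
    to the innermost URL. A destination that only exists server-side at the
    redirector is invisible to this (and to any) static analysis.
    """
    current = url
    for _ in range(max_hops):
        decoded = unquote(current)
        skip = len(urlsplit(decoded).scheme) + len("://")
        inner = re.search(r"https?://", decoded[skip:], re.IGNORECASE)
        if inner is None:
            return current
        current = decoded[skip + inner.start():]
    return current


def analyze(raw_qp: str) -> list[dict]:
    """Decode, extract links, and report the host a reader sees versus the
    host the link actually leads to."""
    results = []
    for href in extract_hrefs(decode_qp(raw_qp)):
        dest = final_destination(href)
        results.append({
            "visible_host": urlsplit(href).netloc.lower(),
            "real_host": urlsplit(dest).netloc.lower(),
            "destination": dest,
            "is_executable": dest.lower().endswith(".exe"),
        })
    return results


if __name__ == "__main__":
    for row in analyze(RAW_QP):
        print(f"shown as {row['visible_host']}, really {row['real_host']}: "
              f"{row['destination']} (exe={row['is_executable']})")
```

Run against the sample, `analyze` reports the link as shown on ad.doubleclick.net but really leading to a `.exe` on a different host, which is the pair of facts a filter or a human reviewer needs: the trusted-looking host is only the redirector, and the executable lives elsewhere. Feeding a raw message through `decode_qp` first is what makes the difference between seeing one usable link and seeing the "broken" fragments a copy-paste of the encoded source produces.
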

Any link can be redirected through them (and others) because the method they use for redirection has been broken. It was not very hard to break.

A couple of reasons:

-Some parsers (more automated ones than human ones, who can easily see the trick) will blame doubleclick rather than the ultimate location of the page, protecting them a bit.

-Many "normal" people will see a doubleclick link in the spam and trust it more than some unknown domain, causing hits to the site. In this case, those hits become more machines that can be used to spread the virus and other spam from.

That makes some sense in terms of improving the statistical return on spam. A little bit better can be a lot better, although I would then question why they send multiple spams to the same address at the same time and in particular why they send to spamcop addresses (which is where I get almost all spam), since that would seem to invalidate the former supposed sophistication. However perhaps they are just different spammers.

I also have another suggestion for this method, in that it seems to confuse the spamcop parser.

I received one with this link today.

<a =

href=3D"http://ad.doubleclick.net/click;h=3DprVJZxdCqxESRHIKqakxVhjqUyZRp=

rVJZxdC;~sscs=3D%3fhttp://trieu-exotics.com/video.exe">Watch. =

<br><a>

The first report via spamcop did not recognize the spam website. Editing out the doubleclick part and resubmitting with only trieu-exotics gives the host as godaddy.com

Looking at trieu-exotics suggests that it is a legitimate aquarium products (live coral) site, so I'm still confused. Either it is a front or the site has been hacked and "video.exe" has been stored there.

Can anyone run video.exe on a secure machine to see what it does? I don't want to on mine.

Looking at trieu-exotics suggests that it is a legitimate aquarium products (live coral) site, so I'm still confused. Either it is a front or the site has been hacked and "video.exe" has been stored there.

The hacked scenario is the most likely. There are MANY MANY Linux and other web servers out there that have very weak root passwords on them. Hackers love to use these machines to host their own content, either on alternate ports, or files that aren't otherwise linked to the live website. The longer they can have their content on the server without discovery, the more victims they can catch.

Editing out the doubleclick part and resubmitting with only trieu-exotics gives the host as godaddy.com

I sure hope you did not send that second report as that is a direct violation of your agreement here and grounds for account termination.

although I would then question why they send multiple spams to the same address at the same time and in particular why they send to spamcop addresses (which is where I get almost all spam), since that would seem to invalidate the former supposed sophistication. However perhaps they are just different spammers.
One reason for seeing more spam on a spamcop account is that spamcop does not delete any e-mail. There are a lot of providers that simply delete known spam and only filter out what they consider to be questionable spam, making the amount of spam received by the end user much lower than it would be otherwise. As the number of compromised machines grows, so does the chance of receiving multiple copies of the "same" spam to an individual account.

One very important point to remember: It is only when the cost of sending spam (including the perceived enforceability of fines and/or other penalties) starts to exceed the financial return that the spam generates, that we will begin to see a true reduction in the amount of spam being sent.

I sure hope you did not send that second report as that is a direct violation of your agreement here and grounds for account termination.

Uhh. I don't think so, I was just curious as to where it was and why spamcop couldn't recognize it; but now that you mention this wouldn't godaddy want to know, assuming they don't like spam either?

One reason for seeing more spam on a spamcop account is that spamcop does not delete any e-mail. There are a lot of providers that simply delete known spam and only filter out what they consider to be questionable spam, making the amount of spam received by the end user much lower than it would be otherwise. As the number of compromised machines grows, so does the chance of receiving multiple copies of the "same" spam to an individual account.

Are you sure about that? I don't think any provider can delete any mail without the user asking for it, since no filter can be 100% accurate. I had that problem a while back when my provider's settings had somehow been set to filter spam without my knowledge. I was not receiving any "forward - do not whitelist sender" type of held mail, for example, and I was losing some legitimate mail. I eventually reset that to do not filter, since I rely on spamcop to do all my filtering, including my non spamcop address. The latter still receives much less spam since I am not as open with it.

If providers really wanted to stop spam they could filter it outgoing instead of incoming and request individual client confirmation of suspect messages, or at least identify them statistically, could they not?

One very important point to remember: It is only when the cost of sending spam (including the perceived enforceability of fines and/or other penalties) starts to exceed the financial return that the spam generates, that we will begin to see a true reduction in the amount of spam being sent.

I suspect that is only partly true, because spammers could still sell suckers lists or services, whether or not they make money for the suckers. There's one born every day, I hear.

I don't think any provider can delete any mail without the user asking for it, since no filter can be 100% accurate.
It may depend on where you live, but generally, the owner of the server makes the rules. Now, if they tighten the filters too much and lose too much valid email, ISPs are likely to lose customers and ultimately revenue.

There are a number of documented cases here in the forums where ISPs are dropping both incoming and outgoing email as policy without notification. Most of the time, first level support does not know (or possibly are instructed not to acknowledge) this is happening, but if you are persistent enough, the truth will come out. I don't know where you are located, but many of these are US based.

It may depend on where you live, but generally, the owner of the server makes the rules. Now, if they tighten the filters too much and lose too much valid email, ISPs are likely to lose customers and ultimately revenue.

There are a number of documented cases here in the forums where ISPs are dropping both incoming and outgoing email as policy without notification. Most of the time, first level support does not know (or possibly are instructed not to acknowledge) this is happening, but if you are persistent enough, the truth will come out. I don't know where you are located, but many of these are US based.

I'm in Florida and use Road Runner (Bright House), and it did happen to me, but as I said because a filter setting got set somehow, not because it was a blanket policy. However I do recall that it was hard to get that information out of them, as I had never looked into those options before.

Seems to me there would be a lot of legal liability there as much business is conducted by email. It's not just forum chat and family pleasantries, but I guess one has to pick one's service providers carefully, as in anything.

Seems to me there would be a lot of legal liability there as much business is conducted by email. It's not just forum chat and family pleasantries, but I guess one has to pick one's service providers carefully, as in anything.

There is no guarantee of delivery of ANY message sent by SMTP. Never has been, unlikely there ever will be. Guarantees would require a complete re-write of the rules that govern email transmission. People who rely on email for their living are likely to be disappointed some day.

And Road Runner is one of the ISPs known to block email per policy throughout their network. Please see http://forum.spamcop.net/forums/index.php?showtopic=2782

There is no guarantee of delivery of ANY message sent by SMTP. Never has been, unlikely there ever will be. Guarantees would require a complete re-write of the rules that govern email transmission. People who rely on email for their living are likely to be disappointed some day.

And Road Runner is one of the ISPs known to block email per policy throughout their network. Please see http://forum.spamcop.net/forums/index.php?showtopic=2782

OK, I too know the legal meanings of guarantee, but that is not the same thing as deliberate erasing.

As to RR, all I know is that when I found the secret passage to the "voluntary" filter and turned it off, I haven't noticed any problems, and that goes for the most obvious spam that I occasionally forward from my held mail rather than report directly, just because I am curious about it.

...And Road Runner is one of the ISPs known to block email per policy throughout their network. Please see http://forum.spamcop.net/forums/index.php?showtopic=2782
As a slightly O/T comment, that blocking is to one's advantage, on the day one's address is picked to be forged as the "from:" address on a billion spam. Because all the "delivery failed" notifications which include an attachment of the "failed mail", sent by the very many clueless admins out there, just bounce off, are never seen, leaving just the somewhat smaller number of "bare" notices to deal with. Since those don't include actual spam content they can be reported by batch email right through any outwards filtering there may be (ISPs almost always deny having those but SC reporters, at least, are immediately aware of them except in the rare case where a "hole" has been punched through for reporting to spamcop.net).

Of course it might be nice to have the option to "quick" report all those other (filtered) bounces - "full" reporting being out of the question due to volume - and maybe clue up the occasional clueless admin as a consequence. It may be that the option to "turn off" inwards filtering exists for many folk who are unaware that it's there (since the usual MO, when filtering was/is introduced, seems to be to do it by default). But I'm not sure if the daily limits still apply or, if they do, whether they apply to quick reporting - http://www.spamcop.net/fom-serve/cache/350.html

But forget about getting outwards filtering turned off AFAICT. Anyway, the time between being 'honored' to be the current spamrun's forged sender seems, to me, to be reducing so inwards blocking can be a significant 'blessing'. As those who lately get a thousand misdirected and unfiltered bounces a minute might agree.

Still O/T - I have turned off the filtering for all the accounts I have, but I still receive very little spam compared to the times when ISPs did /no/ filtering. I don't know very much about the mechanics of how email is filtered by ISPs but it seems to me that they probably drop any email from a known compromised machine and also use Bayesian filters or some other way of 'learning' because I received only two misdirected bounces on one account recently. Also sometimes there will be two or three days when a similar spam will appear and then it is not seen again.

I have one account that forwards to a hotmail account. That account didn't filter at all (and got lots of spam because it is published), but none of it ever reached the hotmail account. Now, that account has filter options. I have turned it off (because it caught a legitimate email that is essential) and have the spam directed to a special folder. I don't know if that keeps it from being forwarded, but still no spam ever appears in hotmail although that also has the spam filter turned off. Of course, it is not scientific, but I still think that I get less spam on the spammy account than I did before the ISP started offering spam filtering.

You can't ever tell whether people just didn't see an email - I find one every now and then that, on a busy day, I missed - or whether they never got it. Someone I have on a 'group' list is not getting the emails sent to the group, but did get an individual email - again sent to a hotmail account. We will have to see if things change - now that we are aware, she is going to mark me as a 'favorite' and a 'safe' sender.

The blocking is a 'blessing' because all those dummies who open and reply to spam never get them. However, at this point, it has not diminished spam, but just led spammers to multiply their efforts - that's why people get multiple editions of the same spam, IMHO.

And since a lot of spam is criminal in nature, the return is great enough for spammers to spend time evading filters. That's why 419 spam often comes through in spite of the filters, I have been told.

And I agree completely with the OP that the consumer needs to be careful about the email service that they use. If the consumer was aware of how filtering and blocking stops spam, then IMHO it would hasten the day when spamming indiscriminately would cease. The criminal element is going to be harder to stop since the returns are greater per caught phish and may always have to be filtered. 419 spammers used to use snail mail so cost is not going to be a deterrent.

Miss Betsy
