Another web redirect ruse


rconner
This one is new to me (maybe not to others): tracking URL

This is the usual network-marketing-guru BS. Spammer refers me to a URL at go2-url.com, which reports 404 status in the header, but which actually imports the spam pitch from some other website (hosted by our pals at theplanet.com) using a FRAMESET.

Clearly, go2-url is not playing by Hoyle. They are reporting that a resource is not found (404) when it manifestly was found. In fact, in other cases, I've even seen them use the 404 page to advertise how you can exploit 404 pages to stuff them with ads.

If this sort of thing catches on, you will no longer be able to trust 404s to mean that websites are offline.

-- rick

Link to comment
Share on other sites

Totally different results. No FRAME set at all, a whole slew of javascripts and a meta-Refresh command ....

<html>

<head><title>Sorry - Page not found at Royal-Health.Com</title>

<!-- Header Basic .txt - SSI -->

<scri_pt TYPE="text/java scri_pt" LANGUAGE="java scri_pt" src="h ttp://www.royal-<broken>health.com/right-off.js"></scri_pt>

<scri_pt TYPE="text/java scri_pt" LANGUAGE="java scri_pt" src="h ttp://www.royal-<broken>health.com/affil.js"></scri_pt>

<scri_pt TYPE="text/java scri_pt" LANGUAGE="java scri_pt" src="h ttp://www.royal-<broken>health.com/tab-basic.js"></scri_pt>

<meta http-equiv="refresh" content="3; URL=ht tp://www.royal-<broken>health.com">

spamvertised URL hosted at rackspace (at 209.61.173.98)

However, redirection to another (totally different) web-site hosted at ntt.net (at 198.170.244.223)

ht tp://www.treasure<broken>huntmarketing.com/main.html

Already have way too many windows opened up on three systems, so am not going to go any further ... will just agree, what a freaking mess ....

Link to comment
Share on other sites

Do you mean that they can exploit any 404 or just their own?
The latter, I think. Out of the can, Apache gives you a rudimentary 404 page that it will serve when people ask for non-existent data, but you can replace this with anything you like -- presumably even the content that was supposed to be "not found"

If you had (say) a spam investigation tool that checked on websites just by pulling their HTTP headers (and not inspecting the contents), you would be misled into believing that this one was offline when in fact it was not. This perverts the reason for the 404 code.

I think the guy I mentioned just got drunk on his "leet" webmastering skills and was offering to impart this valuable information to the waiting masses.

Totally different results. No FRAME set at all, a whole slew of javascripts and a meta-Refresh command ....

Was this from the same tracker URL, or from another spam?

-- rick

Link to comment
Share on other sites
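The header-only blind spot described in the post above, as an added example that is not part of the original thread: a checker that also parses the body of a 404 response for FRAMESET, script and meta-refresh targets. The function names, verdict labels and the example.test sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Collect markup that pulls in or navigates to other content."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, target) tuples in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("frame", "iframe", "script") and a.get("src"):
            self.findings.append((tag, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "3; URL=http://..."; keep only the target
            target = a.get("content", "").partition(";")[2].strip()
            if target.lower().startswith("url="):
                target = target[4:].strip(" '\"")
            if target:
                self.findings.append(("meta-refresh", target))

def inspect_response(status, body):
    """Return (verdict, findings) for an already-fetched status and body."""
    finder = ActiveContentFinder()
    finder.feed(body)
    finder.close()
    if status != 404:
        verdict = "other"
    elif finder.findings:
        verdict = "live-behind-404"  # the status says gone, the body says otherwise
    else:
        verdict = "not-found"
    return verdict, finder.findings

# Constructed sample bodies (hypothetical hosts under example.test).
FRAMESET_404 = ('<html><head><title>404 Not Found</title></head>'
                '<frameset rows="100%">'
                '<frame src="http://pitch.example.test/offer.html">'
                '</frameset></html>')
REFRESH_404 = ('<html><head><title>Sorry - Page not found</title>'
               '<script type="text/javascript" '
               'src="http://shop.example.test/affil.js"></script>'
               '<meta http-equiv="refresh" '
               'content="3; URL=http://shop.example.test/"></head></html>')
PLAIN_404 = ('<html><head><title>404 Not Found</title></head><body>'
             '<h1>Not Found</h1></body></html>')

if __name__ == "__main__":
    for name, body in [("frameset", FRAMESET_404), ("refresh", REFRESH_404),
                       ("plain", PLAIN_404)]:
        print(name, inspect_response(404, body))
```

A tool that records only the status line would log all three sample pages as offline; only the last one actually is.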

...If this sort of thing catches on, you will no longer be able to trust 404s to mean that websites are offline.
Frameset redirection and HTTP status are evidently two different things and would 'always' have been so, but yeah, I haven't heard of that being deliberately exploited before. And it does appear deliberate, given the breathless "P.S. I was told that this report is going to be taken offline really soon. So don't wait, go to the site now. It won't cost you anything, so do it now: ..." - the classic hurry up (don't think) or you're gunna miss out. Perfect for a malware drop, eh? (Sucker arrives, sadly regards 404, "Aww, it's gone already," meantime, behind the scenes ...)

I see framesets at that url - using GET from http://www.asymptoticdesign.com/aux/header-viewer.cgi

Link to comment
Share on other sites

And it does appear deliberate
Of that I have no doubt. I've been watching these guys for a couple of weeks now (my work address seems to be on their list), and the sites are invariably 404s, some of which are "really" 404s (with the ad about how to make 404s work for you), and others are using the <frameset> gag. What I haven't figured out is whether the hoster/redirector is directly in bed with the people at the redirected-to sites.

-- rick
