
Disguised URL using google



I have received a phishing spam which contains:

<a href="http://%61qn%63uu%09%6b%%2ED%41.%09%%52U/"'>http://www.google.se/url?q=http://go.msn.com/HML/5/2.asp?target=http://%61qn%63uu%09%6b%%2ED%41.%09%%52U/" target=_blank>http://www.hsbc.co.uk/brhiiqxnO0PKzaaszuvU1C61jmrQkofXTyPcThSyiC3R2cjVvx5m8k9ogg</a>

Now looking at that as a human I can tell that it's some sort of redirect to the URL:

http://%61qn%63uu%09%6b%%2ED%41.%09%%52U/

which itself is disguised using (badly) encoded characters.

Removing the two extra %s and the spaces, then using http://www.albionresearch.com/misc/urlencode.php to decode it, gives:

http://aqncuuk.da.ru

Visiting this URL redirects to:

http://kduryfks.mail15.com

which then oddly redirects to:

http://www.hsbc.co.uk/1/2/hsbc/about (I guess the phishing website was replaced by a redirect, unless the scam is that it snoops on your interactions with the real website?!)

Visiting the original long google.se URL in Internet Explorer does lead me on the above trail of redirects. Firefox falls victim to the malformed URL-encoded characters and complains that it cannot open "http://aqncuu%09k.da.%09ru"; correcting the URL to http://aqncuuk.da.ru does work in Firefox.

Now the problem comes when reporting to spamcop as I get:

Resolving link obfuscation

http://www.google.se/url?q=http://go.msn.c...ed%41.%09%%52u/

Percent unescape: http://www.google.se/url?q=http://go.msn.c...t=http://aqncuu

host www.google.se (checking ip) = 66.102.7.104

host 66.102.7.104 (getting name) no name

host www.google.se (checking ip) = 66.102.7.104

host 66.102.7.104 (getting name) no name

And this is bad because google.se won't want to be troubled by this report, especially as the Google-based URL is only a redirect and nothing to do with the scam.

And even worse because the scammer's website will go unreported!

Should I resubmit the spam but alter the URL to read http://aqncuuk.da.ru instead?

Might spamcop be able to deal with redirect URLs in the future? How does it 'resolve' such URLs?

Thanks,

Matt

P.S. While writing this email the http://aqncuuk.da.ru site has changed to a 404 page (http://pochta.ru/notfound.php) so I guess the site has been taken down already!

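The decoding Matt did by hand, as an added example that is not part of the original post and not SpamCop's parser: it peels the nested q=/target= parameters offline, repairs the doubled-percent and %09 tricks, and returns the host a report should actually name. The parameter list and the rule that browsers drop tab/CR/LF inside a URL are assumptions; the sample URL is the one quoted above.

```python
import re
from urllib.parse import urlsplit, unquote

# Query parameters the redirectors seen in this thread use to carry the next
# hop (google.se /url?q=, go.msn.com ?target=, google.it pagead ?adurl=).
# Assumed list; extend it as you meet other redirectors.
REDIRECT_PARAMS = ("q", "target", "adurl")

def repair_percent_encoding(value):
    """Undo the deliberately broken encoding in the spam: doubled percent
    signs ("%%2E") and %09 tabs stuffed into the host name."""
    value = re.sub(r"%+(?=[0-9A-Fa-f]{2})", "%", value)  # "%%2E" -> "%2E"
    value = unquote(value)                                # "%61" -> "a"
    # Browsers drop ASCII tab/CR/LF inside a URL (assumed), so "aqncuu\tk"
    # is really "aqncuuk"; spaces are left alone.
    return "".join(ch for ch in value if ch not in "\t\r\n")

def next_hop(url):
    """Return the redirect target carried in url's query string, or None.
    The raw query is split by hand: parse_qs would decode the malformed
    escapes before we get a chance to repair them."""
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        if name not in REDIRECT_PARAMS:
            continue
        target = repair_percent_encoding(raw)
        if target.lower().startswith(("http://", "https://")):
            return target
    return None

def unwrap_redirects(url, max_hops=10):
    """Peel the redirect chain offline (nothing is fetched) and return every
    hop, ending with the URL that carries no further redirect parameter."""
    chain = [url]
    while len(chain) <= max_hops:
        hop = next_hop(chain[-1])
        if hop is None:
            break
        chain.append(hop)
    return chain

def final_host(url):
    """The host a reporter actually wants to look up, lower-cased."""
    return urlsplit(unwrap_redirects(url)[-1]).hostname

# Constructed from the link quoted in the post above.
SPAM_URL = ("http://www.google.se/url?q=http://go.msn.com/HML/5/2.asp"
            "?target=http://%61qn%63uu%09%6b%%2ED%41.%09%%52U/")

if __name__ == "__main__":
    for hop in unwrap_redirects(SPAM_URL):
        print(hop)
    print("report this host:", final_host(SPAM_URL))
```

An "I'm Feeling Lucky" link (q= holding search terms rather than a URL) yields no hop, so it is left for manual handling as rick describes further down.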

[fleetsoft.co.uk, May 19 2005, 11:27 AM] <snip>

And this is bad because google.se won't want to be troubled by this report, especially as the Google-based URL is only a redirect and nothing to do with the scam.

<snip>


...If SpamCop offers to report the spam(vertized web site) to the Google abuse desk, you should uncheck the box before submitting the reports to avoid this.

  • 2 years later...
...If SpamCop offers to report the spam(vertized web site) to the Google abuse desk, you should uncheck the box before submitting the reports to avoid this.

I know this is a rather old article, but I would like to comment on it.

I agree, you should uncheck. But, I can see in the Report History, that many Spamcop users don't uncheck and that complaints to Google and Co. were sent.

I'd suggest parsing those spamvertized links. It should be easy to get the real URL. If this is not intended, deactivate those complaints to Google and Co.

But maybe Google and Co. could also do something to just not allow those redirects at all.


<snip>

I agree, you should uncheck. But, I can see in the Report History, that many Spamcop users don't uncheck and that complaints to Google and Co. were sent.

...Right, it's up to the SpamCop user.
I'd suggest parsing those spamvertized links. It should be easy to get the real URL.
...This is not SpamCop's mission. The main goal of the parser is to provide the reporting user with a way to determine the source of the spam and, if the reporting user chooses, report the spam to the abuse address for the server that's the source. Finding "spamvertized" links is gravy. It may seem easy to you but may be more difficult for the parser's programmer than the perceived benefit as viewed by the programmer. You can always send a manual complaint. You can even use the SpamCop parser to find the abuse address to which to complain -- just find the IP address of the offending server and type that into the text box at http://www.spamcop.net/ (after signing in).
If this is not intended, deactivate those complaints to Google and Co.
...Again, that's the reporting user's call.
But maybe Google and Co. could also do something to just not allow those redirects at all.
...That would be ideal! Do you have any stroke with Google? Maybe you can convince them....

Some users may be stupid, not read the page, leave all checked and just send complaints. This results in Google and Co. refusing to accept these kinds of Spamcop complaints.

In my opinion Spamcop should "protect" Google and Co. from stupid Spamcop users. Otherwise Google and Co. will refuse more and more Spamcop complaints.

I'd say if Spamcop's parser notices a redirect, it shall just not create a complaint, if Spamcop cannot extract the "true" URL for what reason ever.


I'd say if Spamcop's parser notices a redirect, it shall just not create a complaint, if Spamcop cannot extract the "true" URL for what reason ever.

SpamCop's parser does not detect redirects. Blindly following redirects can be dangerous and should never be automated.

Spamcop attempts to find links, then locates the IP address of those links, period.

If Google were a good net citizen, it would see the reports, understand the risk and abuse they are supporting, and disable the redirect feature. I feel they should be getting these reports for every time their redirect is used in a spam.


SpamCop's parser does not detect redirects. Blindly following redirects can be dangerous and should never be automated.

Spamcop attempts to find links, then locates the IP address of those links, period.

If Google were a good net citizen, it would see the reports, understand the risk and abuse they are supporting, and disable the redirect feature. I feel they should be getting these reports for every time their redirect is used in a spam.

I agree with that wholeheartedly. But you (or Spamcop) can neither control Google, nor the (stupid) users. The result is that (stupid) users will file complaints anyway addressed to Google and Co. (because Google is stupid too, not deactivating redirects) and Google and Co. will thus refuse to accept complaints.

This won't help anyone. Spamcop has the power to protect stupid users from filing (wrong) complaints to Google, and Google from refusing Spamcop complaints in future because of this.

It should be possible to not offer those redirected links for complaints. No?


It should be possible to not offer those redirected links for complaints. No?

It would be a whole lot easier for these Corporate re-directs to actually use some real programming logic behind them. Specifically, if the "referencing URL" was not actually 'developed' within / on / from a Corporate page, then it shouldn't be honored. (and yes, I am aware of other issues that this causes to folks with a firewall / proxy / whatever that sends no referrer data, but, that's the way things 'really' work) It's because I write my code pages that way that has me on the side of complaining, complaining, complaining about the obvious mis-use of what was supposed to be an "internal" tool.


<snip>

Spamcop has the power to protect stupid users from filing (wrong) complaints to Google, and Google from refusing Spamcop complaints in future because of this.

It should be possible to not offer those redirected links for complaints. No?

...That is almost certainly not going to happen -- the SpamCop programmers have their hands full with much more important things. The whole philosophy behind SpamCop reporting is that the SpamCop parser is a tool to help intelligent SpamCop reporting users to report spam. If a "stupid" SpamCop reporting user files a "(wrong) complaint to Google," Google can appeal to the SpamCop Deputies and, if the complaint is found to be a violation of SpamCop rules (see SpamCop FAQ entry labeled "On what type of email should I (not) use SpamCop?)", the Deputies may take action (see SpamCop FAQ entry labeled "What if I break the rule(s)?").

...That is almost certainly not going to happen -- the SpamCop programmers have their hands full with much more important things. The whole philosophy behind SpamCop reporting is that the SpamCop parser is a tool to help intelligent SpamCop reporting users to report spam. If a "stupid" SpamCop reporting user files a "(wrong) complaint to Google," Google can appeal to the SpamCop Deputies and, if the complaint is found to be a violation of SpamCop rules (see SpamCop FAQ entry labeled "On what type of email should I (not) use SpamCop?)", the Deputies may take action (see SpamCop FAQ entry labeled "What if I break the rule(s)?").

This is a social, not a technical problem. Google and others will likely not contact Spamcop about these users, since it's easier (and cheaper, to not have the abuse desk involved in a conversation about "stupid" Spamcop users) to just refuse Spamcop complaints instead.


This is a social, not a technical problem. Google and others will likely not contact Spamcop about these users, since it's easier (and cheaper, to not have the abuse desk involved in a conversation about "stupid" Spamcop users) to just refuse Spamcop complaints instead.
...That's their choice. If they (and their e-mail users) don't mind being permanently listed in the SpamCop BL, more power to them.

This is a social, not a technical problem. Google and others will likely not contact Spamcop about these users, since it's easier (and cheaper, to not have the abuse desk involved in a conversation about "stupid" Spamcop users) to just refuse Spamcop complaints instead.

Thusly leading to things like the monster Topic on GMail servers repeatedly finding their way onto the SpamCopDNSBL.


SpamCop's parser does not detect redirects. Blindly following redirects can be dangerous and should never be automated.

Spamcop attempts to find links, then locates the IP address of those links, period.

If Google were a good net citizen, it would see the reports, understand the risk and abuse they are supporting, and disable the redirect feature. I feel they should be getting these reports for every time their redirect is used in a spam.

I completely agree with this. Google should be ashamed of themselves for the service they are providing to spammers (auto-redirect while hiding their site's address from spam-reporting tools). I, personally, forward each and every one of these spam emails I get with google redirects to abuse[at]google.com.

So what if they refuse spamcop reports... that's not gonna stop me! :lol:


I completely agree with this. Google should be ashamed of themselves for the service they are providing to spammers (auto-redirect while hiding their site's address from spam-reporting tools). I, personally, forward each and every one of these spam emails I get with google redirects to abuse[at]google.com.

So what if they refuse spamcop reports... that's not gonna stop me! :lol:

I generally report sites that are redirecting to spammers via insecure redirect links. Years ago, Yahoo ran one of these, but was apparently persuaded to button it down so that I seldom see rd.yahoo.com URLs in spam anymore.

I file these with deliberation, and do not consider myself to be a "stupid SpamCop user." I could be naive here, but I like to think that these reputable companies want to know that their facilities are being abused. If they consider these reports to be an annoyance, well, then, I consider it an annoyance that they collaborate (however unknowingly) in spam.

There is one type of Google redirect not previously mentioned here that does deserve some forbearance: this is the case when the spammer links to his site by means of a Google "I'm Feeling Lucky" link. For example, you might see something vaguely like the following (I munged the link with spaces so that it will all show up):

http: //www.google.com/search? btnI=I%27m+Feeling+Lucky &q=fake+rolex+made+of+spam+can

The IFL link is like a normal Google query, only it takes you immediately to the top ranked hit for the query terms you enter (rather than giving you a page full of hits). If the spammer can cook up some query clauses that are calculated to make him the #1 hit, then he can use an IFL link to redirect you to his site. I suspect that this is not terribly easy to do, and although I was getting a lot of this a couple months back, it has since tailed off.

I am not sure what to do about IFL links; on one hand, perhaps Google needs to know about them, but on the other I'm not sure what they can do short of simply shutting down IFL. So, I usually follow the IFL link and just report the site to which it takes me, and I leave Google alone.

-- rick


It would be a whole lot easier for these Corporate re-directs to actually use some real programming logic behind them. Specifically, if the "referencing URL" was not actually 'developed' within / on / from a Corporate page, then it shouldn't be honored. (and yes, I am aware of other issues that this causes to folks with a firewall / proxy / whatever that sends no referrer data, but, that's the way things 'really' work) It's because I write my code pages that way that has me on the side of complaining, complaining, complaining about the obvious mis-use of what was supposed to be an "internal" tool.

I found that rd.yahoo.com, which I studied for a while, put up a "warning: not our content" page if the referrer was not from inside Yahoo. This may be a bit wimpy, but is at least better than simply blindly permitting the link (which is what they used to do).

I have an example here at my site, including an "outside" rd.yahoo.com link to try.

-- rick

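The referrer-gated behaviour proposed two posts up and observed on rd.yahoo.com in the post above, as an added example that is not Google's, Yahoo's or either poster's code: the blind redirect beside a gated version that only bounces straight through when the click came from the operator's own pages and otherwise serves a warning interstitial. OUR_HOSTS is a hypothetical host list; because the Referer header can be absent (proxies, privacy settings) or forged, the unknown case falls back to the warning page rather than the bare redirect.

```python
from urllib.parse import urlsplit

# Hypothetical operator hosts; a real redirector would list its own site(s).
OUR_HOSTS = {"portal.example", "www.portal.example"}

def open_redirect(target):
    """The weak form: whatever ?q= / ?target= carries is honoured blindly,
    which is what lets spam borrow a trusted domain's name."""
    return ("redirect", target)

def gated_redirect(target, referer=None):
    """Hardened form. Returns one of:
      ("reject", None)          target is not an absolute http(s) URL
      ("redirect", target)      target is our own site, or the Referer shows
                                the click came from one of our own pages
      ("interstitial", target)  anything else: serve a "warning: not our
                                content" page instead of bouncing straight on
    Referer is only a hint (proxies strip it, and it can be forged), so the
    default for the unknown case is the warning page, never the bare redirect."""
    t = urlsplit(target)
    if t.scheme not in ("http", "https") or not t.hostname:
        return ("reject", None)          # also catches "//host/" and "javascript:"
    if t.hostname in OUR_HOSTS:
        return ("redirect", target)      # internal link, nothing to gate
    ref_host = urlsplit(referer).hostname if referer else None
    if ref_host in OUR_HOSTS:
        return ("redirect", target)      # click originated on our own page
    return ("interstitial", target)      # e-mail, no Referer, or foreign page

if __name__ == "__main__":
    spam_target = "http://aqncuuk.da.ru/"   # final hop from the thread's example
    print(open_redirect(spam_target))
    print(gated_redirect(spam_target))                                   # no Referer
    print(gated_redirect(spam_target, "http://portal.example/search"))   # from our page
    print(gated_redirect("//aqncuuk.da.ru/", "http://portal.example/"))  # scheme-relative
```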

In order to give Google an idea of the magnitude of what they are doing, I would encourage everyone to forward all of their spams which have a google redirect to abuse[at]google.com. I'm sure if enough people do this, they'll disable the redirect feature soon enough.

I personally get at least 10 of these a day and am sick of it!


...That's their choice. If they (and their e-mail users) don't mind being permanently listed in the SpamCop BL, more power to them.

That's an oops. This discussion is about links to Spamvertising and these do not feed the SpanCop BL.

Adding some logic to the Google redirect seems the best path. Since Google warns of bad and dangerous sites in its search, this ought to be done anyway. Has someone tried constructing a redirect to a site they would normally warn their users about?


...That's their choice. If they (and their e-mail users) don't mind being permanently listed in the SpamCop BL, more power to them.
That's an oops. This discussion is about links to Spamvertizing and these do not feed the SpanCop [sic] BL.

<snip>

...Right you are -- oops! To rephrase: If they don't mind receiving e-mails from SpamCop about the spamvertizing, more power to them. :) <g>

  • 6 months later...

I too am getting frustrated when I see messages like:

"http://www.google.it/pagead/iclk?sa=l&ai=FzucIV&num=76574&adurl=http://gJiF.sugaronly.com has been appealed previously."

Google is in fact acting as a dishonest broker for the spammers, and not accepting its responsibilities. I am going to try and get Trading Standards and possibly the police involved, as Google is facilitating the illegal (and potentially dangerous) sale of prescription drugs, if not internet fraud. I recommend that other spamcop users try to do the same; it would carry more clout if several complaints were received.

Joe


I too am getting frustrated when I see messages like:

"http://www.google.it/pagead/iclk?sa=l&ai=FzucIV&num=76574&adurl=http://gJiF.sugaronly.com has been appealed previously."

Google is in fact acting as a dishonest broker for the spammers, and not accepting its responsibilities.

<snip>

...You may be interested in related SpamCop Forum discussion "Reporting Blogger/Blog*Spot (Google) abuse."

Well, I got no response from Google to an email pointing out the issues.

I contacted my Trading Standards Office who told me they are powerless to act on this, and they suggested I try and bring the attention of the media to it, which I am now attempting to do - if I'm lucky, it could be a big story given the problems with spam and the notoriety of Google.

I also worked in a plug for Spamcop, if the item gets published in full.

Joe


  • 3 weeks later...

These Google redirects are driving me nuts. I feel it is my duty to report anyone involved, and the ultimate destination of the redirect is certainly fair game. Spamcop NEEDS to let us *easily* report them as bad guys. I get a spam every 15 minutes now, so the imperative here is to make it easy on me.


... the imperative here is to make it easy on me.
Sympathy, but I think SC's imperatives are a little different (as an interested observer, merely). The model that works best with SC is to use the SCbl to filter your inwards mail so you can at least keep a fair amount of the stuff out of your intray, taking the pressure off you. Most people would be using a collection of filters to increase the catch rate. I used to report everything. It does become a bit obsessive. Fortunately (?) my ever-vigilant ISP now filters it all for me. Or if I turn their filters off they (typically) block my outgoing reports. Which forced me out of the rut.

I really don't think SC is going to change its priorities anytime soon.

