More Google redirection


rconner

Pharma spammer is using a Google search URL to cloak his website (tracking link). What makes this particular effort novel (to me, at any rate) is the fact that it is a "inurl:" search. It would be hard to "hijack" or suppress this search as can be done with the "I'm Feeling Lucky" URLs we've lately seen, since the "inurl" search binds it pretty tightly to the specific domain given in the search string.

As of this evening, the spam domain (greatcanadianpharm.com) seems to be NXDOMAIN, but of course this could be merely a transient DNS problem.

I'm pondering what sort of report could be made to Google for something like this, and what they could or would do about it.

-- rick

...It would be hard to "hijack" or suppress this search as can be done with the "I'm Feeling Lucky" URLs we've lately seen, since the "inurl" search binds it pretty tightly to the specific domain given in the search string. ...
Obvious in retrospect - I suppose we can look forward to a rash of these.
...As of this evening, the spam domain (greatcanadianpharm.com) seems to be NXDOMAIN, but of course this could be merely a transient DNS problem. ...
Just another botnet thing - seems to turn over faster than many. I'm sure the average browser would struggle through most times.

H:\>nslookup
...
> greatcanadianpharm.com
...
Name: greatcanadianpharm.com
Addresses: 222.238.99.40, 59.186.108.204, 61.105.185.90, 62.143.224.172
76.248.113.196, 76.254.142.142, 121.133.39.144, 121.160.40.122, 125.215.76.194
125.231.239.170, 125.232.133.30, 207.119.6.101, 210.106.5.101, 211.168.219.196
218.236.53.4
> greatcanadianpharm.com
...
Non-authoritative answer:
Name: greatcanadianpharm.com
Addresses: 59.186.108.204, 61.105.185.90, 62.143.224.172, 76.248.113.196
76.254.142.142, 121.133.39.144, 121.160.40.122, 125.215.76.194, 125.231.239.170
125.232.133.30, 207.119.6.101, 210.106.5.101, 211.168.219.196, 218.236.53.4
222.238.99.40
> greatcanadianpharm.com
...
Non-authoritative answer:
Name: greatcanadianpharm.com
Addresses: 61.105.185.90, 62.143.224.172, 76.248.113.196, 76.254.142.142
121.133.39.144, 121.160.40.122, 125.215.76.194, 125.231.239.170, 125.232.133.30
207.119.6.101, 210.106.5.101, 211.168.219.196, 218.236.53.4, 222.238.99.40
59.186.108.204
> greatcanadianpharm.com
...
Non-authoritative answer:
Name: greatcanadianpharm.com
Addresses: 76.248.113.196, 76.254.142.142, 121.133.39.144, 121.160.40.122
125.215.76.194, 125.231.239.170, 125.232.133.30, 207.119.6.101, 210.106.5.101
211.168.219.196, 218.236.53.4, 222.238.99.40, 59.186.108.204, 61.105.185.90
62.143.224.172
> greatcanadianpharm.com
...
Non-authoritative answer:
Name: greatcanadianpharm.com
Addresses: 121.133.39.144, 121.160.40.122, 125.215.76.194, 125.231.239.170
125.232.133.30, 207.119.6.101, 210.106.5.101, 211.168.219.196, 218.236.53.4
222.238.99.40, 59.186.108.204, 61.105.185.90, 62.143.224.172, 76.248.113.196
76.254.142.142

...I'm pondering what sort of report could be made to Google for something like this, and what they could or would do about it. ...
Can only hope they get enough complaints for them to make an effort - they shouldn't be listing stuff on botnets anyway.
Not sure if you've mentioned this before, but .. did you also note their use of the 301 - Moved redirector for the Google('s logs) URL itself?

Browsing http://www.googlebot.com

Fetching http://www.googlebot.com/ ...
GET / HTTP/1.1
Host: www.googlebot.com

HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/

<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>

Not sure if you've mentioned this before, but .. did you also note their use of the 301 - Moved redirector for the Google('s logs) URL itself?

I noticed the unusual "googlebot" domain, but did not bother to curl it to get at the HTTP header. I simply loaded the URL with the button part trimmed off to see where it would take me.

Whois says that googlebot.com is owned by Google (not surprisingly, perhaps). It seems that this domain is used for Google's spiders. I assume that the 301 redirect is just Google's way of moving the curious away from their spidering machines and back to the search area where they belong. Would there be some reason, I wonder, why the spammer would publicize this particular URL rather than a plain old Google URL?

-- rick

Would there be some reason, I wonder, why the spammer would publicize this particular URL rather than a plain old Google URL?

Obfuscation in the access logs on Google's servers ..

BTW: Browser data provided by a Google bot reads like;

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Additional BTW: Google's cache of that Domain/page dates back to 3 Aug 2007.

Obfuscation in the access logs on Google's servers ..

<snip>

Additional BTW: Google's cache of that Domain/page dates back to 3 Aug 2007.

Second point first, it looks as though the spammer has been seeding this domain for awhile, I wonder whether it hasn't already appeared in a lot of other peoples' spam (or in my own spam that has been /dev/null'd by my ISP).

First point second -- I'm struggling a bit with this, maybe there is something I don't get:

  1. So, I click on the googlebot URL, and the query goes to www.googlebot.com and gets recorded in this host's httpd logs.
  2. Then, www.googlebot.com sends my browser a 301 redirect to www.google.com, with my query data attached.
  3. My browser dutifully loads www.google.com (with the query), which transaction is then recorded in www.google.com's httpd logs.

I tested this out with curl -i, and it seems to work in the way I describe. I infer from this that my query appears not once, but TWICE in Google's httpd logs. One of those appearances (the second) is exactly what Google would see if the spammer just gave me a www.google.com link to begin with (and left out the seemingly pointless redirection from www.googlebot.com). How do you figure this hides anything from Google?

-- rick

How do you figure this hides anything from Google?

Not really 'hiding' much. Just a lot of extrapolating on my part, based on the 'size' of the Google network, and the typical scenario of an overloaded staffer trying to work one of these issues ...

Trace googlebot.com (72.14.209.99) ...
72.14.209.99 RTT: 95ms TTL:242 (bf-in-f99.google.com ok)

Trace google.com (64.233.187.99) ...
64.233.187.99 RTT: 60ms TTL:242 (jc-in-f99.google.com ok)

User's click/browser query was handled by the 'bf' server. Assume something like an .htaccess file sitting there, which re-wrote the URL and then passed the HTTP request over to the "jc" server. Someone sends in a complaint, using the 'returned-to-the-browser" URL would generally send the staffer on a search of the "jc" server, where the 'original/actual' HTTP query wouldn't show up, as it never saw the 'original' HTTP request. Also noting that most browsers would then be passing on the 'referral' URL of the GoogleBot server, rather than anything that would in any way point back to the 'actual' source of the clickable link. The actual purpose of this simply defies my understanding, other than adding to the possible research efforts, possibly trying to evade some automatic scripting involved on Google's servers.

Much over-simplified, data above probably even geographically based, but ... an attempt at explaining my thoughts/words.

Also, pretending a bit that the googlebot Domain may be nothing more than a designation for those servers actually devoted to running and handling the bots themselves.

Let me add the caveat that I'm not having a great day, I could be hallucinating all this ....

...Second point first, it looks as though the spammer has been seeding this domain for awhile, I wonder whether it hasn't already appeared in a lot of other peoples' spam (or in my own spam that has been /dev/null'd by my ISP). ...
Maybe - first web.archive.org record is 15 June. Well, the only one but that's just the 6 month ± "x" lag in terms of there being no later. But Googling doesn't - so far - produce any spam hits.

Similar-sounding operation, Greatcanadianpharmacy.com operated until May 2005 and that domain is shown as expired both then and again in August 2007. The newcomer is, no doubt, hoping for some "goodwill" accruing from the previous operation (which was very professional-looking). The newcomer will, presumably, become something of a target for Complainterator.

...

Obvious in retrospect - I suppose we can look forward to a rash of these. ...

Ayup ... well the inurl qualifier anyway - http://www.spamcop.net/sc?id=z1594994928z9...fac32a1652f7bez

And Google have lost interest in hearing about it ("ISP does not wish to receive reports regarding ...") - not that it "works" with my setup anyway (maybe something in my largish "hosts" file is interfering, though Rick's example works just as the scum intended, maybe that has something to do with going through googlebot, dunno).

Not really 'hiding' much. Just a lot of extrapolating on my part, based on the 'size' of the Google network, and the typical scenario of an overloaded staffer trying to work one of these issues ...

You could be right, that the trick adds just enough noise to hide the spam activity. Of course, we've seen many spammer "tricks" that are not quite as clever as the spammer imagines them to be. Probably we should not assume that every such exploit is either carefully thought-out, or effective.

-- rick

  • 4 weeks later...

I find it interesting that spammer links, instead of being googlesearch or googlepages type links, have now started coming as addresses I've never/would never associate with google. Since SC doesn't report to google these spams, I do it for SC! :D:D:D:P:P:P

I use both abuse AT google.com and this google link

Here are some of the odd addresses coming in lately that all go directly to google.

h ttp://timeoffrequests.com/

ht tp://gmodules.com

ht tp://googlr.com/

All of these links have longer addresses like "search?hl=en&q=inurl:Enlargeupto4&btnI=" added to them

Moderator Edit: Based on post content, description, it seemed obvious that the links should not be left live ...especially when further described as being incomplete examples anyway ... URLs broken.
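The links described in this thread share one shape: a `q=inurl:...` term plus a `btnI` ("I'm Feeling Lucky") parameter, served from www.google.com or from some other host (www.googlebot.com, gmodules.com) that answers with a 301/302 to www.google.com and keeps the query string. The following is an added example, not code from the thread or from SpamCop, of how a mail filter could recognise that shape and pull out the `inurl:` pivot without fetching anything; the sample message body is constructed, and the host list is an assumption a defender would maintain locally.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Google's own search front end. Other hosts seen in this thread
# (www.googlebot.com, gmodules.com) redirect to www.google.com and keep the
# query string, so the Lucky/inurl pattern is checked on any host and a
# non-google.com host is reported separately as a redirector hop.
GOOGLE_SEARCH_HOSTS = {"google.com", "www.google.com"}  # assumed local list

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url):
    """Describe whether `url` looks like an I'm Feeling Lucky redirect that
    an inurl: term binds to a particular site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    query = params.get("q", [""])[0]
    # inurl:foo selects results whose URL contains "foo"; with btnI present
    # Google jumps straight to the first hit instead of showing a results page.
    inurl_terms = [t[len("inurl:"):] for t in query.split()
                   if t.lower().startswith("inurl:") and len(t) > len("inurl:")]
    feeling_lucky = "btnI" in params
    return {
        "host": host,
        "feeling_lucky": feeling_lucky,
        "inurl_terms": inurl_terms,
        "via_redirector": host not in GOOGLE_SEARCH_HOSTS,
        "suspicious": feeling_lucky and bool(inurl_terms),
    }


def suspicious_links(text):
    """Extract every URL in `text` and keep those flagged as Lucky/inurl redirects."""
    return [r for r in (classify_link(u) for u in URL_RE.findall(text))
            if r["suspicious"]]


# Constructed sample body (not from the thread). The first link carries the
# query string quoted above; the second is an ordinary search and is ignored.
SAMPLE_BODY = """Special offer inside!
http://www.googlebot.com/search?hl=en&q=inurl:Enlargeupto4&btnI=
See also http://www.google.com/search?hl=en&q=curl+follow+redirects
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_BODY):
        print(hit)
```

The `inurl_terms` value is the string to report or block; the link's own hostname only tells you which redirector the spammer chose this week.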

Here are some of the odd addresses coming in lately that all go directly to google.

I chose one, did a bit of analysis while somewhat lucid .... found my best guess at an existing Topic/Discussion that covered most of the same ground, merged this 'new' Topic into that Discussion ....

Fetching http://gmodules.com/ ...
GET / HTTP/1.1
Host: gmodules.com

HTTP/1.1 302 Found
Location: http://www.google.com/

<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>

OK, this could be done by anyone on any HTTP server ....

whois -h whois.markmonitor.com gmodules.com ...

Registrant:
Google Inc. (DOM-1441344)
1600 Amphitheatre Parkway
Mountain View CA 94043
US

Domain Name: gmodules.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com

Administrative Contact:
DNS Admin (NIC-1467103) Google Inc.
1600 Amphitheatre Parkway
Mountain View CA 94043
US
dns-admin[at]google.com

Sure looks like another Google-owned page that (based on what I think is being described) is a spammer use of the re-direct to 'the' www.google.com page.

PM sent to advise of this handling before I lose focus again ....

OK, so Google owns multiple domains... I seem to have missed the point here.

I found a list posted here: ht tp://www.pronetadvertising.com/articles/googles-growing-list-of-domains.html

(broken in case this is some kind of quest... seems to be a lot of interest in how many sites are owned by google out there.. search on the NIC of their registrar to find lots of these)

BTW, Not directly registered to Google...but does appear to be hosted on an IP owned by them, thus the report. This is listed in my earlier link.

http://www.networksolutions.com/whois/resu...offrequests.com

GET / HTTP/1.1
Host: www.googlebot.com

HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/

It occurs to me that there need be no reason why the domain named in the spam has to be a Google-owned domain. I can, for example, set up goofy-ass-domain.com and then put a directive in its httpd setup to shunt all traffic to Google, complete with query strings. I don't know what this would do for me, but then I ain't a spammer.

I have to start looking at these domains a bit more closely to see what DNS has to say about their addresses.

-- rick

Google spammer seems to have gone?

Or is it just me (could be washed).

Prior to google spammer vanishing I was reporting all to google via their web reporting site

http://www.google.com/contact/spamreport.html

Checking "Deceptive redirects " box

Google spammer seems to have gone?

Or is it just me (could be washed).

Prior to google spammer vanishing I was reporting all to google via their web reporting site

http://www.google.com/contact/spamreport.html

Checking "Deceptive redirects " box

Looks like google spammer is back. Only received one (trapped by SpamCop Email of course)

http://www.spamcop.net/sc?id=z1643958257z0...;action=display

Before it was more of a DOS attack about 20 a day, all getting caught and reported non-getting to inbox
