rconner Posted January 2, 2008 Share Posted January 2, 2008 Pharma spammer is using a Google search URL to cloak his website (tracking link). What makes this particular effort novel (to me, at any rate) is the fact that it is a "inurl:" search. It would be hard to "hijack" or suppress this search as can be done with the "I'm Feeling Lucky" URLs we've lately seen, since the "inurl" search binds it pretty tightly to the specific domain given in the search string. As of this evening, the spam domain (greatcanadianpharm.com) seems to be NXDOMAIN, but of course this could be merely a transient DNS problem. I'm pondering what sort sort of report could be made to Google for something like this, and what they could or would do about it. -- rick Link to comment Share on other sites More sharing options...
Farelf Posted January 3, 2008 Share Posted January 3, 2008 ...It would be hard to "hijack" or suppress this search as can be done with the "I'm Feeling Lucky" URLs we've lately seen, since the "inurl" search binds it pretty tightly to the specific domain given in the search string. ...Obvious in retrospect - I suppose we can look forward to a rash of these....As of this evening, the spam domain (greatcanadianpharm.com) seems to be NXDOMAIN, but of course this could be merely a transient DNS problem. ...Just another botnet thing - seems to turn over faster than many. I'm sure the average browser would struggle through most times. H:\>nslookup ... > greatcanadianpharm.com ... Name: greatcanadianpharm.com Addresses: 222.238.99.40, 59.186.108.204, 61.105.185.90, 62.143.224.172 76.248.113.196, 76.254.142.142, 121.133.39.144, 121.160.40.122, 125.215.76.194 125.231.239.170, 125.232.133.30, 207.119.6.101, 210.106.5.101, 211.168.219.196 218.236.53.4 > greatcanadianpharm.com ... Non-authoritative answer: Name: greatcanadianpharm.com Addresses: 59.186.108.204, 61.105.185.90, 62.143.224.172, 76.248.113.196 76.254.142.142, 121.133.39.144, 121.160.40.122, 125.215.76.194, 125.231.239.170 125.232.133.30, 207.119.6.101, 210.106.5.101, 211.168.219.196, 218.236.53.4 222.238.99.40 > greatcanadianpharm.com ... Non-authoritative answer: Name: greatcanadianpharm.com Addresses: 61.105.185.90, 62.143.224.172, 76.248.113.196, 76.254.142.142 121.133.39.144, 121.160.40.122, 125.215.76.194, 125.231.239.170, 125.232.133.30 207.119.6.101, 210.106.5.101, 211.168.219.196, 218.236.53.4, 222.238.99.40 59.186.108.204 > greatcanadianpharm.com ... Non-authoritative answer: Name: greatcanadianpharm.com Addresses: 76.248.113.196, 76.254.142.142, 121.133.39.144, 121.160.40.122 125.215.76.194, 125.231.239.170, 125.232.133.30, 207.119.6.101, 210.106.5.101 211.168.219.196, 218.236.53.4, 222.238.99.40, 59.186.108.204, 61.105.185.90 62.143.224.172 > greatcanadianpharm.com ... Non-authoritative answer: Name: greatcanadianpharm.com Addresses: 121.133.39.144, 121.160.40.122, 125.215.76.194, 125.231.239.170 125.232.133.30, 207.119.6.101, 210.106.5.101, 211.168.219.196, 218.236.53.4 222.238.99.40, 59.186.108.204, 61.105.185.90, 62.143.224.172, 76.248.113.196 76.254.142.142 ...I'm pondering what sort sort of report could be made to Google for something like this, and what they could or would do about it. ...Can only hope they get enough complaints for them to make an effort - they shouldn't be listing stuff on botnets anyway. Link to comment Share on other sites More sharing options...
Wazoo Posted January 3, 2008 Share Posted January 3, 2008 Mot sure if you've mentioned this before, but .. did you also note thier use of the 301 - Moved redirector for the Google('s logs) URL itself? Browsing http://www.googlebot.com Fetching http://www.googlebot.com/ ... GET / HTTP/1.1 Host: www.googlebot.com HTTP/1.1 301 Moved Permanently Location: http://www.google.com/ <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF="http://www.google.com/">here</A> Link to comment Share on other sites More sharing options...
rconner Posted January 3, 2008 Author Share Posted January 3, 2008 Mot sure if you've mentioned this before, but .. did you also note thier use of the 301 - Moved redirector for the Google('s logs) URL itself?I noticed the unusual "googlebot" domain, but did not bother to curl it to get at the HTTP header. I simply loaded the URL with the button part trimmed off to see where it would take me. Whois says that googlebot.com is owned by Google (not surprisingly, perhaps). It seems that this domain is used for Google's spiders. I assume that the 301 redirect is just Google's way of moving the curious away from their spidering machines and back to the search area where they belong. Would there be some reason, I wonder, why the spammer would publicize this particular URL rather than a plain old Google URL? -- rick Link to comment Share on other sites More sharing options...
Wazoo Posted January 3, 2008 Share Posted January 3, 2008 Would there be some reason, I wonder, why the spammer would publicize this particular URL rather than a plain old Google URL? Obfuscation in the access logs on Google's servers .. BTW: Browser data provided by a Google bot reads like; Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Additional BTW: Google's cache of that Domain/page dates back to 3 Aug 2007. Link to comment Share on other sites More sharing options...
rconner Posted January 3, 2008 Author Share Posted January 3, 2008 Obfuscation in the access logs on Google's servers .. <snip> Additional BTW: Google's cache of that Domain/page dates back to 3 Aug 2007. Second point first, it looks as though the spammer has been seeding this domain for awhile, I wonder whether it hasn't already appeared in a lot of other peoples' spam (or in my own spam that has been /dev/null'd by my ISP). First point second -- I'm struggling a bit with this, maybe there is something I don't get: So, I click on the googlebot URL, and the query goes to www.googlebot.com and gets recorded in this host's httpd logs. Then, www.googlebot.com sends my browser a 301 redirect to www.google.com, with my query data attached. My browser dutifully loads www.google.com (with the query), which transaction is then recorded in www.google.com's httpd logs. I tested this out with curl -i, and it seems to work in the way I describe. I infer from this that my query appears not once, but TWICE in Google's httpd logs. One of those appearances (the second) is exactly what Google would see if the spammer just gave me a www.google.com link to begin with (and left out the seemingly pointless redirection from www.googlebot.com). How do you figure this hides anything from Google? -- rick Link to comment Share on other sites More sharing options...
Wazoo Posted January 3, 2008 Share Posted January 3, 2008 How do you figure this hides anything from Google? Not really 'hiding' much. Just a lot of extrapolating on my part, based on the 'size' of the Google network, and the typical scenario of an overloaded staffer trying to work one of these issues ... Trace googlebot.com (72.14.209.99) ... 72.14.209.99 RTT: 95ms TTL:242 (bf-in-f99.google.com ok) Trace google.com (64.233.187.99) ... 64.233.187.99 RTT: 60ms TTL:242 (jc-in-f99.google.com ok) User's click/browser query was handled by the 'bf' server. Assume something like an .htaccess file sitting there, which re-wrote the URL and then passed the HTTP request over to the "jc" server. Someone sends in a complaint, using the 'returned-to-the-browser" URL would generally send the staffer on a search of the "jc" server, where the 'original/actual' HTTP query wouldn't show up, as it never saw the 'original' HTTP request. Also noting that most browsers would then be passing on the 'referral' URL of the GoogleBot server, rather than anything that would in any way point back to the 'actual' source of the clickable link. The actual purpose of this simply defies my understanding, other than adding to the possible research efforts, possibly trying to evade some automatic scripting involved on Google's servers. Much over-simplified, data above probably even geographically based, but ... an attempt at explaining my thoughts/words. Also, pretending a bit that the googlebot Domain may be nothing more than a desgnation for those servers actually devoted to running and handlig the bots themselves. Let me add the caveat that I'm not having a great day, I could be hallucinating all this .... Link to comment Share on other sites More sharing options...
Farelf Posted January 3, 2008 Share Posted January 3, 2008 ...Second point first, it looks as though the spammer has been seeding this domain for awhile, I wonder whether it hasn't already appeared in a lot of other peoples' spam (or in my own spam that has been /dev/null'd by my ISP). ...Maybe - first web.archive.org record is 15 June. Well, the only one but that's just the 6 month ± "x" lag in terms of there being no later. But Googling doesn't - so far - produce any spam hits. Similar-sounding operation, Greatcanadianpharmacy.com operated until May 2005 and that domain is shown as expired both then and again in August 2007. The newcomer is, no doubt, hoping for some "goodwill" accruing from the previous operation (which was very professional-looking). The newcomer will, presumably, become something of a target for Complainterator. Link to comment Share on other sites More sharing options...
Farelf Posted January 3, 2008 Share Posted January 3, 2008 ... Obvious in retrospect - I suppose we can look forward to a rash of these. ... Ayup ... well the inurl qualifier anyway - http://www.spamcop.net/sc?id=z1594994928z9...fac32a1652f7bez And Google have lost interest in hearing about it ISP does not wish to receive reports regarding ... - not that it "works" with my setup anyway (maybe something in my largish "hosts" file is interfering, though Rick's example works just as the scum intended, maybe that has something to do with going through googlebot, dunno). Link to comment Share on other sites More sharing options...
rconner Posted January 4, 2008 Author Share Posted January 4, 2008 Not really 'hiding' much. Just a lot of extrapolating on my part, based on the 'size' of the Google network, and the typical scenario of an overloaded staffer trying to work one of these issues ...You could be right, that the trick adds just enough noise to hide the spam activity. Of course, we've seen many spammer "tricks" that are not quite as clever as the spammer imagines them to be. Probably we should not assume that every such exploit is either carefully thought-out, or effective. -- rick Link to comment Share on other sites More sharing options...
emanmb Posted January 29, 2008 Share Posted January 29, 2008 I find it interesting that spammer links, instead of being googlesearch or googlepages type links, have now become started coming as addresses I've never/would never associate with google. Since SC doesn't report to google these spams, I do it for SC! I use both abuse AT google.com and this google link Here are some of the odd addresses coming in lately that all go directly to google. h ttp://timeoffrequests.com/ ht tp://gmodules.com ht tp://googlr.com/ All of these links have longer addresses like "search?hl=en&q=inurl:Enlargeupto4&btnI=" added to them Moderator Edit: Based on post content, description, it seemed obvious that the links should not be left live ...especially when further described as being incomplete examples anyway ... URLs broken. Link to comment Share on other sites More sharing options...
Wazoo Posted January 29, 2008 Share Posted January 29, 2008 Here are some of the odd addresses coming in lately that all go directly to google. I chose one, did a bit of analysis while somewhat lucid .... found my best guess at an existing Topic/Discussion that covered most of the same ground, merged this 'new' Topic into that Discussion .... Fetching http://gmodules.com/ ... GET / HTTP/1.1 Host: gmodules.com HTTP/1.1 302 Found Location: http://www.google.com/ <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.com/">here</A> OK, this could be done by anyone on any HTTP server .... whois -h whois.markmonitor.com gmodules.com ... Registrant: Google Inc. (DOM-1441344) 1600 Amphitheatre Parkway Mountain View CA 94043 US Domain Name: gmodules.com Registrar Name: Markmonitor.com Registrar Whois: whois.markmonitor.com Registrar Homepage: http://www.markmonitor.com Administrative Contact: DNS Admin (NIC-1467103) Google Inc. 1600 Amphitheatre Parkway Mountain View CA 94043 US dns-admin[at]google.com Sure looks like another Google-Owned page that (based on what I think is being described) is spammer user of the re-direct to 'the' www.google,com page. PM sent to advise of this handling before I lose focus again .... Link to comment Share on other sites More sharing options...
emanmb Posted January 29, 2008 Share Posted January 29, 2008 ahh, lucidity! i tried those links myself and each time ended up at google. at any rate i just found it interesting. Link to comment Share on other sites More sharing options...
emanmb Posted January 29, 2008 Share Posted January 29, 2008 Thet just keep coming. No real point just that I was unaware of the many flavors of google. http://gewgol.com/ http://googlesyndication.com/ http://gppglr.com/ Link to comment Share on other sites More sharing options...
StevenUnderwood Posted January 30, 2008 Share Posted January 30, 2008 1 more! http://gewgol.com/ OK, so Google owns multiple domains... I seem to have missed the point here. I found a list posted here: ht tp://www.pronetadvertising.com/articles/googles-growing-list-of-domains.html (broken in case this is some kind of quest... seems to be a lot of interest in how many sites are owned by google out there.. search on the NIC of their registrar to find lots of these) BTW, Not directly registered to Google...but does appear to be hosted on an IP owned by them, thus the report. This is listed in my earlier link. http://www.networksolutions.com/whois/resu...offrequests.com Link to comment Share on other sites More sharing options...
rconner Posted January 30, 2008 Author Share Posted January 30, 2008 GET / HTTP/1.1 Host: www.googlebot.com HTTP/1.1 301 Moved Permanently Location: http://www.google.com/ It occurs to me that there need be no reason why the domain named in the spam has to be a Google-owned domain. I can, for example, set up goofy-ass-domain.com and then put a directive in its httpd setup to shunt all traffic to Google, complete with query strings. I don't know what this would do for me, but then I ain't a spammer. I have to start looking at these domains a bit more closely to see what DNS has to say about their addresses. -- rick Link to comment Share on other sites More sharing options...
petzl Posted February 5, 2008 Share Posted February 5, 2008 Google spammer seems to of gone? Or is it just me (could be washed). Prior to google spammer vanishing I were reporting all to google via their web reporting site http://www.google.com/contact/spamreport.html Checking "Deceptive redirects " box Link to comment Share on other sites More sharing options...
petzl Posted February 7, 2008 Share Posted February 7, 2008 Google spammer seems to of gone? Or is it just me (could be washed). Prior to google spammer vanishing I were reporting all to google via their web reporting site http://www.google.com/contact/spamreport.html Checking "Deceptive redirects " box Looks like google spammer is back. Only recieved one (trapped by SpamCop Email of course) http://www.spamcop.net/sc?id=z1643958257z0...;action=display Before it was more of a DOS attack about 20 a day, all getting caught and reported non-getting to inbox Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.