Spammer got a part-time job: Blogging
Blog-spamming is not a new concept. The diagram below illustrates one particular schema which is quite popular with blog-spammers right now.
Note that from the above schema, blog-spammers generate revenue from multiple sources:
- When users do a search from Google and click on the link of the stuffed keyword page, they will get redirected to the “landing site” (via route B of above diagram). The landing sites generate revenue for blog spammers.
- The spammer is collecting user search patterns by logging the referrer. Such data could be sold within the SEO community (e.g. what combination of keywords would people most search for at Google?)
- If the spammer manages to optimize the page rank of certain pages, these could then be sold to other prospective customers (example keywords within pages include boston_terriers, movie_stars, bazooka, hoodies, human_heart, etc., in case people want to set up a website to sell things related to these).
Now what does this have to do with spammers? Let’s take a closer look at one example of a page that collects the Google search pattern (B3 in the diagram above). The deobfuscated URL within the JavaScript would be:
http://???????.net/tds/in.cgi?2&group=blog&ur=1&said=mydomain&seoref=<seoref>&parameter=$keyword&se=$se&HTTP_REFERER=<referrer>&default_keyword=&<keyword_used_to_generate_the_page>
For those interested, the link redirects the user to a porn site passing in a particular affiliate id.
Now we go to the root of the domain.

Does it look familiar from the images seen in your inbox?
So how successful is the scheme? Take one example of the data collection domain (courtesy of whois.domaintools.com):
Oh dear…
So what can we do to defend against these attacks? Currently none of these blog-spammers seems to be hosting malicious files on their websites. However, within SophosLabs we classify the relevant URLs so that they are blocked at our web appliance. Though it is very easy to spot one of these keyword-stuffed sites, reporting them to Google also helps Google to fight these spammers.
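As an added illustration of the URL classification mentioned above (not SophosLabs' classification logic and not code from the original post), the following Python example flags proxy-log entries whose URL matches the redirect quoted earlier and shows which search terms it passes on. The path and parameter names come from that URL; the log format, hostnames, match threshold and sample lines are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

TDS_PATH = "/tds/in.cgi"  # path and parameter names below are from the URL in the post
TRACKING_PARAMS = {"group", "said", "seoref", "http_referer", "default_keyword"}
MIN_MATCHES = 3  # assumption: threshold picked for this example
# Constructed proxy-log lines (time, client, method, URL, status); hosts are placeholders.
SAMPLE_LOG = [
    "2007-11-08T10:01:02 10.0.0.5 GET http://tds.example.net/tds/in.cgi?2&group=blog&ur=1&said=mydomain"
    "&seoref=blog.example.org&parameter=boston_terriers&se=google&default_keyword=boston_terriers"
    "&HTTP_REFERER=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dboston%2Bterriers 302",
    "2007-11-08T10:01:09 10.0.0.7 GET http://www.example.com/cgi-bin/in.cgi?group=blog 200",
    "2007-11-08T10:02:30 10.0.0.9 GET http://shop.example.com/tds/in.cgi?id=4 200",
]


def classify_url(url):
    """Return details if the URL matches the redirect pattern, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # Compare parameter names case-insensitively; keep bare tokens such as "2".
    params = {k.lower(): v[0] for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    matched = sorted(TRACKING_PARAMS & params.keys())
    if not parts.path.lower().endswith(TDS_PATH) or len(matched) < MIN_MATCHES:
        return None
    # Recover the search terms the redirect passes on via the logged referrer.
    ref_query = parse_qs(urlsplit(params.get("http_referer", "")).query)
    return {
        "host": parts.hostname,
        "matched_params": matched,
        "leaked_search": ref_query.get("q", [""])[0],
        "keyword": params.get("default_keyword", ""),
    }


def scan_log(lines):
    """Return (client_ip, details) for each log line whose URL is classified."""
    hits = []
    for line in lines:
        fields = line.split()
        details = classify_url(fields[3]) if len(fields) >= 5 else None
        if details:
            hits.append((fields[1], details))
    return hits


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Requiring both the path and several of the parameter names keeps unrelated `in.cgi` scripts, such as the second and third sample lines, from being flagged.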
Posted on November 8th, 2007 by Boris Lau, SophosLabs, UK