Paid Advertising
web application security lab

Archive for the 'spam' Category

Cross Site Printing

Tuesday, January 8th, 2008

Aaron Weaver has taken the concept of Inter protocol XSS hacking to the next annoying level. That’s right folks, he has figured out that you can do cross site printing. That is, when you visit a malicious website, it can attempt to connect to and send data to your printer on your local network. The obvious use? You got it, spam!

So now, when you visit sites, there is a potential for them to spam you, similar to the way some people receive FAX spam. While he has only gone so far as to show how you can send ASCII art, it would be interesting to see if a PostScript formatted file could be sent in a way that the printer would understand and print. For the time being, however, we are limited to low def ASCII art spam.

However, there are some fairly complicated programs that do analysis on and generate ASCII art from photos. What will be more nasty is once this turns into actual exploits against the printers themselves - as many printers contain copies of printed materials for weeks or years afterwards. Also, depending on what the spammers put on your printer, it’s possible this could get people fired, depending on the content of the print job (no pun intended). Very interesting research by Aaron Weaver!

Buy Diggs and Votes on StumbleUpon

Thursday, January 3rd, 2008

There’s an interesting site called Subvert and Profit where the owner claims to sell diggs and votes on stumbleupon for traffic generation. Selling at $1 per vote/digg the goal is to monetize that traffic through various marketing campaigns or traffic arbitraging. Pretty interesting business model, and at worst it’s against the ToS of the various companies - it’s probably not illegal in any way. Blackhat SEM at it’s finest. It’s really not much different than buying paid links on websites if you think about it.

Some of the testimonials on the Subvert and Profit blog are pretty telling, such as, “the mind-boggling barrage of traffic which comes next, is nothing less than euphoric”. I can definitely agree that the volume of traffic from digg and stumbleupon, as well as reddit dwarfs slashdotting in our experience. Traffic arbitrage is here to stay, as long as the margins stay there. Pretty interesting!

Google Spamming Us

Thursday, December 20th, 2007

You know, we get some really odd traffic. Some of it good, some of it not so much. Let’s take a look at some of Google’s traffic since it’s a slow day. If nothing else it’s good for a laugh. First let’s look at Google trying to hack us - XSS style: - - [26/Nov/2007:01:53:58 +0000] “GET /blog/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1″ 200 55053 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +”

Not too bad for a robot. How about some totally innane Apache directory structure stuff that couldn’t possibly work? - - [26/Nov/2007:00:46:03 +0000] “GET /bluehat-spring-2007/?C=S;O=A HTTP/1.1″ 200 3681 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +”

Someone needs to figure out how UTF-7 works: - - [26/Nov/2007:02:25:19 +0000] “GET /s.js+ACIAPgA8-/script+AD4-x HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +”

Oh don’t we love the Google spam? I really am disheartened that it’s this easy to con Google into spamming websites. As if I don’t get enough referrer spam, Google does one better. *sigh* - - [23/Nov/2007:19:11:23 +0000] “GET /weird/popup.html/Buy-NET.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +” - - [09/Dec/2007:07:21:51 +0000] “GET /weird/popup.html/Buy-COM.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +” - - [11/Dec/2007:05:24:19 +0000] “GET /weird/popup.html/Buy-MEUK.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +” - - [14/Dec/2007:17:48:58 +0000] “GET /weird/popup.html/Buy-INFO.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +”

Google has a lust for the goatse! Cannot get enough of it!!!!! Seriously, Google. I just don’t have Goatse on my machine. I promise! Granted, I 302 redirect all 404s to the homepage, instead of 301, so that’s my bad, but seriously - there is a reason I might want to do that and still not have goatse on my site. I don’t ever remember having it anyway. Time to give up the obsession, Google! - - [30/Nov/2007:01:04:10 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +” - - [07/Dec/2007:19:36:57 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +” - - [10/Dec/2007:20:17:00 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +” - - [19/Dec/2007:22:58:31 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +”

More spam anyone? Let’s see here… Google likes Viagra and goatse. I’m seeing a theme here! - - [26/Nov/2007:04:47:00 +0000] “GET /fierce/?ref=SaglikAlani.Com HTTP/1.1″ 304 - “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +”

And the trackbacks… oh Google, please figure out what a Trackback is and stop spidering it. I swear, no matter how many bazillion times you look at the trackback pages, you’re still not going to find anything useful there. I double cross my heart and swear to die. This is from Nov 18th-Dec 20th (just over one month):

$ grep error_log |grep -c wp-trackback

Think how much bandwidth Google uses that is just completely unnecessary. The countless and senseless bandwidth waste-age. I started using Google because it was light on my personal bandwidth - so much for that idea.

Another Fun SEO Blackhat Spam Tactic

Wednesday, September 19th, 2007

Searching through spam can be fun and annoying all at the same time. I found this beauty in my Wordpress moderation queue and thought it was worth a mention. Here’s a spam URL:

If you think about it, it’s a fairly ingenious tactic, using multiple sites to help your SEO. Firstly, they get me to link to a site (typically theirs, but in this case, it’s CNN, who is a trusted domain). Then CNN spits out the results (which would be there if Google hadn’t already nuked this site out of their index). The search engines follow their own results and give them link value. Very clever. No idea if it works or not, but it’s clever.

First Conviction of Can Spam Act

Friday, June 15th, 2007

There is an article on The Register about a phisher was was convicted of phishing AOL employees. You can go to the article to read the whole story. The part that I thought was amazing was not that he was phishing employees, or that he got caught, but that it was the first conviction under the Can Spam Act by a jury (there has been other convictions, but not by a jury).

Why CAN SPAM? Why now? CAN-SPAM defines SPAM as a “commercial electronic mail message” How is phishing a commercial electronic message? It may be fraud, but it’s certainly not commercial. To me it seems like a pretty worthless law, now moreso than ever. To me this law has always seemed like an easy out to explain why certain people are allowed to spam and why others aren’t without rhyme or reason. Yet have we seen a drop in spam? Do you feel comfortable putting your email address online without anti-spam filters in place to defend against the onslaught? I think not. Herein lies the failures of a useless law. This guy could have been convicted under a dozen other laws.

I felt the same way when I first read the law. One major problem with it is that it doesn’t deal with international spam. Instead of saying that anyone who spams is culpable and letting extradition treaties deal with the aftermath, CAN SPAM only applies to US citizens. How is that changing the problem? What if a US citizen is using offshore companies to do the deed for them? Clearly the CAN SPAM act needs a serious re-think in my opinion. Let’s either scrap it, or get a real law with some teeth. Perhaps one that holds ISPs financially responsible for hosting verified spam relays and hacked machines?

CAPTCHA Breaking Game

Wednesday, June 13th, 2007

As mentioned on Ronald’s blog and a rather suspicious digg entry linking to a referral code (indicating that the person who dugg this is somehow related to the site) there is a CAPTCHA breaking service located at decodetowin. The site claims to be running a sweepstakes and the only way to win is to “decode” the CAPTCHAs. Here is text from the site:

What is Decode to Win? Decode to Win is a contest website in which you decode graphical messages to increase your chance at winning a prize. You get one point for every message you decode. At the end of each week, we pick a random user from the top 15 point holders and send him/her a prize offering. In some cases, we will send prizes to more than one user.

No doubt, signing up adds your name to validated spam lists - they get you coming and they get you going. Interesting premise though. It appears that they are breaking Google CAPTCHAs by the looks of it, but it’s difficult to know for sure unless you are Google. One interesting thing I noticed as I was testing it is that the first one succeeds while the following tries always fail until you reload the flash file. It’s unclear why they do this, but my guess is that it is likely that people will try more than once, and it is unlikely that they will sign up. So it’s worth getting them to try three or more times to see if they simply typoed the second try. It’s out the folks, no one should doubt that CAPTCHAs definitely are being broken. Thanks to Ronald to pointing this one out.

Email Address Obfuscation Woes

Friday, May 25th, 2007

This will be a quicky post as it was more just something I laughed at when I saw it. I ran across an obfuscation inconsistency that made me laugh out loud. If you click on one of Security Focus’s posts you’ll see something like this:

Cold Fusion Scan
by icos (at) arez (dot) com [email concealed]

Then if you click on the threaded version of the same post you see this:

Cold Fusion Scan

Silly mistake that is happily leaking all the people’s email addresses who post to the mailing lists to spiders and robots. Wonder why you are getting so much spam? Hope they fix this, not that it makes much difference now. Time to retire that email address!

Splog Hubs

Wednesday, March 28th, 2007

The $100/month charge for the SEO Blackhat Forums is well worth it if you are either into getting ill gotten gains or into combating those gains. Every time I log in there I find out more interesting things that spammers and blackhat types are doing to make money. There’s a thread on there discussing splog hubs. For those of you who aren’t aware of what this is, let me enlighten you (picture ripped from said splogger):

On the right you have your unique content blogs, like mine or the dozens of other ones that you probably visit, with no malicious or spam content on them. In the middle is a spam hub. On that hub, the spammers pull all the content and aggregate it into a centralized hub. They use IP filtering so that the servers on the left can access it but no one else can. That way if for some reason the splogger visits his own spam hub, and sends a referrer (through an image by inadvertently clicking a link) the owner of the site cannot see their own content on the hub.

In this way they sploggers are scraping their own sites. This is so that when the owner of the site sees their content on the splogs on the right, even if they manage to take them down, they haven’t ruined the infrastructure that is used to scrape their content. Interesting. I have my own fun ways to combat this sort of things (along the lines of how I ruined the another splogger’s day. However, this is an interesting take (a splog by proxy) that I hadn’t heard of before in this way.

JavaScript Spam

Sunday, March 25th, 2007

Every once in a while I hear something that really gets my imagination going. A few weeks ago when Samy and I were having lunch, he told me about a way to sent email through a browser using a form and an automatic form submission using JavaScript. While not new (there is an old obscure paper about this dating back to 2001), it’s definitely not well known. Especially in the day and age where JavaScript is coming under more scrutiny because of it’s malicious power, this could prove to be a really nasty thing in spammer’s arsenal.

The only obstacle in a spammer’s way is knowing which mail servers will and won’t accept malformed information in this way (thus far it looks like sendmail works, but I haven’t had luck with exchange or qmail). Here’s some sample code:

document.write('<form name="B" target="A" method="post" action="http://'+server+':25/" enctype="multipart/form-data">');
document.write('<textarea name="C"></textarea></form>');
s = 'HELO test\n';
s += 'EHLO test\n';
s += 'MAIL FROM:<>\n';
s += 'RCPT TO:<>\n';
s += 'DATA\n';
s += 'From:\n';
s += 'To:\n';
s += 'Subject: heh!\n';
s += 'testing 123\n\n';
s += '.\n\nQUIT\n\n';

Combining XSS, and knowing the user who is visiting the page’s email address can actually create ultra targeted spam sent from that user. Why bother burning through your own IP space if you can get someone else to use theirs? Pretty ugly! Your mileage may vary in the calls themselves. I’d be interested to hear other people’s test results.

Tracking Back The Trackback Spam

Wednesday, March 21st, 2007

I got 290ish trackback spams last night, and that’s after quite a bit of anti-spam filters. For some reason spammers think I’ll approve their spam through excessive volume. Well, they couldn’t be more wrong. In fact, I’ve been thinking of interesting ways to detect them. For those of you who don’t run blogs, trackback spam is when robots pretend to be other blogs linking to my site. My site picks up the post requests from the robot, who tells it a few things, like the link to the site and a title and some sample text. Trackback spam is difficult to stop because it is doesn’t act like normal traffic (even when it’s working normally). So today I came up with a few semi-clever tactics to end the madness.

The first is the IP address. This is one thing the robot cannot fake. The robot normally must run from the webserver that the trackback is coming from. If it isn’t, that’s a huge signal that it’s a robot. So what if I connect to the same IP address on port 80 and look for a webserver? If I don’t see one, I can be 99% sure it’s fake traffic. The only way that wouldn’t be true is if the site just temporarily went down or the server is on another port. Either way, do I really care?

Next is the IP address of the link. The link itself should match the IP address. Why would a site be doing a trackback link for some other website? That makes no sense, and therefore again is 99% spam. The only way the spammers could get around this is to temporarily spoof the DNS entry to my server, but even still they’d have to be running a webserver on that IP address. In this way, you can quickly exhaust the number of sites they can spam from because they must run a webserver on it to get it to work (which they do in less than 1% of the cases I’ve looked at thus far). And even still they must also link to that same server. That greatly increases the work of a spammer to even get a link to show up in my moderation queue, and I can simply ban that IP address going forward, since I know it is truly the same IP as the spam site that I don’t care to see anyway.

It’ll be fun writing the software. They spammed the wrong guy 290 times!