spam of the week #2
This item appears to be a classic click-through scam spam.
The hapless user gets some mail, thinks “yay, free mac!”, and after clicking on anything in the mail their web browser is launched and is redirected all over the place. Presumably each of the redirects represents a false click on some advertising or something somewhere which brings in revenue for the spammer.
[Image 1: the initial spam.]
[Image 2: the page seen after the initial couple of redirects.]
[Image 3: the final webpage that is displayed.] Kinda ironic don’t you think?
As an exercise I traced all of the redirects and meta refreshes in order.
1. After clicking on the spam, the following URL is requested by the user's browser:
```
http://r.rockysoils.com/c/34458/18377/82890422.html?/
email@example.com
```
Which results in the first 302 redirect:
```
HTTP/1.1 302 Moved Temporarily
```
2. That redirect:
```
http://publishers.clickbooth.com/ez/bkdgyfnggey/
&firstname.lastname@example.org
```
Results in another:
```
HTTP/1.1 301 Moved Permanently
```
3. That redirect:
Brings up the page shown in the second image above, and contains a meta refresh command:
4. The meta refresh request:
Brings up another web page which sets 2 cookies and then triggers another meta refresh:
5. This meta refresh request:
Results in a 302 redirect:
```
HTTP/1.1 302 Found
Location: http://offers.gratisnetwork.com/rotator/CD114/18
```
6. That redirect: `http://offers.gratisnetwork.com/rotator/CD114/18` results in another 302 redirect, and sets four more cookies
7. `http://offers.gratisnetwork.com/sw/1510/CD114/&p=18` sets 2 more cookies, and contains another meta refresh
8. `http://ab.vcmedia.com/c/s=64718/c=107930/` returns another 302 redirect
9. `http://a.websponsors.com/c/s=64718/c=107930/` returns another 302 redirect
10. Which finally gets us to the last page: `http://ShoppersSavingCenter.biz/?config=2073&src=WC-64718aaa:107930` which is shown in image number 3
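
The same kind of trace can be repeated offline from saved responses. The following is an added example, not code from the original post: it classifies each hop as an HTTP redirect, a meta refresh or the final page, and counts the cookies each response sets. The hosts and responses in `CAPTURE` are constructed placeholders, and the function names are made up for this illustration.

```python
import re
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urljoin

class MetaRefresh(HTMLParser):
    """Records the target URL of the first <meta http-equiv="refresh"> tag."""
    target = None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh" and not self.target:
            m = re.search(r"url\s*=\s*['\"]?([^'\">\s]+)", a.get("content", ""), re.I)
            self.target = m.group(1) if m else None

def next_hop(url, raw):
    """Classify one raw HTTP response as (kind, next_url, cookies_set)."""
    head, _, body = raw.partition("\n\n")
    status = int(raw.split()[1])  # second token of the status line
    headers = Parser().parsestr(head.partition("\n")[2], headersonly=True)
    cookies = len(headers.get_all("Set-Cookie", []))
    if 300 <= status < 400 and headers["Location"]:
        return str(status), urljoin(url, headers["Location"]), cookies
    parser = MetaRefresh()
    parser.feed(body)
    if parser.target:  # relative refresh targets resolve against the current URL
        return "meta-refresh", urljoin(url, parser.target), cookies
    return "final", None, cookies

def trace(start, capture):
    """Follow a recorded capture (url -> raw response) hop by hop, offline."""
    hops, url, seen = [], start, set()
    while url in capture and url not in seen:  # stop on loops or missing hops
        seen.add(url)
        kind, nxt, cookies = next_hop(url, capture[url])
        hops.append((url, kind, cookies))
        url = nxt
    return hops

# Constructed capture on placeholder hosts; not the responses from the post.
CAPTURE = {
    "http://a.example.test/c/1.html":
        "HTTP/1.1 302 Moved Temporarily\nLocation: http://b.example.test/ez/\n\n",
    "http://b.example.test/ez/":
        "HTTP/1.1 200 OK\nSet-Cookie: x=1\nSet-Cookie: y=2\n\n"
        '<meta http-equiv="Refresh" content="0; URL=/rotator/18">',
    "http://b.example.test/rotator/18":
        "HTTP/1.1 301 Moved Permanently\nLocation: http://c.example.test/?src=1\n\n",
    "http://c.example.test/?src=1": "HTTP/1.1 200 OK\n\n<html>offer page</html>",
}
```

Calling `trace("http://a.example.test/c/1.html", CAPTURE)` returns one `(url, kind, cookies_set)` tuple per hop, in the order the browser would have requested them.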