spam of the week #2

Published on 6/4/2007 in Spam of the Week. 0 Comments

This item appears to be a classic click-through scam spam.

The hapless user gets some mail, thinks “yay, free mac!”, and after clicking on anything in the mail their web browser is launched and is redirected all over the place. Presumably each of the redirects represents a false click on some advertising or something somewhere which brings in revenue for the spammer.


Highslide JS
Click to enlarge the initial spam.


Highslide JS
Click to enlarge the page seen after the initial couple of redirects.


Highslide JS
Click to enlarge the final webpage that is displayed. Kinda ironic don’t you think?

As an exercise I traced all of the redirects and meta refreshes in order.

  1. After clicking on the spam, the following URL is requested by the users browser:
    http://r.rockysoils.com/c/34458/18377/82890422.html?/
    dummy@email.address
    Which results in the first 302 redirect:
    HTTP/1.1 302 Moved Temporarily
    Location: http://publishers.clickbooth.com/ez/bkdgyfnggey/
    &dp=1537637&/dummy@email.address
  2. That redirect:
    http://publishers.clickbooth.com/ez/bkdgyfnggey/
    &dp=1537637&/dummy@email.address
    Results in another:
    HTTP/1.1 301 Moved Permanently
    Location: http://publishers.clickbooth.com/geo_tracking_redirect.html?e=dowymcrbxx
  3. That redirect:
    http://publishers.clickbooth.com/geo_tracking_redirect.html?e=clqnspiekk
    Brings up the page shown in the second image above, and contains a meta refresh command:
  4. The meta refresh request:
    http://publishers.clickbooth.com/sw/12072/CD8940/
    Brings up another web page which sets 2 cookie and then triggers another meta refresh:
  5. This meta refresh request:
    http://www.freepay.com/intl.aspx?x=5284
    Results in a 302 redirect:
    HTTP/1.1 302 Found
    Location: http://offers.gratisnetwork.com/rotator/CD114/18
  6. That redirect:
    http://offers.gratisnetwork.com/rotator/CD114/18
    results in another 302 redirect, and sets four more cookies
  7. http://offers.gratisnetwork.com/sw/1510/CD114/&p=18
    Sets 2 more cookies, and contains another meta refresh
  8. http://ab.vcmedia.com/c/s=64718/c=107930/
    returns another 302 redirect
  9. http://a.websponsors.com/c/s=64718/c=107930/
    returns another 302 redirect
  10. Which finally gets us to the last page:
    http://ShoppersSavingCenter.biz/?config=2073&src=WC-64718aaa:107930
    which is shown in image number 3

0 Responses to “spam of the week #2”

Feed for this Entry Trackback Address
  • No Comments

Leave a Reply