Thursday, January 10, 2008

An Interesting Spam Technique

Hi Folks,
today I wanna point out an interesting technique used from spammers. Actually, I'm not newbie in Spam but this specific methodology I've never seen before. Of course, the most interesting question for a spammer is : " Is it possible to bypass a spam filter ?". This methodology is able to do that using a trusted mirror. Nowadays google is one of the best search engine in the NET and lots of people use it, for this reason it's pretty difficult close any "google link". Here we go ! Spammer may use google as a mirror exploiting spam filters.

Also in my email box:



The URL doesn't link directly the malicious site, it seems a regular google search string. A very restrictive one; in fact:

http://www.google.co.uk///search?hl=en&q=inurl%3Athereseason.com+V6J+5C6&btnI=745

means:
"search all sites that have in the url the words: thereseason.com, V6J and 5C6, then open it !". The parameter btnI is the result of "I'm Feeling Luky" in google research. If you try to execute this link you'll open the Canadia Pharmacy:



It's still interesting analyzing the URL, let me try to search on google the following string:

http://www.google.co.uk///search?hl=en&q=inurl%3Athereseason.com+V6J+5C6

Without the btnI parameter. And... It's true !! No many sites, only one.



According to F-Secure, there are lots of this spam going around, with different discount percentage and different senders.



Just one endnote ....
To me, It's pretty easy guessing and/or building an unique search string with google advanced features like this one. How can spam filters prevent that ? Is It possible to deny all the google's "I'm feeling luky" search strings ? It seems a new and good challenge for Anti-Spammers .

2 comments:

Amir said...

another interesting technique is to use search engines and lgitimate sites with high reputation for spam attacks.

We have found severl attacks of spammers that used google search results or even flickr images to fool regular anti-spam engines.

Marco Ramilli said...

Thank you Amir, that's is very interesting !