New wave of Blogspot spam
Did you also notice an increase in unwanted "Blogspot messages", either in your inbox or in your spam folder? These messages contain a link to http://<some_random_letters_and_numbers>.blogspot.com, but you end up on an entirely different page. Why? Let's analyse the page and find out.
These spam messages, which want the user to visit a crafted Blogspot page, contain a small but simple JavaScript trick. To see it, we either have to disable JavaScript in the browser, or download the page with a tool that fetches the raw HTML without executing any script, for example wget.
If you have the crafted Blogspot page's source open in your favourite text editor, search for <script language="javascript">. Inside this tag you will find a string like this:
document.write(unescape("<some_long_and_rather_human_unreadable_encoded_text>"));
Now we know what the spammers did to trick us into visiting a page which promises to grow your manhood and chest in no time:
- they first encoded the text (the inverse of unescape is the JavaScript escape function) to make it unreadable to the human eye and to simple spam filters,
- they have the browser decode it with the JavaScript unescape function,
- finally, they write the decoded text into the original HTML page using document.write.
But we still don't know why it redirects us to a totally different page. An easy way to find out is to use an HTML/JavaScript encoder/decoder; the first result for http://www.google.com/search?q=javascript+decoder should do. Follow the link and paste the obfuscated text into the right-hand box titled "Escaped Text/HTML/JavaScript". It decodes to this JavaScript code:
<script language="javascript">location.replace("http://spammers.website.example.com");</script>
This simply replaces the current Blogspot page (the one linked from the spam email) with the spammer's website given in location.replace. Because location.replace overwrites the current history entry instead of adding a new one, the Back button will not even return the victim to the Blogspot page.
Very simple, isn’t it?
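The decoding steps above, as an added example that is not part of the original post: a small Node.js script that finds document.write(unescape("...")) in the raw page source, decodes the payload without executing it (running the page's script is exactly what we want to avoid), and reports any redirect target the decoded code contains. The page source embedded in it is constructed for this example and uses the post's placeholder hostname spammers.website.example.com; the function names are my own.

```javascript
// Added example (not from the original post): statically decode the
// document.write(unescape("...")) trick without running any page script,
// then report where the decoded code redirects.
// SAMPLE_PAGE is constructed for this example; spammers.website.example.com
// is the placeholder hostname used in the post.
const SAMPLE_PAGE = [
  '<html><head><title>blog</title></head><body>',
  '<script language="javascript">document.write(unescape("%3Cscript%20language%3D%22javascript%22%3E' +
  'location.replace%28%22http%3A//spammers.website.example.com%22%29%3B%3C/script%3E"));</script>',
  '</body></html>',
].join('\n');

// Reimplementation of the legacy JavaScript unescape(): %XX and %uXXXX
// sequences become the character with that code; everything else is kept.
function decodeEscaped(text) {
  return text.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Pull out every string literal passed to document.write(unescape("...")).
function extractPayloads(html) {
  const re = /document\.write\s*\(\s*unescape\s*\(\s*(["'])([\s\S]*?)\1\s*\)\s*\)/g;
  const payloads = [];
  let m;
  while ((m = re.exec(html)) !== null) payloads.push(m[2]);
  return payloads;
}

// Decode the payloads; if the decoded text contains another layer of the
// same trick, decode that too (nested encoding is common), up to maxDepth.
function decodeLayers(html, maxDepth = 5) {
  const layers = [];
  let current = html;
  for (let depth = 0; depth < maxDepth; depth++) {
    const payloads = extractPayloads(current);
    if (payloads.length === 0) break;
    current = payloads.map(decodeEscaped).join('\n');
    layers.push(current);
  }
  return layers;
}

// Redirect idioms worth flagging in decoded code: location.replace("..."),
// assignments to (window.|document.)location(.href), and meta refresh.
const REDIRECT_PATTERNS = [
  /location\.replace\s*\(\s*["']([^"']+)["']\s*\)/g,
  /(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/g,
  /<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*url\s*=\s*["']?([^"'>\s]+)/gi,
];

function findRedirects(code) {
  const targets = [];
  for (const pattern of REDIRECT_PATTERNS) {
    pattern.lastIndex = 0;
    let m;
    while ((m = pattern.exec(code)) !== null) targets.push(m[1]);
  }
  return targets;
}

// Returns every decoded layer plus all redirect targets found in them.
function analysePage(html) {
  const layers = decodeLayers(html);
  const redirects = layers.flatMap(findRedirects);
  return { layers, redirects };
}

const result = analysePage(SAMPLE_PAGE);
console.log('decoded:', result.layers[0]);
console.log('redirects to:', result.redirects);
```

Run it with node after saving the raw page source (e.g. the wget output) in place of SAMPLE_PAGE. The redirect check is a regex heuristic: it will miss targets assembled by string concatenation or passed through eval, so treat a hit as a reason to look closer, and an empty result as inconclusive rather than clean.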
Unfortunately, Blogspot doesn't seem to care, or is unable to do anything about it, which might amount to the same thing.
Adam Random:
These emails have been turning up for quite a few months now and, for me, did originally include many Geocities-hosted pages.
When the spams first turned up they also used a different method of redirecting you to another page. I can no longer remember what they did, but it was not obfuscated and I guess that the blogspot staff did a good job of blocking it because once a few thousand blogs were reported, the spam stopped for a good 10 days.
Once the spam started again, I had lost my Geocities spammer but the Blogspot one was going strong. The URLs had an interesting property this time. The same URL was never sent to more than one email address and, as a result, there was speculation that they might be using unique URLs to detect spamtraps and normal humans reporting them to the URIBL. A massive data mining exercise. It certainly seemed to hold true for me, as any time I reported 50 or so URIs, I stopped getting Blogspot spam for a number of days and also had a marked reduction in all other spam too.
By watching what other people were submitting, I could tell that during the times I was getting no blogspot spam, lots of other people were still getting them. http://rss.uribl.com/hosters/ shows all the submitted and active free hosters in the last 5 days.
This last batch of Blogspot spam seems to have lost its uniqueness. Any Blogspot URL I get nowadays is listed on the URIBL within minutes by others, and I'm getting hundreds of them every day. It either debunks the idea they were spamtrap hunting, or proves that the spammers just don't give a hoot. An email getting through to anyone (or in my case, anything, as it all gets processed by programs) is fine with them.
Anyway, I have been investigating using the "Flag as inappropriate" feature on the loaded blog to notify Blogspot staff of the spam blog. Loading the Blogspot page will give you the "blogid" in a meta tag at the top of the page - EditURI. Also included up there is the "me" meta info, which is a link to the blogger/spammer's blog account, which can tell you which month and year they signed up (if it's the same month, you can assume pretty safely they are a spamming prick).
13 April 2008, 4:34 am
Once that info has been pulled out, you can use the ID to create a URI to flag the blog as inappropriate, and the blog will be reviewed by a human. The general hope here would be to poke them into action to fix their abuse problem.
e.g. ptfi3t9hf1ppmp.blogspot.com, the id is 4637393089326112718. The page contains the stupid unescape location rewrite code, so build the following URI, stolen from the navbar frame, and load it. That should flag it for review:
http://www.blogger.com/flag-blog.g?nav=1&toFlag=4637393089326112718