Why so many redirects in a spam email URL?

1

A new spam message arrived today with a URL in it:

http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO

It redirects many times before it settles on the final page.

I'm wondering why? After all, I can follow the whole sequence of redirects, so they aren't hiding anything ... from me.

I followed the redirects using my own C program that does an HTTP GET, which I revised to mimic browsers' ability to look for tags in 302 redirect pages and follow them when the "Location:" header is missing (the case here).

If spam filters don't follow redirects, why does anyone pay for spam filtering?

Anyway, for this spam message, the resulting long series of redirects is amusing:

    bash-3.2$ ./get http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
    URL=http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
    IP resolved to 66.228.35.10
    DOMAIN: agreementpoint.cricket
    IPv4: 66.228.35.10
    REST OF URL: Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
    REQUEST: GET /Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO HTTP/1.1
    Host: agreementpoint.cricket
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: identity
    Referer: agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
    Connection: close

    REQUEST LENGTH 333, ACTUALLY SENT 333
    GOT CHUNK 536 BYTES
    TOTAL BYTES RECEIVED: 536
    RECEIVED:
    ___________________________________________
    HTTP/1.1 302 Found
    Date: Mon, 13 Feb 2017 17:03:46 GMT
    Server: Apache/2.2.15 (CentOS)
    Location: i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
    Content-Length: 310
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO">here</a>.</p>
    <hr>
    <address>Apache/2.2.15 (CentOS) Server at agreementpoint.cricket Port 80</address>
    </body></html>

    RESPONSE CODE: 302
    URL=http://agreementpoint.cricket/i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
    IP resolved to 66.228.35.10
    DOMAIN: agreementpoint.cricket
    IPv4: 66.228.35.10
    REST OF URL: i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
    REQUEST: GET /i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO HTTP/1.1
    Host: agreementpoint.cricket
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: identity
    Referer: agreementpoint.cricket/i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
    Connection: close

    REQUEST LENGTH 345, ACTUALLY SENT 345
    GOT CHUNK 310 BYTES
    TOTAL BYTES RECEIVED: 310
    RECEIVED:
    ___________________________________________
    HTTP/1.1 302 Found
    Date: Mon, 13 Feb 2017 17:03:46 GMT
    Server: Apache/2.2.15 (CentOS)
    X-Powered-By: PHP/5.4.45
    Location: http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8


    RESPONSE CODE: 302
    URL=http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
    DOMAIN: 74.208.164.141
    IPv4: 74.208.164.141
    REST OF URL: r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
    REQUEST: GET /r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv HTTP/1.1
    Host: 74.208.164.141
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: identity
    Referer: 74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
    Connection: close

    REQUEST LENGTH 415, ACTUALLY SENT 415
    GOT CHUNK 316 BYTES
    TOTAL BYTES RECEIVED: 316
    RECEIVED:
    ___________________________________________
    HTTP/1.1 302 Found
    Date: Mon, 13 Feb 2017 17:03:46 GMT
    Server: Apache/2.2.15 (CentOS)
    X-Powered-By: PHP/5.4.42
    Location: http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8


    RESPONSE CODE: 302
    URL=http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
    IP resolved to 64.71.235.16
    DOMAIN: www.lnksecure26.com
    IPv4: 64.71.235.16
    REST OF URL: rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
    REQUEST: GET /rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3= HTTP/1.1
    Host: www.lnksecure26.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: identity
    Referer: www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
    Connection: close

    REQUEST LENGTH 427, ACTUALLY SENT 427
    GOT CHUNK 376 BYTES
    TOTAL BYTES RECEIVED: 376
    RECEIVED:
    ___________________________________________
    HTTP/1.1 302 Found
    Date: Mon, 13 Feb 2017 17:03:47 GMT
    Server: Apache
    Set-Cookie: uid9500=1362582916-20170213090347-00e5225facfe7f80be971e74e6be97f3-; path=/; domain=lnksecure26.com
    Location: http://bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8


    RESPONSE CODE: 302
    URL=http://bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
    IP resolved to 5.255.64.228
    DOMAIN: bromilt.com
    IPv4: 5.255.64.228
    REST OF URL: 198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
    REQUEST: GET /198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916 HTTP/1.1
    Host: bromilt.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: identity
    Referer: bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
    Connection: close

    REQUEST LENGTH 405, ACTUALLY SENT 405
    GOT CHUNK 444 BYTES
    TOTAL BYTES RECEIVED: 444
    RECEIVED:
    ___________________________________________
    HTTP/1.1 200 OK
    Date: Mon, 13 Feb 2017 17:03:47 GMT
    Server: Apache
    Set-Cookie: uid3825=555863914-20170213110347-9d3794996387fe0fe8a4dc97077f3c73-; expires=Thu, 16-Mar-2017 16:03:47 GMT; path=/
    Content-Length: 165
    Connection: close
    Content-Type: text/html; charset=UTF-8

    <script type="text/javascript">window.location.href="http://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555863914&s3=202510"</script>
    RESPONSE CODE: 200
    bash-3.2$ exit

FYI, 74.208.164.141 is an IP belonging to 1and1's servers.

One domain is in California, where spamming is supposedly illegal.

    Tech Organization: CAKE MARKETING
    Tech Street: 20411 SW BIRCH ST. STE. 250
    Tech City: NEWPORT BEACH
    Tech State/Province: CA
    Tech Postal Code: 92660
    Tech Country: US
    Tech Phone: +1.9495482253
    Tech Email: [email protected]

If you go to the CAKEMARKETING.COM website, index.html is a 404 error.

I modified my C program to look for literal JavaScript redirects, which added further redirects from this spam URL:

    URL=http://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
    IP resolved to 198.254.67.203
    DOMAIN: agorafinancial.cake.aclz.net
    IPv4: 198.254.67.203
    REST OF URL: ?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
    REQUEST: GET /?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510 HTTP/1.1
    Host: agorafinancial.cake.aclz.net
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: identity
    Referer: agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
    Connection: close

    REQUEST LENGTH 413, ACTUALLY SENT 413
    GOT CHUNK 631 BYTES
    TOTAL BYTES RECEIVED: 631
    === RECEIVED: ===
    HTTP/1.1 302 Found
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Location: https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915
    Server: Microsoft-IIS/7.5
    Date: Mon, 13 Feb 2017 17:36:31 GMT
    Connection: close
    Content-Length: 281

    <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href="https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&amp;s1=470402&amp;s2=555878517&amp;s3=202510&amp;ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915">here</a>.</h2>
    </body></html>

    RESPONSE CODE: 302
    SECURE URL=https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915
    Error.
    bash-3.2$ <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href="https://pro1.agorafinancial.com/617426">here</a>.</h2>
    </body></html>
    
posted by Doej 13.02.2017 - 18:20

1 answer

2

A common spam (malware, phishing, etc.) mail filtering technique is looking up the URLs (most commonly just the domain names) present in the message (typically against a URLBL, using DNS, like a DNSBL).

If the real destination is only found after the redirects, the one in the message won't be found by a simple lookup. This is especially true if the redirect service also serves legitimate content. The filtering system can follow redirects too, but (a) it is generally limited in time, so it can't follow to the end of a long chain, and (b) it is harder to follow a redirect that is not a 301 or 302 response (e.g. one using JavaScript).

Also, sometimes links are redirects simply because of the business model (which allows tracking and so on).

answered 14.02.2017 - 04:31
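As an added example (not code from either post above), here is a small Python redirect-chain walker that does what the question's C program does (follow a `Location:` header, fall back to the `<a href>` in a 302 body, and catch a literal JavaScript `window.location.href`) while applying the hop budget the answer describes, and collects every hostname in the chain for a URLBL-style lookup. The responses are constructed in-line to mirror the chain in the question; nothing is fetched from the network.

```python
import re
from urllib.parse import urljoin, urlsplit

# The two non-header redirect forms seen in the question's transcript:
# an <a href> in a 302 body, and a literal JavaScript window.location.href.
_A_HREF = re.compile(r'<a\s+href="([^"]+)"', re.I)
_JS_LOC = re.compile(r'window\.location(?:\.href)?\s*=\s*"([^"]+)"', re.I)

def next_hop(url, status, headers, body):
    """Return the next URL in the chain, resolved against `url`, or None."""
    loc = headers.get("Location")
    if status in (301, 302, 303, 307, 308) and loc:
        return urljoin(url, loc)                 # normal header redirect
    m = _A_HREF.search(body) if status in (301, 302) else None
    if m:
        return urljoin(url, m.group(1))          # 302 body with no Location
    m = _JS_LOC.search(body)
    return urljoin(url, m.group(1)) if m else None   # JavaScript redirect

def walk_chain(fetch, start, max_hops=10):
    """Follow redirects under a hop cap (the answer's limited budget).
    `fetch(url)` returns (status, headers, body). Returns (urls, exhausted):
    exhausted=True means the cap was hit before the chain ended."""
    urls, url = [start], start
    for _ in range(max_hops):
        nxt = next_hop(url, *fetch(url))
        if nxt is None or nxt in urls:           # chain ended or loops
            return urls, False
        urls.append(nxt)
        url = nxt
    return urls, True

def chain_hosts(urls):
    """Distinct hostnames in the chain, i.e. what to look up in a URLBL/DNSBL."""
    seen = []
    for u in urls:
        h = urlsplit(u).hostname
        if h and h not in seen:
            seen.append(h)
    return seen

# Constructed responses modelled on the chain in the question (not live traffic).
FAKE = {
    "http://agreementpoint.cricket/Q1U7": (302, {"Location": "i.php?Q1U7"}, ""),
    "http://agreementpoint.cricket/i.php?Q1U7": (302, {"Location": "http://74.208.164.141/r.php"}, ""),
    "http://74.208.164.141/r.php": (302, {}, '<a href="http://www.lnksecure26.com/rd/r.php">here</a>'),
    "http://www.lnksecure26.com/rd/r.php": (302, {"Location": "http://bromilt.com/x"}, ""),
    "http://bromilt.com/x": (200, {}, '<script>window.location.href="http://agorafinancial.cake.aclz.net/?E=1"</script>'),
    "http://agorafinancial.cake.aclz.net/?E=1": (200, {}, "<html>landing</html>"),
}
```

With `max_hops=2` the walker stops at the third URL and reports the budget as exhausted, which is exactly why a filter with a small budget never sees the final landing host.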