A new spam message arrived today with a URL in it:
http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
It redirects many times before the final page loads.
I'm wondering why? After all, I can follow the entire redirect sequence, so they aren't hiding anything ... from me.
I followed the redirects using my C program that does an HTTP GET, which I revised to mimic the browsers' ability to look for <a href> tags in 302 redirect pages and follow them when the "Location:" header is missing, which is the case here.
If spam filters don't follow redirects, why does anyone pay for a spam filter?
Anyway, for this spam message, the resulting long series of redirects is amusing:
bash-3.2$ ./get http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
URL=http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
IP resolved to 66.228.35.10
DOMAIN: agreementpoint.cricket
IPv4: 66.228.35.10
REST OF URL: Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
REQUEST: GET /Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO HTTP/1.1
Host: agreementpoint.cricket
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
Connection: close
REQUEST LENGTH 333, ACTUALLY SENT 333
GOT CHUNK 536 BYTES
TOTAL BYTES RECEIVED: 536
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Date: Mon, 13 Feb 2017 17:03:46 GMT
Server: Apache/2.2.15 (CentOS)
Location: i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO">here</a>.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at agreementpoint.cricket Port 80</address>
</body></html>
RESPONSE CODE: 302
URL=http://agreementpoint.cricket/i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
IP resolved to 66.228.35.10
DOMAIN: agreementpoint.cricket
IPv4: 66.228.35.10
REST OF URL: i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
REQUEST: GET /i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO HTTP/1.1
Host: agreementpoint.cricket
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: agreementpoint.cricket/i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
Connection: close
REQUEST LENGTH 345, ACTUALLY SENT 345
GOT CHUNK 310 BYTES
TOTAL BYTES RECEIVED: 310
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Date: Mon, 13 Feb 2017 17:03:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.45
Location: http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
RESPONSE CODE: 302
URL=http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
DOMAIN: 74.208.164.141
IPv4: 74.208.164.141
REST OF URL: r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
REQUEST: GET /r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv HTTP/1.1
Host: 74.208.164.141
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: 74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
Connection: close
REQUEST LENGTH 415, ACTUALLY SENT 415
GOT CHUNK 316 BYTES
TOTAL BYTES RECEIVED: 316
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Date: Mon, 13 Feb 2017 17:03:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.42
Location: http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
RESPONSE CODE: 302
URL=http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
IP resolved to 64.71.235.16
DOMAIN: www.lnksecure26.com
IPv4: 64.71.235.16
REST OF URL: rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
REQUEST: GET /rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3= HTTP/1.1
Host: www.lnksecure26.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
Connection: close
REQUEST LENGTH 427, ACTUALLY SENT 427
GOT CHUNK 376 BYTES
TOTAL BYTES RECEIVED: 376
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Date: Mon, 13 Feb 2017 17:03:47 GMT
Server: Apache
Set-Cookie: uid9500=1362582916-20170213090347-00e5225facfe7f80be971e74e6be97f3-; path=/; domain=lnksecure26.com
Location: http://bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
RESPONSE CODE: 302
URL=http://bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
IP resolved to 5.255.64.228
DOMAIN: bromilt.com
IPv4: 5.255.64.228
REST OF URL: 198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
REQUEST: GET /198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916 HTTP/1.1
Host: bromilt.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
Connection: close
REQUEST LENGTH 405, ACTUALLY SENT 405
GOT CHUNK 444 BYTES
TOTAL BYTES RECEIVED: 444
RECEIVED:
___________________________________________
HTTP/1.1 200 OK
Date: Mon, 13 Feb 2017 17:03:47 GMT
Server: Apache
Set-Cookie: uid3825=555863914-20170213110347-9d3794996387fe0fe8a4dc97077f3c73-; expires=Thu, 16-Mar-2017 16:03:47 GMT; path=/
Content-Length: 165
Connection: close
Content-Type: text/html; charset=UTF-8
<script type="text/javascript">window.location.href="http://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555863914&s3=202510"</script>
RESPONSE CODE: 200
bash-3.2$ exit
FYI, 74.208.164.141 is an IP belonging to 1and1's servers.
One domain is in California, where spamming is supposedly illegal.
Tech Organization: CAKE MARKETING
Tech Street: 20411 SW BIRCH ST. STE. 250
Tech City: NEWPORT BEACH
Tech State/Province: CA
Tech Postal Code: 92660
Tech Country: US
Tech Phone: +1.9495482253
Tech Email: [email protected]
If you go to the CAKEMARKETING.COM web site, index.html is a 404 error.
I modified my C program to look for literal JavaScript redirects, adding further redirects from this spam URL:
URL=http://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
IP resolved to 198.254.67.203
DOMAIN: agorafinancial.cake.aclz.net
IPv4: 198.254.67.203
REST OF URL: ?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
REQUEST: GET /?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510 HTTP/1.1
Host: agorafinancial.cake.aclz.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
Connection: close
REQUEST LENGTH 413, ACTUALLY SENT 413
GOT CHUNK 631 BYTES
TOTAL BYTES RECEIVED: 631
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915
Server: Microsoft-IIS/7.5
Date: Mon, 13 Feb 2017 17:36:31 GMT
Connection: close
Content-Length: 281
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915">here</a>.</h2>
</body></html>
RESPONSE CODE: 302
SECURE URL=https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915
Error.
bash-3.2$ <html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://pro1.agorafinancial.com/617426">here</a>.</h2>
</body></html>
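The three things the transcript above forces a follower to handle are a relative "Location:" (the first hop, "i.php?..."), a 302 body whose only pointer is an <a href> tag, and a 200 page whose body is a literal window.location.href assignment (the bromilt.com hop). The following Python is an added example, not the C program used in this post: it replays the chain offline from a table adapted from the responses shown above (statuses, Location headers and the relevant part of each body; the s2 value and the final ckmguid are taken from the two runs as printed). The fetcher is injected, so the same code can be pointed at a real HTTP client. MAX_HOPS is an assumed cap; the https hop is deliberately left out of the replay table so the run stops with "unfetchable" at the same point the plain-HTTP tool printed "Error.".

```python
"""Redirect-chain follower that behaves like a browser or a diligent spam
filter: it honours the Location header (absolute or relative), falls back
to the <a href> in a 3xx body when Location is missing, and treats a
literal window.location.href assignment in a 200 body as one more hop.
Added example; this is not the post's C program."""
import re
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 20  # assumption: hard cap so a loop or endless chain cannot stall a filter

_HREF_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\']', re.I)
_JS_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(url, status, headers, body):
    """Return the next URL of the chain resolved against `url`, or None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        loc = hdrs.get("location")
        if loc:
            # urljoin turns "i.php?..." into http://host/i.php?..., which is
            # what the tool in the transcript did for the first hop
            return urljoin(url, loc.strip())
        m = _HREF_RE.search(body)  # Apache-style 302 body without Location
        return urljoin(url, m.group(1)) if m else None
    if status == 200:
        m = _JS_RE.search(body)  # literal JavaScript redirect
        return urljoin(url, m.group(1)) if m else None
    return None


def follow_chain(fetch, url, max_hops=MAX_HOPS):
    """Walk the chain from `url`.

    fetch(url) returns (status, headers, body), or None when the URL cannot
    be retrieved. Returns (hops, reason): hops is a list of (url, status),
    with status None for an unfetchable tail; reason is 'final', 'loop',
    'max_hops' or 'unfetchable'.
    """
    hops, seen = [], set()
    while True:
        if url in seen:
            return hops, "loop"
        if len(hops) >= max_hops:
            return hops, "max_hops"
        resp = fetch(url)
        if resp is None:
            hops.append((url, None))
            return hops, "unfetchable"
        status, headers, body = resp
        seen.add(url)
        hops.append((url, status))
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return hops, "final"
        url = nxt


def hosts_in_chain(hops):
    """Distinct hostnames in order of appearance: every one of them, not just
    the host in the message body, is what a filter should look up."""
    out = []
    for u, _ in hops:
        h = urlsplit(u).hostname
        if h and h not in out:
            out.append(h)
    return out


# Replay table adapted from the transcript (constructed test data). The
# https hop is absent on purpose: the plain-HTTP tool stopped there too.
START = "http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO"
_ACLZ = ("http://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d"
         "&s1=470402&s2=555863914&s3=202510")
REPLAY = {
    START: (302, {"Location": "i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO"},
            '<p>The document has moved <a href="i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO">here</a>.</p>'),
    "http://agreementpoint.cricket/i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO":
        (302, {"Location": "http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO"
                           "==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv"}, ""),
    "http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv":
        (302, {"Location": "http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510"
                           "&c1=120090030112031020200000001559193296460961&c2=&c3="}, ""),
    "http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=":
        (302, {"Location": "http://bromilt.com/198024fa95c9ed6800/202510/"
                           "120090030112031020200000001559193296460961/1362582916"}, ""),
    "http://bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916":
        (200, {}, '<script type="text/javascript">window.location.href="%s"</script>' % _ACLZ),
    _ACLZ: (302, {"Location": _ACLZ.replace("http://", "https://")
                  + "&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915"}, ""),
}


def replay_fetch(url):
    """Offline stand-in for the HTTP GET: serves only the recorded responses."""
    return REPLAY.get(url)


if __name__ == "__main__":
    chain, why = follow_chain(replay_fetch, START)
    for u, st in chain:
        print(st, u)
    print("stopped:", why, "hosts:", hosts_in_chain(chain))
```

Run stand-alone it prints the seven hops and stops with "unfetchable" at the https URL; swap `replay_fetch` for a function that performs a real GET (with a socket timeout and a size limit on the body) and the same loop walks a live chain. The cap and the `seen` set matter in a filter: a spammer who notices that you follow redirects can just as easily hand you a loop.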