Lord_Zero Ametuar Posts: 122
As you probably have seen, there are a few new registered users on this forum, like this one: luffyplayaz

His "website": http://www.carinsurancesavings.org/. Sending an HTTP GET request to that address returns the following:
Code:
```
HTTP/1.1 200 OK
Date: Sun, 18 Mar 2007 14:01:39 GMT
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
Last-Modified: Sat, 17 Mar 2007 20:30:11 GMT
ETag: "262c056-418-45fc4fd3"
Accept-Ranges: bytes
Content-Length: 1048
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html

<html>
<head>
<title>Cheap Car Insurance</title>
<meta name="description" content="Compare the lowest car insurance quotes online for free!">
<script src='css.js'></script>
</head>
<body>
Looking for cheap car insurance? We have the lowest quotes online! Receive your quote in seconds! Don't settle for high rates, view our car insurance rates today! Included states are Georgia, Louisiana, Florida, Kansas, Washington, Texas. Affordable antique average cost company accident new jersey. Policy liability home premiums questions reviews. Inexpensive international liberty low income, lowest maryland minimum monthly temporary. Agents baltimore Boston broker, calculator card claims. Farmers full coverage general hartford, high risk eastwood direct line diamond. Rental student teen about american family buying. Cheapest classic collector compare direct discount, instant liability mercury nationwide. Commerce requirements compare distant equation quotes cost.
<a href="http://www.carinsurancesavings.org/">car insurance</a>
</body>
</html>
```

This looks interesting... no links... no pictures... only a file called "css.js"

Getting "css.js"...
Code:
```
HTTP/1.1 200 OK
Date: Sun, 18 Mar 2007 14:02:49 GMT
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
Last-Modified: Sat, 17 Mar 2007 20:50:46 GMT
ETag: "262c06f-3f3-45fc54a6"
Accept-Ranges: bytes
Content-Length: 1011
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/x-javascript

var JHNUhVIpCM215 = "d";
var OLMEYpygPB130 = "ocument.l";
var HNqECJFXOT244 = "oc";
var NaNIwGlqXD256 = "a";
var NUdWDJdQOx527 = "t";
var IaHvpverJs716 = "i";
var EXrtgyndQQ251 = "o";
var TyUjIMRrGT113 = "n.";
var JpGkQqRIeK717 = "hr";
var OLeeuUeViJ480 = "ef='ht";
var HMaTzMuGdL882 = "t";
var NDcNpHEKBY311 = "p:";
var SEkRasMFqz887 = "//www.jd";
var OfMGDgrThB350 = "oq";
var NNlOWBagUj867 = "oc";
var LHElsFPmBP054 = "y.com/";
var OkJLLtdMKg760 = "cl";
var VWtkHMCTih424 = "ick-1";
var EevRjPKOJI282 = "98";
var SHjDtPqohg236 = "49";
var MazUHQiwqc283 = "62-1";
var WIvaTMDpzV258 = "03";
var MOuwFPewhI726 = "60";
var ADONcrINpX018 = "1";
var WdEhcQfhOa486 = "92'";
eval(JHNUhVIpCM215+OLMEYpygPB130+HNqECJFXOT244+NaNIwGlqXD256+NUdWDJdQOx527+IaHvpverJs716+EXrtgyndQQ251+TyUjIMRrGT113+JpGkQqRIeK717+OLeeuUeViJ480+HMaTzMuGdL882+NDcNpHEKBY311+SEkRasMFqz887+OfMGDgrThB350+NNlOWBagUj867+LHElsFPmBP054+OkJLLtdMKg760+VWtkHMCTih424+EevRjPKOJI282+SHjDtPqohg236+MazUHQiwqc283+WIvaTMDpzV258+MOuwFPewhI726+ADONcrINpX018+WdEhcQfhOa486);
```

This looks interesting... The script actually does this:
Code:
```
document.location='http://www.jdoqocy.com/click-1984962-10360192'
```

Resolving that address:
Code:
```
track.cj.akadns.net , www.jdoqocy.com
63.215.202.74 = www.qksrv.net
```

Sending GET to www.jdoqocy.com ...
Code:
```
HTTP/1.0 200 OK
Server: Resin/2.1.13
ETag: "AAAAQzwudWQ"
Last-Modified: Wed, 09 Aug 2006 02:19:06 GMT
Content-Type: text/html
Content-Length: 383
Date: Sun, 18 Mar 2007 14:05:07 GMT

<html>
<head>
<title>Commission Junction</title>
<meta http-equiv="refresh" content="0; URL=http://www.cj.com/qksrv.jsp">
</head>
<body bgcolor="#ffffff">
You are currently being redirected to an information page about qksrv.net. If your browser does not support redirects, please <a href="http://www.cj.com/qksrv.jsp">click here</a> to access the page directly.
</body>
</html>
```

Getting qksrv.jsp from that location...
Code:
```
HTTP/1.1 302 Found
Date: Sun, 18 Mar 2007 14:06:34 GMT
Server: Apache/2.0.52 (Red Hat) PHP/4.3.9 mod_ssl/2.0.52 OpenSSL/0.9.7a
Location: http://www.cj.com/qksrv.html
Content-Length: 212
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.cj.com/qksrv.html">here</a>.</p>
</body></html>
```

"Following the redirect"...
Code:
```
HTTP/1.1 200 OK
Date: Sun, 18 Mar 2007 14:07:34 GMT
Server: Apache/2.0.52 (Red Hat) PHP/4.3.9 mod_ssl/2.0.52 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.9
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Commission Junction - A global leader in the online advertising channels of affiliate marketing and managed search.</title>
...(there is more but irrelevant)
```

So the spammer "works" for cj.com and his ID that gives him money is 1984962-10360192.

Quote from "legal" part of cj.com:
Code:
```
The ValueClick Network is committed to proper Internet practices and full compliance with the CAN-SPAM Act of 2003 (15 U.S.C. § 7701). It is our policy to prohibit the sending of unsolicited or "Spam" e-mail by ValueClick or any of its marketing partners.

Please note that under the CAN-SPAM Act, an advertiser is required to provide an opt-out mechanism for consumers to unsubscribe from future emails about the advertiser. Although not required to by law, many email marketers also include an opt-out mechanism to enable consumers to be removed from their mailing list. This has caused some confusion for consumers in opting out. The table below clarifies which opt-out mechanism you should use for commercial emails.

To receive no further emails . . . Opt-Out Mechanism to Use about the advertiser Advertiser's from the email marketing company Opt-Out Mechanism to Use from the advertiser or email marketing company Both
```

Reporting spammer...
Code:
```
Your inquiry has been sent.
```
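The decoding step in the post above can be done statically, without running the script. This is an added example, not part of the original post: it recovers the string handed to `eval()` by reading the string literals only. The sample input and its `redirect.example.invalid` host are constructed, and the function names are this example's own.

```javascript
// Static resolver for "split string + eval" JavaScript obfuscation.
// It never calls eval(): it only reads string literals and joins them.

// Constructed sample in the same style as css.js (placeholder host, not real data).
const SAMPLE = [
  'var aQx1 = "d";var bRt2 = "ocument.l";var cLm3 = "ocation.hr";',
  'var dPz4 = "ef=\'ht";var eWk5 = "tp://redirect.example.invalid/";',
  'var fGh6 = "click-000-111\'";',
  'eval(aQx1+bRt2+cLm3+dPz4+eWk5+fGh6);',
].join("\n");

// Collect every `var NAME = "literal";` into a lookup table.
function collectLiterals(source) {
  const table = new Map();
  const re = /\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])((?:\\.|(?!\2).)*)\2\s*;/g;
  for (const m of source.matchAll(re)) {
    // Undo simple backslash escapes (\' \" \\); other escapes are left as-is.
    table.set(m[1], m[3].replace(/\\(['"\\])/g, "$1"));
  }
  return table;
}

// Rebuild the string passed to eval() by substituting each identifier.
// Returns null when there is no eval() call; throws on an unknown identifier
// so a partial (misleading) result is never reported.
function resolveEvalArgument(source) {
  const table = collectLiterals(source);
  const call = /\beval\s*\(([^()]*)\)/.exec(source);
  if (!call) return null;
  return call[1].split("+").map((part) => {
    const name = part.trim();
    if (!table.has(name)) throw new Error("unresolved identifier: " + name);
    return table.get(name);
  }).join("");
}

// Pull the redirect target out of a recovered `document.location...='URL'`.
function extractRedirect(statement) {
  const re = /(?:document|window)\.location(?:\.href)?\s*=\s*(["'])(.*?)\1/;
  const m = re.exec(statement || "");
  return m ? m[2] : null;
}

const recovered = resolveEvalArgument(SAMPLE);
console.log(recovered);
console.log(extractRedirect(recovered));
```

The resolver only handles plain `var` string literals joined with `+` inside a single `eval()` call, which is the pattern shown in the post.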