AuthorMessage
Lord_Zero
Ametuar
Posts: 122

As you probably have seen, there are a few new registered users on this forum, like this one: luffyplayaz
His "website": http://www.carinsurancesavings.org/.
Sending a HTTP GET request to that address returns the following:
Code:
HTTP/1.1 200 OK
Date: Sun, 18 Mar 2007 14:01:39 GMT
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
Last-Modified: Sat, 17 Mar 2007 20:30:11 GMT
ETag: "262c056-418-45fc4fd3"
Accept-Ranges: bytes
Content-Length: 1048
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<title>Cheap Car Insurance</title>
<meta name="description" content="Compare the lowest car insurance quotes online for free!">
<script src='css.js'></script>
</head>
<body>
Looking for cheap car insurance? We have the lowest quotes online! Receive your quote in seconds! Don't settle for high rates, view our car insurance rates today! Included states are Georgia, Louisiana, Florida, Kansas, Washington, Texas. Affordable antique average cost company accident new jersey. Policy liability home premiums questions reviews. Inexpensive international liberty low income, lowest maryland minimum monthly temporary. Agents baltimore Boston broker, calculator card claims. 
Farmers full coverage general hartford, high risk eastwood direct line diamond. Rental student teen about american family buying.  Cheapest classic collector compare direct discount, instant liability mercury nationwide. Commerce requirements compare distant equation quotes cost.   <a href="http://www.carinsurancesavings.org/">car insurance</a>
</body>
</html>

This looks interesting... no links... no pictures... only a file called "css.js"
Getting "css.js"...
Code:
HTTP/1.1 200 OK
Date: Sun, 18 Mar 2007 14:02:49 GMT
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
Last-Modified: Sat, 17 Mar 2007 20:50:46 GMT
ETag: "262c06f-3f3-45fc54a6"
Accept-Ranges: bytes
Content-Length: 1011
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/x-javascript
var JHNUhVIpCM215 = "d";var OLMEYpygPB130 = "ocument.l";var HNqECJFXOT244 = "oc";var NaNIwGlqXD256 = "a";var NUdWDJdQOx527 = "t";var IaHvpverJs716 = "i";var EXrtgyndQQ251 = "o";var TyUjIMRrGT113 = "n.";var JpGkQqRIeK717 = "hr";var OLeeuUeViJ480 = "ef='ht";var HMaTzMuGdL882 = "t";var NDcNpHEKBY311 = "p:";var SEkRasMFqz887 = "//www.jd";var OfMGDgrThB350 = "oq";var NNlOWBagUj867 = "oc";var LHElsFPmBP054 = "y.com/";var OkJLLtdMKg760 = "cl";var VWtkHMCTih424 = "ick-1";var EevRjPKOJI282 = "98";var SHjDtPqohg236 = "49";var MazUHQiwqc283 = "62-1";var WIvaTMDpzV258 = "03";var MOuwFPewhI726 = "60";var ADONcrINpX018 = "1";var WdEhcQfhOa486 = "92'";
eval(JHNUhVIpCM215+OLMEYpygPB130+HNqECJFXOT244+NaNIwGlqXD256+NUdWDJdQOx527+IaHvpverJs716+EXrtgyndQQ251+TyUjIMRrGT113+JpGkQqRIeK717+OLeeuUeViJ480+HMaTzMuGdL882+NDcNpHEKBY311+SEkRasMFqz887+OfMGDgrThB350+NNlOWBagUj867+LHElsFPmBP054+OkJLLtdMKg760+VWtkHMCTih424+EevRjPKOJI282+SHjDtPqohg236+MazUHQiwqc283+WIvaTMDpzV258+MOuwFPewhI726+ADONcrINpX018+WdEhcQfhOa486);

This looks interesing... The script actually does this:
Code:
document.location='http://www.jdoqocy.com/click-1984962-10360192'

Resolving that address:
Code:
track.cj.akadns.net , www.jdoqocy.com
63.215.202.74 = www.qksrv.net

Sending GET to www.jdoqocy.com ...
Code:
HTTP/1.0 200 OK
Server: Resin/2.1.13
ETag: "AAAAQzwudWQ"
Last-Modified: Wed, 09 Aug 2006 02:19:06 GMT
Content-Type: text/html
Content-Length: 383
Date: Sun, 18 Mar 2007 14:05:07 GMT
<html>
<head>
<title>Commission Junction</title>
<meta http-equiv="refresh" content="0; URL=http://www.cj.com/qksrv.jsp">
</head>
<body bgcolor="#ffffff">
You are currently being redirected to an information page about
qksrv.net. If your browser does not support redirects, please
<a href="http://www.cj.com/qksrv.jsp">click here</a> to access
the page directly.
</body>
</html>

Getting qksrv.jsp from that location...
Code:
HTTP/1.1 302 Found
Date: Sun, 18 Mar 2007 14:06:34 GMT
Server: Apache/2.0.52 (Red Hat) PHP/4.3.9 mod_ssl/2.0.52 OpenSSL/0.9.7a
Location: http://www.cj.com/qksrv.html
Content-Length: 212
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.cj.com/qksrv.html">here</a>.</p>
</body></html>

"Following the redirect"...
Code:
HTTP/1.1 200 OK
Date: Sun, 18 Mar 2007 14:07:34 GMT
Server: Apache/2.0.52 (Red Hat) PHP/4.3.9 mod_ssl/2.0.52 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.9
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Commission Junction - A global leader in the online advertising channels of affiliate marketing and managed search.</title>            ...(there is more but irrelevant)

So the spammer "works" for cj.com and his ID that gives him money is 1984962-10360192 .
Quote from "legal" part of cj.com:
Code:
The ValueClick Network is committed to proper Internet practices and full compliance with the CAN-SPAM Act of 2003 (15 U.S.C. § 7701). It is our policy to prohibit the sending of unsolicited or "Spam" e-mail by ValueClick or any of its marketing partners.
Please note that under the CAN-SPAM Act, an advertiser is required to provide an opt-out mechanism for consumers to unsubscribe from future emails about the advertiser. Although not required to by law, many email marketers also include an opt-out mechanism to enable consumers to be removed from their mailing list. This has caused some confusion for consumers in opting out. The table below clarifies which opt-out mechanism you should use for commercial emails.
To receive no further emails . . .   Opt-Out Mechanism to Use
about the advertiser   Advertiser's
from the email marketing company   Opt-Out Mechanism to Use
from the advertiser or email marketing company   Both

Reporting spammer...
Code:
Your inquiry has been sent.

CrazyGuy
n00b
Posts: 32

LOL  8)
Ashura
Unstopable
Posts: 370

nice 1 
Meka][Meka
Unstopable
Posts: 700

cool lol, i should of wrote something for anti spamming on forum a long time ago, but im too caught up in work atm :> thanks lz... i owe u