CastleCops, Internet Crime Fighters
Need help? Click here to register for free! Absolutely zero advertisements on this site!

$9736.22 of $21422.68
left sidedonated so farneed $11686.46 donated to reach our goalright side, our goal
Help CastleCops serve the community on new servers, Donate Here to reach our goal.

Donation/Premium
spacer
Donations. Become Premium Today! Premium Icon
block bottom
Security Central
spacer
· Home
· PIRT/Fried Phish
· MIRT
· SIRT
· Deutsch
· Wiki
· Newsletter
· O16/ActiveX
· CLSID List
· Contest2007
· Downloads
· Feedback (send)
· Forums
· HijackThis
· Hijacktrend
· LSPs
· My Downloads
· O18
· O20
· O21
· O22
· O23
· O9
· Premium
· Private Messages
· Proxomitron
· Reviews
· Search
· StartupList
· Stories Archive
· Submit News
· WsIRT
· Your Account
· Acceptable Use Policy
block bottom
Survey
spacer
Was 2007 a good year?

Yes it was a wonderful year
Yes, but there is always room for improvement
Status quo
It was a challenge
Other (leave comment)



Results
Polls

Votes: 927
Comments: 25
block bottom
spacer spacer

SIRT(TM)

Spam Incident Reporting and Termination(TM) Squad

A global spam termination operation launched by CastleCops, the volunteer SIRT Squad is comprised of folks who report spam, investigate spam, and actively work on spam takedown and termination. SIRT is funded by CastleCops. Become a SIRT Squad terminator by reporting spam today!

[ How-To / FAQ ]

SIRT -> Confirmed Spam | Terminated Spam


evidence status: confirmed spam

HTTP Response
05 Jul, 2008
10:09:38		HTTP/1.1 404 Not Found
ID174443 (termination link)
TitleBlogspot redirection, VPXL
Entry
SIRT Squad
Reporter		ai_hiya
Timestamp16 May, 2008 @ 08:28:06
Topic ID221837 - Read/respond to SIRT commentary.
Handler Note:
16 May, 2008
09:01:18		tembow: Consumed following related reports:

[174444] http://korezuwy17387.blogspot.com
Handler Note:
16 May, 2008
09:01:42		tembow: Consumed following related reports:

[174445] http://nubutawy12783.blogspot.com
Handler Note:
16 May, 2008
09:22:30		tembow:
Google Blogspot redirection.
Alleged perpetrator = William Lin, see http://www.siteadvisor.com/sites/anherbal.com
QUOTE

Visits to this fake pharmacy site is provided through the widespread abuse of Google Blogspot redirection. This is a sad indictment of Google's inability to tackle problems caused by their open framework for creating new blogspot entries. All you need is a Gmail account, and scammers are offering pre-registered Gmail accounts a million at a time. Direct quote from the bulkerforum.biz where scammers hang out:
-----
TOPIC: gmail accts, googlepages redirects, blogger redirects

William

Joined: 14 Nov 2007
Posts: 15

Posted: Fri Mar 28, 2008 1:55 pm
Post subject: gmail accts, googlepages redirects, blogger redirects

if you buy in volume please PM me, i have 1~10 mil of gmail accts for selling, 100k googlepags redirect + 100k blogger redirects.

my ICQ is 407-678-829
-----
William Lin, email address:williamlin89@gmail.com, skype id thealien2006

END QUOTE
Handler Note:
16 May, 2008
09:23:29		tembow:
This is a MAJOR incident. Escalate to Corporate Security.

Each of these 3 samples has a java script obfuscated redirector, and each decodes to
window.top.location.href='http://anherbal.com/';

Reference: http://www.spamtrackers.eu/wiki/index.php?title=Blogspot#Obfuscated_Java_Script_redirections


Suspend every site containing the matching redirection fingerprint:
var {TS}="{TS}";var {TS}=0;var {TS},{TS},{TS}="{HEX}";{TS}='';var {TS};for({TS}=0;{TS}<{TS}.length;{TS}+=2)

where {TS} is a variable length text string
and {HEX} is a long hexadecimal string comprised of 0-9 A-F

Remove all matching sites. Run continuously as new sites are registered. Check for changes in pattern and adapt.

To monitor for success, check new spammed sites reported at the Geocities URIBL tracker http://rss.uribl.com/hosters/

Further reference: Use the Removal instructions at http://www.castlecops.com/t221784-SIRT_173979_Blogspot_redirection_with_fingerprint_removal.html
Handler Note:
16 May, 2008
09:26:28		tembow: Generated and sent email spam alert to respective parties.
Fetched URLs
Slaves174444, 174445,

Report for at 16 May, 2008 @ 08:11:17

fetched page

at 16 May, 2008 @ 08:11:20
MD5 Fingerprint: 1a5dec15d1a8d16aba64f00f8e4a60cc
SHA1 Fingerprint: b4bea063648b427d89da3a5e24b310e7784486e0

fetched page

at 16 May, 2008 @ 09:03:14
MD5 Fingerprint: 58535279695f578ec9dddf5c29393650
SHA1 Fingerprint: b45eb2aec5b66e233e3c07392dd711a22c99a44f

fetched page

at 16 May, 2008 @ 09:03:41
MD5 Fingerprint: df7a1671e5c90b4c9e23dc12c024b845
SHA1 Fingerprint: 233df3abdb33a0215c58136d4f0073a979400e19
Version 1.0
2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved.
Acceptable Use Policy. Use signifies your agreement.
201ppm 1.053s (0.926s)
Making cybercriminals unhappy since 2002*
In Memory of Trpm
spacer spacer