Thursday, April 28, 2005

GooglePray Tricks

Ann and I have been trying to understand the GooglePray guestbook spammer better. He has found a way to force visitors to his "search" to send out his spam.

His code is rather confusing and neither of us being javascript experts doesn't help. But we have learned a lot. He has iframes that load about:blank, but they are named after the forms he is using to spam other sites. There is also some ActiveX (clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A) that appears to be an exploit to allow the script to access your clipboard and allows cross frame access. That could be what the empty iframes are for, I wasn't able to figure that part out. There is some other odd javascript that seems to be redirecting to different links, maybe its loading those iframes. That bit of code:
function cs(){
window.status='';
}

function ha(a){ }

function ca(a) {
top.location.href=document.getElementById(a).href;
}

function ga(o,e) {
if (document.getElementById) {
a=o.id.substring(1);
p = "";
r = "";
g = e.target;
if (g) {
t = g.id;
f = g.parentNode;
if (f) {
p = f.id;
h = f.parentNode;
if (h)r = h.id;
}
}
else {
h = e.srcElement;
f = h.parentNode;
if (f) p = f.id;
t = h.id;
}
if (t==a || p==a || r==a) return true;
top.location.href=document.getElementById(a).href;
}
}

Then he has this script to submit the spam to the forms he has targeted:
function dimattic() {
this.obj.submit();
}

dimattic()

The spammer's "forum" is:
http://baikalguide.com/guide/UmaxSearch/

You can see one of the posts directly:
http://baikalguide.com/forum/Tue%20Apr%2026%2005:48:07%202005/UmaxPPC

It seems safe to visit those links in Firefox, but don't do it in IE or you will be helping send out his spams.

The Preacher has been trying to get this spammer's ISP to shut him down but with no luck.

Another blogger really pissed off at this spam is boycotting UMAX in hopes they will go after the spammer for using their name.

Don't miss the discussion in the EV1 forums.

Reporting to Google for abuse seems like the best option for now. So I collected and chongqed a few URLs that are spamvertised by his scripts:
Some examples of his many victims can be seen here:
gmcsrinagar.net
sadlerphoto.com
planets.lamost.org

Update May 5, 2005:

I realized that much of that Javascript code is from Google. It doesn't seem to do what I guessed at all though it does have something to do with links at least. Some of it adds an onMouseOver text on Google Ads that says "go to sitename." I still don't get the ga function, but it also seems Google Ads releated.

The dimattic function is the spammer's own though.

Comments:
Strike back at the scum spamming guestbooks, wikis and blogs
More on the war against the socially inept guestbook pests
This is a post from the blogmaster here at Bob's blog in regards to my boycott UMAX thread and guestbook spammers in general:
And I will be cross posting this at interested links.
Apparently the attention these Idiot Children is receiving is working.
They have been chased off a few servers by complaints and by people with a much more technical savvy than I have.
Thanks to all the following bloggers and webmasters:
http://spamhuntress.com
http://www.berduszek.art.pl
http://chongq.blogspot.com
Please read their very well done research at the following links:
http://www.berduszek.art.pl/guestbook/addentry.php
http://spamhuntress.com/2005/04/27/googlepray/
http://spamhuntress.com/2005/04/29/googlepray-spammer-hits-back/
http://spamhuntress.com/2005/05/03/the-vendetta-against-neil-taylor/
http://spamhuntress.com/2005/05/05/umax-spammer-drops-hijacker/
http://spamhuntress.com/2005/05/05/ev1-booted-sids-spamming-bot/
http://berduszek.art.pl/guestbook/addentry.php http://wiki.chongqed.org//GooglePray
http://spamhuntress.com/w/index.php?title=The_Umax-search_spammer&action=submit
http://forum.ev1servers.net/showthread.php?t=55947
http://buffoons.blogspot.com/2005/06/new-beginning-for-umax-ppc-spammer.html
http://buffoons.blogspot.com/2005/02/umax-spam-continued.html
http://buffoons.blogspot.com/2005/04/im-not-alone-umax-spam-is-affecting.html
http://buffoons.blogspot.com/2005/04/spam-huntress-is-after-umax-ppc.html
http://buffoons.blogspot.com/2005/04/screw-everyones-internet-and-umax-ppc.html
http://chongq.blogspot.com/2005/04/googlepray-tricks.html
http://spam.gunters.org/archive/2005/05/15/umax-spammer-revenge
http://spam.gunters.org/archive/2005/05/05/umax-spammer-drops-hijacker
http://wiki.chongqed.org/WikiForumArchive_May2005
http://spammers.chongqed.org/&first_char=u
http://www.techspot.com/vb/all/windows/t-20009-A-way-to-strike-back-at-the-scum-spamming-my-guestbook.html
And this one shows what real idiot's these children are:
http://chongq.blogspot.com/2004/06/email-from-hakdata.html
And if you would like to submit a Wiki or Blog spammer try this link:
http://chongqed.org/submit.html
And of course my thread should be on this list
http://www.bobonit.com/html/2005/04/boycott-umax-umax-search-problem.html

I have noticed Idiot Sid/Dimitry has taken our reports personally he is now spamming with a message saying that myself and others such as spamhuntress are spamming here is an example of his post on a guestbook (http://www.lightfeather.net/guestbook.html) which was attacked = Wiki Spammers: bobonit.com, wiki.chongqed.org, spamhuntress.com, spam.gunters.org,
buffoons.blogspot.com, have been spamming wikis, blogs, or guest books

A better example is:
...!Wiki Spammers: bobonit.com, wiki.chongqed.org, spamhuntress.com, spam.gunters.org, buffoons.blogspot.com, have been spamming wikis, blogs, or guest books with the keyword spam any domain to improve their page rank on Google and other search engines. Wiki Spam Solutions. There have been a number of proposals for dealing with WikiSpam.[url]http://umax-se.com/login/GOOGLE+SPAM/baikalguide+Wiki+Spammers:[/url]....
Posted by: specific911 at May 12, 2005 05:42 PM
Note the specific 911 link is not an e-mail address but links to the same page as the post?

More importantly I may of found his database check out this link
http://fullup.org/gb.dat

We are winning this war keep up the attacks on these idiots, I wish I could really take 2x4 to one of them upside the head!
Bob
From Bob's News Blog - http://www.bobonit.com/html/bob_blog.html
Edit  
My way to fight again spam:
please try http://www.gadacz.info/guestbook
Not perfect, but useful.
I changed addentry.php and index.php! Now I have a "secret" entrance for my guestbook

spamfighter(+)gadacz(punkt)info
Edit  
Post a Comment

<< Home