From Torrents to Casinos, Redirect Chaining Is Back in Fashion
Friday September 19, 2008 at 6:30 am CST
Posted by Chris Barton, Research Scientist and Artemis Geek
The casino spammers have been chaining together a lot of link redirectors recently to avoid being taken down by redirector sites checking anti-spam blacklists.
Here is a good example from one of our partner traps of how you go from one of the most popular torrent forums on the web to a Malta-based casino in one click.
This is the URL used in the email and our starting point:
http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
Here is the redirection chain:
http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
--> 301 Moved Permanently
http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
--> 200 OK (and stops if you’re using LWP)
HEADER : Refresh: 0;url=http://tinyurl.com/4nr46h
GET http://tinyurl.com/4nr46h
--> 301 Moved Permanently
GET http://blog.com/redirect/?url=http://maltytotrough.com?6ccbe5z5p
--> 302 Found
GET http://maltytotrough.com?6ccbe5z5p
--> 302 Found
GET http://www.spinpalace.com/index.asp?a=634991
--> 301 Moved Permanently
(then they hide the affiliate string for some reason)
GET http://www.spinpalace.com/
--> 200 OK
Affiliate 634991, your time is up.
This is not a new trick. Forward-thinking anti-spammers have been reputing against this type of behavior for quite a while, coupled with generic redirector detection. (This mail was three times over our usual deletion threshold.) The issue lies in the fact that some of these links stay alive for days, as it takes a long time and a lot of effort for the redirect sites to clean up the working redirectors. Spammers don’t re-try tricks like this without reason, however.
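The trace above can be reproduced offline to show what a chain-aware filter has to handle. This is an added example, not code from the original post: the responses are constructed from the chain listed above, the function names are hypothetical, and `fetch` is a dictionary lookup rather than a network call. It follows both `Location` redirects and the `Refresh` header (where a Location-only client stops) and pulls out features a filter could score.

```python
import re
from urllib.parse import urljoin, urlsplit, parse_qsl

# Constructed offline responses mirroring the chain in the post: url -> (status, headers)
START = "http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h"
WWW = "http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h"
BLOG = "http://blog.com/redirect/?url=http://maltytotrough.com?6ccbe5z5p"
SAMPLE = {
    START: (301, {"Location": WWW}),
    WWW: (200, {"Refresh": "0;url=http://tinyurl.com/4nr46h"}),
    "http://tinyurl.com/4nr46h": (301, {"Location": BLOG}),
    BLOG: (302, {"Location": "http://maltytotrough.com?6ccbe5z5p"}),
    "http://maltytotrough.com?6ccbe5z5p":
        (302, {"Location": "http://www.spinpalace.com/index.asp?a=634991"}),
    "http://www.spinpalace.com/index.asp?a=634991":
        (301, {"Location": "http://www.spinpalace.com/"}),
    "http://www.spinpalace.com/": (200, {}),
}
REFRESH = re.compile(r"^\s*\d+\s*[;,]\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)

def next_hop(url, status, headers, follow_refresh=True):
    """Next URL from a 3xx Location, or from a Refresh header on any status."""
    if 300 <= status < 400 and headers.get("Location"):
        return urljoin(url, headers["Location"])  # Location may be relative
    m = REFRESH.match(headers.get("Refresh", "")) if follow_refresh else None
    return urljoin(url, m.group(1)) if m else None

def trace(start, fetch, follow_refresh=True, max_hops=10):
    """Walk the chain with a hop limit and loop guard; return URLs visited."""
    chain, url = [], start
    while url and url not in chain and len(chain) < max_hops:
        chain.append(url)
        status, headers = fetch(url)
        url = next_hop(url, status, headers, follow_refresh)
    return chain

def embeds_url(url):
    """Generic redirector signal: a query parameter whose value is itself a URL."""
    return any(v.lower().startswith(("http://", "https://"))
               for _, v in parse_qsl(urlsplit(url).query))

def summarize(chain):
    """Features a filter could score: hop count, distinct hosts, redirector hops."""
    return {"hops": len(chain) - 1,
            "hosts": sorted({urlsplit(u).hostname for u in chain}),
            "redirector_hops": [u for u in chain if embeds_url(u)],
            "final": chain[-1]}

if __name__ == "__main__":
    print(summarize(trace(START, SAMPLE.__getitem__)))
```

Calling `trace` with `follow_refresh=False` stops at the second URL, which is the behavior the post notes for LWP.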
If any readers are going to be at MAAWG next week, be sure to say “Hi”!
(Slacker Ed. is going too!)
