A spam email got through to my inbox earlier this morning.
-
Subject: Having trouble gettin to sleep? Get Ambien
-
Date: Sat, 27 Oct 2007 14:38:59 -0500
-
MIME-Version: 1.0
-
Content-Type: text/html;
-
format=flowed;
-
charset="windows-1250"
-
reply-type=original
-
Content-Transfer-Encoding: 7bit
-
X-Priority: 3
-
X-MSMail-Priority: Normal
-
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
-
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
-
-
Order All of your favorite RxMedz today.<br>
-
With fast discreet trackable USPS shipping!<br>
-
No Prescription Needed!<br>
So who cares right everyone gets spammed? Well I thought this was pretty interesting...
Anytime a real spam email gets through our system I always analyze it looking for a footprint that will not only identify this but all like it to our email system. Dillsmack and I both have a background in building spam prevention systems... although what seems like a lifetime ago.. anyway so we look for stuff like that.
Ok so the meat of this is really that the spammer is using Google urls to spam with... and not like googlepages or something that would get there account banned.
Now if you drop the &btnI=ec you can see that this is the only result
http://www.google.com/search?q=blarack+tabs+unbelievable&btnI=ec
Now if you type that into or click directly you will see it goes directly to the domain.
Here is the headers:
-
GET /search?q=blarack+tabs+unbelievable&btnI=ec HTTP/1.1
-
Host: www.google.com
-
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
-
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-
Accept-Language: en-us,en;q=0.5
-
Accept-Encoding: gzip,deflate
-
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
-
Keep-Alive: 300
-
Connection: keep-alive
-
-
Cookie: SID=DQAAAHkAAADq0nde5_nP-yi0cdJj39vm2ijF6s6o_6EO5hPWp8jLU-trJc_BeKFCKkMkiKegrQ960dzEUX_xQt5vz-gsDybqClcFwUG2TAtAQzINpm1XniTr1GV32Oeajn2De58rXmuoqsTKwnIGf-04kRj8FBy_EPiTTRM3IfGaCMT6wroYqg; adwords_api_devguide_version=10; adsenseReferralClickId=; adsenseReferralSourceId=aso; WebmastersLocale=en; __utmz=173272373.1179527652.13.9.utmccn=(referral)|utmcsr=video.google.com|utmcct=/|utmcmd=referral; PREF=ID=2f15fb27be015318:TB=2:LD=en:NR=100:TM=1136517732:LM=1181439120:FV=2:DV=AA:GM=1:IG=3:GC=1:S=wo9TxiBNLbJIAQLV; adsenseReferralSubId=us-en-et_homepagevublogannounce; rememberme=true; __utma=173272373.1754075842.1140672607.1179527652.1193525321.14; TZ=300
-
-
HTTP/1.x 302 Found
-
Location: http://blarack.org/
-
Cache-Control: private
-
Content-Type: text/html; charset=UTF-8
-
Server: gws
-
Transfer-Encoding: chunked
-
Content-Encoding: gzip
-
Date: Sun, 28 Oct 2007 18:18:40 GMT
So Google is passing a 302 redirect for this link. But its also dropping the full Google Cookie.
As a dirt bag affiliate marketer I gotta ask myself besides fooling search engines what other bonuses could there be for exploiting this flaw in the Google search string. Keep in mind this is my live imagination just running wild and there is absolutely no proof on these:
1) This would spike up there search value on Google Trends?
2) There are numerous bugs with 302 redirects... wonder if this would plague any of them.
3) Social Voting: Google gets a tremendous amount of data from the Google toolbar. Seeing traffic going to this site from the search engine and staying there would indicate its a "good quality experience" for the user? Therefore giving the domain some sort of serps boost (probably unlikely)
Or many its just a cleaver way to exploit the "I am feeling lucky" button and googles trusted links in spam filters and there is no other value 
Ricky Peterson (24) 
ZK @ Web Marketing Blog (23) 
R Kumar (12) 
Holly Mann (11) 
gurtey (9) 
Shanker Bakshi (9) 
Jacques Snyman | 3 Quotes (8) 
Yisraeli Foods (8) 
Find Affiliate Offers (5) 
Michael Zhao (77) 
almir (76) 
fas (75) 
R Kumar (74) 
Rick Kats (70) 
Jay @ work from home (62) 
Dino (60) 
Dick (628) 
Goran Website (495) 
Melvin (330) 
Ben Pei (329) 
Taris Janitens (274) 
meethere (269) 
Tushar Dhoot (265) 
Tushar (260) 
Moneybites (259) 
Surley Google could simply ban the offending from their search engine databases? am I right or wrong?
Surely Google could simply remove the offending url from their search engine databases…permanently? Yes or No?
Those spammers are geniuses!
Ha ha! Thats some pretty cool spam. Apparently they are send there spam in mp3 files now too!
You would have to get a to of clicks on a pharmacy link to make a SERP difference. I think it is more likely the spammer is betting no one will do the work you did to track. Also, people trust Google. If you were going to buy pills online, why not from a Google link…
where theres a will theres a way! spam will haunt us all forever!
Yup – I agree
Just forward these emails to spam.gov
Wow. So I wonder what you use to have your email peace. I started to use something new 2 weeks ago that brought my spam intake down to less than 5%. I have been using different solutions now over the last 7 or so years, just to find myself micro-managing and presorting emails despite all marketing claims.
I blogged about the latest find that gave me email peace here:
http://www.semmy.name/index.php/88/email-peace/
I can so far highly recommend it, but if you can reveal what you use personally to deal with spam, let me/us know!
Mike we dont use some pre built software blacklist keyword package
Man, this is one of the meanest ways to spam!! I was not paying attention to what you said in the beginning but after reading carefully I have seen the light! It’s mean!!!
)
google links are always good to spam google.This will help us not to get ban for some time.
Way to spam the almighty Google! I love it.
dang, thats a sneaky way to advertise.
How is an email with Ambien in the subject-line getting through your filters?
if your blog becomes a popular target to be scraped by other re-blogger, i’m sure you can generate a buzz too
We cant blame jeremy for being a celebrity.
Yeah – You do.
That spammer is smart. not only he is able to get pass the spam filter. Clicking through rate at google results actually is one of the factor of the result position.
very interestign find man.
matt dont you think just disallowing the “Im feeling lucky” from remote requests would do it?
i need to make some kids shirts
There were also links for like winning $1000 free stuff and when you enter, you get spammed big time. Anything too good to be true is really not worth clicking, unless it’s endorsed by ShoeMoney
.
May I make a request for ShoeMoney shirts for little ones? I have a 6 year old girl and she likes cool shirts
. So far her favorite is her little penguin shirt(Tux).
I am not worthy.
hmm i show i am 3rd behind scrapers and spammers
sorry it just means that it drops the same cookie as if you were searching for the phrase itself.
as i said above this blog ranks poorly. almost every time you will get shit blogs that scrape my content before mine in google.
wow.. this quite tricky
Am I missing something? If I type blarack tabs unbelievable into Google, I don’t get Shoemoney at number 1, instead I get a site (readablog.com) that has scraped Shoe’s feed.
Can you clarify this? It looks like the cookie isn’t being touched. What do you mean?
Pretty clever type of spam mail format. Now the whole world knows.
Justin Cook, if it makes you feel better about it, I was talking with a Gmail person about this before Shoemoney posted about it.
The blarack link sent the shoemoney email to my spamtrapper. That is at least a little funny, and not particularly for any reason.
It’s sad – I blogged about this months ago, and generated no buzz over it. Shoe goes and say the same thing, and I’m sure Google will be all over it!
Anyhow, it is a smart way for spammers to bypass URLBLs. No anti-spam system will blog google after all!
Wow, that’s really clever way of using Google to spam.
Time for a Google human reviewer to sharpen his/her pencils and slap some sort of +30 (or plus anything, really) penalty on blarak.org and the “Feeling Lucky” trick will no longer work because they are not going to be #1 anymore. In fact, after this domain name has been mentioned on shoemoney.com, they might have already lost their #1 simply because Shoe has more weight (as in 800 lbs gorilla)
Sweet! Just ordered 5 bottles of viagra!!!1oneshiftone. Seriously a very clever way to spam a link. You gotta give the people props, for spammers, they are pretty creative.
Anywho, great read.
all these peeps that get the spam will now go to this site as it is the “feeling lucky” link. haha
A lot of the spam coming into my blog has links out to archived sites at archive.org, too. Looks like spammers don’t have to worry about losing their hosting account if archive.org maintains a page full of their affiliate links for life. They just keep getting more and more creative.
wow that’s amazing, you put this post up only about an hour or two ago and you’re ranked for that keyword.
Google is moving fast!
In this case you are wrong. You are already #1 for this term in the big G.
Yep, #1. Nicely done Shoemoney on capitalizing that spam:D
it is most likely to allow the link to pass through spam filters. google urls dont get flagged. there are other ways to do this using amazon etc.
Yeah it’s already #1..
LOL I get all my blarack tabs unbelievable from ShoeMoney!
I gotta be honest, I was a wee bit lost reading that!
this blog never ranks for anything in search engines
I wonder how long it will take for your blog to rank #1 for that search query and receive the complaints of annoyed users.