A spam email got through to my inbox earlier this morning.
Subject: Having trouble gettin to sleep? Get Ambien Date: Sat, 27 Oct 2007 14:38:59 -0500 MIME-Version: 1.0 Content-Type: text/html; format=flowed; charset="windows-1250" reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2869 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962 Order All of your favorite RxMedz today.<br /> With fast discreet trackable USPS shipping!<br /> No Prescription Needed!<br /> Order Now! - <a href="http://www.google.com/search?q=blarack+tabs+unbelievable&btnI=ec">ClicK Here</a><br />
So who cares right everyone gets spammed? Well I thought this was pretty interesting…
Anytime a real spam email gets through our system I always analyze it looking for a footprint that will not only identify this but all like it to our email system. Dillsmack and I both have a background in building spam prevention systems… although what seems like a lifetime ago.. anyway so we look for stuff like that.
Ok so the meat of this is really that the spammer is using Google urls to spam with… and not like googlepages or something that would get there account banned.
Now if you drop the &btnI=ec you can see that this is the only result
Now if you type that into or click directly you will see it goes directly to the domain.
Here is the headers:
GET /search?q=blarack+tabs+unbelievable&btnI=ec HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:18.104.22.168) Gecko/20071008 Firefox/22.214.171.124 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: SID=DQAAAHkAAADq0nde5_nP-yi0cdJj39vm2ijF6s6o_6EO5hPWp8jLU-trJc_BeKFCKkMkiKegrQ960dzEUX_xQt5vz-gsDybqClcFwUG2TAtAQzINpm1XniTr1GV32Oeajn2De58rXmuoqsTKwnIGf-04kRj8FBy_EPiTTRM3IfGaCMT6wroYqg; adwords_api_devguide_version=10; adsenseReferralClickId=; adsenseReferralSourceId=aso; WebmastersLocale=en; __utmz=173272373.1179527652.13.9.utmccn=(referral)|utmcsr=video.google.com|utmcct=/|utmcmd=referral; PREF=ID=2f15fb27be015318:TB=2:LD=en:NR=100:TM=1136517732:LM=1181439120:FV=2:DV=AA:GM=1:IG=3:GC=1:S=wo9TxiBNLbJIAQLV; adsenseReferralSubId=us-en-et_homepagevublogannounce; rememberme=true; __utma=173272373.1754075842.1140672607.1179527652.1193525321.14; TZ=300 HTTP/1.x 302 Found Location: http://blarack.org/ Cache-Control: private Content-Type: text/html; charset=UTF-8 Server: gws Transfer-Encoding: chunked Content-Encoding: gzip Date: Sun, 28 Oct 2007 18:18:40 GMT
So Google is passing a 302 redirect for this link. But its also dropping the full Google Cookie.
As a dirt bag affiliate marketer I gotta ask myself besides fooling search engines what other bonuses could there be for exploiting this flaw in the Google search string. Keep in mind this is my live imagination just running wild and there is absolutely no proof on these:
1) This would spike up there search value on Google Trends?
2) There are numerous bugs with 302 redirects… wonder if this would plague any of them.
3) Social Voting: Google gets a tremendous amount of data from the Google toolbar. Seeing traffic going to this site from the search engine and staying there would indicate its a “good quality experience” for the user? Therefore giving the domain some sort of serps boost (probably unlikely)
Or many its just a cleaver way to exploit the “I am feeling lucky” button and googles trusted links in spam filters and there is no other value 😉