Today a new spam e-mail arrived with a URL:
http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
It redirects many times before it finally lands on its final page.
I wonder why? After all, I can follow the whole redirect sequence, so they're not hiding anything ... from me.
I followed the redirects using my C program that performs an HTTP GET, which I revised to mimic browsers' ability to look for A tags in 302 redirect pages and follow them when the "Location:" header is missing, as is the case here.
If spam filters don't follow redirects, why does anyone pay for spam filtering?
Anyway, for this spam message, the resulting long series of redirects is amusing:
bash-3.2$ ./get http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
URL=http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
IP resolved to 66.228.35.10
DOMAIN: agreementpoint.cricket
IPv4: 66.228.35.10
REST OF URL: Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
REQUEST: GET /Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO HTTP/1.1
Host: agreementpoint.cricket
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO
Connection: close
REQUEST LENGTH 333, ACTUALLY SENT 333
GOT CHUNK 536 BYTES
TOTAL BYTES RECEIVED: 536
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Date: Mon, 13 Feb 2017 17:03:46 GMT
Server: Apache/2.2.15 (CentOS)
Location: i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO">here</a>.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at agreementpoint.cricket Port 80</address>
</body></html>
RESPONSE CODE: 302
URL=http://agreementpoint.cricket/i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
IP resolved to 66.228.35.10
DOMAIN: agreementpoint.cricket
IPv4: 66.228.35.10
REST OF URL: i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
REQUEST: GET /i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO HTTP/1.1
Host: agreementpoint.cricket
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: agreementpoint.cricket/i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO
Connection: close
REQUEST LENGTH 345, ACTUALLY SENT 345
GOT CHUNK 310 BYTES
TOTAL BYTES RECEIVED: 310
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Date: Mon, 13 Feb 2017 17:03:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.45
Location: http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
RESPONSE CODE: 302
URL=http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
DOMAIN: 74.208.164.141
IPv4: 74.208.164.141
REST OF URL: r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
REQUEST: GET /r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv HTTP/1.1
Host: 74.208.164.141
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: 74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv
Connection: close
REQUEST LENGTH 415, ACTUALLY SENT 415
GOT CHUNK 316 BYTES
TOTAL BYTES RECEIVED: 316
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Date: Mon, 13 Feb 2017 17:03:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.42
Location: http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
RESPONSE CODE: 302
URL=http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
IP resolved to 64.71.235.16
DOMAIN: www.lnksecure26.com
IPv4: 64.71.235.16
REST OF URL: rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
REQUEST: GET /rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3= HTTP/1.1
Host: www.lnksecure26.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3=
Connection: close
REQUEST LENGTH 427, ACTUALLY SENT 427
GOT CHUNK 376 BYTES
TOTAL BYTES RECEIVED: 376
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Date: Mon, 13 Feb 2017 17:03:47 GMT
Server: Apache
Set-Cookie: uid9500=1362582916-20170213090347-00e5225facfe7f80be971e74e6be97f3-; path=/; domain=lnksecure26.com
Location: http://bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
RESPONSE CODE: 302
URL=http://bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
IP resolved to 5.255.64.228
DOMAIN: bromilt.com
IPv4: 5.255.64.228
REST OF URL: 198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
REQUEST: GET /198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916 HTTP/1.1
Host: bromilt.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916
Connection: close
REQUEST LENGTH 405, ACTUALLY SENT 405
GOT CHUNK 444 BYTES
TOTAL BYTES RECEIVED: 444
RECEIVED:
___________________________________________
HTTP/1.1 200 OK
Date: Mon, 13 Feb 2017 17:03:47 GMT
Server: Apache
Set-Cookie: uid3825=555863914-20170213110347-9d3794996387fe0fe8a4dc97077f3c73-; expires=Thu, 16-Mar-2017 16:03:47 GMT; path=/
Content-Length: 165
Connection: close
Content-Type: text/html; charset=UTF-8
<script type="text/javascript">window.location.href="http://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555863914&s3=202510"</script>
RESPONSE CODE: 200
bash-3.2$ exit
FYI, 74.208.164.141 is an IP belonging to 1and1's servers.
One domain is in California, where spamming is presumably illegal.
Tech Organization: CAKE MARKETING
Tech Street: 20411 SW BIRCH ST. STE. 250
Tech City: NEWPORT BEACH
Tech State/Province: CA
Tech Postal Code: 92660
Tech Country: US
Tech Phone: +1.9495482253
Tech Email: [email protected]
If you go to the CAKEMARKETING.COM website, index.html is a 404 error.
I revised my C program to look for literal JavaScript redirects, adding even more redirects from this spam URL:
URL=http://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
IP resolved to 198.254.67.203
DOMAIN: agorafinancial.cake.aclz.net
IPv4: 198.254.67.203
REST OF URL: ?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
REQUEST: GET /?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510 HTTP/1.1
Host: agorafinancial.cake.aclz.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510
Connection: close
REQUEST LENGTH 413, ACTUALLY SENT 413
GOT CHUNK 631 BYTES
TOTAL BYTES RECEIVED: 631
RECEIVED:
___________________________________________
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915
Server: Microsoft-IIS/7.5
Date: Mon, 13 Feb 2017 17:36:31 GMT
Connection: close
Content-Length: 281
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915">here</a>.</h2>
</body></html>
RESPONSE CODE: 302
SECURE URL=https://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555878517&s3=202510&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915
Error.
bash-3.2$ <html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://pro1.agorafinancial.com/617426">here</a>.</h2>
</body></html>
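As an added example (this is not the author's C program, which the post does not include), here is a small Python redirect-chain follower that applies the same rules the post describes, both the A-tag fallback from the first section and the JavaScript redirects from the follow-up: the next hop comes from the Location header (resolved against the current URL, so a relative value like the `i.php?...` one in the first hop works), from the first A href in a 3xx body when there is no Location header, or from a `window.location.href=` or meta-refresh redirect in a 200 page. It also stops on loops and at a hop limit, which is the check any mail filter needs before trusting a chain like this. It runs offline: the responses are rebuilt from the captures above, with constructed stand-ins where the post shows only a body (the last two hops), and `fetch_captured`, `_r`, `hosts` and the `U0`..`U7` names are mine.

```python
import re
from urllib.parse import urljoin, urlsplit

HOP_LIMIT = 20  # browsers give up at roughly this many redirects


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


ANCHOR = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.I)
JS_LOC = re.compile(r'window\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')
META = re.compile(r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+url=([^"\'>\s]+)', re.I)


def next_hop(url, status, headers, body):
    """Return (next_url, mechanism), or (None, None) when this is the landing page."""
    if 300 <= status < 400:
        loc = headers.get("location")
        if loc:
            return urljoin(url, loc), "Location"  # urljoin resolves a relative Location
        m = ANCHOR.search(body)
        if m:  # what browsers do with a 3xx that carries no Location header
            return urljoin(url, m.group(1)), "anchor in 3xx body"
    for pat, how in ((JS_LOC, "window.location"), (META, "meta refresh")):
        m = pat.search(body)
        if m:
            return urljoin(url, m.group(1)), how
    return None, None


def follow_chain(start, fetch, hop_limit=HOP_LIMIT):
    """Walk the chain; fetch(url) returns raw response bytes. Returns (hops, outcome)."""
    hops = [(start, None)]
    seen = {start}
    url = start
    for _ in range(hop_limit):
        status, headers, body = parse_response(fetch(url))
        nxt, how = next_hop(url, status, headers, body)
        if nxt is None:
            return hops, "landed"
        if nxt in seen:
            return hops + [(nxt, how)], "loop"
        hops.append((nxt, how))
        seen.add(nxt)
        url = nxt
    return hops, "hop limit"


def hosts(hops):
    """Distinct hosts in order of appearance: each one deserves a reputation check."""
    out = []
    for url, _ in hops:
        h = urlsplit(url).hostname
        if h not in out:
            out.append(h)
    return out


# --- offline stand-in for the network, rebuilt from the captures in this post ---
def _r(status, body=b"", **hdrs):
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


U0 = "http://agreementpoint.cricket/Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO"
U1 = "http://agreementpoint.cricket/i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO"
U2 = "http://74.208.164.141/r.php?Q1U7E0r7l2OpXBD-OKDDyDDhDO-iKOXO==17q55h5jmnl9jmz3q93d5m@xyzAuzusxzsxt@wBrv"
U3 = "http://www.lnksecure26.com/rd/r.php?sid=9500&pub=202510&c1=120090030112031020200000001559193296460961&c2=&c3="
U4 = "http://bromilt.com/198024fa95c9ed6800/202510/120090030112031020200000001559193296460961/1362582916"
U5 = "http://agorafinancial.cake.aclz.net/?E=TV4IHEar%2bGfZZ8ABzPP4XA%3d%3d&s1=470402&s2=555863914&s3=202510"
U6 = U5.replace("http://", "https://", 1) + "&ckmguid=ebb014a1-d8a8-4d97-940c-9433c5d02915"
U7 = "https://pro1.agorafinancial.com/617426"

CAPTURE = {
    U0: _r(302, b'<p>The document has moved <a href="i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO">here</a>.</p>',
           Location="i.php?Q1U7E0r7l2OpXBD/OKDDyDDhDO/iKOXO"),  # relative Location, as captured
    U1: _r(302, Location=U2),
    U2: _r(302, Location=U3),
    U3: _r(302, Location=U4),
    U4: _r(200, f'<script type="text/javascript">window.location.href="{U5}"</script>'.encode()),
    U5: _r(302, Location=U6),
    # constructed: the post shows only this hop's body, so it is modelled as a 302 without Location
    U6: _r(302, f'<h2>Object moved to <a href="{U7}">here</a>.</h2>'.encode()),
    U7: _r(200, b"<html><body>landing page (constructed stand-in)</body></html>"),
}


def fetch_captured(url):
    return CAPTURE[url]


if __name__ == "__main__":
    hops, outcome = follow_chain(U0, fetch_captured)
    for url, how in hops:
        print(f"{how or 'start':>20}  {url}")
    print(outcome, "after", len(hops) - 1, "redirects via", hosts(hops))
```

Swap `fetch_captured` for a real socket or `http.client` fetch and the same loop walks live chains; keep the `seen` set and hop limit, because a redirector that bounces between two of its own hosts would otherwise keep a naive filter busy forever.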