Strider Search Ranger:
War on Search Spam: Shifting the Battleground by “Following the Money”
Created: January 2007
Last Updated: March 30, 2009
Recent: Last Update: January 28, 2010
· Search Quality & Cyber-Intelligence Lab (SQ-CIL)
· “Detecting Stealth Web Pages That Use Click-Through Cloaking,” MSR-TR-2006-178, December 2006
· “Spam Double-Funnel: Connecting Web Spammers with Advertisers,” in Proc. WWW, May 2007
  o “Researchers Track Down a Plague of Fake Web Pages,” by John Markoff, The New York Times, March 19, 2007
  o “Microsoft Tracks Down Mass Fake Web Pages,” Slashdot, March 20, 2007
  o “Microsoft researchers follow Web spam money trail,” by Ryan Naraine, ZDNet, March 19, 2007
  o “Research paper uncovers root of nuisance Web pages,” by Jeremy Kirk, IDG News Service, London Bureau, March 19, 2007

  o Chris O’Hara’s Jan. 23, 2007 blog on his contact with ISPrime regarding the involvement of 66.230.138.211 in comment spamming
  o How you can help fight search spam by “following the money” (download the Fiddler HTTP proxy first):
1. If you are a blog owner like Chris and your blog is being spammed by cyber-scammers who serve ads:
   · Turn on Fiddler to monitor the HTTP traffic.
   · Click on an ad on the spam page and watch Fiddler output to see which IP addresses and domains are receiving (and therefore profiting from) spam-ads click-through traffic; for example, the first Fiddler screenshot at http://research.microsoft.com/SearchRanger/Spam_ads_click-through_analysis.htm shows that the IP address 66.230.173.28 and the domain looksmart.com are involved.
   · Do a Whois lookup at http://whois.domaintools.com/66.230.173.28, find out that it is hosted by ISPrime, Inc., and call their abuse phone number to report the spam. Any responsible ISP would respond immediately by removing the spammer because they don’t want to be knowingly involved in making money from spam.
   · Do a Whois lookup at http://whois.domaintools.com/looksmart.com to find looksmart.com’s phone number and call them to report the spam. Any responsible advertising syndicator would respond immediately by disabling the spammer’s account because they don’t want to be knowingly involved in making money from spam.
2. If you are a legitimate company like Orbitz and you don’t want to have the bad reputation of funding the search-spam industry:
   · Use the following queries to find lots of spam pages and click on the orbitz.com ads to see which ISPs and syndicators are responsible:
     · http://search.live.com/results.aspx?q=cheap+airfare+site%3Ahometown.aol.com&form=QBRE
     · http://search.live.com/results.aspx?q=cheap+ticket+site%3Ablogspot.com&form=QBRE&go.x=18&go.y=8
   · Call the ISPs to complain. Call the syndicators to complain. Who knows, they may apologize and give you a big discount on the rest of your good ad impressions. If they had explicitly promised you that they would not serve your ads on low-quality pages, there may be more actions you can take. (Note: to verify that a suspicious-looking page like http://zcheapticket.blogspot.com is indeed a comment-spammed URL, do a query of “link:http://zcheapticket.blogspot.com” at live.com and visit the cached pages to see where the URL is being spammed.)
3. If you are a legitimate ISP like ISPrime, Inc. and you don’t want to have the bad reputation of making money from search spam:
   · Do the following queries, visit the cached pages of those spammed forums, pick a few blogspot spam URLs to visit, click on the spam ads, and you can easily see how much of the click-through traffic is going into ISPrime-hosted IP addresses like 64.111.214.154 and 66.230.138.211:
     · http://search.live.com/results.aspx?q=link%3Ahttp%3A%2F%2Fzcheapticket.blogspot.com&form=QBRE
   · More seriously, do the following queries to see malicious spam URLs that are exploiting browser vulnerabilities to install malware through an ISPrime-hosted IP address:
     · http://www.google.com/search?hl=en&q=site%3Alaw.harvard.edu%2Fharmonizer+free+porn
     Many of these law.harvard.edu doorway pages redirect to the malicious domain stlinx.info sitting on the ISPrime-hosted malicious IP address 66.230.138.194. This IP address has been hosting several generations of malicious domains including (1) Alllinx.info/Linim.net, (2) Frdolls.net/Frlynx.info/Joutweb.net, (3) Stlinx.info/Recdir.org, and (4) Trfred.info (e.g., this malicious blogspot URL http:// bimanzj. blogspot. com redirects to http:// trfred. info/ lc22.html).
   · Looks like a lot of spam-ads click-through traffic is now moving to 206.161.121.115 hosted by Beyond The Network America, Inc.; see http://research.microsoft.com/SearchRanger/Spam_ads_click-through_analysis_March_11_2007.htm#Beyond.
   · ISPs against Spammers:
     · ISPrime took actions around March 19, 2007, and the spammer moved to 67.15.239.42 (and nearby IP addresses) – see http://whois.domaintools.com/67.15.239.42
4. If you are a legitimate advertising syndicator and you are considering doing business with IP addresses that are known to be involved in search spam (or you don’t want to do due diligence in stopping your partners/affiliates from doing that):
   · Think twice, because you may be getting angry phone calls from some of your biggest advertising customers, now that everybody knows how the search-spam industry works. It’s just not worth it.
   · For example, kanoodle.com did not have a heavy presence in our Spam Double-Funnel study. But we are now seeing kanoodle.com connecting to the double-funnel through 66.230.138.211.
   · Syndicators against Spammers:
     · LookSmart took actions around March 19, 2007 and wants to take more actions. As the first step, they should scrutinize click-through traffic from 206.161.121.115 and 67.15.239.42 (and their nearby IP addresses). For example, http://ch-airfares-hoo.blogspot.com, http://hometown.aol.com/allhandbags/index.html, and http://www.searchadv.com/search.php?aid=45034&q=cheap%20airfares.
5. If you are a search engine user and you see a list of ads AFTER you click on a search result:
   · Don’t click on any of the ads on that page because you will be helping the spammer make money if you do that.
   · Better yet, click on one of the ads with the Fiddler monitor on and call the involved domain owners to complain, as described in (1).
6. If you are a legitimate website owner:
   · Beware of spam parasites like http://PornStar-Finder.IEEEpcs.org/ and http://www.HistMed.org/Gambling-Online.phtml.
   · If you own law.harvard.edu, do a query of “site:law.harvard.edu phentermine” at live.com to discover search spam on your website.
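As an added illustration of the click-through analysis in steps 1 and 3 (example code, not part of the original page or the Search Ranger tools), the following Python script walks a constructed redirect chain of the kind Fiddler would capture after one ad click and attributes each hop to its hoster; the hoster table contains only the IP-to-ISP pairs reported on this page, the hostnames are constructed .example names, and a real investigation replaces the table with a Whois lookup per hop.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-in for a Fiddler capture after one ad click on a spam page:
# URL -> (HTTP status, Location header or None). Hostnames are made up (.example).
CAPTURE = {
    "http://spam-blog.example/cheap-ticket.html": (302, "http://redirector.example/go?id=1"),
    "http://redirector.example/go?id=1": (302, "http://66.230.138.211/click?aff=7"),
    "http://66.230.138.211/click?aff=7": (302, "http://206.161.121.115/ad?kw=cheap+airfare"),
    "http://206.161.121.115/ad?kw=cheap+airfare": (302, "http://syndicator.example/land"),
    "http://syndicator.example/land": (200, None),
}
# IP-to-hoster pairs as reported on this page (March 2007); a real investigation
# replaces this table with a Whois lookup per IP address.
HOSTER = {
    "66.230.138.211": "ISPrime, Inc.",
    "64.111.214.154": "ISPrime, Inc.",
    "206.161.121.115": "Beyond The Network America, Inc.",
}
REDIRECTS = {301, 302, 303, 307, 308}

def follow_chain(start, capture, max_hops=10):
    """Return the URLs visited in order; stop at a non-redirect, an unknown URL, a loop, or max_hops."""
    chain, url = [], start
    while url and url not in chain and len(chain) < max_hops:
        chain.append(url)
        status, location = capture.get(url, (None, None))
        url = location if status in REDIRECTS else None
    return chain

def attribute(chain, hoster):
    """Map each hop to (host, owner); IP literals use the table, domains get flagged for Whois."""
    hops = []
    for url in chain:
        host = urlparse(url).hostname
        try:
            ipaddress.ip_address(host)  # raises ValueError for a domain name
            owner = hoster.get(host, "unknown IP: do a Whois lookup")
        except ValueError:
            owner = "domain: do a Whois lookup"
        hops.append((host, owner))
    return hops

def tally(chains, hoster):
    """Count hops landing on each known hoster across many captured chains (step 3's question)."""
    counts = Counter()
    for chain in chains:
        counts.update(o for _, o in attribute(chain, hoster) if o in hoster.values())
    return counts
```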
· Spam Ads Click-Through Analysis Examples:
· “A Quantitative Study of Forum Spamming Using Context-based Analysis,” in Proc. NDSS, February 2007
  o Honey Forums, Click-Through Cloaking, Universal Redirectors, and malicious spam pages
· “Strider Search Ranger: Towards an Autonomic Anti-Spam Search Engine,” in Proc. ICAC, June 2007
  o Three types of redirection spam
· Other Spam Analysis
  o Spam Attack by Website Clones
· Other Strider Projects:
  o Strider HoneyMonkey Malicious Website Detection
  o Strider Typo-Patrol Cybersquatter Detection
  o Strider GhostBuster Rootkit Detection
  o Strider Gatekeeper Spyware Management
©2010 Microsoft Corporation. All rights reserved.