« Spamming for the Lord | Main | Yahoo users targeted by FUD »

March 26, 2005

ZDnet site still a spam tool

Despite a partial fix, opportunistic spammers continue to abuse a security flaw at ZDnet.com.

A few days ago, admins at ZDnet managed to block a pharmacy site that had been misusing an open re-director at ZDnet.com. The good news: clicking the masked URL below, which was published in recent pill spams, now results in a message: "Forbidden to relay request through this server."

http://chkpt.zdnet.com/chkpt/howbad/rhnug.%72%65ta%69l%62%6c%6f%77s.%63%6f%6D/

The bad news: ZDnet has apparently left the re-director wide open to others. Clicking this (unmasked) link will take you to the Spam Kings page at Amazon:

http://chkpt.zdnet.com/chkpt/howbad/amazon.com/exec/obidos/ASIN/0596007329/

Judging from numerous spam samples submitted to the spam-sightings newsgroup in recent days, other spammers seem to think this ZDnet re-director is a neat trick.

My guess is that spammers hope the technique will serve two purposes. First, it will sneak their messages past URL blacklists. Second, it will "social engineer" spam recipients into thinking the spamvertised product is being offered by ZDnet.

I have no idea why ZDnet isn't just closing down the re-director completely, or at least making it off limits except to a whitelist of URLs.

At the risk of giving phishers any ideas, imagine someone abusing the re-director in conjunction with a copycat ZDnet.com site, and offering iPods for $10. "Just provide your credit card number, phone, email, and shipping address!"

Posted by brian at March 26, 2005 10:48 PM