Capturing your details

After cutting the alpha-numeric string off the end of the URL, we were left with just the URL that should have led us to the index page of us-nma.com. Instead, the spammers must have anticipated this approach, and we got the following page!

Hilarious! They are really keen for us to click on that URL in the email! There must be something in that string that the spammers want to see.

To examine this idea a little more, we re-routed our browser to go through a free proxy and modified the string a little, so that it would not be associated with the original email that we received. This turned out to be an OK approach, but we needed to modify the string a few times before we got one that worked. Eventually, we hit a page that redirected us almost immediately to another error page that we don't care about here. But the redirecting URL was as follows:

http://www.variousus.com/cgi-bin/whole.cgi?podstavos=X1NedFFeRkBRVh9RXLk=

And you wouldn't believe it! The variousus.com domain is registered to LeiMomi01 Design, with contact details that include the email address leimomi01@tom.com, the same as that for the us-nma.com domain!

So, what do we conclude? Our guess is that the spammers are cleaning up their database. When an unsuspecting reader clicks on the URL at the bottom of the email, the CGI script slurps up the unique string and adds it to a database. The spammer associates the unique string with the email address it was sent to, and so knows they have a valid address; armed with that information, the spammer can on-sell the list of guaranteed-valid addresses, or can just spam the victim to pieces themselves!
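As an added illustration of the tracking mechanism described above (example code written for this page, not DotSec's own tooling), here is a small Python filter that flags links whose query string carries an opaque, per-recipient token of the kind seen in the variousus.com URL. The sample email body, the token pattern and the entropy threshold are constructed for the demonstration.

```python
import math
import re
from urllib.parse import urlsplit

# Constructed sample: one link carrying a per-recipient token (the form seen
# in the spam discussed above) and one ordinary link, embedded inline so the
# script runs offline.
SAMPLE_EMAIL = """
Click here to unsubscribe:
http://www.variousus.com/cgi-bin/whole.cgi?podstavos=X1NedFFeRkBRVh9RXLk=
Read more at http://www.example.org/news?page=2&lang=en
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A long base64-/urlsafe-looking blob; ordinary parameters (page numbers,
# language codes) are short and do not match.
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/_-]{12,}={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; opaque tokens score well above words or numbers."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_tracking_token(value: str, min_entropy: float = 3.0) -> bool:
    """Heuristic: a long, base64-shaped, high-entropy query value."""
    return bool(TOKEN_RE.match(value)) and shannon_entropy(value) >= min_entropy


def find_tracking_links(body: str) -> list[tuple[str, str, str]]:
    """Return (url, parameter, value) for every link carrying a suspect token."""
    hits = []
    for url in URL_RE.findall(body):
        # Split the query by hand so '+' inside a token is not turned into a space.
        for pair in urlsplit(url).query.split("&"):
            key, _, value = pair.partition("=")
            if is_tracking_token(value):
                hits.append((url, key, value))
    return hits


if __name__ == "__main__":
    for url, key, value in find_tracking_links(SAMPLE_EMAIL):
        print(f"suspect tracking link: {url}\n  parameter {key!r} = {value!r}")
```

A mail gateway could use a hit like this to rewrite or strip the link before delivery, or simply to warn the reader that following it will confirm their address to the sender.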

The moral? Don't click on links in unsolicited emails!
