home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

How to spot a spam website

Through the years that I’ve been studying spam (and that’s longer than I care to think), I’ve seen lots and lots of spammers’ websites, and I’ve gotten to where I can spot a spamvertized website practically before it finishes loading. While my interest in spam generally extends only to its congestion of the e-mail system (I pretty much don’t care who sets up whatever websites as long as they don’t spam me), the study of spam websites can be an edifying descent into stupidity and mendacity. There are several ways in which these sites stand out from others, and I’ll discuss them here.

Attack of the mutant clip-art midgets.

Many businesses like to decorate their websites with stock-art photos of real, but anonymous people. This is, I suppose, a way to hint to the visitor that there are real humans involved with the enterprise at some point. Sober-sided business-to-business sites like to use images of attractive, well-dressed professionals seated around conference tables (deciding where to have lunch), talking on cell phones (negotiating a later pick-up time with their children’s day-care), or tapping away on laptops (entering cheat codes for Doom 3). Retail operations that deal with the general public like to use hip, quirky-looking twenty-somethings, preferably of color (but not too much color), as if to say “hey, we’re not a bunch of old white guys trying to cook the quarterly income statements”

Spammers, oddly enough, seem to be disproportionately attracted to a type of illustration that I have dubbed the “mutant clip-art midget.” These unfortunate folks stare druggedly up into the fisheye lens held at twelve-o’clock high, giving them a weird foreshortened appearance. These mutants are so prevalent on spam websites (and almost nowhere else) that they might as well be replaced with a bold headline reading “I’M A CLUELESS SPAMMER.”

Recent mutant clip-art midget sightings from around the spam web,
including special guest mutant Matthew “Send Me Free Money” Lesko (top far right).

The big, blank main page

Every website is supposed to have a default “main page,” which is where your browser will go if you don’t enter a specific file name after the URL; usually this page is named “index.html” (e.g., “www.rickconner.net/” goes to a file named “index.html” in my main directory, while “www.rickconner.net/spamweb/” goes to another file called “index.html” in the “spamweb” directory). If you operate a business website, it is important to have a good main page, since your visitors aren’t likely to enter specific filenames in the URL when they look you up.

A spammer, on the other hand, will typically send you to a specific page on his website (e.g., “www.spamidiot.foo/1/5/get_rich_quick.php?sucker=1229384”) rather than to such a default main page. Consequently, he doesn’t have to have a main page at all. Whenever you visit a spamvertised website, you might try deleting the filename part of the URL (the part after the last foward slash “/”) and reloading; you’re likely to see any of the following:

A business website is a pretty big investment of time and technology, and it stands to reason that operators of such sites would want to make it as easy as possible for visitors to stop by, and for search-engine “robots” or “spiders” to collect info about the website to add it to their listings (the main page of a site is the robot’s entrée to the other pages of the site). If the website has no useful main page, or no main page at all, this should raise some suspicions in your mind about the enterprise.

A long, strange trip

Next time you go to load up a possible spam website, keep a careful eye on your browser’s URL window (the one usually at the top that shows what address you’re connected to) and your status bar (the one that shows what the browser is doing each moment, usually at the bottom). You may see a succession of URLs fly by before you finally land at your destination, and it is likely to be completely different from the one you started at or clicked on.

Of course, legitimate businesses often redirect you from their “main” URL to some other; there are good reasons for this I suppose (like selecting the correct page for you based on your geographic location or your browser type), but it always reminds me of those movies where the hero gets blindfolded, shoved in a car, and driven across town to a secret meeting. In any case, such firms almost never redirect you outside their own domains (e.g., you’ll go from “www.bigcompany.com” to “www3.bigcompany.com/index.asp?where_we_want_you_to_go”)

Spammers will often redirect you literally all over the globe, from one cryptic URL to another (often these URLs are identified by IP address and not by name). What is often happening here is that you’re being redirected from a simple “portal” website whose only reason for being is to serve as a gateway to the spammer’s main site. These portal URLs are included in the spam mailings, and may often be shut down; however, the spammer’s main site is intact and he needs only to set up a couple of new portals.

Another reason for being redirected by a spammer is that the spammer is merely a front, or “affiliate”, for the real perps; like the beaters in a stockyard, the affiliates use their internet resources to herd more cattle into the chutes.

A great URL, but not mine

As any “branding” expert can tell you (at least any expert in the type of branding that doesn’t involve livestock and red-hot iron doohickeys), a nice, catchy URL can help you attract customers. Even if you don’t actually have such a URL, you can pretend to have it and thereby inspire some confidence among your potential suck— er, I mean customers.

Sometimes you’ll see a nifty URL emblazoned across a web page, but when you look at your browser’s URL window, you’ll see something completely different. Here’s an example: the spammer claims to be “rx-online-store.com,” but the browser actually reports “brigade.costpharm.com.”

There are two possibilities here: either the spammer actually does own the domain, but is simply redirecting you to a duplicate site or “mirror” in order to save the real domain from being shut down (this seems the be the case in the example above), or the spammer may have no rights whatsoever to the domain that appears on the webpage (there’s nothing in particular that prevents him from putting such a URL on the page, although the real owner might put his lawyers on the job).

While I would rather have presented an example of a true URL “forgery” (and I may post one the next time I spot it), I’m not too upset about using this guy as an example here, since I’ve gotten dozens of spams from him or his affiliates pointing me to this same site on dozens of different URLs.

Don’t peek

While this site isn’t about pop-ups and other annoying web advertising per se (that’s a field I leave for others to conquer), you do sometimes find them in the course of tracking down spam. Some spam websites, but mainly pop-up or pop-under ads, desparately want to keep you from seeing the advanced 23rd-century HTML coding techniques they use to try to sell you online casino access or worthless cache-cleaning software. Or maybe they just don’t want you to find out ahead of time where they want to redirect you when you click on the button. This is usually done with a JavaScript that intercepts right-clicks (see the “click(e)” function in my sample spam analysis #5) and suppresses the “view source HTML” command. If these guys can also create the HTML window such that it doesn’t have menu bars, they can pretty effectively prevent you from snooping. That is, they can do so if you use Microsoft Internet Explorer. At work (where I must use Microsoft Windows), I’ll re-open such pages in the open-source Mozilla or Firefox browsers, which appear to be immune to this trick.

If you’re stuck with Mr. Gates’ spammer-friendly and huckster-friendly MSIE, you can still get at the source of these windows with just a bit of work: simply find out where MSIE is storing its cache files (usually this directory is identified somewhere within the “Internet Settings” dialog), then do a search by content in this directory; use “*.*” as the file to find, and use some text that appears in the popup as the content to find (usually, something from the popup’s title bar works best). The search may take awhile, but the page will eventually show up (and you can then open it with a text editor -- not MSIE -- to get a look at it).

Another way (the hard way) to prevent web visitors and pop-up recipients from seeing webpage markup is to use a markup encryption tool (like “HTMLzip” or “HTMLcrypt”); usually, these tools transmit the website data in an encrypted form, along with a JavaScript or other bit of code that decrypts the content and displays it. Again, see my sample analysis #5 for a example of how such encryption can be dealt with.

Trust us, it’s secure

Many spam websites claim that they offer “secure ordering,” but is this always true?

At the moment, the principal means of providing security for web transactions is the use of HTTP over SSL (secure socket layer) along with 128-bit “strong” encryption. When your browser is connected to a site protected in this fashion, you will see “https” rather than “http” up in the URL window, and (depending upon the browser) a little “closed padlock” icon (and not an “open padlock”) around the periphery of the browser window. If you see these, you can be relatively certain that your credit card numbers (or other sensitive information) will not be transmitted “in the clear” over the internet where others might be able to capture them.

Of course, running a secure server takes a bit more effort and expense than simply collecting orders on unencrypted pages, and many users might not really know the difference (particularly if you just lie about it and claim that your order process is secure). Here’s an example taken from a recent spam website; I navigated the order process, filling in bogus info until I reached the moment of truth (i.e., the part where you enter and transmit your credit card info).

As you can see, although the form button says “submit secure order,” the URL has no “https” and there was no “closed padlock” on the page. Doesn’t look good.

Of course, even if the spammer provides a 100% up-to-date encryption system for collecting your order, it is still a pretty bad idea to do any sort of business with a spammer.

Remove links and disclaimers

Many websites prominently feature mailing list removal links or buttons on their main pages, as well as lengthy, earnest disclaimers about how they do not tolerate spam. Now, ask yourself: does the official website of the Roman Catholic Church at the Vatican have a “remove” button on its main page? (The website is at http://www.vatican.va/, but I’ll save you the trip: it does not). Does the official website of the President of the United States (http://www.whitehouse.gov/, but be careful because whitehouse.com is a porn site) devote a big chunk of space on its main page to the President’s repudiation of spam in all its forms? Again, nope. These institutions do not use spam and do not need to use it.

 home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

(c) 2003-2006, Richard C. Conner ( )

16586 hits since March 27 2009

Updated: Sat, 06 May 2006