Posted on behalf of Nicholas Johnston, Senior Software Engineer, Symantec Hosted Services
Spammers abusing free hosting sites to host spam-related content is nothing new, but this abuse has become much more sophisticated and multi-layered.
Instead of just including a link to a free hosting site and hosting spam-related content there, spammers are increasingly using URL shortening services. These services let spammers create an almost unlimited number of links, so each individual spam message sent can contain a new link. Increasingly, these links do not point directly to a spam-related site. Instead, they point to a free hosting site, often with extra randomized "junk" parameters added to the end of the URL like this:
var pcr= "var dilettante='http://';var m3='redacted.';var z1='com'; var lod=m3+z1;location";var fmd =".replace(dilettante+lod);"; eval(pcr+fmd);
var dilettante='http://';var m3='redacted.';var z1='com'; var lod=m3+z1;location.replace(dilettante+lod);
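This code is relatively simple. The "dilettante" variable name is randomized. It is set to "http://", i.e. the start of the URL. The "m3" variable is set to "redacted." (as in "redacted.com"). The "z1" variable is set to "com", and a new variable, "lod", is set to the values of "m3" and "z1" joined together, i.e. "redacted.com". The strings "pcr" and "fmd" are joined and passed to eval(), so the text "location.replace" never appears intact in the page source; the evaluated code ends by calling location.replace(dilettante+lod), which sends the browser to "http://redacted.com".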
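A defender-side illustration of the decoding described above (an added example, not code from the original post): a static resolver that recovers the redirect target without ever executing the script. The function names are hypothetical, and it assumes only the pattern shown here: `var` assignments built from string literals joined with `+`, wrapped in `eval()` and ending in `location.replace()`.

```javascript
// Constructed sample: the script quoted in the post (domain already redacted there).
const SAMPLE = `var pcr= "var dilettante='http://';var m3='redacted.';var z1='com'; var lod=m3+z1;location";var fmd =".replace(dilettante+lod);"; eval(pcr+fmd);`;

// Resolve an expression made only of string literals and known variables
// joined with "+". Anything else returns null; nothing is ever executed.
function resolveConcat(expr, vars) {
  const term = /\s*(?:"([^"]*)"|'([^']*)'|([A-Za-z_$][\w$]*))\s*(\+|$)/y;
  let out = "";
  while (term.lastIndex < expr.length) {
    const m = term.exec(expr);
    if (!m) return null;
    const value = m[1] ?? m[2] ?? vars.get(m[3]);
    if (value === undefined) return null; // unknown identifier
    out += value;
  }
  return out;
}

// Statically recover the redirect target, unwrapping eval() layers.
function redirectTarget(src, depth = 0) {
  if (depth > 5) return null; // bound the number of nested eval layers
  const vars = new Map();
  const decl = /var\s+([A-Za-z_$][\w$]*)\s*=((?:"[^"]*"|'[^']*'|[^;"'])+);/g;
  for (const [, name, expr] of src.matchAll(decl)) {
    const value = resolveConcat(expr, vars);
    if (value !== null) vars.set(name, value);
  }
  // A visible redirect in this layer: resolve its argument and stop.
  const redirect = src.match(/location\s*\.\s*replace\s*\(([^)]*)\)/);
  if (redirect) return resolveConcat(redirect[1], vars);
  // Otherwise rebuild the string handed to eval() and analyse that layer.
  const wrapped = src.match(/eval\s*\(([^)]*)\)/);
  if (!wrapped) return null;
  const inner = resolveConcat(wrapped[1], vars);
  return inner === null ? null : redirectTarget(inner, depth + 1);
}

console.log(redirectTarget(SAMPLE));
```

A plain string search for "location.replace" finds nothing in the sample, because the call is split across the two strings; the resolver only sees it after rebuilding the eval() argument.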
The process seems complex but is executed almost instantly by a web browser, and the user is then redirected to a spam site (with Christmas branding).
The overall process works as follows:
Redirecting users in this way shows that spammers are going to considerable lengths to hide the addresses of their actual spam sites, and are actively trying to make detection by anti-spam companies more difficult.