Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Symantec Intelligence

Spammers abusing major domain parking service

Created: 25 May 2011
Nick Johnston's picture
0 0 Votes
Login to vote

Domain parking services allow registration of Internet domain names without using them for services like email or hosting a website. This is often done to reserve the domain name for future use, to prevent (or carry out) cybersquatting or earn money via advertising hosted on an automatically-generated web site on the domain.

We recently noticed a large domain parking service being abused by spammers on a massive scale. Each domain hosted on the service contains an open redirect script, allowing spammers to redirect to any URL of their choice. The only minor restriction is that URLs have to be base64-encoded: in other words, a redirect URL of "http://symantec.com" must be specified as "aHR0cDovL3N5bWFudGVjLmNvbQ==".

This type of abuse is particularly interesting, as it's important to note that spammers have not compromised the service directly: they are simply taking advantage of a feature of the software in use. Since the redirect does not affect the parking page, and domains parked on domain parking services are typically not used for any other purpose, it is unlikely that the domain owners will notice when their domains are inevitably added to anti-spam blocklists. It is also possible that the domain parking service was not aware of the abuse. We have informed the domain parking service of the abuse.

This abuse could be effective against some anti-spam products since many of the domains affected have been registered for years, and therefore seen as more likely to have a good reputation.

Spammers are currently using this to redirect to "get rich quick" sites, which spoof a popular US broadcaster, as shown in the screenshot below:

domain parking image

We have automatically blocked tens of thousands of these domains.

This latest abuse shows the lengths spammers are prepared to go to in attempting to conceal their spam sites.

To help prevent this type of abuse, we recommend that any redirecting scripts check the HTTP "Referer" [sic] header before redirecting. Using cryptographic hashing can also be useful, as can restricting the set of sites which can be redirected to.

Blog Entry Filed Under: