Introduction
In the two years up to March 2010, spammers abused Microsoft's free spaces.live.com service to set up redirections to their spammed sites. Microsoft was chosen as the abuse victim for these reasons:
- it is free, reducing the cost of the operation to the spammers
- spaces.live.com is such a large provider of web sites that few URL blacklisting services would be likely to blacklist email containing links to it, for fear of creating many false positives
- Microsoft's abuse reporting system is inadequate, and the company's responsiveness is woeful
- redirection URLs in spam would result in only the redirectors being blacklisted if at all. The redirection target sites effectively "fly under the radar" and are less visible for reporting and suspending by registrars.
Microsoft is abundantly aware of the severity of this issue. The redirection URL lends itself to ready detection and suspension via an automated tool, given that it follows a fixed format, and redirects to an easily detectable, albeit growing, range of target sites.
Recent History
On these pages Microsoft were able to find a list of 25,000 compromised sites to be removed:
- Spaces.live.com.list.1
- Spaces.live.com.list.2
- Spaces.live.com.list.3
- Spaces.live.com.list.4
- Spaces.live.com.list.5
- Spaces.live.com.list.6
- Spaces.live.com.list.7
- Spaces.live.com.list.8
- Spaces.live.com.list.9
- Spaces.live.com.list.10
- Spaces.live.com.list.11
- Spaces.live.com.list.12
- Spaces.live.com.list.13
- Spaces.live.com.list.14
- Spaces.live.com.list.15
- Spaces.live.com.list.16
They have since been removed.
Each spaces.live.com URL spammed provides a web page on Microsoft's abused service that will redirect to one of a range of spam brands. Each brand represents an illegal web site that indulges in fraud and misrepresentation. It is strongly recommended that visitors do not provide their identity and credit card details on any of these sites. They are run by criminals who use stolen credit cards to order domain names for spamming, or to sell stolen identities within their own "carding" community.
Through spaces.live.com Microsoft supports:
- software piracy - see EuroSoft (e.g. http://cid-6155a71ae09c375b.spaces.live.com/ and http://cid-c35e9141fd58892d.spaces.live.com/ redirect to http://murgadobarotes.net/, described in this wiki at EuroSoft)
- Russian brides fraud - see http://ikillspammers.blogspot.com/2010/01/lady-marmelady-another-in-long-line-of.html
- unprotected pornography & bestiality
- illegal gambling casinos - see http://spamtrackers.eu/wiki/index.php/Gambling_Casinos
- fraud pharmacies - see Canadian Rx Drugs and Canadian Pharmacy and Online Pharmacy and Discount Pharmacy and Canadian Health&Care Mall and Pharmacy Express and Acai Elite
- counterfeit replicas - see Vertu Replica Luxury Phones
- a Russian family tree genealogy scam - http://yoursurneim.ru
Software piracy examples
Some of these redirections have subsequently been removed by Microsoft.
Redirection from spaces.live.com | Target piracy site |
---|---|
bellyfull073.spaces.live.com | dramboveras.net |
borroughs78.spaces.live.com.spaces.live.com | dramboveras.net |
gibe46.spaces.live.com | dramboveras.net |
normal2204.spaces.live.com | dramboveras.net |
titian455.spaces.live.com | dramboveras.net |
phagocyte376.spaces.live.com | profekloreas.net |
rutgers8457.spaces.live.com | profekloreas.net |
stratton12.spaces.live.com | profekloreas.net |
suppression683.spaces.live.com | profekloreas.net |
vella328.spaces.live.com | profekloreas.net |
belying4471.spaces.live.com | dragohuneas.net |
mccracken688.spaces.live.com | dragohuneas.net |
latera8184.spaces.live.com | dragohuneas.net |
gyrfalcon071.spaces.live.com | kassiopenasas.net |
comanche1830.spaces.live.com | kassiopenasas.net |
instable9270.spaces.live.com | donaterrosas.net |
footwork70.spaces.live.com | donaterrosas.net |
caruso939.spaces.live.com | donaterrosas.net |
wrest5546.spaces.live.com | donaterrosas.net |
levity680.spaces.live.com | donaterrosas.net |
technique2653.spaces.live.com | donaterrosas.net |
value6424.spaces.live.com | donaterrosas.net |
2annapolis257.spaces.live.com | donaterrosas.net |
pekypyviq.spaces.live.com | cowdetionses.ru |
kahuzytohi.spaces.live.com | cowdetionses.ru |
hatyfynuk.spaces.live.com | cowdetionses.ru |
jodusipipuk.spaces.live.com | cowdetionses.ru |
gapemulyxe.spaces.live.com | cowdetionses.ru |
byfucekydo.spaces.live.com | cowdetionses.ru |
cujubecizy.spaces.live.com | cowdetionses.ru |
hinizyzaw.spaces.live.com | vietongeras.net |
vucyxiwyhy.spaces.live.com | vietongeras.net |
rubidakir.spaces.live.com | privatoneas.net |
dyzoxynos.spaces.live.com | flopertoveres.ru |
ribedyryd.spaces.live.com | flopertoveres.ru |
On the few occasions when Microsoft has taken action following complaints, attempting to view the pages returns the message:
Sorry, Spaces is temporarily unavailable at this time. If you are the owner of this Space, here's a few of the potential reasons why you may be seeing this message:
* Operational Issues: Please check The Space Craft to verify overall Windows Live Spaces availability. If problems persist, you can be sure we're working on it -- please check back later and allow us time to resolve the issue.
* Code of Conduct Violation: You may have posted content to your Space (often unintentionally) that violates our Code of Conduct. Check your Hotmail Inbox, or the inbox associated with your Windows Live ID, for messages from Support.
If you're still not sure why your Space is unavailable but the rest of the site seems to be working, please contact Windows Live support for additional assistance.
How Microsoft can fix the problem
The methodology for fixing the problem is now well established. Other major providers have had to deal with this problem, and have successfully cleaned it up.
- The first step is to remove all existing infections.
- The second step is to remove the ability to create new infections.
1. Removing existing infections involves a process of examining the contents of infected pages, and collecting a set of unique signatures. These are sections of code that are unique to the infection, and that would have a low likelihood of appearing on legitimate pages. With enough such signatures, you have a high probability of being able to mark a page as either legitimate or infected. Next you start a continually running program that scans through every page, and removes the infected ones. The removal can be a complete deletion, or a request for the page owner to contact Microsoft to explain why the page should be reinstated. Either way, the general public can no longer access the original page.
Sample signatures
2. Preventing further infections involves examining the process for creating new sites, and ensuring it is not open to easy abuse. Where CAPTCHA methods are used, they need to be able to withstand the existing CAPTCHA automation tools that are prevalent on the Internet today. In fact, CAPTCHA is rapidly becoming an ineffective method of abuse prevention. A rugged CAPTCHA used in conjunction with an email challenge/response would be better. Manual activation would also improve security. Read about how inadequate the Live captcha is.
3. Recording the incoming IP address of new accounts would lead to another part of the fingerprint for automated detection and deletion.
4. Cleaning out existing and new sites needs to be a continuous, automated process. Simply removing sites reported by volunteers after the damage is done does not meet even the basic requirements for security. Currently that's all that Microsoft is doing.
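One way to combine steps 1, 3 and 4 above into a single scanning pass. This is an added example, not code from this wiki or from Microsoft; the signature strings, IP addresses, weights and threshold are constructed assumptions.

```python
import html
import re

# Constructed signatures (weights are assumptions): a link to a spam target is
# strong evidence, a banner-text fragment is weak on its own.
SIGNATURES = {
    'a href="http://spam-target.example/': 3,
    'a href="http://pills-shop.example/': 3,
    'font style="font-size:22px;color:blue">best online store': 1,
}
BAD_CREATION_IPS = {"203.0.113.7"}  # constructed: IPs of already-removed accounts
IP_WEIGHT = 1
THRESHOLD = 3                       # assumed score at which a page goes offline

BANNER = '<font style="font-size:22px;color:blue">BEST ONLINE STORE !</font>'
PAGES = {  # constructed samples: space name -> (page HTML, account creation IP)
    "redirector": ('<A HREF = "http://spam-target.example/">go</A>', "198.51.100.4"),
    "encoded": ('<a href="http://pills-shop&#46;example/">x</a>', "198.51.100.8"),
    "banner-only": (BANNER, "198.51.100.9"),
    "banner-bad-ip": (BANNER, "203.0.113.7"),
    "family-blog": ('<a href="http://photos.example/">holiday</a>', "198.51.100.5"),
}

def normalise(page_html):
    """Undo trivial evasions: entity encoding, case changes, stray whitespace."""
    text = html.unescape(page_html).lower()
    text = re.sub(r"\s+", " ", text)
    return re.sub(r" ?= ?", "=", text)  # href = "..." -> href="..."

def classify(page_html, creation_ip):
    """Return (score, evidence, action) for one page."""
    text = normalise(page_html)
    evidence = [sig for sig in SIGNATURES if sig in text]
    score = sum(SIGNATURES[sig] for sig in evidence)
    if creation_ip in BAD_CREATION_IPS:
        score += IP_WEIGHT
        evidence.append("creation-ip " + creation_ip)
    return score, evidence, "quarantine" if score >= THRESHOLD else "keep"

def sweep(pages):
    """One pass of the continuous scan: spaces to take offline pending review."""
    return sorted(name for name, (page_html, ip) in pages.items()
                  if classify(page_html, ip)[2] == "quarantine")

if __name__ == "__main__":
    for name, (page_html, ip) in PAGES.items():
        print(name, classify(page_html, ip))
```

A banner fragment or a flagged creation IP alone stays below the threshold, so a legitimate page that happens to share one weak trait is kept.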
Sample spams
Creating the perfect replica Designer phones is our most involved, complex and dedicated pursuit. Beneath the slick polished exterior of a Vertu, lies the complicated and precise interior chipset and software. To replicate them well requires a high level of expertise, and that’s exactly where we seek to differentiate ourselves from our competitors. We create the highest quality range of Vertu replicas in the market, easily distinguishable by the high level of finish as well as the firmware and software, which are identical to the originals’ http://grassy46.spaces.live.com
Subject: Russian wives are the best. 11 new ladies profiles (dating) http://sent69.spaces.live.com
Subject: Meet and marry a gorgeous Russian queen. Julia sent new message for you http://facile5371.spaces.live.com
Subject: Double your size in just two weeks Get a jump on the competition with your huge rod - blow them all away http://nottingham9337.spaces.live.com
Subject: A year ago you came to Russia, I remember you, write me! I'll see you I really liked - let's get acquainted! I am from Russia! http://goggle094.spaces.live.com
How to report this spam
To notify Microsoft of this problem, go to http://mobile.spaces.live.com/, click on "Report Abuse" and fill in the report form. Provide the details to help Microsoft resolve the problem under the form heading:
Please provide as much detail as possible regarding the abuse or offensive behavior you are reporting to help us investigate the issue quickly
Refer Microsoft to the listing at http://rss.uribl.com/hosters and to the sites to remove, starting at Spaces.live.com.list.1
Further Reading
- Spaces.live.com blog about redirection abuse
- Wake-up call to Microsoft
- McAfee Site Advisor review of spaces.live.com
- Blog on spaces.live.com reviewing the problem
- Washington Post story, November 2008
- Fight Back campaign forum
- Spamnation blog
- Russian brides scam
- Part 1 of Dancho Danchev's exposure on the EWC gambling casino fraud
- The inadequate live.com CAPTCHA system has been bypassed