On the Trail of the Malevolent Redirect

Listener Jack Flynn had a question for me. "How do you disclose all of those redirects when you track down spammers?" Good question. In fact, it's not something that requires much know-how, just enough patience to perform a series of mind-numbing steps over and over. Prepare to have your mind numbed because I'm now going to show you how it's done.

The first step is finding a spam message to analyze. Because my Gmail account receives copies of all e-mail messages sent to me (even the ones that are filtered out before reaching my standard account), I usually have plenty to choose from. Spam stays on the system for 30 days and then Gmail deletes it, so I also have a running total of how much spam is trying to get to me.

I thought that this Colonial Bank WebBiz Emergency Alert System message might be a good candidate.

So I opened the message and found that Colonial Bank (never heard of it) had installed some new security software and wanted me to update things.

That would have been difficult, as I didn't have an account. And the message gave away a lot: my name was, of course, nowhere to be found, and a series of grade-school punctuation errors revealed the message for what it was.

By hovering the mouse over the link in the message, I could see the real destination in the status bar. The visible link text proves nothing; only the underlying address matters.

So I copied the shortcut to the Windows clipboard and pasted the URL into UltraEdit, but any text editor will do (Notepad, for example).

The domain is fnhgjd.com, which doesn't look much like a bank's domain. The next step I always take is to look up the domain registration (WHOIS) information, because I want to know who owns the domain and where that person is located.

CentralOps.net is a handy free online service that provides a lot of this information.

The registrar for this domain is in China, and it's a safe bet that a US-based bank doesn't register its domains through a registrar in China. So who does this domain belong to?

I scrolled down a bit further and found that the registration belongs to a gentleman in Saratov, the capital of the Saratovskaya Oblast (administrative region) in Russia.

Saratov is about 1000 miles southeast of Moscow, which puts it in central Russia. This is not an area known for international finance.

So now it's time to see if there are any redirects.

To find out, I use SamSpade, a free utility available for download.

I hand SamSpade the full URL and tell it to identify itself as a Windows 95 computer running an old version of Internet Explorer; that is simply the User-Agent string it sends with the request. This is safe because SamSpade shows only the raw HTML that comes back. It doesn't render the page or run scripts, so none of the nasties on the site can execute, and you can see what redirects are in place. One caveat: the request itself still reaches the spammer's server, which will see your IP address and, if the link carries a unique tracking code, will learn that your e-mail address is live.

As it turns out, there aren't any redirects, but the site serves an executable file that a browser would offer to run. Needless to say, this would do something to the computer that I wouldn't be happy about. Although there were no redirects here, this shows how you can safely examine the target of a URL. Be extremely careful, though, when you're obtaining the URL, because accidentally clicking the poisonous link will take you to the rogue site.

If at First You Don't Succeed, Try Second Base

So I went back to the starting point and scanned the list for another possible "winner".

Ah ... here's one: an offer for "free scholarships".

The URL is long and ugly, but that's not necessarily definitive. Legitimate URLs can be much longer than this.

Once again, I copied the link to the Windows clipboard.

CentralOps told me that the domain in question is registered to someone in Santee, California. So I asked Google Maps and, as it turns out, this is an area with a street-level view.

The view on the left is the overhead map view with a satellite photo. It appears to be a shopping center.

The view on the right confirms this. It's a small shopping center with a Von's supermarket. The address provided is probably nothing more than a mailbox.

Now that I know a bit about the spammer, it's time to look at the website.

SamSpade showed me the page. The horizontal scroll bar reveals that some of the lines are quite long. Making the code hard to read is one technique spammers use to hide their work, but it is only an annoyance for a human; it does nothing to hide the redirect from a tool that parses the HTML.
So I copied all of the text from SamSpade and pasted it into UltraEdit. I had UltraEdit remove extra vertical and horizontal spacing, then wrap the text so that everything would be visible. There wasn't much in the body of the page, just a form with no elements and no way to submit it.

But there it was, up in the <HEAD> element, a redirect.
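The two parts of this column that are actual technique, the SamSpade-style raw fetch with a fake User-Agent and the search of the HEAD for a redirect (and then following the chain one hop at a time), can be scripted. The example below is added here; it is not TechByter's, SamSpade's or CentralOps' code, and it uses only the Python 3 standard library. Everything in SAMPLE_SITE is constructed for the demo: fnhgjd.com is the domain from the first spam, but its response is made up, and the mail-track.example, hop-one.example and apply.example hosts stand in for the scholarship spam's chain, whose real URLs the column does not give.

```python
# Redirect tracer. Added example, not TechByter's, SamSpade's or CentralOps' code.
# Fetches the raw page without rendering it, looks for an HTTP 3xx, a
# <meta http-equiv="refresh"> in the HEAD or a JavaScript location change, then
# follows the chain hop by hop and records the hostname of every hop.
import re
import urllib.request
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Old-browser User-Agent, as in the column; the page is never rendered or run.
OLD_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)"

# Matches  location = "..", window.location.href = "..", location.replace("..")
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_live(url, timeout=15):
    """One raw fetch -> (status, headers, body). The request still reaches the
    spammer's server, so run it from an address you don't mind exposing."""
    req = urllib.request.Request(url, headers={"User-Agent": OLD_UA})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read()
    except HTTPError as e:            # 3xx (and 4xx/5xx) land here
        return e.code, dict(e.headers), e.read()


class _RedirectSniffer(HTMLParser):
    """Collect meta-refresh targets and <script> bodies from raw HTML."""
    def __init__(self):
        super().__init__()
        self.meta_targets, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.meta_targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_redirect(status, headers, body):
    """Return (kind, target): 'http', 'meta-refresh', 'javascript',
    'executable' (a download rather than a page), or (None, None)."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES and "location" in h:
        return "http", h["location"]
    if "x-msdownload" in h.get("content-type", "") or ".exe" in h.get("content-disposition", "").lower():
        return "executable", None
    if "text/html" not in h.get("content-type", ""):
        return None, None
    s = _RedirectSniffer()
    s.feed(body.decode("utf-8", "replace"))   # long lines don't bother a parser
    if s.meta_targets:
        return "meta-refresh", s.meta_targets[0]
    m = _JS_REDIRECT.search("\n".join(s.scripts))
    if m:
        return "javascript", m.group(1) or m.group(2)
    return None, None


def trace(url, fetch=fetch_live, max_hops=10):
    """Follow the chain; each hop records its host and what sent us onward."""
    hops, seen = [], set()
    while url and len(hops) < max_hops:
        if url in seen:                          # A -> B -> A: stop, report loop
            hops.append({"url": url, "host": urlsplit(url).hostname, "kind": "loop", "next": None})
            break
        seen.add(url)
        status, headers, body = fetch(url)
        kind, target = find_redirect(status, headers, body)
        nxt = urljoin(url, target) if target else None
        hops.append({"url": url, "host": urlsplit(url).hostname, "kind": kind or "final", "next": nxt})
        url = nxt
    return hops


# Constructed stand-in for the two spams; the real paths and pages are not in the column.
_HTML = {"Content-Type": "text/html"}
SAMPLE_SITE = {
    "http://fnhgjd.com/": (200, {"Content-Type": "application/x-msdownload",
                                 "Content-Disposition": 'attachment; filename="update.exe"'}, b"MZ\x90\x00"),
    "http://mail-track.example/c?id=42": (200, _HTML, b"<html><head>" + b" " * 400 +
        b'<meta http-equiv="refresh" content="0;URL=http://hop-one.example/go"></head>'
        b"<body><form></form></body></html>"),
    "http://hop-one.example/go": (302, {"Location": "http://hop-one.example/go2"}, b""),
    "http://hop-one.example/go2": (200, _HTML,
        b'<html><head><script>window.location.href = "http://apply.example/form";</script></head></html>'),
    "http://apply.example/form": (200, _HTML, b'<html><body><form action="/submit"><input name="email"></form></body></html>'),
}


def fetch_sample(url):
    """Offline replacement for fetch_live that serves SAMPLE_SITE."""
    return SAMPLE_SITE[url]


if __name__ == "__main__":
    for hop in trace("http://mail-track.example/c?id=42", fetch_sample):
        print(f"{hop['host']:<20} {hop['kind']:<13} -> {hop['next']}")
```

Run it as a script to print the constructed chain, or call trace(url) with the default fetch_live against a real spam link, remembering that fetch_live does connect to the spammer's server. The hostname recorded for each hop is what you then feed to a WHOIS lookup such as CentralOps; two hops landing on the same registrant, as in the scholarship spam, show up immediately.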

I returned to CentralOps and found the address for the redirect's domain: San Francisco.

Google Maps was the next step, of course, and the address is in an area northeast of the Mission District. Keep this address in mind; you'll see it again.

It's SamSpade's turn again, and there's another redirect.

You would be forgiven for thinking that we're going in circles here.

And this domain is registered to the same company at the same address as the one before. I can think of several reasons why one might do this, but I can't think of one that's ethical.

The next page is actually a legitimate HTML page with a form that allows the visitor to apply for a free college loan. This is probably a business that offers to find scholarships for students. Guidance counselors generally recommend avoiding these operations because they charge a fee and often find nothing more than students could find on their own. This isn't illegal. It may not even be unethical, but I'd certainly want to keep my eye on my wallet while dealing with someone who has sent me on such a circuitous path to get to the website.

I had questions about the operation, so I asked Google, and the results were generally inconclusive.

There was no shortage of sites that claimed the operation is fraudulent, but none that I found was from a government agency or from the Better Business Bureau. And I found some colleges that provided links to the company's website.

When I checked with the Better Business Bureau, I was surprised to find that the company is a member of BBB OnLine.

Checking further, I found that the operation has only a few complaints filed against it.

Of the 4 complaints filed against the company, 2 were resolved and 2 were not.

At the left is the BBB's summary, and it seems to indicate that the company is legitimate. One must question the justification that a legitimate business would use for sending spam, or the justification for a series of redirects.

If I am aware that a company deals with spam-spewing organizations, I will not deal with that company and I'm not bashful about communicating my reasons to corporate leaders.

There is a difference between commercial mail that I have invited to my inbox—from companies that I do business with and want to hear from—and that from people who have somehow managed to find one of my e-mail addresses and use it to send offers for things I don't want or need.

As I said at the outset, finding redirects isn't particularly difficult. But it is time consuming. Maybe it's a good activity if it's a rainy Fourth of July and you're sitting at home wondering what to do.

UltraEdit: Still the Champion, but Sometimes Annoying

"A new version of Ultra Edit is available," the message said. I downloaded it. I installed it. The next time I started my favorite text editor, I was told that it was now unregistered and that I had 45 days to register it. A flurry of messages between me and IDM revealed that: (1) the "step" upgrade from 14.0 to 14.1 was considered a "major" upgrade, (2) some 14.0 users were eligible for a free upgrade to 14.1, but I wasn't one of them, (3) IDM provides no-cost upgrades for 1 year, regardless of version numbers, and (4) they were really sorry about the misunderstanding and hoped to find a better way to do things. As annoying as that event was, I'm still absolutely sold on UltraEdit.

So much, in fact, that I paid for the upgrade without even bothering to look at what's new in this version. That may be too trusting. That may be stupid. But I have a long history with UltraEdit and I know that each new version brings features that I didn't know I needed, but won't want to be without.

Ben at IDM said, "Because point releases (14.1, 14.2, etc.) are still considered to be major releases (based on the amount of development resources we commit to their new features/enhancements), they are considered to be major releases just as much as v14.00 was. V14.10 is as major a release as v14.0, and many consider each point release from IDM as strong or stronger than the last. This is indeed a signature characteristic of IDM."

I would suggest to IDM that the value to the client has no relationship to "the amount of development resources we commit to their new features/enhancements". Users don't particularly care what resources were committed. They care about what the new version will do for them. I know that a small feature with minimal value to the user may consume an enormous amount of programming resources. If IDM chooses to commit resources to minor features, that's not the user's concern and presenting it that way isn't a convincing argument.

Ben also said, "I do understand your frustration, though, and we are evaluating options for making updates/upgrades clearer for users." That's good to know.

The enhancements in version 14.1 don't strike me as "major release" material, although they are certainly good and useful additions. For example:

So maybe the problem is that over the years UltraEdit has become so competent and so refined and so powerful that there really isn't much more to do. There's not much profit margin in doing nothing, though. IDM will continue to improve UltraEdit, but the improvements probably should be considered tweaks and minor enhancements.

This criticism doesn't mean that I'll abandon UltraEdit for some other program or that I no longer like the developers. What it means is that this time around I bought the "UNLIMITED UPGRADES" option. According to IDM, this means that I will never pay another upgrade fee. The price of the unlimited upgrades option is 150% of the retail price of the application. So I could have upgraded to the current version for about $30 or I could buy upgrades forever for about $70. That was an easy decision.

Nerdly News

Another Netflix Oops

I knew something was amiss when Netflix acknowledged 2 of the 3 DVDs I shipped back on the same day. Usually, the confirmations arrive like clockwork, early in the morning. Three "we've received" messages followed by three "we've shipped" messages later in the day. The third "received" message never arrived and there were no "shipped" messages. Then, a day later, "We're Sorry DVD Shipments Are Delayed: Our shipping system is unexpectedly down. We received a DVD back from you and should have shipped you a DVD, but we likely have not. Our goal is to ship DVDs as soon as possible, and we will keep you posted on the status of your DVD shipments." Three days later, Netflix was back.

That's the longest disruption since Netflix began, 9 years ago, and the company says subscribers will receive a 15% credit. That's going to add up because about 1/3 of the company's 8.4 million subscribers were affected. Netflix says the credits will be automatically applied in the next billing cycle.

If you had just signed up for a 2-week Netflix trial, you'll get an extra week.

Netflix won't say what caused the outage, but they did admit that it affected all 55 of the company's shipping centers. Some discs went out Wednesday and Thursday, but nothing was shipped on Tuesday.

On Saturday, I received a shipping notice telling me that I would receive a DVD yesterday. I think I'll need to use the Wayback Machine again.

Just a few months ago (March) Netflix had a 1-day outage and the company was out of service for about 18 hours in 2007. Once again the company got high marks from customers and from public relations professionals for making customers aware of a problem they might not even have noticed and for offering credits without being asked.

R U a Moron?

Here is a law that should never need to exist: According to the New York Times, a city council member wants to ban sending and receiving text messages while driving. The common-sense response to that would have to be to ask what kind of idiot would try to send a text message while driving. But having noticed "drivers" with televisions on the dash and other "drivers" who are reading books or newspapers, I have to admit that councilman David Weprin is right.

This week Weprin introduced legislation that would ban the sending or reading of text messages while driving within New York City. A story in the New York Times quoted Weprin: "It’s a risk to drivers, obviously, and also to passengers and pedestrians. You’re not looking at the road and you don’t have both hands on the wheel."

Why should legislators have to point this out to us? Are we really that stupid? Unfortunately, it appears that some of us are. New York State and California both have bans on the use of cell phones when driving. California's law allows the use of cell phones, but requires that the motorist use a hands-free device. New York's law bans all hand-held cell phone use when driving.

How bad is the problem? Here's an example: Five New York teens died last summer when the driver of the SUV they were riding in lost control of her car and struck a semi head-on. The driver was using her phone to send a text message when she died, along with 4 of her friends.

New York's state legislature is considering a similar measure.

Alaska, Minnesota, New Jersey, and Washington already ban text messaging while driving. A study by Nationwide Insurance in 2006 revealed that nearly 20% of drivers text message while at the wheel. Given the lunacy of doing that, this may explain several things about the United States of America.
