Link exchange offer spam
The growing importance of search engines has given rise to a new type of spam: Link exchange offer spam. If you own a site listed by search engines, sooner or later you will end up getting offers to trade links with largely unrelated sites you probably never heard of before.
The value of a website to its owner is based on how many vistors access its content. These days, unless you are a big brand name such as Yahoo, Microsoft or Google or anyone with a large non-internet presence, the stream of visitors to your site is largely determined by search engine results. Visitors consult Google or another service about certain keywords and whatever that search engine happens to come up with will be amongst the most frequently visited sites for those particular terms.
Users judge search engines by the relevance of the hits they present first. If a search engine wants to succeed (as Google did), it needs to be able to judge relevancy. One good way of doing so is by taking into account the human factor: How many other Internet users have linked to that page yet? The more links to a site and the "better" the ranking of those sites, the better the ranking of the linked site will be too. So to get good ranking, there are two ways:
While link exchanges are nothing new, these days website owners often use harvesting software to extract contact email addresses from highly ranked pages found on Google or in web directories (DMOZ). They then spam those webmasters using bulk email software to offer link swaps. Here are some examples of such link swap offers.
The following example received on 11-June-2004 (left hand side) looks like a well-written letter, but I found it curious because it seemed almost too well written, better than what most people could come up with... A quick Google-search found a remarkably similar request for a link to a totally different website in some guestbook on the WWW, posted on 2-August-2003 by a totally different person. Compare for yourself:
I found the identical passages too much of a coincidence and so I googled some more. I came across a page that provided the template for both of these, as well as instructions on how to proceed. Here is it:
You will find plenty of hits looking for people who have followed this advice:
The following two spams are more conventional and quite typical. The product being advertised had no connection whatsoever to the site being asked for a link exchange:
Return-Path: <email@example.com> Received: from relay.inway.cz ([126.96.36.199]) by #####.#####.net (Post.Office MTA v3.5.3 release 223 ID# 0-58414U4500L450S0V35) with ESMTP id net for <myemailaddress>; Tue, 30 Mar 2004 09:25:22 -0800 Received: from localhost (localhost [127.0.0.1]) by relay.inway.cz (Postfix) with ESMTP id 42FA6A5CD5 for <myemailaddress>; Tue, 30 Mar 2004 19:27:42 +0200 (CEST) Received: from jan2 (unknown [188.8.131.52]) by relay.inway.cz (Postfix) with SMTP id E0F56A5D11 for <myemailaddress>; Tue, 30 Mar 2004 19:27:41 +0200 (CEST) From: "Peter Chagai" <firstname.lastname@example.org> To: <myemailaddress> Subject: Jamaica gleaner Date: Tue, 30 Mar 2004 19:27:37 +0200 Message-ID: <GGEOKEPNICIEHHHAOGCAKEMKDNAA.email@example.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Hello, We offer accommodation services and I thought you might be interested in link exchange. We provide several travel-related sites, one of them is http://www.prague-hotel.co.uk Due to the possible harming nature of too many reciprocal links we suggest non reciprocal links. You can link to us from your site and we will link back from another of our sites. I look forward to hearing from you soon. Best Regards, Peter firstname.lastname@example.org http://www.krakow-hotels.net
Return-Path: <email@example.com> Received: from tera ([184.108.40.206]) by our.mail.server (Post.Office MTA v3.5.3 release 223 ID# 0-58414U4500L450S0V35) with ESMTP id net for <ourmailbox>; Sat, 6 Mar 2004 19:19:39 -0800 Received: from home8 ([220.127.116.11]) by tera with Microsoft SMTPSVC(5.0.2195.6713); Sat, 6 Mar 2004 21:21:57 -0600 To: ourmailbox From: firstname.lastname@example.org Date: Sat, 6 Mar 2004 21:21:29 -0600 Subject: Changing Winds Partnership Return-Path: email@example.com Message-ID: <TERAX47sFoai8XKPl5G00000ab0@tera> X-OriginalArrivalTime: 07 Mar 2004 03:21:57.0437 (UTC) FILETIME=[58C3A6D0:01C403F3] Hello, Would you be interested in exchanging links between our sites? I noticed that your site is the type of quality web-site containing travel related information or consumer services that we would be interested in linking to. If you are interested, please reply to this email and I will be happy to discuss our link exchange requirements. Wishing you a great day and hope to hear from you soon. Steve http://www.changing-winds.com
DATE: 2 February 2005 SUBJECT: www.joewein.de/sw/spam-fraud-paypal.htm (Link Request For Study Project) FROM: Richard and Suzanna BSC Rhodes University To whom it may concern We are a group of students from Rhodes University who have set up a forum to talk about payment services on the internet. Our forum will be a place for users to post remarks, praise or yell at the various services they have used as well as to recommend these services to other users. Your site has been identified as recommending your users to use Western Union as a payment option. Would you be willing to direct your users to us using the following banner? http://www.international-money-transfers.com/images/payments-banner-wu.gif and from your site. (alternativly a text link would suffice: TITLE: International Money Transfers Forum DESCRIPTION: Talk about International Money Transfers and Wire Transfer Services. LINK: http://international-money-transfers.com/wire-transfer-service/index.php This will be a place for them to voice their opinion on the Western Union Service. In return you are free to post in our partner forum a short or a long blurb about your business. You are even welcome to refer your customers to this page to post their praises about your excellent service! Your help would be greatly appreciated in our study. Regards Richard and Suzanna BSC students firstname.lastname@example.org
This message was not sent to the email address listed on my contact page but to an address I mention somewhere on my website that no human would find. Only an address harvesting spider would come across it. Automated address harvesting of websites is a US federal felony under the CAN SPAM ACT of 2003.
If you look at the page on my site mentioned, it talks about how Western Union is used in online fraud. It doesn't seem like whoever sent this email had personally visited the site. More likely they had done an automated Google search for the highest ranking sites mentioning Western Union and then spidered those sites for contact infomration. By getting high-ranking sites mentioning this term to link to the spammers' brand new site (created 2005-01-28, about two weeks ago), they are hoping to get a high ranking for themselves for this term.
The domain doesn't look like a university project. It's registered to a company on the British Virgin Island, not to anyone called "Richard" or "Suzanna".
Here are message headers:
Received: from [18.104.22.168] (helo=mail.whsecure.net) by mxeu9.kundenserver.de with ESMTP (Nemesis), id 0MKt64-1Cyn0R13TE-0001k5; Wed, 09 Feb 2005 09:15:27 +0100 Received: (qmail 4227 invoked by uid 399); 9 Feb 2005 08:15:25 -0000 Received: from unknown (HELO BENNIE-HILL) (22.214.171.124) by mail.whsecure.net with SMTP; 9 Feb 2005 08:15:25 -0000 From: "Richard" <email@example.com> Subject: Please Link to our Money Transfer Talk Forum To: "Spamtrap" <spamtrap@domain> Date: Wed, 9 Feb 2005 08:15:25 +0000 Message-ID: <0MKt64-1Cyn0R13TEfirstname.lastname@example.org>
Registrar Name....: Register.com Registrar Whois...: whois.register.com Registrar Homepage: http://www.register.com Domain Name: international-money-transfers.com Created on..............: 28 Jan 2005 15:13:00 Expires on..............: 28 Jan 2007 15:13:00 Administrative Info: Five Beans Limited Brendan Nash 24 De Castro Street,Wickhams Cay, Road Town, Tortola, TO BVI IO Phone: +246.447786195350 Fax..: +442079003407 Email: email@example.com Billing Info: Five Beans Limited Brendan Nash 24 De Castro Street,Wickhams Cay, Road Town, Tortola, TO BVI IO Phone: +246.447786195350 Fax..: +442079003407 Email: firstname.lastname@example.org Technical Info: Five Beans Limited Brendan Nash 24 De Castro Street,Wickhams Cay, Road Town, Tortola, TO BVI IO Phone: +246.447786195350 Fax..: +442079003407 Email: email@example.com Registrant Info: Five Beans Limited Brendan Nash 24 De Castro Street,Wickhams Cay, Road Town, Tortola, TO BVI IO Phone: +246.447786195350 Fax..: +442079003407 Email: firstname.lastname@example.org Status: Locked Domain servers in listed order: ns1.bigbighosting.com ns2.bigbighosting.com
The following link exchange spam is from what claims to be an anti-fraud site. However, it's mostly a catcher site for search engines in order to sell ads. Some of sites listed on the "fake rolex" page of this supposedly anti-fraud site are sites selling counterfeit goods. Text on site has been directly lifted from other sites that document online scams. Email address email@example.com is not listed as a valid contact address on our contact page. This person never bothered to visit our website, he probably produced this spam using only software.
From: "Webmaster fraudwatchernetwork.com" <firstname.lastname@example.org>
These two link exchange spams, one to us, the other to a mailing list, were obviously fabricated using the same cookie-cutter spamtool. See this blog for more information about teh company behind this link exchange spam.