Search Engine Rankings SEO Spam

What kind of SEO company will send a promotional e-mail from a Lycos e-mail address? Only the kind that spams.

Every link in this e-mail pointed to http://222.47.60.130/webcheck/form.htm (do not visit this site, if you choose to do so, be advised that you do it at your own risk. Also note that 222.47.60.130 is the originating IP of the spam e-mail). A link like this should immediately raise some alarms. It is not a friendly, top-level domain, but rather an unfriendly, suspicious-looking URL. Links like these are common among spam, malware and phishing e-mails, so another question comes to mind: If you have a top-level domain for this site, why on earth would you want to use the IP address of the web server instead? For a spammer it is all about concealing the truth, bypassing the spam filters and covering your tracks (and making money off course).



What is so interesting about the Content-Type of this e-mail? The e-mail was encoded in Base64, so when you view the source of the e-mail you find no HTML, no logical text, only a huge block of garbled text.

Below is a sample of what Base64 encoded text looks like:



Base64 is used to encode binary data into plain text, for instance e-mail attachments. However, in this specific case, the entire e-mail was encoded in Base64. The e-mail contained no binary data, only HTML code, and HTML code is in essence plain text. There is no legitimate reason for encoding plain text into base64 encoded text. It is like putting a box into another box. You are simply concealing the smaller box with the bigger box. An entire e-mail encoded into base64, should raise another question mark.



The age-old trick of confirming the e-mail addresses of your recipients. Click the link and your stuck, you may think you removed your e-mail address from their list, but you only booked a first class ticket to more spam (in this specific case the unsubscribe link didn't work at all). Many of these unsubscribe links take you to a silly page where the spammers request your e-mail address once again. Just ask yourself, if they already have you on their list, why are they asking for your e-mail address again? In most cases you can enter any piece of garbage into the unsubscribe form and the site will confirm that the "garbage" was removed from their list. How can the spammers remove something from their list, if it wasn't even there in the first place? Always use the basic common sense test, if the requested action makes no sense, do not execute it.

What exactly did we find on the spamvertised site? An application form (with a couple of spelling errors) where you can request a free search engine ranking report for your website. The site asks for your name, telephone number, e-mail address, 4 key phrases for your website and off course your website's address. So we decided to test the form and submitted an application for an inactive, parked domain. Once we submitted the requested information, we were redirected to www.se-rankings.com. This site has exactly the same application form with exactly the same graphics and text (only with different surroundings). That was about it, we submitted the form and landed on se-rankings.com.

But week or so later we received the following e-mail from Steve Sullivan (and not Steve B) of East Midlands Internet. The name of the agent involved in this investigation, the domain and the key phrases that we used, have been removed for security reasons:



Wow, Steve! You went through all this trouble to analyse a parked domain? You say you found a few basic errors that are causing the problems with the parked domain's rankings? What do you plan to optimise, the placeholder page of the registrar? You don't need to be a rocket scientist to see what's wrong with the rankings of a parked domain. The main problem is, there is nothing to rank! Something tells us the software that generated this report needs some serious tuning.

A couple of hours later we received another e-mail, this time from Simon Humber.



Good for you Simon, great to see that you are using AVG, just too bad you are still using the older version. We guess you are too busy analysing parked domains, so you probably don't have time to upgrade to the latest version.

We browsed a bit through eastmidlandsinternet.co.uk and came across their E-mail Marketing Software (or rather E-mail Harvesting Software) page. Below is a screenshot of the software showcased on this page:



It all makes sense now, doesn't it. So if the shoe fits...

This is a great example of how spammers operate. The actual people behind the spam will never link themselves directly to the original spam e-mail, most spammers do not even get their hands dirty.

In this specific case the spammers operate in the following way:

• They send a spam e-mail from a server in China.
• The spam points to a form hosted on the same server where the spam came from.
• They use the IP address of the server, instead of an easy-to-remember top-level domain, because there is probably no top-level domain registered for this server (less paperwork, cheaper and easier to cover your tracks).
• They collect loads of personal information on the spamvertised site.
• The spamvertised website redirects to se-rankings.com, a site merely used as a landing page to divert attention away from the real spammers.
• The information submitted via the form on the spamvertised website, is passed on to East Midlands Internet Ltd in the U.K. (www.eastmidlandsinternet.co.uk).

In short: They spam you, mine your personal data and try to scam you with some deceiving SEO report. It's all in a day's work for an SEO spammer.