As first reported on the Symantec blog, Symantec software recently detected spammers abusing a security hole at large domain parking services. Symantec has consequently “automatically blocked tens of thousands of these domains”.
The security hole is an open redirect script hosted by these parking service providers, which spammers can use to redirect visitors to other sites.
How exactly did spammers exploit this security hole?
It’s actually quite simple. Say cooking.com happens to be parked with a parking service provider that has this particular security hole. The spammers send their targets an email with text similar to the following:
“Hello, I’d love for you to check out what I have been cooking lately. Just click below:
The aHR0cDovL3d3dy5teXNwYW13ZWJzaXRlLmNvbQ== above is actually the URL http://www.myspamwebsite.com, base64 encoded, because the exploit requires base64-encoded URLs to work.
So, the people being spammed see a legitimate-looking domain name like cooking.com in their emails, which gives them confidence that their click will take them to a legitimate website – only to be redirected to www.myspamwebsite.com.
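A mail filter or link scanner can flag this pattern by decoding base64 values found in a link and comparing the decoded host with the visible one. The sketch below is an added example, not Symantec's detection logic; the `redirect.php` script name and `url` parameter are hypothetical, since the article does not name the actual script.

```python
import base64
from urllib.parse import parse_qsl, urlsplit


def decode_url_token(token):
    """Return token base64-decoded if the result is an http(s) URL, else None."""
    token = token.replace(" ", "+")                    # parse_qsl turns '+' into a space
    token = token.replace("-", "+").replace("_", "/")  # accept the URL-safe alphabet
    token += "=" * (-len(token) % 4)                   # tolerate stripped padding
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:                                 # bad base64 or non-ASCII bytes
        return None
    return text if text.lower().startswith(("http://", "https://")) else None


def site(host):
    """Lower-case a hostname and drop a leading 'www.' for comparison."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def hidden_redirect_target(link):
    """Return the off-site URL encoded inside link, or None if there is none."""
    parts = urlsplit(link)
    tokens = [value for _, value in parse_qsl(parts.query)]
    tokens += [segment for segment in parts.path.split("/") if segment]
    for token in tokens:
        target = decode_url_token(token)
        if target and site(urlsplit(target).hostname) != site(parts.hostname):
            return target
    return None


# Constructed sample links. The script name and parameter are hypothetical;
# the encoded value in the first link is the one quoted in the article.
ON_SITE = base64.b64encode(b"http://cooking.com/about").decode()
SAMPLE_LINKS = [
    "http://cooking.com/redirect.php?url=aHR0cDovL3d3dy5teXNwYW13ZWJzaXRlLmNvbQ==",
    "http://cooking.com/recipes?page=2",
    "http://cooking.com/redirect.php?url=" + ON_SITE,
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", hidden_redirect_target(link))
```

Only the first sample link is reported, because its encoded value decodes to a host other than the one shown in the link.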
Obviously, Symantec has spam-blocked a huge number of these domain names, which might even end up being banned by search engines – this is quite bad. Symantec has informed the parking service providers about the security hole, so hopefully the parties involved will work to fix the problem. Let’s hope Symantec will then remove the domain names from its block lists to prevent long-term damage.