Hello everyone! Lately I’ve been pretty inspired by all of the spam fighting content I see on YouTube and in subreddits like this one. Particularly I liked The Programming Man’s video where he set up a python script to flood a scam website with fake data and eventually take down the site. I figured I’d try my hand at something similar. I figured I’d start with this random URL that was sent in a spam text the other day, though I’m having a little trouble navigating where to go next.
I got a text from a 216 phone number. The area code is from Cleveland OH, though I’m sure the phone number itself doesn’t really matter. You can spoof phone numbers fairly easily. The text message was pretty basic. It reads
"Hi do you want this: 2vd58u7.com shipped your residence at: ?"
Ok, so I cracked out an incognito tab and opened the network traffic. Pasted the link, enabled log preservation, and hit enter. The network traffic loaded up with a bunch of redirects and eventually I found myself on the website for Macy’s. Weird, but noted. I tried the link again, this time I found myself on a random cleaning supply website.
[Screenshot: Macy's site request]
[Screenshot: Cleaning supplies site request]
Seeing as each time I visit the initial 2vd58u7.com url it just sends me to a random site, I figured I’d keep trying it to see where else it takes me. I pasted the link for a third time, and this time it brought me to some spam landing page at http://ww25.2vd58u7.com/. This page had the fewest requests for it, so I decided to analyze the network traffic for this.
[Screenshot: Spam landing page network waterfall]
As seen above, in the network waterfall, I see the initial request for 2vd58u7.com was a 302 redirect. When I opened the request header, I saw that it requests this ww25 subdomain. Once the page and its contents load, it requests this caf.js file at https://www.google.com/adsense/domains/caf.js. Then it requests an ad script from this http://ads.pro-market.net/ads/ site, and some additional scripts. Each JS script request has a bunch of cookies in it. Then there is this XHR request for a http://tracking.bodis.com/ site and another google script request.
I’m not really sure where I’m going with this particular spam text. It seems like it’s just a URL that, when visited, redirects you to a bunch of tracking sites that are slapping a bunch of cookies on the browser instance, then randomizing the redirects to various store websites. I’m not really sure why it sends me to some random store website in some requests, and this landing page on others. My assumption is that the JS files requested are checking to see if these ad tracking cookies have been applied to the browser. If they haven’t, send the user to some random store website. If they have, then send the user to this landing page.
This is my first foray into spam battling so maybe I’m going about this all wrong. But it seems like this is just a junk URL that some crappy ad agency sends out in a marketing scam text. I guess the goal is simply just data collection. No idea what any of the cookies are for beyond tracking the sites that are visited. I’d like to find a way to mess with whoever was behind sending this link, but the only thing I can really think of is making a script that just floods the server with a bunch of requests for the URL. Though I don’t think that’ll actually do anything.
Any input would be appreciated. Thanks for reading.
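Added example, not part of the original post: the browser's preserved network log can be exported as a HAR file and analyzed offline to reconstruct the redirect chain and list which third-party hosts received cookies. The HAR fragment below is constructed from the hosts named in the post; the 200 statuses, the cookie names, and the `site` and `analyze` helpers are assumptions for illustration.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed HAR 1.2 fragment modelled on the requests named in the post.
# Every status except the 302, and every cookie name, is made up.
def _e(url, status, redirect="", cookies=()):
    return {"request": {"url": url, "cookies": [{"name": c, "value": "x"} for c in cookies]},
            "response": {"status": status, "redirectURL": redirect}}

SAMPLE_HAR = json.dumps({"log": {"entries": [
    _e("http://2vd58u7.com/", 302, "http://ww25.2vd58u7.com/"),
    _e("http://ww25.2vd58u7.com/", 200),
    _e("https://www.google.com/adsense/domains/caf.js", 200, cookies=["cookie_a"]),
    _e("http://ads.pro-market.net/ads/", 200, cookies=["cookie_b", "cookie_c"]),
    _e("http://tracking.bodis.com/", 200),
]}})

def site(url):
    """Last two host labels; a naive stand-in for a public-suffix lookup."""
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])

def analyze(har_text):
    entries = json.loads(har_text)["log"]["entries"]
    by_url = {e["request"]["url"]: e["response"] for e in entries}
    chain, seen = [], set()
    url = entries[0]["request"]["url"]
    while url in by_url and url not in seen:   # seen guards redirect loops
        seen.add(url)
        resp = by_url[url]
        chain.append((resp["status"], url))
        if not (300 <= resp["status"] < 400 and resp.get("redirectURL")):
            break
        url = urljoin(url, resp["redirectURL"])
    landing = site(chain[-1][1])
    third_party = {}
    for e in entries:
        req = e["request"]
        if site(req["url"]) != landing:        # anything off the landing site
            host = urlsplit(req["url"]).hostname
            third_party.setdefault(host, set()).update(c["name"] for c in req.get("cookies", []))
    return chain, {h: sorted(n) for h, n in third_party.items()}

if __name__ == "__main__":
    chain, third_party = analyze(SAMPLE_HAR)
    for status, url in chain:
        print(status, url)
    for host, cookies in sorted(third_party.items()):
        print(host, "cookies sent:", cookies or "none")
```

Running the same function over HAR exports from several visits shows whether the redirect target changes with the cookies already present in the browser.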