Microsoft researchers follow Web spam money trail

Summary: Using a homegrown tool called Fiddler, researchers at Microsoft have come up with a system to track the money that flows from big-name advertisers to search engine spammers.


The methodology, created by Microsoft Research in partnership with the University of California, Davis, has already uncovered a complex scheme in which a small group using false doorway pages is able to profit by redirecting traffic passed from search engines in one direction and then sending advertisements acquired from syndicators in the opposite direction. (More at the New York Times).

According to a research paper released by Microsoft, a "five-layer, double-funnel model" can be used to pick apart the end-to-end redirection spam and analyze the layers to follow the money trail.

The five layers (and findings) explained:

Layer #1 (Fake doorway sites) -- Doorway domains at Google's free Blogger site had an order of magnitude more spam appearances in top search results than other hosting domains in both benchmarks, and were responsible for about one in every four spam appearances (22% and 29% in the two benchmarks respectively, to be exact). In addition, at least three in every four unique blogspot URLs that appeared in top-50 results for commercial queries were spam (77% and 75%). The researchers also found that over 60% of unique .info URLs in the search results investigated were spam, an order of magnitude higher than the spam percentage for .com URLs.

Layer #2 (Redirection domains) -- The researchers found that the spammer domain was behind over 1,000 spam appearances in both benchmarks, and the IP block where it resided hosted multiple major redirection domains that collectively were responsible for 22-25% of all spam appearances. The majority of the top redirection domains were syndication-based, serving text-based ads-portal pages.

Layer #3 (The aggregators) -- Two IP blocks ~ and ~ appeared to be responsible for funneling an overwhelmingly large percentage of spam-ads clickthrough traffic. In the study, the researchers collected over 100,000 spam ads that were associated with these two IP blocks, including many ads served by non-redirection spammers as well. These two IP blocks occupy the “bottleneck” of the spam double-funnel and may prove to be the best layer for attacking the search spam problem.

Layer #4 (The syndicators) -- The study found that a handful of ad syndicators appeared to serve as the middlemen for connecting advertisers with the majority of the spammers. In particular, the top-3 syndicators were involved in 59-68% of the spam-ads clickthrough redirection chains sampled. By serving ads on a large number of low-quality spam pages at potentially lower prices, these syndicators could become major competitors to mainstream advertising companies who serve some of the same advertisers’ ads on search-result pages and other high-quality, non-spam pages.

Layer #5 (The advertisers) -- The study showed that even well-known websites' ads --,,, and -- had a significant presence on spam pages. "Ultimately, it is advertisers' money that is funding the search spam industry, which is increasingly cluttering the web with low quality content and reducing web users' productivity. By exposing the end-to-end search spamming activities, we hope to educate users not to click spam links and spam ads, and to encourage advertisers to scrutinize those syndicators and traffic affiliates who are profiting from spam traffic at the expense of the long-term health of the web," the researchers explained.
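To make the double-funnel shape concrete, here is an added example (not code from the Microsoft paper or from this article) that tallies click-through chains by layer and reports the narrowest one. The one-hostname-per-layer trace format, the hostnames and the function names are assumptions made for illustration.

```python
from collections import Counter

# Layer order follows the article's five-layer model.
LAYERS = ("doorway", "redirector", "aggregator", "syndicator", "advertiser")

# Constructed sample data: one line per observed ad click-through, one hostname
# per hop. All names are invented and use the reserved .example TLD.
TRACES = """\
d1.blog.example r1.example agg1.example syn-a.example shop1.example
d2.blog.example r1.example agg1.example syn-a.example shop2.example
d3.blog.example r1.example agg1.example syn-b.example shop3.example
d4.info.example r2.example agg1.example syn-a.example shop1.example
d5.info.example r2.example agg2.example syn-b.example shop4.example
d6.blog.example r3.example agg2.example syn-c.example shop5.example
d7.blog.example r1.example agg1.example syn-a.example shop6.example
d8.blog.example r2.example agg1.example syn-b.example shop2.example
d9.blog.example r1.example
"""

def parse_traces(text):
    """Return complete five-hop chains; truncated captures are dropped."""
    chains = [tuple(line.lower().split()) for line in text.splitlines()]
    return [c for c in chains if len(c) == len(LAYERS)]

def layer_stats(chains, top_k=1):
    """Per layer: distinct hosts, and share of chains through the top_k hosts."""
    stats = {}
    for i, layer in enumerate(LAYERS):
        counts = Counter(chain[i] for chain in chains)
        top = sum(n for _, n in counts.most_common(top_k))
        stats[layer] = {"distinct": len(counts), "top_share": top / len(chains)}
    return stats

def bottleneck(chains):
    """Narrowest layer: fewest distinct hosts, ties broken by higher top-1 share."""
    stats = layer_stats(chains)
    return min(LAYERS, key=lambda l: (stats[l]["distinct"], -stats[l]["top_share"]))

if __name__ == "__main__":
    chains = parse_traces(TRACES)
    for layer, s in layer_stats(chains).items():
        print(f"{layer:<11} distinct={s['distinct']} top1={s['top_share']:.0%}")
    print("bottleneck:", bottleneck(chains))
```

In this sample many doorways converge on two aggregators and fan out again to several advertisers, which is why blocking or deprioritizing at the aggregator layer covers the most chains per entry.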

The project has been dubbed Strider Search Ranger and is the work of the research team at Microsoft that created the HoneyMonkey exploit detection system and URL Tracer, a system to track large-scale domain squatters.

Topics: Microsoft, Browser, Security

  • Why aren't the sellers being held accountable?

    OK, I understand it's difficult and time consuming to try and backtrack the spam. But is that really needed? Here is why I ask:

    Let's say I get spam for product xyz. Instead of trying to track the spammers why not go directly to company xyz and roast them. I mean they obviously are paying spammers because the spammers are in it for the money and don't give away their, ugh, services.

    Why not hold company xyz accountable for the actions of their "agents" acting on their behalf?

    If we start slapping some serious fines on the companies that pay the spammers it destroys the financial incentive to use them...
    • Are you sure that you want to go after the companies?

      I get a lot of spam for (besides bigger breasts, longer penis, longer erections, etc.) OEM software from companies like Microsoft and Adobe. Are you saying that we should go after some of the largest software companies to stop this problem? I have been getting spam for over 20 years now, this is not a new problem!
      • I doubt adobe/MS is fronting the marketing budgets for software pirates....

        and in any case, it would be the resellers who got nailed not the manufacturer.

        although I'm pretty sure you knew that already.
      • those aren't the companies sending you the spam

        MS and adobe will NEVER offer to sell the average consumer OEM versions of their software, are you daft?

        the company offering you those products is doing so most likely illegally, click on a link where those things are sold and THAT is the company that needs to be drilled, not MS or adobe.

        heck yes, bring those sites and advertisers DOWN

        Valis Keogh
        • Read what No_Ax_to_Grind suggested.

          Personally, I just use a mail filter and could care less about what is being sent to me, as I have been dealing with spam for over a decade with no major problems. Somewhere around 500 to 1000 (low estimate) of the pieces of email I get each day are spam, they are not that hard to filter out!
          • I think you should read it again.

            I said the people SELLING it, not the people that made it.

            If my local car dealer sends me spam I want his butt, not GMs.
      • I don't care who it is

        GO after them.
        • They would just go offshore

          same with the spammers, if they aren't already gone. The best way to deal with people like this is to not include their results in the search engine.

          It's just like TV, we have been spammed for years, unfortunately now we have to actually do something besides change the channel.

          I would say, block their servers with RBLs or directly, block them via your firewall and walk away. I agree that these people are just annoying, but they have to make a penny without getting out of their chair somehow and this is how they do it. Heck, I wish I got into this earlier, I would make millions by now :P
          • Not really...

            Most of the spam I get (other than silly prices for software) is selling US made products. Let's clean them up first and that takes care of half the problem.
          • But what about these?

            75% of the sewage caught by my filters is pump and dump stock spams (You know, the ones with random words for subjects).

            Who do you go after in those cases?
            Hallowed are the Ori
          • Who is selling the stock?

            I mean they have links right?
          • RE: Who is selling the stock?

            [i]Who is selling the stock?
            I mean they have links right?[/i]

            The ones I get? No. They contain a GIF image which contains an image of the Spam's "message" at the top of the email, and a whole pot full of sentence fragments at the bottom. No URLs.

            I suppose you could trace the origin of the GIF if it's linked back to an image server, but I've never tried to do it.
            Hallowed are the Ori
    • One problem..

      Ok, I am selling the same product as you. I SPAM everyone with YOUR company's name and phone number. You get the fines, I get an increase in market share.
      Patrick Jones
      • Again, go back against the SELLER

        Not the person making the product.
        • YES...go against the manufacturer

          Manufacturing companies KNOW who their channels are. If spam is being used to promote their product, they do know how to track who is doing it via their advertising agencies, distributors, etc.

          Some plead NOT believe them...they can stop it if they want.
      • Because that would fall a step short..

        If you have the company, you have their spammer so get them BOTH.
    • I've said that forever

      spammers don't send spam out of the goodness of their hearts, they don't wake up one morning and decide to start sending ads for free.

      Every company KNOWS where their advertising funds go, they do not just hand a check to someone and say advertise. there are presentations or at the very least a campaign outline presented to the people who sign the checks, so they know where it's going.

      Spammers are hired, if spamming is illegal, then the people who hired them are no different.

      If I get spam for some product, I know the manufacturer, or their paid representative had a hand in it somewhere, and I make it a point to NOT buy products I have seen in spam.

  • 10 to 15 years late to the game!

    There has been spam for well over a decade and Microsoft (etc.) are starting to get motivated to deal with it? One can already get spam filters or set up mail rules, these are fairly simple processes (if subject line contains some string, delete or send to deleted items). Many spam servers are either compromised mail servers/routers or well out of the legal jurisdiction of several countries. This will be interesting to see if they can actually get something so simple that the average user (or worse yet, the average ZDNet talkback poster) could use.

    Time will tell.
    • LMAO

      [i]This will be interesting to see if they can actually get something so simple that the average user (or worse yet, the average ZDNet talkback poster) could use.[/i]

      Yeah? You mean like you?
      Hallowed are the Ori
      • Since 90% of what I get is spam, it is already filtered!

        This is not really a problem for me, I have gigabytes of space for the crud that I will delete later (if I ever look).