    Domain Theft, and How to Protect Yourself

    Oooo I’m feeling all giddy for this post. The stuff in this one might be illegal, so I’m not going to provide the tools for it. Beyond that, a lot (though not all) of it is speculative, since the whole probably illegal nature prevents me from doing test runs. Although, at the very bottom, I’ll point out a variation of this on how to use it to mess with e-mail spammers. Because why the fuck not. Neither of these is easy, common, recommended, or 100% tested. It’s a one in a thousand+ shot, but you do NOT want to be a victim of it.

    Introduction
    You spend hours a day, for months on end, promoting your domain to the top of your respective key term. You finally get success and then…voila. Your site is replaced with a landing page, and you’ve lost all domain control. Congrats, you’ve been hi-jacked. Targets are tough to find, but the technique is easy enough. And probably illegal. It’s clever as shit though.

    First I’ll put the definitely-really-bad version, and I’ll follow that with the way to hijack spammer domains. Lastly, I’ll write how to protect yourself against this. Although that should be self-explanatory.

    I wrote this in the 1st person, but that DOES NOT MEAN you should do it.

    Method 1: Backorder Blasphemy
    Alright, many of us order domains on backorder, or order domains that existed at one point or another. Some were even quite popular. Many had e-mail hosting. Uh-oh. For this, we’ll pretend you just acquired rocks.com.

    1. Whois Gathering – You need to find out everyone that registered a domain, using an e-mail address @YourNewDomain.com. There are 2 ways I’ve found to do this.
      1. DomainTools Registrant Search – This one will cost you some green. Search for @yourdomain.com, for example, it could take you here for rocks.com. In this case, it lists 706 domains registered with an @rocks.com domain.
      2. Dedicated IPs – Before backordering the domain, one could simply check to see where the domain is currently (or has been in the past) hosted. Next, dump the list of other domains hosted on that IP, and check their whois (there’s MANY bulk whois checkers out there, and I believe Linux has a command line app for it). An IP history can normally be gotten via http://www.netcraft.com (our example can be found here)
    2. Create the E-mail Address on Your BackOrdered Domains
    3. Hi-Jack Completed! – Just contact the registrar, and with any luck, shit should be sent to the administrative handle. Which is you. And the transfer may continue.

    Method 2: Spammer Domain HiJacking
    A lot of e-mail spammers are pretty fucking intense about anonymity, understandably. They use almost exclusively faked whois information, and on occasion, even a fake administrative contact e-mail. Also, they occasionally pretend it’s @yahoo.com, @hotmail.com, or with another free e-mail service.

    1. Spam Filters, and You
      Set up a nice little script to dump a daily list of all domains that hit the “spam” box of your e-mail server.
    2. Check Whois, Parse Out All But Free E-Mail Services
      Use a command line whois checker to get the whois information for each domain. You’re looking for contact e-mails that are at free e-mail services. @aol.com, @yahoo.com, @gmail.com, @hotmail.com, @aim.com, these are all good choices.
    3. Verify the E-Mails to See If They Exist (Simple)
      Standard e-mail verifications are just *pretending* to send an e-mail. Before you send the message, you disconnect. You should’ve gotten either a “200 Ok” response, or a response indicating the mailbox does not exist. Not hard to set up, not a big bandwidth drain. HOWEVER, places like yahoo (and I believe most other free providers) do not send bounce messages if the e-mail address does not exist. Give it a test run, and see which domains check out and which don’t. Don’t use this method for a LOT of e-mail addresses, since most services force you to do rate-limiting, and will ban your bootay if you try to do it too fast.
    4. Verify the E-Mails to See If They Exist (Advanced)
      Most services now have something to verify if the e-mail address exists or not on their signup form. Head over to the yahoo signup, and you’ll see what I mean. Just type in an id, and it will tell you if it exists or not, no captcha required. I believe gmail is the same. Write a script that will check this (manual sucks). Make sure it throttles itself, so you don’t have to worry about proxies, as they DO block this eventually, due to abuse. But for small quantities (less than 250 domains) don’t sweat it.
    5. Create your E-mail, and voila!
      Do as stated in the previous method. Request a transfer, password request, anything of that variety, and you have seized control of the domain.
    6. Part 6: Extra Credit
      There’s probably spam reports out there about this domain. Check to see what DNS servers it’s using, then lookup the list of domains on that site. Maybe they used the same contact info.

    Warning About Method #2: Yeah, I’m STILL not advocating doing any of this. REALLY. DON’T. But be advised. Pointing a spammer domain to your server will bring a hell storm upon you like nothing you’ve ever seen. Let it sit for a few weeks, unhosted, or else you’re screwed. Also, be prepared for a terrible retribution if the mailer ever figures out what happened.

    Protecting Against This Technique
    You might be expecting something complex here, but really, there’s nothing. Register all your domains to the same e-mail address, and guard that with your life. Do not let it lapse. If it’s on your own domain, set it to automatically re-register, and use a credit card you know you’ll have for a long time. Register it multiple years at a time. It ain’t brain surgery.
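
    The checklist above can be run as a recurring audit of your own registrations. The sketch below is an added example, not code from the original post; the inventory fields, the finding labels, the .example domains and the 365-day warning window are all assumptions, and the inventory is constructed sample data you would replace with an export from your registrar account.

```python
from datetime import date, timedelta

# Constructed inventory of your OWN registrations (sample data, not real).
PORTFOLIO = [
    {"domain": "shop.example", "contact": "hostmaster@corp.example",
     "expires": date(2031, 5, 1), "auto_renew": True},
    {"domain": "corp.example", "contact": "hostmaster@corp.example",
     "expires": date(2025, 2, 10), "auto_renew": False},
    {"domain": "blog.example", "contact": "me@mail.oldisp.example",
     "expires": date(2030, 1, 1), "auto_renew": True},
    {"domain": "promo.example", "contact": "Admin@Mail.Corp.Example",
     "expires": date(2029, 9, 9), "auto_renew": True},
]

def owning_registration(mail_domain, portfolio):
    """Return your registration that hosts mail_domain (exact or subdomain)."""
    for entry in portfolio:
        name = entry["domain"].lower()
        if mail_domain == name or mail_domain.endswith("." + name):
            return entry
    return None

def audit(portfolio, today, warn_days=365):
    """Return (domain, finding) pairs for contact addresses that could lapse."""
    findings, contacts = [], set()
    for entry in portfolio:
        contact = entry["contact"].strip().lower()
        contacts.add(contact)
        local, sep, mail_domain = contact.rpartition("@")
        if not (local and sep and mail_domain):
            findings.append((entry["domain"], "malformed-contact"))
            continue
        host = owning_registration(mail_domain, portfolio)
        if host is None:
            # Mailbox lives on a domain you do not register: confirm it still
            # exists and that its provider will not recycle it.
            findings.append((entry["domain"], "external-mail-domain"))
            continue
        if not host["auto_renew"]:
            findings.append((entry["domain"], "contact-domain-no-auto-renew"))
        if host["expires"] - today < timedelta(days=warn_days):
            findings.append((entry["domain"], "contact-domain-expires-soon"))
    if len(contacts) > 1:
        # The page's advice is one contact address for every domain.
        findings.append(("*", "multiple-contact-addresses"))
    return findings

if __name__ == "__main__":
    for domain, finding in audit(PORTFOLIO, date(2024, 6, 1)):
        print(f"{domain}: {finding}")
```

    Every domain whose contact mailbox sits on corp.example inherits that one domain's renewal risk, which is why the sample run flags shop.example and promo.example even though their own registrations are healthy.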

    3 Responses to “Domain Theft, and How to Protect Yourself”

    1. Mack says:

      Oh you’re so shady. I love it. Your method for “Protecting Against This Technique” is perfect and it works like a charm. That last bit about the credit card is the most important key.

    2. admin says:

      hehe thanks, and yes, I agree about the Credit Card. Too many people forget to switch over their old registrars to a new CC# when the number gets changed.

    3. Support this story on Stirrdup says:

      Domain Theft, Messing with [E-Mail] Spammers, and How to Protect Yourself…

      This story has been submitted to Stirrdup. Your support can help it become hot….

    © Slightly Shady SEO, All Rights Reserved. Scrape me, and I will eat your soul.