Packet Log - How Yahoo Funds Spyware - Via 180solutions
Ben Edelman
This page gives a packet log of example traffic passing from 180solutions to InfoSpace to Yahoo Overture to a Yahoo Overture advertiser (here, Driverloans.com), as shown in the diagram at right. Such traffic may be considered ill-gotten to the extent that the underlying installation of 180solutions was nonconsensual or obfuscated, or where advertisers just don't want traffic originating at vendors like 180solutions. See discussion in main article.
In each step of transmissions, yellow highlighting marks redirect instructions, while green highlighting marks the next redirect step.
180solutions Popup Search Page Redirects to InfoSpace
GET /clicks.php?p=Y2M9VVMsc2VpPTIsYWk9NzAwMCxzaT0xLHNzPUJlc3QgQXV0byBMb2Fu
LHU9aHR0cCUzQSUyRiUyRm1zeG1sLmluZm9zcGFjZS5jb20lMkZfMV9ZV0NVOUowM0pVTDhGVl 9fMTgwc29sLmZlZWQlMkZjbGlja2l0JTJGc2VhcmNoJTNGcl9haWQlM0RCOUZDRDgyMUQ2M0I0
OEVDODNCOUIxODYwRTM2OTdDMCUyNnJfc2Fjb3AlM0Q5JTI2cl9zcGYlM0QxJTI2cl9jb3AlM0 R0aXRsZSUyNnJfc25wcCUzRDElMjZyX3NwcCUzRDglMjZxcW4lM0RjcE1hUUw4ZF9Jbm5XJTI2
cl9jb2lkJTNEMjM5MTM0JTI2cmF3dG8lM0RodHRwJTNBJTJGJTJGd3d3MTAub3ZlcnR1cmUuY2 9tJTJGZCUyRnNyJTJGJTNGeGFyZ3MlM0QxNUtQamcxJTI1NUZwUzFZSzlrN1B5TVBpSVJ2eWRo
UmxMaXNuMnE0MDdUYzBtVG9zZDdpRXlEUDh1THVQZW1ZVjVIT012JTI1MkR3MmtqcWZMdGZaT2 M2engzcXJXVjF1WUZsNklHdVQlMjU1Rnl0Mjl1WVk4TWFhZ1dOUlBoYlFzMEtpUTZvczdTbmwz
WkJxMGNOYTltJTI1MkRiRVZkUHhLU3dTcW9JQ3poU1o2NEkyZ3NLM3glMjUyRDRkRnJuYzJGUj klMjU1RlVxWGRNcEd2dmhkdWZIS1haMTdTTFpkZk55Y2xWU2ZCT2d6UCUyNTJEOUc5TFQ1YXkw
U2VCdVMlMjUyRDI0TXJGaUNMVGQ1b2E2NGFzeDZ0TFhueHZic1pPRDc3cTFZYlRhRnRyZHU2eG VRd0hhTGpmTWpOWGZRMXVjUWhnMVZGZlNpSVRlTXpVOXd1UHlLejdiTGFmWlRxU2JzTUt6VUZu
SHBhVnh5WWtSMlZMV3ZNVlhJUlRCJTI1MkRwa0RTTVpnZkw1JTI1NUZ4dVdQdlUlMjUyRFRwVG 1sNU5qd0QlMjUyRFpIbFpwMEw1QnVLbjMwdkJ0S2clMjUyRHF4ZWdHJTI1MkRoQ2Y4RDRTJTI1
MkQlMjUyRDhpUGRyZ2wwanNnSHlRJTI1MkUlMjUyRSUyNnlhcmdzJTNEd3d3LmRyaXZlcmxvYW 5zLmNvbSxwPTEscGk9MjcsZnA9MSxocmVmPWh0dHA6Ly93d3cuZHJpdmVybG9hbnMuY29t
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: searchresults.180searchassistant.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sun, 04 Sep 2005 19:33:29 GMT
Server: Apache
X-Powered-By: PHP/4.3.4
Location: http://msxml.infospace.com/_1_YWCU9J03JUL8FV__180sol.feed/clickit/search?
r_aid=B9FCD821D63B48EC83B9B1860E3697C0&r_sacop=9&r_spf=1&r_cop=title&r_snpp=1
&r_spp=8&qqn=cpMaQL8d_InnW&r_coid=239134&rawto=http://www10.overture.com/d/sr/?
xargs=15KPjg1%5FpS1YK9k7PyMPiIRvydhRlLisn2q407Tc0mTosd7iEyDP8uLuPemYV5HOMv %2Dw2kjqfLtfZOc6zx3qrWV1uYFl6IGuT%5Fyt29uYY8MaagWNRPhbQs0KiQ6os7Snl3ZBq0cNa9m
%2DbEVdPxKSwSqoICzhSZ64I2gsK3x%2D4dFrnc2FR9%5FUqXdMpGvvhdufHKXZ17SLZdfNyclVSf
BOgzP%2D9G9LT5ay0SeBuS%2D24MrFiCLTd5oa64asx6tLXnxvbsZOD77q1YbTaFtrdu6xeQwHaLj
fMjNXfQ1ucQhg1VFfSiITeMzU9wuPyKz7bLafZTqSbsMKzUFnHpaVxyYkR2VLWvMVXIRTB%2DpkDS
MZgfL5%5FxuWPvU%2DTpTml5NjwD%2DZHlZp0L5BuKn30vBtKg%2DqxegG%2DhCf8D4S%2D%2D8iP
drgl0jsgHyQ%2E%2E&yargs=www.driverloans.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
InfoSpace Redirects to Overture
GET /_1_YWCU9J03JUL8FV__180sol.feed/clickit/search?r_aid=B9FCD821D63B48EC83B9B18
60E3697C0&r_sacop=9&r_spf=1&r_cop=title&r_snpp=1&r_spp=8&qqn=cpMaQL8d_InnW&r_coi
d=239134&rawto=http://www10.overture.com/d/sr/?xargs=15KPjg1%5FpS1YK9k7PyMPiIRvy
dhRlLisn2q407Tc0mTosd7iEyDP8uLuPemYV5HOMv%2Dw2kjqfLtfZOc6zx3qrWV1uYFl6IGuT%5Fyt2
9uYY8MaagWNRPhbQs0KiQ6os7Snl3ZBq0cNa9m%2DbEVdPxKSwSqoICzhSZ64I2gsK3x%2D4dFrnc2FR
9%5FUqXdMpGvvhdufHKXZ17SLZdfNyclVSfBOgzP%2D9G9LT5ay0SeBuS%2D24MrFiCLTd5oa64asx6t
LXnxvbsZOD77q1YbTaFtrdu6xeQwHaLjfMjNXfQ1ucQhg1VFfSiITeMzU9wuPyKz7bLafZTqSbsMKzUF
nHpaVxyYkR2VLWvMVXIRTB%2DpkDSMZgfL5%5FxuWPvU%2DTpTml5NjwD%2DZHlZp0L5BuKn30vBtKg%
2DqxegG%2DhCf8D4S%2D%2D8iPdrgl0jsgHyQ%2E%2E&yargs=www.driverloans.com
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: msxml.infospace.com
Connection: Keep-Alive
HTTP/1.1 302 Object Moved
Server: Microsoft-IIS/5.0
Date: Sun, 04 Sep 2005 19:33:29 GMT
Location: http://www10.overture.com/d/sr/?xargs=15KPjg1%5FpS1YK9k7PyMPiIRvydhRlL
isn2q407Tc0mTosd7iEyDP8uLuPemYV5HOMv%2Dw2kjqfLtfZOc6zx3qrWV1uYFl6IGuT%5Fyt29uYY8
MaagWNRPhbQs0KiQ6os7Snl3ZBq0cNa9m%2DbEVdPxKSwSqoICzhSZ64I2gsK3x%2D4dFrnc2FR9%5FU
qXdMpGvvhdufHKXZ17SLZdfNyclVSfBOgzP%2D9G9LT5ay0SeBuS%2D24MrFiCLTd5oa64asx6tLXnxv
bsZOD77q1YbTaFtrdu6xeQwHaLjfMjNXfQ1ucQhg1VFfSiITeMzU9wuPyKz7bLafZTqSbsMKzUFnHpaV
xyYkR2VLWvMVXIRTB%2DpkDSMZgfL5%5FxuWPvU%2DTpTml5NjwD%2DZHlZp0L5BuKn30vBtKg%2Dqxe
gG%2DhCf8D4S%2D%2D8iPdrgl0jsgHyQ%2E%2E&yargs=www.driverloans.com
Content-type: text/html
Set-Cookie: krta=A13F4A064D6F48C69417B18787748970; path=/; domain=.infospace.com
Set-Cookie: krtt=1F9AFBC5CCF44F8680CBB18787748970; path=/; domain=.infospace.com
Set-Cookie: krts=CC19D88E34D14B429E04B18787748970; expires=Sun, 04-Sep-2005
19:53:30 GMT; path=/; domain=.infospace.com
Content-Length: 0
Overture Redirects to Driverloans.com
GET /d/sr/?xargs=15KPjg1%5FpS1YK9k7PyMPiIRvydhRlLisn2q407Tc0mTosd7iEyDP8uLuPem
YV5HOMv%2Dw2kjqfLtfZOc6zx3qrWV1uYFl6IGuT%5Fyt29uYY8MaagWNRPhbQs0KiQ6os7Snl3ZBq
0cNa9m%2DbEVdPxKSwSqoICzhSZ64I2gsK3x%2D4dFrnc2FR9%5FUqXdMpGvvhdufHKXZ17SLZdfNy
clVSfBOgzP%2D9G9LT5ay0SeBuS%2D24MrFiCLTd5oa64asx6tLXnxvbsZOD77q1YbTaFtrdu6xeQw
HaLjfMjNXfQ1ucQhg1VFfSiITeMzU9wuPyKz7bLafZTqSbsMKzUFnHpaVxyYkR2VLWvMVXIRTB%2Dp
kDSMZgfL5%5FxuWPvU%2DTpTml5NjwD%2DZHlZp0L5BuKn30vBtKg%2DqxegG%2DhCf8D4S%2D%2D8
iPdrgl0jsgHyQ%2E%2E&yargs=www.driverloans.com
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www10.overture.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sun, 04 Sep 2005 19:33:30 GMT
Server: Apache/1.3.33 (Unix) mod_perl/1.29
Set-Cookie: SessionData=02u3hs9yoaT4tKLixNTUk1sQEAA0MjM0cjA0MzS7Vj1ODi4vzMoDzmQWambqYm5m6WRsYmFi7mAOZKiQIO;
domain=.overture.com; path=/; expires=Sun, 04-Sep-2005 19:38:30 GMT
Set-Cookie: ConvData= 02u3hs9yoazhUOMSCAQAzb0RcwFCgGBkgUgDwxs4zKOoF7eJ%2FD8N%2FD23tHgDmx4Fx872O1AXBcK
IWrjpPXHesmYCrBJRWreL9FNLa5KVxcCdZ5yWaz9ivnURkACmsvoTlaRKRMPxwpxg%3D%3D; domain=.overture.com;
path=/; expires=Wed, 02-Sep-2015 19:33:30 GMT
Set-Cookie: UserData=02u3hs9yoaT4tKLixNTUk1sQEAA0MjM0cjA0MzS7Vj4tCQVOZRZqZupibmbpZGxiYWLuYA5oFVvQw%3D;
domain=.overture.com; path=/; expires=Wed, 02-Sep-2015 19:33:30 GMT
P3P: CP=" NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR STP IND
UNI COM NAV INT STA "
Pragma: no-cache
Location: http://www.driverloans.com/app/2p1a?x=seoyahoo:value
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
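
The hop sequence in the log above can be recovered mechanically by pairing each request's Host header with the Location header of the 302 response that follows it. The Python below is an added example, not part of the original page: the function names are hypothetical, and the transcript is a constructed abbreviation of the log in which `ELIDED` stands in for the long tokens and the first Location header is left wrapped across lines as it is logged.

```python
import re
from urllib.parse import urlsplit

# Constructed, abbreviated transcript modeled on the log above. Opaque tokens
# are replaced by ELIDED; the first Location header is left wrapped, as logged.
SAMPLE = """\
GET /clicks.php?p=ELIDED HTTP/1.1
Host: searchresults.180searchassistant.com
HTTP/1.1 302 Found
Location: http://msxml.infospace.com/_1_ELIDED__180sol.feed/clickit/search?
r_aid=ELIDED&rawto=http://www10.overture.com/d/sr/?
xargs=ELIDED&yargs=www.driverloans.com
GET /_1_ELIDED__180sol.feed/clickit/search?r_aid=ELIDED HTTP/1.1
Host: msxml.infospace.com
HTTP/1.1 302 Object Moved
Location: http://www10.overture.com/d/sr/?xargs=ELIDED&yargs=www.driverloans.com
GET /d/sr/?xargs=ELIDED&yargs=www.driverloans.com HTTP/1.1
Host: www10.overture.com
HTTP/1.1 302 Found
Location: http://www.driverloans.com/app/2p1a?x=seoyahoo:value
"""

# A new record starts with a request line, a status line or "Name: value".
START = re.compile(r"^(GET |HTTP/1\.[01] \d{3}|[A-Za-z][A-Za-z0-9-]*: )")

def unwrap(text):
    """Join wrapped continuation lines onto the line they belong to."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if out and line and not START.match(line):
            out[-1] += line
        elif line:
            out.append(line)
    return out

def redirect_chain(text):
    """Return (requested_host, status, location_host) for each redirect response."""
    hops, host, status = [], None, None
    for line in unwrap(text):
        name, _, value = line.partition(": ")
        if line.startswith("HTTP/"):
            status = int(line.split()[1])
        elif name.lower() == "host":
            host = value
        elif name.lower() == "location":
            hops.append((host, status, urlsplit(value).hostname))
    return hops

def broken_links(hops):
    """Hops whose Location host differs from the Host of the next captured request."""
    return [(a, b) for a, b in zip(hops, hops[1:]) if a[2] != b[0]]
```

An empty result from `broken_links` means every redirect target in the capture is the host contacted by the next request, so the chain from the first host to the advertiser is unbroken.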