Packet Log - How Yahoo Funds Spyware

PPC advertisers (i.e. Driverloans)
money

viewers
Yahoo Overture
money

viewers
InfoSpace
money

viewers
180solutions

Packet Log - How Yahoo Funds Spyware - Via 180solutions
Ben Edelman

This page gives a packet log of example traffic passing from 180solutions to InfoSpace to Yahoo Overture to a Yahoo Overture advertiser (here, Driverloans.com), as shown in the diagram at right. Such traffic may be considered ill-gotten to the extent that the underlying installation of 180solutions was nonconsensual or obfuscated, or where advertisers just don't want traffic originating at vendors like 180solutions. See discussion in main article.

In each step of transmissions, yellow highlighting marks redirect instructions, while green highlighting marks the next redirect step.

180solutions Popup Search Page Redirects to InfoSpace

GET /clicks.php?p=Y2M9VVMsc2VpPTIsYWk9NzAwMCxzaT0xLHNzPUJlc3QgQXV0byBMb2Fu LHU9aHR0cCUzQSUyRiUyRm1zeG1sLmluZm9zcGFjZS5jb20lMkZfMV9ZV0NVOUowM0pVTDhGVl 9fMTgwc29sLmZlZWQlMkZjbGlja2l0JTJGc2VhcmNoJTNGcl9haWQlM0RCOUZDRDgyMUQ2M0I0 OEVDODNCOUIxODYwRTM2OTdDMCUyNnJfc2Fjb3AlM0Q5JTI2cl9zcGYlM0QxJTI2cl9jb3AlM0 R0aXRsZSUyNnJfc25wcCUzRDElMjZyX3NwcCUzRDglMjZxcW4lM0RjcE1hUUw4ZF9Jbm5XJTI2 cl9jb2lkJTNEMjM5MTM0JTI2cmF3dG8lM0RodHRwJTNBJTJGJTJGd3d3MTAub3ZlcnR1cmUuY2 9tJTJGZCUyRnNyJTJGJTNGeGFyZ3MlM0QxNUtQamcxJTI1NUZwUzFZSzlrN1B5TVBpSVJ2eWRo UmxMaXNuMnE0MDdUYzBtVG9zZDdpRXlEUDh1THVQZW1ZVjVIT012JTI1MkR3MmtqcWZMdGZaT2 M2engzcXJXVjF1WUZsNklHdVQlMjU1Rnl0Mjl1WVk4TWFhZ1dOUlBoYlFzMEtpUTZvczdTbmwz WkJxMGNOYTltJTI1MkRiRVZkUHhLU3dTcW9JQ3poU1o2NEkyZ3NLM3glMjUyRDRkRnJuYzJGUj klMjU1RlVxWGRNcEd2dmhkdWZIS1haMTdTTFpkZk55Y2xWU2ZCT2d6UCUyNTJEOUc5TFQ1YXkw U2VCdVMlMjUyRDI0TXJGaUNMVGQ1b2E2NGFzeDZ0TFhueHZic1pPRDc3cTFZYlRhRnRyZHU2eG VRd0hhTGpmTWpOWGZRMXVjUWhnMVZGZlNpSVRlTXpVOXd1UHlLejdiTGFmWlRxU2JzTUt6VUZu SHBhVnh5WWtSMlZMV3ZNVlhJUlRCJTI1MkRwa0RTTVpnZkw1JTI1NUZ4dVdQdlUlMjUyRFRwVG 1sNU5qd0QlMjUyRFpIbFpwMEw1QnVLbjMwdkJ0S2clMjUyRHF4ZWdHJTI1MkRoQ2Y4RDRTJTI1 MkQlMjUyRDhpUGRyZ2wwanNnSHlRJTI1MkUlMjUyRSUyNnlhcmdzJTNEd3d3LmRyaXZlcmxvYW 5zLmNvbSxwPTEscGk9MjcsZnA9MSxocmVmPWh0dHA6Ly93d3cuZHJpdmVybG9hbnMuY29t
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: searchresults.180searchassistant.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2005 19:33:29 GMT
Server: Apache
X-Powered-By: PHP/4.3.4
Location: http://msxml.infospace.com/_1_YWCU9J03JUL8FV__180sol.feed/clickit/search? r_aid=B9FCD821D63B48EC83B9B1860E3697C0&r_sacop=9&r_spf=1&r_cop=title&r_snpp=1 &r_spp=8&qqn=cpMaQL8d_InnW&r_coid=239134&rawto=http://www10.overture.com/d/sr/? xargs=15KPjg1%5FpS1YK9k7PyMPiIRvydhRlLisn2q407Tc0mTosd7iEyDP8uLuPemYV5HOMv %2Dw2kjqfLtfZOc6zx3qrWV1uYFl6IGuT%5Fyt29uYY8MaagWNRPhbQs0KiQ6os7Snl3ZBq0cNa9m %2DbEVdPxKSwSqoICzhSZ64I2gsK3x%2D4dFrnc2FR9%5FUqXdMpGvvhdufHKXZ17SLZdfNyclVSf BOgzP%2D9G9LT5ay0SeBuS%2D24MrFiCLTd5oa64asx6tLXnxvbsZOD77q1YbTaFtrdu6xeQwHaLj fMjNXfQ1ucQhg1VFfSiITeMzU9wuPyKz7bLafZTqSbsMKzUFnHpaVxyYkR2VLWvMVXIRTB%2DpkDS MZgfL5%5FxuWPvU%2DTpTml5NjwD%2DZHlZp0L5BuKn30vBtKg%2DqxegG%2DhCf8D4S%2D%2D8iP drgl0jsgHyQ%2E%2E&yargs=www.driverloans.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

InfoSpace Redirects to Overture

GET /_1_YWCU9J03JUL8FV__180sol.feed/clickit/search?r_aid=B9FCD821D63B48EC83B9B18 60E3697C0&r_sacop=9&r_spf=1&r_cop=title&r_snpp=1&r_spp=8&qqn=cpMaQL8d_InnW&r_coi d=239134&rawto=http://www10.overture.com/d/sr/?xargs=15KPjg1%5FpS1YK9k7PyMPiIRvy dhRlLisn2q407Tc0mTosd7iEyDP8uLuPemYV5HOMv%2Dw2kjqfLtfZOc6zx3qrWV1uYFl6IGuT%5Fyt2 9uYY8MaagWNRPhbQs0KiQ6os7Snl3ZBq0cNa9m%2DbEVdPxKSwSqoICzhSZ64I2gsK3x%2D4dFrnc2FR 9%5FUqXdMpGvvhdufHKXZ17SLZdfNyclVSfBOgzP%2D9G9LT5ay0SeBuS%2D24MrFiCLTd5oa64asx6t LXnxvbsZOD77q1YbTaFtrdu6xeQwHaLjfMjNXfQ1ucQhg1VFfSiITeMzU9wuPyKz7bLafZTqSbsMKzUF nHpaVxyYkR2VLWvMVXIRTB%2DpkDSMZgfL5%5FxuWPvU%2DTpTml5NjwD%2DZHlZp0L5BuKn30vBtKg% 2DqxegG%2DhCf8D4S%2D%2D8iPdrgl0jsgHyQ%2E%2E&yargs=www.driverloans.com
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: msxml.infospace.com
Connection: Keep-Alive

HTTP/1.1 302 Object Moved
Server: Microsoft-IIS/5.0
Date: Sun, 04 Sep 2005 19:33:29 GMT
Location: http://www10.overture.com/d/sr/?xargs=15KPjg1%5FpS1YK9k7PyMPiIRvydhRlL isn2q407Tc0mTosd7iEyDP8uLuPemYV5HOMv%2Dw2kjqfLtfZOc6zx3qrWV1uYFl6IGuT%5Fyt29uYY8 MaagWNRPhbQs0KiQ6os7Snl3ZBq0cNa9m%2DbEVdPxKSwSqoICzhSZ64I2gsK3x%2D4dFrnc2FR9%5FU qXdMpGvvhdufHKXZ17SLZdfNyclVSfBOgzP%2D9G9LT5ay0SeBuS%2D24MrFiCLTd5oa64asx6tLXnxv bsZOD77q1YbTaFtrdu6xeQwHaLjfMjNXfQ1ucQhg1VFfSiITeMzU9wuPyKz7bLafZTqSbsMKzUFnHpaV xyYkR2VLWvMVXIRTB%2DpkDSMZgfL5%5FxuWPvU%2DTpTml5NjwD%2DZHlZp0L5BuKn30vBtKg%2Dqxe gG%2DhCf8D4S%2D%2D8iPdrgl0jsgHyQ%2E%2E&yargs=www.driverloans.com
Content-type: text/html
Set-Cookie: krta=A13F4A064D6F48C69417B18787748970; path=/; domain=.infospace.com
Set-Cookie: krtt=1F9AFBC5CCF44F8680CBB18787748970; path=/; domain=.infospace.com
Set-Cookie: krts=CC19D88E34D14B429E04B18787748970; expires=Sun, 04-Sep-2005 19:53:30 GMT; path=/; domain=.infospace.com
Content-Length: 0

Overture Redirects to Driverloans.com

GET /d/sr/?xargs=15KPjg1%5FpS1YK9k7PyMPiIRvydhRlLisn2q407Tc0mTosd7iEyDP8uLuPem YV5HOMv%2Dw2kjqfLtfZOc6zx3qrWV1uYFl6IGuT%5Fyt29uYY8MaagWNRPhbQs0KiQ6os7Snl3ZBq 0cNa9m%2DbEVdPxKSwSqoICzhSZ64I2gsK3x%2D4dFrnc2FR9%5FUqXdMpGvvhdufHKXZ17SLZdfNy clVSfBOgzP%2D9G9LT5ay0SeBuS%2D24MrFiCLTd5oa64asx6tLXnxvbsZOD77q1YbTaFtrdu6xeQw HaLjfMjNXfQ1ucQhg1VFfSiITeMzU9wuPyKz7bLafZTqSbsMKzUFnHpaVxyYkR2VLWvMVXIRTB%2Dp kDSMZgfL5%5FxuWPvU%2DTpTml5NjwD%2DZHlZp0L5BuKn30vBtKg%2DqxegG%2DhCf8D4S%2D%2D8 iPdrgl0jsgHyQ%2E%2E&yargs=www.driverloans.com
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www10.overture.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2005 19:33:30 GMT
Server: Apache/1.3.33 (Unix) mod_perl/1.29
Set-Cookie: SessionData=02u3hs9yoaT4tKLixNTUk1sQEAA0MjM0cjA0MzS7Vj1ODi4vzMoDzmQWambqYm5m6WRsYmFi7mAOZKiQIO; domain=.overture.com; path=/; expires=Sun, 04-Sep-2005 19:38:30 GMT
Set-Cookie: ConvData= 02u3hs9yoazhUOMSCAQAzb0RcwFCgGBkgUgDwxs4zKOoF7eJ%2FD8N%2FD23tHgDmx4Fx872O1AXBcK IWrjpPXHesmYCrBJRWreL9FNLa5KVxcCdZ5yWaz9ivnURkACmsvoTlaRKRMPxwpxg%3D%3D; domain=.overture.com; path=/; expires=Wed, 02-Sep-2015 19:33:30 GMT
Set-Cookie: UserData=02u3hs9yoaT4tKLixNTUk1sQEAA0MjM0cjA0MzS7Vj4tCQVOZRZqZupibmbpZGxiYWLuYA5oFVvQw%3D; domain=.overture.com; path=/; expires=Wed, 02-Sep-2015 19:33:30 GMT
P3P: CP=" NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR STP IND UNI COM NAV INT STA "
Pragma: no-cache
Location: http://www.driverloans.com/app/2p1a?x=seoyahoo:value
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain