PPC advertisers (e.g. lasikcookeye.com)
money viewers
   Yahoo Overture   
money viewers
64.14.206.59
money viewers
improvingyourlooks.com
money viewers
12.129.178.27
money viewers
Look2me / Ad-w-a-r-e

Packet Log - Yahoo Overture Click Fraud by Look2me / Ad-w-a-r-e, Improvingyourlooks.com, and Two Unknown Parties
The Spyware - Click-Fraud Connection -- and Yahoo's Role Revisited - Ben Edelman

This page gives a packet log of example traffic passing from Ad-w-a-r-e to 12.129.178.27 to improvingyourlooks.com to 64.14.206.59 to Yahoo Overture to a PPC advertiser (here, a Performics affiliate promoting Sportsmansguide.com), as shown in the diagram at right. All testing occurred on April 1, 2006.

This traffic is click fraud because it occurs without an underlying cilck on any PPC ad. See discussion in main article, as well as screenshots and video.

In each step of transmissions, yellow highlighting marks redirect instructions, green highlighting marks the next redirect step, and pink highlighting marks the names of the parties involved.

Ad-w-a-r-e Sends Untargeted Traffic to 12.129.178.27

POST /cgi-bin/UMonitorV2 HTTP/1.0
Host: www.ad-w-a-r-e.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Referer:
Connection: close
Content-Length: 110
Content-Type: application/x-www-form-urlencoded

!{...} HTTP ad.yieldmanager.com /imp?z=0&s=4047&t=3&y=23&w=720&h=300 NoPopup!

HTTP/1.1 200 OK
Date: Sat, 01 Apr 2006 22:29:32 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Connection: close
Content-Type: text/html
Set-Cookie: BIGipServerWebServers=555621898.20480.0000; path=/

KEYWORD:http://64.194.221.33/cgi-bin/KeywordV2?query=4047&ID={...}

 

GET /cgi-bin/KeywordV2?query=4047&ID={...} HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: 64.194.221.33
Connection: Keep-Alive
Cookie: BIGipServerWebServers=538844682.20480.0000

HTTP/1.1 302 Found
Date: Sat, 01 Apr 2006 22:29:34 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Location: http://12.129.178.27/redir?aid=1006&cid=162&xargs=ZmlkPTUxJmtleT1sYXNpayBleWUg c3VyZ2VyeSZyYT02Ni4zMS40NC4yMjImYWR2PXd3dy5sYXNpa2Nvb2tleWUuY29tJnBvcz0zJmJpZD0xJnVybD1h SFIwY0RvdkwzTmxZWEpqYUM1cGJYQnliM1pwYm1kNWIzVnliRzl2YTNNdVkyOXRMMmx1WkdWNExtaDBiV3cvY21W a1BURW1jVDFzWVhOcGF5VXlNR1Y1WlNVeU1ITjFjbWRsY25rbVl6MHlNVGc0Sm5BOU1qQTJPQ1prUFRFbVpHVnpQ VWQ0WjBkSGVEVkdRMmhyVWtSblkxUlRaMFZDVVRCRmQwSm9ORmhTVldOR1UwVkZRMVpyVmxKVE1VVlFVakJGYWtG R1JrUlliVGcyVkhkc1dGUnNOWGRSVm5kNlprZHpPVWd3YkVoTVZsbG1ZWGxKUlVsWFRWWk5RMmRtWXpORlZrTjNh RVpJTVZWM1VXaFplazVHYkZGTlowVXhXakYzT1ZGNGMyMUlXREJaWmtabkpUSTFNa0pRVm5OaFMxSjNiV0ZSU1hW U1FYTkpVRVl3VFZGRU1VUlVTRUpEVEZNNFUxRkJWVTVJVW04MVNVZEdXbGhEVFhsTU0yOWhTVEZ6WjJGUlJtaFNh VzlFVjJoYVZFWlNhMjlVZUUxU1NVRlpaMUpXUWpCUlJXeElURmRWUTFoVmRGVlFVVlpYUTJsak5XRXpNRTFIUTAx eVYwVTBZVkZUVlhWTlowSnpWWGxWYUZWdFVVNUplSE5MUzBJd1JsTlNhMlpQTUdSNlJrUTBVRlV4WjJsV2JEUXlU RUpKYkdaQmN5VXlOVEpHUjNoTlYwbG5hRWhqU0ZZNVZteHJNRTlGTkRWaE1WbHFUWGRHUWxCb1kyUmhNVEJIVDBO WkpUSTFNa1pKU0VGYVpIbHZkbEZIVmtORFVXTXdVVVpaVGtoQlowdENRa0ZpV0ZOVk1VRkhPV2RXVTFsMVptZFZP VXA1YkVOVk1VRkNWbmx2SlRJMU1rWkpXRGxOV0ZORlQxa3hTWGROYVd0SVNqTjNZMVJvTkdoTE1VbEhWbWx2SlRJ MU1rWkliREJ1VTNwWmIwRklZM05WVkRSTFJuZENlRkZXYzNoa1JqQklRMUpWV2twWVZXUlNRVkpFVkVoQ2FGWkRS VUZpYUZwNFRsSlJiMDFYU2xOa2JGa3lVMnc1TlZacVoxVkZkMVZzU1hwUlprZFhkemxXWjNNelJURTBSMVZUWjJG bWJrbHVVVkZCTkZjelRsQkdlVzlGVUVoNFdFdEVjMlpWVmtKNFNYcGFWVVZyVlZsUmFERmlSR3RHVlZOblNWZFdW bTkyUlVGTlpFRkZSVlJSUlVGR1JteHpKVEkxTTBRPSZ1dD0xMTQzOTMwNjA4OjE3OTcxOSZzPTE%3D
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://12.129.178.27/redir?aid=1006&amp;cid=162&amp;xargs=ZmlkPTUxJ mtleT1sYXNpayBleWUgc3VyZ2VyeSZyYT02Ni4zMS40NC4yMjImYWR2PXd3dy5sYXNpa2Nvb2tleWUuY29tJnBvcz0zJmJpZD0x JnVybD1hSFIwY0RvdkwzTmxZWEpqYUM1cGJYQnliM1pwYm1kNWIzVnliRzl2YTNNdVkyOXRMMmx1WkdWNExtaDBiV3cvY21Wa1B URW1jVDFzWVhOcGF5VXlNR1Y1WlNVeU1ITjFjbWRsY25rbVl6MHlNVGc0Sm5BOU1qQTJPQ1prUFRFbVpHVnpQVWQ0WjBkSGVEVk dRMmhyVWtSblkxUlRaMFZDVVRCRmQwSm9ORmhTVldOR1UwVkZRMVpyVmxKVE1VVlFVakJGYWtGR1JrUlliVGcyVkhkc1dGUnNOW GRSVm5kNlprZHpPVWd3YkVoTVZsbG1ZWGxKUlVsWFRWWk5RMmRtWXpORlZrTjNhRVpJTVZWM1VXaFplazVHYkZGTlowVXhXakYz T1ZGNGMyMUlXREJaWmtabkpUSTFNa0pRVm5OaFMxSjNiV0ZSU1hWU1FYTkpVRVl3VFZGRU1VUlVTRUpEVEZNNFUxRkJWVTVJVW0 4MVNVZEdXbGhEVFhsTU0yOWhTVEZ6WjJGUlJtaFNhVzlFVjJoYVZFWlNhMjlVZUUxU1NVRlpaMUpXUWpCUlJXeElURmRWUTFoVm RGVlFVVlpYUTJsak5XRXpNRTFIUTAxeVYwVTBZVkZUVlhWTlowSnpWWGxWYUZWdFVVNUplSE5MUzBJd1JsTlNhMlpQTUdSNlJrU TBVRlV4WjJsV2JEUXlURUpKYkdaQmN5VXlOVEpHUjNoTlYwbG5hRWhqU0ZZNVZteHJNRTlGTkRWaE1WbHFUWGRHUWxCb1kyUmhN VEJIVDBOWkpUSTFNa1pKU0VGYVpIbHZkbEZIVmtORFVXTXdVVVpaVGtoQlowdENRa0ZpV0ZOVk1VRkhPV2RXVTFsMVptZFZPVXA 1YkVOVk1VRkNWbmx2SlRJMU1rWkpXRGxOV0ZORlQxa3hTWGROYVd0SVNqTjNZMVJvTkdoTE1VbEhWbWx2SlRJMU1rWkliREJ1VT NwWmIwRklZM05WVkRSTFJuZENlRkZXYzNoa1JqQklRMUpWV2twWVZXUlNRVkpFVkVoQ2FGWkRSVUZpYUZwNFRsSlJiMDFYU2xOa 2JGa3lVMnc1TlZacVoxVkZkMVZzU1hwUlprZFhkemxXWjNNelJURTBSMVZUWjJGbWJrbHVVVkZCTkZjelRsQkdlVzlGVUVoNFdF dEVjMlpWVmtKNFNYcGFWVVZyVlZsUmFERmlSR3RHVlZOblNWZFdWbTkyUlVGTlpFRkZSVlJSUlVGR1JteHpKVEkxTTBRPSZ1dD0 xMTQzOTMwNjA4OjE3OTcxOSZzPTE%3D">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at 64.194.221.33 Port 80</ADDRESS>
</BODY></HTML>

 

12.129.178.27 Redirects to Improvingyourlooks.com

GET /redir?aid=1006&cid=162&xargs=ZmlkPTUxJmtleT1sYXNpayBleWUgc3VyZ2VyeSZyYT02Ni4zMS40NC4 yMjImYWR2PXd3dy5sYXNpa2Nvb2tleWUuY29tJnBvcz0zJmJpZD0xJnVybD1hSFIwY0RvdkwzTmxZWEpqYUM1cGJY QnliM1pwYm1kNWIzVnliRzl2YTNNdVkyOXRMMmx1WkdWNExtaDBiV3cvY21Wa1BURW1jVDFzWVhOcGF5VXlNR1Y1W lNVeU1ITjFjbWRsY25rbVl6MHlNVGc0Sm5BOU1qQTJPQ1prUFRFbVpHVnpQVWQ0WjBkSGVEVkdRMmhyVWtSblkxUl RaMFZDVVRCRmQwSm9ORmhTVldOR1UwVkZRMVpyVmxKVE1VVlFVakJGYWtGR1JrUlliVGcyVkhkc1dGUnNOWGRSVm5 kNlprZHpPVWd3YkVoTVZsbG1ZWGxKUlVsWFRWWk5RMmRtWXpORlZrTjNhRVpJTVZWM1VXaFplazVHYkZGTlowVXhX akYzT1ZGNGMyMUlXREJaWmtabkpUSTFNa0pRVm5OaFMxSjNiV0ZSU1hWU1FYTkpVRVl3VFZGRU1VUlVTRUpEVEZNN FUxRkJWVTVJVW04MVNVZEdXbGhEVFhsTU0yOWhTVEZ6WjJGUlJtaFNhVzlFVjJoYVZFWlNhMjlVZUUxU1NVRlpaMU pXUWpCUlJXeElURmRWUTFoVmRGVlFVVlpYUTJsak5XRXpNRTFIUTAxeVYwVTBZVkZUVlhWTlowSnpWWGxWYUZWdFV VNUplSE5MUzBJd1JsTlNhMlpQTUdSNlJrUTBVRlV4WjJsV2JEUXlURUpKYkdaQmN5VXlOVEpHUjNoTlYwbG5hRWhq U0ZZNVZteHJNRTlGTkRWaE1WbHFUWGRHUWxCb1kyUmhNVEJIVDBOWkpUSTFNa1pKU0VGYVpIbHZkbEZIVmtORFVXT XdVVVpaVGtoQlowdENRa0ZpV0ZOVk1VRkhPV2RXVTFsMVptZFZPVXA1YkVOVk1VRkNWbmx2SlRJMU1rWkpXRGxOV0 ZORlQxa3hTWGROYVd0SVNqTjNZMVJvTkdoTE1VbEhWbWx2SlRJMU1rWkliREJ1VTNwWmIwRklZM05WVkRSTFJuZEN lRkZXYzNoa1JqQklRMUpWV2twWVZXUlNRVkpFVkVoQ2FGWkRSVUZpYUZwNFRsSlJiMDFYU2xOa2JGa3lVMnc1TlZa cVoxVkZkMVZzU1hwUlprZFhkemxXWjNNelJURTBSMVZUWjJGbWJrbHVVVkZCTkZjelRsQkdlVzlGVUVoNFdFdEVjM lpWVmtKNFNYcGFWVVZyVlZsUmFERmlSR3RHVlZOblNWZFdWbTkyUlVGTlpFRkZSVlJSUlVGR1JteHpKVEkxTTBRPS Z1dD0xMTQzOTMwNjA4OjE3OTcxOSZzPTE%3D HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Connection: Keep-Alive
Host: 12.129.178.27

HTTP/1.1 302 Found
Date: Sat, 01 Apr 2006 22:30:08 GMT
Server: Apache/2.0.54 (Ubuntu) mod_perl/2.0.1 Perl/v5.8.7
Location: http://search.improvingyourlooks.com/index.html?red=1&q=lasik%20eye%20surgery &c=2188&p=2068&d=1&des=GxgGGx5FChkRDgcTSgEBQ0EwBh4XRUcFSEECVkVRS1EPR0EjAFFDXm86TwlXTl5w QVwzfGs9H0lHLVYfayIEIWMVMCgfc3EVCwhFH1UwQhYzNFlQMgE1Z1w9QxsmHX0YfFg%252BPVsaKRwmaQIuRAs IPF0MQD1DTHBCLS8SQAUNHRo5IGFZXCMyL3oaI1sgaQFhRioDWhZTFRkoTxMRIAYgRVB0QElHLWUCXUtUPQVWCi c5a30MGCMrWE4aQSUuMgBsUyUhUmQNIxsKKB0FSRkfO0dzFD4PU1giVl42LBIlfAs%252FGxMWIghHcHV9Vlk0O E45a1YjMwFBPhcda10GOCY%252FIHAZdyovQGVCCQc0QFYNHAgKBBAbXSU1AG9gVSYufgU9JylCU1ABVyo%252F IX9MXSEOY1IwMikHJ3wcTh4hK1IGVio%252FHl0nSzYoAHcsUT4KFwBxQVsxdF0HCRUZJXUdRARDTHBhVCEAbhZ xNRQoMWJSdlY2Sl95VjgUEwUlIzQfGWw9Vgs3E14GUSgafnInQQA4W3NPFyoEPHxXKDsfUVBxIzZUEkUYQh1bDk FUSgIWVVovEAMdAEETQEAFFls%253D
Content-Length: 920
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://search.improvingyourlooks.com/index.html?red=1&amp;q=lasik%20eye %20surgery&amp;c=2188&amp;p=2068&amp;d=1&amp;des=GxgGGx5FChkRDgcTSgEBQ0EwBh4XRUcFSEECVkVRS1EPR0EjAFFDXm86T wlXTl5wQVwzfGs9H0lHLVYfayIEIWMVMCgfc3EVCwhFH1UwQhYzNFlQMgE1Z1w9QxsmHX0YfFg%252BPVsaKRwmaQIuRAsIPF0MQD1DTHB CLS8SQAUNHRo5IGFZXCMyL3oaI1sgaQFhRioDWhZTFRkoTxMRIAYgRVB0QElHLWUCXUtUPQVWCic5a30MGCMrWE4aQSUuMgBsUyUhUmQNI xsKKB0FSRkfO0dzFD4PU1giVl42LBIlfAs%252FGxMWIghHcHV9Vlk0OE45a1YjMwFBPhcda10GOCY%252FIHAZdyovQGVCCQc0QFYNHAg KBBAbXSU1AG9gVSYufgU9JylCU1ABVyo%252FIX9MXSEOY1IwMikHJ3wcTh4hK1IGVio%252FHl0nSzYoAHcsUT4KFwBxQVsxdF0HCRUZJ XUdRARDTHBhVCEAbhZxNRQoMWJSdlY2Sl95VjgUEwUlIzQfGWw9Vgs3E14GUSgafnInQQA4W3NPFyoEPHxXKDsfUVBxIzZUEkUYQh1bDkF USgIWVVovEAMdAEETQEAFFls%253D">here</a>.</p>
</body></html>

 

Improvingyourlooks.com Redirects to 64.14.206.59

GET /index.html?red=1&q=lasik%20eye%20surgery&c=2188&p=2068&d=1&des=GxgGGx5FChkRDgcTSgEB Q0EwBh4XRUcFSEECVkVRS1EPR0EjAFFDXm86TwlXTl5wQVwzfGs9H0lHLVYfayIEIWMVMCgfc3EVCwhFH1UwQhYz NFlQMgE1Z1w9QxsmHX0YfFg%252BPVsaKRwmaQIuRAsIPF0MQD1DTHBCLS8SQAUNHRo5IGFZXCMyL3oaI1sgaQFh RioDWhZTFRkoTxMRIAYgRVB0QElHLWUCXUtUPQVWCic5a30MGCMrWE4aQSUuMgBsUyUhUmQNIxsKKB0FSRkfO0dz FD4PU1giVl42LBIlfAs%252FGxMWIghHcHV9Vlk0OE45a1YjMwFBPhcda10GOCY%252FIHAZdyovQGVCCQc0QFYN HAgKBBAbXSU1AG9gVSYufgU9JylCU1ABVyo%252FIX9MXSEOY1IwMikHJ3wcTh4hK1IGVio%252FHl0nSzYoAHcs UT4KFwBxQVsxdF0HCRUZJXUdRARDTHBhVCEAbhZxNRQoMWJSdlY2Sl95VjgUEwUlIzQfGWw9Vgs3E14GUSgafnIn QQA4W3NPFyoEPHxXKDsfUVBxIzZUEkUYQh1bDkFUSgIWVVovEAMdAEETQEAFFls%253D HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Connection: Keep-Alive
Host: search.improvingyourlooks.com

HTTP/1.1 302 Moved
Date: Sat, 01 Apr 2006 22:29:36 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) mod_perl/1.99_14 Perl/v5.8.4
P3P: policyref="/w3c/p3p.xml", CP="NOI CUR ADM DEV OUR BUS NAV"
Set-Cookie: stuff=q%3Dlasik%2520eye%2520surgery%3Bc%3D2188%3Bp%3D2068%3Bd%3D1%3Bdes%3DGxgGGx5FChkR DgcTSgEBQ0EwBh4XRUcFSEECVkVRS1EPR0EjAFFDXm86TwlXTl5wQVwzfGs9H0lHLVYfayIEIWMVMCgfc3EVCwhFH1UwQhYzNF lQMgE1Z1w9QxsmHX0YfFg%25252BPVsaKRwmaQIuRAsIPF0MQD1DTHBCLS8SQAUNHRo5IGFZXCMyL3oaI1sgaQFhRioDWhZTFR koTxMRIAYgRVB0QElHLWUCXUtUPQVWCic5a30MGCMrWE4aQSUuMgBsUyUhUmQNIxsKKB0FSRkfO0dzFD4PU1giVl42LBIlfAs% 25252FGxMWIghHcHV9Vlk0OE45a1YjMwFBPhcda10GOCY%25252FIHAZdyovQGVCCQc0QFYNHAgKBBAbXSU1AG9gVSYufgU9Jy lCU1ABVyo%25252FIX9MXSEOY1IwMikHJ3wcTh4hK1IGVio%25252FHl0nSzYoAHcsUT4KFwBxQVsxdF0HCRUZJXUdRARDTHBh VCEAbhZxNRQoMWJSdlY2Sl95VjgUEwUlIzQfGWw9Vgs3E14GUSgafnInQQA4W3NPFyoEPHxXKDsfUVBxIzZUEkUYQh1bDkFUSg IWVVovEAMdAEETQEAFFls%25253D; path=/; expires=Sat, 01-Apr-2006 22:29:46 GMT
Location: http://search.improvingyourlooks.com/?1143930576
Content-Length: 232
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Moved</title>
</head><body>
<h1>Moved</h1>
<p>The document has moved <a href="http://search.improvingyourlooks.com/?1143930576">here</a>.</p>
</body></html>

 

GET /?1143930576 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Cookie: stuff=q%3Dlasik%2520eye%2520surgery%3Bc%3D2188%3Bp%3D2068%3Bd%3D1%3Bdes%3DGxgGGx5FC hkRDgcTSgEBQ0EwBh4XRUcFSEECVkVRS1EPR0EjAFFDXm86TwlXTl5wQVwzfGs9H0lHLVYfayIEIWMVMCgfc3EVCwhF H1UwQhYzNFlQMgE1Z1w9QxsmHX0YfFg%25252BPVsaKRwmaQIuRAsIPF0MQD1DTHBCLS8SQAUNHRo5IGFZXCMyL3oaI 1sgaQFhRioDWhZTFRkoTxMRIAYgRVB0QElHLWUCXUtUPQVWCic5a30MGCMrWE4aQSUuMgBsUyUhUmQNIxsKKB0FSRkf O0dzFD4PU1giVl42LBIlfAs%25252FGxMWIghHcHV9Vlk0OE45a1YjMwFBPhcda10GOCY%25252FIHAZdyovQGVCCQc 0QFYNHAgKBBAbXSU1AG9gVSYufgU9JylCU1ABVyo%25252FIX9MXSEOY1IwMikHJ3wcTh4hK1IGVio%25252FHl0nSz YoAHcsUT4KFwBxQVsxdF0HCRUZJXUdRARDTHBhVCEAbhZxNRQoMWJSdlY2Sl95VjgUEwUlIzQfGWw9Vgs3E14GUSgaf nInQQA4W3NPFyoEPHxXKDsfUVBxIzZUEkUYQh1bDkFUSgIWVVovEAMdAEETQEAFFls%25253D
Connection: Keep-Alive
Host: search.improvingyourlooks.com

HTTP/1.1 200 OK
Date: Sat, 01 Apr 2006 22:29:36 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) mod_perl/1.99_14 Perl/v5.8.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<html>
<head>
<noscript>
<meta http-equiv="refresh" content='0;url=http://64.14.206.59/cgi-bin/feedred?c=2188 &p=2068&q=lasik%20eye%20surgery&des=GxgGGx5FChkRDgcTSgEBQ0EwBh4XRUcFSEECVkVRS1EPR0Ej AFFDXm86TwlXTl5wQVwzfGs9H0lHLVYfayIEIWMVMCgfc3EVCwhFH1UwQhYzNFlQMgE1Z1w9QxsmHX0YfFg% 252BPVsaKRwmaQIuRAsIPF0MQD1DTHBCLS8SQAUNHRo5IGFZXCMyL3oaI1sgaQFhRioDWhZTFRkoTxMRIAYg RVB0QElHLWUCXUtUPQVWCic5a30MGCMrWE4aQSUuMgBsUyUhUmQNIxsKKB0FSRkfO0dzFD4PU1giVl42LBIl fAs%252FGxMWIghHcHV9Vlk0OE45a1YjMwFBPhcda10GOCY%252FIHAZdyovQGVCCQc0QFYNHAgKBBAbXSU1 AG9gVSYufgU9JylCU1ABVyo%252FIX9MXSEOY1IwMikHJ3wcTh4hK1IGVio%252FHl0nSzYoAHcsUT4KFwBx QVsxdF0HCRUZJXUdRARDTHBhVCEAbhZxNRQoMWJSdlY2Sl95VjgUEwUlIzQfGWw9Vgs3E14GUSgafnInQQA4 W3NPFyoEPHxXKDsfUVBxIzZUEkUYQh1bDkFUSgIWVVovEAMdAEETQEAFFls%253D&des2=&d=1 ' >
</noscript>
</head>
<body onload='document.forms[0].submit()'>
<form action='http://64.14.206.59/cgi-bin/feedred' method='GET'>

<input type='hidden' name='c' value='2188'>
<input type='hidden' name='p' value='2068'>
<input type='hidden' name='d' value='1'>
<input type='hidden' name='nr' value='search.improvingyourlooks.com'>
<input type='hidden' name='q' value='lasik%20eye%20surgery'>
<input type='hidden' name='des' value='GxgGGx5FChkRDgcTSgEBQ0EwBh4XRUcFSEECVkVRS1EPR0EjAFFDXm86TwlXTl5wQ VwzfGs9H0lHLVYfayIEIWMVMCgfc3EVCwhFH1UwQhYzNFlQMgE1Z1w9QxsmHX0YfFg%2BPVsaKRwmaQIuRAsIPF0MQD1DTHBCLS8SQAU NHRo5IGFZXCMyL3oaI1sgaQFhRioDWhZTFRkoTxMRIAYgRVB0QElHLWUCXUtUPQVWCic5a30MGCMrWE4aQSUuMgBsUyUhUmQNIxsKKB0 FSRkfO0dzFD4PU1giVl42LBIlfAs%2FGxMWIghHcHV9Vlk0OE45a1YjMwFBPhcda10GOCY%2FIHAZdyovQGVCCQc0QFYNHAgKBBAbXSU 1AG9gVSYufgU9JylCU1ABVyo%2FIX9MXSEOY1IwMikHJ3wcTh4hK1IGVio%2FHl0nSzYoAHcsUT4KFwBxQVsxdF0HCRUZJXUdRARDTHB hVCEAbhZxNRQoMWJSdlY2Sl95VjgUEwUlIzQfGWw9Vgs3E14GUSgafnInQQA4W3NPFyoEPHxXKDsfUVBxIzZUEkUYQh1bDkFUSgIWVVo vEAMdAEETQEAFFls%3D'>
<input type='hidden' name='des2' value=''>
</form>
</body>
</html>

 

Unknown Party at IP 64.14.206.59 Redirects to Yahoo Overture

GET /cgi-bin/feedred?c=2188&p=2068&d=1&nr=search.improvingyourlooks.com&q=lasik%2520eye%2520surgery&de s=GxgGGx5FChkRDgcTSgEBQ0EwBh4XRUcFSEECVkVRS1EPR0EjAFFDXm86TwlXTl5wQVwzfGs9H0lHLVYfayIEIWMVMCgfc3EVCwhF H1UwQhYzNFlQMgE1Z1w9QxsmHX0YfFg%252BPVsaKRwmaQIuRAsIPF0MQD1DTHBCLS8SQAUNHRo5IGFZXCMyL3oaI1sgaQFhRioDWh ZTFRkoTxMRIAYgRVB0QElHLWUCXUtUPQVWCic5a30MGCMrWE4aQSUuMgBsUyUhUmQNIxsKKB0FSRkfO0dzFD4PU1giVl42LBIlfAs% 252FGxMWIghHcHV9Vlk0OE45a1YjMwFBPhcda10GOCY%252FIHAZdyovQGVCCQc0QFYNHAgKBBAbXSU1AG9gVSYufgU9JylCU1ABVy o%252FIX9MXSEOY1IwMikHJ3wcTh4hK1IGVio%252FHl0nSzYoAHcsUT4KFwBxQVsxdF0HCRUZJXUdRARDTHBhVCEAbhZxNRQoMWJS dlY2Sl95VjgUEwUlIzQfGWw9Vgs3E14GUSgafnInQQA4W3NPFyoEPHxXKDsfUVBxIzZUEkUYQh1bDkFUSgIWVVovEAMdAEETQEAFFl s%253D&des2= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://search.improvingyourlooks.com/?1143930576
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: 64.14.206.59
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sat, 01 Apr 2006 22:29:36 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) mod_perl/1.99_14 Perl/v5.8.4
Location: http://www10.overture.com/d/sr/?xargs=15KPjg17hS%2DZXyl%5FruNLbXU6TFhUBQxd7tqZgxUMosVoBAoy0w TvYrY6XDm9MrQO1j7gzWyfeS%5FaIAef6InvKKE3yMTVL9G5WO2%5Fq1290wN6%2DhWcc03%5FAhx%2D3unINMNHkOY3jpdKHK6O7K VtWIPwxC9olwyBqPpPxukf%2DG6OYeYb%5Ff0VF9%5FSjSN8EJ7bZyjMnBKJMKTsRDI9SamiCfeIodxo4qxKSyYC1HYX6yTE08tkrD YXIo9OyEatAEuLXvkpGRd%2DH8nc8ZZkSFtPln6R%5FRnCzykNQwaj%5FB0OwH%5FxZZF8S8P3iZ2Vc56aPXmrHWseQjh%5FmXAc2l J0W%2DbEJtLUhwc5PZ&yargs=www.lasikcookeye.com
Content-Length: 631
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www10.overture.com/d/sr/?xargs=15KPjg17hS%2DZXyl%5FruNLbXU6 TFhUBQxd7tqZgxUMosVoBAoy0wTvYrY6XDm9MrQO1j7gzWyfeS%5FaIAef6InvKKE3yMTVL9G5WO2%5Fq1290wN6%2DhWcc03%5FA hx%2D3unINMNHkOY3jpdKHK6O7KVtWIPwxC9olwyBqPpPxukf%2DG6OYeYb%5Ff0VF9%5FSjSN8EJ7bZyjMnBKJMKTsRDI9SamiCf eIodxo4qxKSyYC1HYX6yTE08tkrDYXIo9OyEatAEuLXvkpGRd%2DH8nc8ZZkSFtPln6R%5FRnCzykNQwaj%5FB0OwH%5FxZZF8S8P 3iZ2Vc56aPXmrHWseQjh%5FmXAc2lJ0W%2DbEJtLUhwc5PZ&amp;yargs=www.lasikcookeye.com">here</a>.</p>
</body></html>

 

Yahoo Overture Redirects to PPC Advertiser (lasikookeye.com)

GET /d/sr/?xargs=15KPjg17hS%2DZXyl%5FruNLbXU6TFhUBQxd7tqZgxUMosVoBAoy0wTvYrY6XDm9Mr QO1j7gzWyfeS%5FaIAef6InvKKE3yMTVL9G5WO2%5Fq1290wN6%2DhWcc03%5FAhx%2D3unINMNHkOY3jpd KHK6O7KVtWIPwxC9olwyBqPpPxukf%2DG6OYeYb%5Ff0VF9%5FSjSN8EJ7bZyjMnBKJMKTsRDI9SamiCfeI odxo4qxKSyYC1HYX6yTE08tkrDYXIo9OyEatAEuLXvkpGRd%2DH8nc8ZZkSFtPln6R%5FRnCzykNQwaj%5F B0OwH%5FxZZF8S8P3iZ2Vc56aPXmrHWseQjh%5FmXAc2lJ0W%2DbEJtLUhwc5PZ&yargs=www.lasikcookeye.com HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://search.improvingyourlooks.com/?1143930576
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Connection: Keep-Alive
Host: www10.overture.com

HTTP/1.1 302 Found
Date: Sat, 01 Apr 2006 22:29:37 GMT
Server: Apache/1.3.33 (Unix) mod_perl/1.29
Set-Cookie: SessionData=02u3hs9yoaT4tKLixNTUk1sQEAA0NTR0tzM2NXI7Vz1ODi4vzMoDwGQRYWrpYujhaWZs5ubibOAMbhjloO; domain=.overture.com; path=/; expires=Sat, 01-Apr-2006 22:34:37 GMT
Set-Cookie: ConvData=02u3hs9yoazhUOMSCAQAzb0bcwWoAGBpKEAHhiZ1mQdYP28D%2BG4b%2B3X%2BuUDxWeSpP1ehbW985qUJzalSHb9O1CMNMIzOJ5rL1RaW4EUCvD0mVjBiRgP7UMbZEAkOPFHOc5zWhYDx1RFw%3D%3D; domain=.overture.com; path=/; expires=Tue, 29-Mar-2016 22:29:37 GMT
Set-Cookie: UserData=02u3hs9yoaT4tKLixNTUk1sQEAA0NTR0tzM2NXI7Vz4tCQVAZRFhauli6OFpZmzm5uJs4AxrtaFQ0%3D; domain=.overture.com; path=/; expires=Tue, 29-Mar-2016 22:29:37 GMT
P3P: CP=" NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR STP IND UNI COM NAV INT STA "
Pragma: no-cache
Location: http://www.lasikcookeye.com/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain