Don Marti

Wed 31 May 2006 12:00:00 AM PDT

Goodbye scripts

Goodbye scripts are the open relays of comment spam.

The basic idea is pretty simple. Somebody wants a log of which links people followed to leave a site, so you write a script that does a redirect, and then make all the off-site links on the site point to the script, with the off-site URL as the query string, instead of straight to the off-site URL. Google does something similar in their results pages, with a little JavaScript to hide it.

The simplest goodbye script goes something like this:

#!/usr/bin/perl

print "Location: $ENV{'QUERY_STRING'}\n\n";

Please don't put that on your web server, though. I'll explain. You can do something similar with mod_rewrite, too. I think it's...

RewriteRule ^/goodbye/(.*) $1 [R]

...but my mod_rewrite rules never work the first time, so it's something, but not that. Another way to do it is with a meta tag in a regular HTML page, like so:

<meta http-equiv="REFRESH" content="5; url=http://www.example.com">

One .gov site has this one:

http://www.example.gov/cgi-bin/goodbye

...and if you stick a ? and a URL at the end of that, it'll send you anywhere. No, I'm not going to put a link in here to show off that I can make a .gov site send you to naughtypoopoo.com. And no, I'm not going to put in which .gov site it is (although I will send their webmaster some mail). You get the idea. And if you're a comment spammer, you got it a while ago. Go around to people's blogs and post links to goodbye scripts on perfectly respectable sites, and let those sites redirect humans or bots to your spam site, and not get filtered out.

Whee. Time to go around and make sure you check HTTP_REFERER in any goodbye scripts you have installed.
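One way to do that Referer check, as an added example that is not code from the original post, written in Python rather than the post's Perl. The SITE_HOSTS value and the function names are assumptions; the script also refuses targets that are not plain absolute http(s) URLs, which goes one step beyond the check named above.

```python
#!/usr/bin/env python3
"""Goodbye script that only redirects clicks coming from the site's own pages."""
import os
import sys
from urllib.parse import urlsplit

# Assumption: hostnames this site serves its own pages from.
SITE_HOSTS = frozenset({"www.example.com"})


def _host(url):
    """Lower-cased hostname of an absolute http(s) URL, or None."""
    try:
        parts = urlsplit(url)
        return parts.hostname if parts.scheme in ("http", "https") else None
    except ValueError:  # e.g. a malformed IPv6 literal
        return None


def goodbye(environ, site_hosts=SITE_HOSTS):
    """Return (status, headers) for one request, given CGI-style variables."""
    target = environ.get("QUERY_STRING", "")
    # Referer is client-supplied, so this is a filter rather than authentication:
    # it refuses clicks on links planted on other sites (blog comments, mail),
    # where the browser sends that site's URL or no Referer at all.
    if _host(environ.get("HTTP_REFERER", "")) not in site_hosts:
        return "403 Forbidden", [("Content-Type", "text/plain")]
    # Only absolute http(s) targets, with no whitespace or control characters
    # that could break out of the Location header.
    if any(c <= " " or c == "\x7f" for c in target) or _host(target) is None:
        return "400 Bad Request", [("Content-Type", "text/plain")]
    return "302 Found", [("Location", target)]


if __name__ == "__main__":
    status, headers = goodbye(os.environ)
    sys.stdout.write("Status: %s\r\n" % status)
    for name, value in headers:
        sys.stdout.write("%s: %s\r\n" % (name, value))
    sys.stdout.write("\r\n")
```

The hostname comparison is exact, so a Referer such as http://www.example.com.example.net/ does not pass as the site's own.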

People invent communications technology. Assholes spam it. People filter it. Repeat. Isn't this fun?