This week Yahoo! permanently closed down its venerable Geocities service.  This move ended one of the internet’s longest standing free web site hosting services and one of the most frustrating spam problems of more recent years.

Geocities became popular in the last 1990s as a free and easy way for people to publish web sites about their businesses and hobbies.  Although in recent years it stood as a monument to horrible website design in its prime it was one of the most visited sites on the internet.

After a takeover by Yahoo! in 1999 the website began a slow but steady decline due to various changes by the new owner.  However one demographic that remained strong on Geocities was spammers.

The attractiveness of Geocities for spammers came down to a few key elements:

1. Geocities.com was a trusted and recognizable domain name to normal internet users
2. As a Yahoo! property it was unlikely that the various Geocities domain names would be blocked by anti-spam product vendors
3. Geocities permitted JavaScript on the web pages it hosted

User Trust and Social Engineering

A social engineering attack is one in which the attacker convinces the victim to perform a certain task.  These attacks involve establishing the appearance of legitimacy and trustworthiness in the eyes of the victim.

For a spammer who wants to convince a person to click on a link in an email the Geocities.com domain name was a perfect way to gain the trust of the victim because it was highly likely the person would recognize it as a place for legitimate web sites.

Free Services and Combating Abuse

As most internet security experts will attest, if there is a free service available on the web then spammers will abuse it.  The problem with this is that many free services are hosted by large, trustworthy internet companies and have millions of users.This presents security vendors with an obvious dilemma – the service is being exploited by spammers and should be blocked, however the service is also heavily used by legitimate users and so blocking it would likely cause customers some pain.

JavaScript Redirection

JavaScript is a web programming language commonly used on web sites all over the internet.  JavaScript has many useful applications but like all useful things can also be used maliciously.

Although JavaScript redirection in itself is not malicious, it is obviously able to be used in that way to redirect users from one seemingly harmless URL to another one that a spammer wants people to visit.

Geocities Was Perfect for Spammers

When you combine all of the above three elements it is not hard to see why Geocities was perfect for spammers.

A spammer could start a new Geocities web site, add the JavaScript code to redirect visitors to their real web site, and then blast out millions of spam messages with the Geocities URL to try and trick people into clicking the links.

The Geocities shutdown is a minor relief for security vendors and professionals.  Unfortunately it was only one of hundreds of similar sites that still remain today.