Showing posts with label Facebook. Show all posts

Thursday 28 March 2013

Facebook spam / ipiniadto.ru

The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From:      FilesTube [filestube@filestube.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303 
The malicious payload is at [donotclick]ipiniadto.ru:8080/forum/links/column.php (report here) hosted on the same IPs as used in this attack:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:


Thursday 21 March 2013

Facebook spam / scriptuserreported.org

This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported.org:

Date:      Thu, 21 Mar 2013 10:56:28 -0500
From:      Facebook [update+oi=MKW63Z@facebookmail.com]
Subject:      John Jenkins commented photo of you.

facebook
   
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.

facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
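
The leftover tokens in the message above ({l5}, {mailto_username}, {mailto_domain}, {digit}) are themselves a usable filter signal, and the leaked lines can be turned into signatures for correctly filled-in copies. The Python below is an added example, not part of the original post; the meaning given to each token and all function names are assumptions.

```python
import re

# Body lines copied from the 21 March message quoted above.
LEAKED_BODY = """\
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.

facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
"""

# A brace pair around a bare identifier. CSS such as {color:red} does not match.
TOKEN = re.compile(r"\{([a-z_][a-z0-9_]*)\}", re.IGNORECASE)

# Assumed token meanings (the page does not document them): {digit} is one
# decimal digit; any other token is an opaque, bounded run of characters.
TOKEN_PATTERNS = {"digit": r"\d"}
OPAQUE = r".{1,80}?"
MIN_LITERAL_CHARS = 20  # skip lines that are nearly all placeholder


def leftover_tokens(text):
    """Return (line number, token name) for every unexpanded placeholder."""
    return [
        (lineno, m.group(1))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in TOKEN.finditer(line)
    ]


def template_to_regex(template_line):
    """Build a regex that matches correctly filled-in copies of one template line."""
    parts, pos = [], 0
    for m in TOKEN.finditer(template_line):
        parts.append(re.escape(template_line[pos:m.start()]))
        parts.append(TOKEN_PATTERNS.get(m.group(1).lower(), OPAQUE))
        pos = m.end()
    parts.append(re.escape(template_line[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


def signatures_from_leak(body):
    """Derive one signature per leaked line that has enough fixed text to be specific."""
    sigs = []
    for line in body.splitlines():
        line = line.strip()
        literal = TOKEN.sub("", line)
        if TOKEN.search(line) and len(literal) >= MIN_LITERAL_CHARS:
            sigs.append(template_to_regex(line))
    return sigs


def classify(body, signatures):
    """Label a message body as a template leak, a known template, or no match."""
    if leftover_tokens(body):
        return "template-leak"
    for line in body.splitlines():
        if any(sig.fullmatch(line.strip()) for sig in signatures):
            return "known-template"
    return "no-match"


if __name__ == "__main__":
    sigs = signatures_from_leak(LEAKED_BODY)
    # Constructed filled-in footer line, not taken from a real message.
    filled = "Facebook, Inc., Attention: Department 415, PO Box 10004, Palo Alto, CA 9131"
    print(leftover_tokens(LEAKED_BODY))
    print(classify(LEAKED_BODY, sigs), classify(filled, sigs))
```
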
The malicious payload is at [donotclick]scriptuserreported.org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:

inetnum:        5.39.37.24 - 5.39.37.31
netname:        n2p3DoHost
descr:          DoHost n2 p3
country:        FR
admin-c:        OTC2-RIPE
tech-c:         OTC2-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here). This server also hosts the following potentially malicious domains:
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01.com
workhomeheres02.com

There's also a work-at-home scam on 5.39.37.24:
makeworkhome12.pl

5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels.info
supermyadminspanels.info

So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host.net. The WHOIS details for rl-host.net are anonymised, but on the day of registration were:

    Queste Julien
    Email:julien@queste.fr
    50 rue Arthur lamendin
    62330 isbergues
    France
    Tel: +33.649836105

Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
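
The RIPE range quoted above is exactly the /29 discussed here. As an added example (not from the original post), this Python sketch derives the CIDR block from the inetnum line and checks proxy log destinations against it and against some of the domains named above; the log format, sample log lines and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# WHOIS lines copied from the RIPE record quoted in this post.
WHOIS_RECORD = """\
inetnum:        5.39.37.24 - 5.39.37.31
netname:        n2p3DoHost
"""

# A few of the domains this post ties to the block.
BLOCKED_DOMAINS = {"scriptuserreported.org", "provingmoa.com", "rl-host.net"}

# Constructed proxy log (timestamp, client, method, URL); the format is an assumption.
SAMPLE_LOG = """\
2013-03-21T15:56:40Z 10.0.0.15 GET http://scriptuserreported.org/
2013-03-21T15:56:41Z 10.0.0.15 GET http://5.39.37.26/
2013-03-21T15:56:44Z 10.0.0.22 GET http://5.39.37.32/
2013-03-21T15:56:50Z 10.0.0.22 GET http://www.rl-host.net:8080/
2013-03-21T15:57:02Z 10.0.0.31 GET http://notrl-host.net/
2013-03-21T15:57:09Z 10.0.0.31 GET http://example.org/
"""


def inetnum_to_cidrs(record):
    """Convert a WHOIS 'inetnum: first - last' line to the CIDR blocks covering it."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", record, re.MULTILINE)
    if not m:
        raise ValueError("record has no inetnum line")
    first, last = (ipaddress.ip_address(x) for x in m.groups())
    # A range that is not aligned to a power of two comes back as several blocks.
    return list(ipaddress.summarize_address_range(first, last))


def host_is_blocked(host, networks, domains):
    """True if host is an address in a blocked network, or a blocked domain or subdomain."""
    host = host.rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Compare whole labels so that notrl-host.net does not match rl-host.net.
        labels = host.split(".")
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(addr in net for net in networks)


def blocked_requests(log_text, networks, domains):
    """Return (line number, client, host) for each log line whose destination is blocked."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; skipped here, worth counting in production
        host = urlsplit(fields[3]).hostname
        if host and host_is_blocked(host, networks, domains):
            hits.append((lineno, fields[1], host))
    return hits


if __name__ == "__main__":
    nets = inetnum_to_cidrs(WHOIS_RECORD)
    print(nets)
    for hit in blocked_requests(SAMPLE_LOG, nets, BLOCKED_DOMAINS):
        print(hit)
```
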

Minimum blocklist:
5.39.37.31
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Recommended blocklist:


Tuesday 19 March 2013

Facebook spam / heelicotper.ru

This fake Facebook spam leads to malware on heelicotper.ru:

Date:      Tue, 19 Mar 2013 08:37:37 +0200
From:      Facebook [updateSIXQG03I44AX@facebookmail.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
TAMISHA Gore has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]heelicotper.ru:8080/forum/links/column.php which isn't resolving at the moment, but was earlier hosted on:

50.22.0.2 (SoftLayer, US)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)

The payload and associated IPs are the same as in this attack.

Tuesday 26 February 2013

Facebook spam / lazaro-sosa.com

This fake Facebook spam leads to malware on lazaro-sosa.com:

Date:      Tue, 26 Feb 2013 14:26:20 +0200
From:      "Facebook" [twiddlingv29@informer.facebook.com]
Subject:      Brian Parker commented your photo.

facebook
   
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.

Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307
The malicious payload is at [donotclick]lazaro-sosa.com/detects/queue-breaks-many_suffering.php (report here) hosted on:

118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)

Blocking these IPs is probably prudent.

Monday 28 January 2013

"Most recent events on Facebook" spam / gonita.net

This fake Facebook spam leads to malware on gonita.net:


Date:      Mon, 28 Jan 2013 17:30:50 +0100
From:      "Facebook" [addlingabn2@bmatter.com]
Subject:      Most recent events on Facebook

facebook   
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
   
Log in to Facebook and start connecting
Sign in

Please use the link below to resume your account :
http://www.facebook.com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301

The malicious payload is at [donotclick]gonita.net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea).

The following malicious domains are active on the same IP:

Wednesday 19 December 2012

Facebook spam / 46.249.58.211 and 84.200.77.218

There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:

From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account

Hi [redacted],
Your account has been blocked due to spam activity.
To verify account, please follow this link:
http://www.facebook.com/confirmemail.php?e=[redacted]

You may be asked to enter this confirmation code: [redacted]
The Facebook Team

Didn't sign up for Facebook? Please let us know. 
46.249.58.211 (Serverius Holding, Netherlands)

84.200.77.218 (Misterhost, Germany)

GFI have some more details on this one here.

Tuesday 4 December 2012

Facebook "You have notifications pending" spam / francese.ru

This fake Facebook spam leads to malware on francese.ru:


Date:      Tue, 4 Dec 2012 03:38:42 +0000
From:      KaseyElleman@victimdomain.com
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
SALLIE FELIX has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to postinialerts@[redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The malicious payload is at [donotclick]francese.ru:8080/forum/links/column.php hosted on the following IP addresses:

42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)

Plain list for copy-and-pasting:
42.121.116.38
202.180.221.186
203.80.16.81
208.87.243.131
219.255.134.110



"Most recent events on Facebook" spam / attachedsignup.pro

This fake Facebook spam leads to malware on attachedsignup.pro:

Date:      Tue, 4 Dec 2012 15:19:16 +0100
From:      " Facebook Security Team" [fractionallyb9@hendrickauto.com]
Subject:      Most recent events on Facebook

facebook
   
Hi [redacted],

You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually.
Please use the link below to reactivate :
http://www.facebook.com/home.php
If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it.
Best regards, The FaceBook Team
Please note: Facebook will never ask for your personal data through email.

This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906
The malicious payload is at [donotclick]attachedsignup.pro/detects/links-neck.php (report here) hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) which also hosts the probably malicious domain sessionid0147239047829578349578239077.pl

Friday 23 November 2012

"Changlog 10.2011" spam / efaxinok.ru

This spam leads to malware on efaxinok.ru:

Date:      Fri, 23 Nov 2012 10:14:22 +0600
From:      "Contact" [customer-notification@ups.com]
Subject:      Re: Changlog 10.2011
Attachments:     changelog-212.htm

Good morning,

as promised changelog (Internet Explorer File)
The victim is enticed to click on the attachment which leads to a malicious payload on [donotclick]efaxinok.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66

These are the same IPs as used in this attack yesterday, and it forms part of a long-running malicious spam run which appears to have been going on forever. Of note, there's a new domain in this cluster of delemiator.ru which I haven't seen yet being used in a malicious spam run, but it probably will be.

Thursday 22 November 2012

Facebook spam / ceredinopl.ru

This fake Facebook (or is it Habbo?) spam leads to malware on ceredinopl.ru:

Date:      Thu, 22 Nov 2012 01:30:38 -0700
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
REFUGIA MERRILL has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]ceredinopl.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
216.24.196.66 (Psychz Networks, US)

The following IPs and domains are all connected:

Monday 15 October 2012

Facebook spam / o.anygutterkings.com

This fake Facebook spam leads to malware on o.anygutterkings.com:


Date:      Mon, 15 Oct 2012 20:02:21 +0200
From:      "FB Account"
Subject:      Facebook account

facebook    
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,

The Facebook Team
   
Sign in to Facebook and start connecting
Sign in


Please use the link below to resume your account :
http://www.facebook.com/home.php
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Other subjects are: "Account blocked" and "Account activated"

The payload is at [donotclick]o.anygutterkings.com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)

Thursday 11 October 2012

Sophos: "Your phone number may not be as private on Facebook as you think - and how to fix it"

From Sophos.. another good reason not to use Facebook.

So, as well as leaking email addresses through a reverse lookup, Facebook also does a reverse lookup for telephone numbers. What could possibly go wrong?

Well, until somebody figures out how to write a script to harvest the phone numbers automatically, that is..

Added: oh look, somebody did it already.

Sunday 15 July 2012

Facebook "Error message [404] 404 Not Found" email messages

This one has me scratching my head.. a series of emails this morning with subjects similar to the following:

Error message [404] 404 Not Found for m.facebook.com/media/set/?set=a.[redacted].8100.100000762125833
Error message [404] 404 Not Found for m.facebook.com/pokes/?refid=7
Error message [404] 404 Not Found for m.facebook.com/home.php?sk=photodash


The emails appear to originate from a Yahoo! IP address, the sender's email address matches a registered Facebook account and in one case the URL in the subject links to a gallery from the same user. But I don't know who these people are, and the email address sent to is a rarely used one that has NEVER been used for Facebook.

In most cases the email is blank, in one case there is a photograph of a BlackBerry, apparently taken yesterday from a Samsung GT-C6625 (an oldish Windows Mobile device). The IP headers indicate that this is maybe coming through a mobile version of Yahoo! mail. An infected mobile phone perhaps?

It's all kind of odd, perhaps it is the precursor to something else?

Thursday 3 May 2012

Facebook spam / chicleart.net

These fake Facebook messages lead to malware on chicleart.net:

Date:      Thu, 3 May 2012 11:57:48 -0300
From:      "Facebook" [noreply@facebookmail.com]
Subject:      Most recent events on Facebook

facebook   
Hi xxxxxxxxxx,
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site as before.
Thanks and regards,
The Facebook Team
   
Sign in to Facebook and start connecting
Sign in

follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

==================

Date:      Thu, 3 May 2012 15:53:38 +0100
From:      "Facebook" [noreply@facebookmail.com]
Subject:      New comment on your status update

facebook   
Hi xxxxxxxxxx,
You have blocked your Facebook account. You can resume your account at any time by logging into Facebook with your old login email address and password. You will then be able to use the site as before.
Thanks and regards,
The Facebook Team
   
Sign in to Facebook and start connecting
Sign in

follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

==================

Date:      Thu, 3 May 2012 14:09:11 +0000
From:      "Facebook" [alert@facebookmail.com]
Subject:      New comment on your status update

facebook   
Hi xxxxxxxxxx,
You have deactivated your Facebook account. You can reactivate your account whenever you wish by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in the same way as before.
Best regards,
The Facebook Team
   
Sign in to Facebook and start connecting
Sign in

follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The malicious payload is on chicleart.net/main.php?page=8decfe38488713cc on 37.59.68.23 hosted by OVH in the UK.

Tuesday 1 May 2012

"Invitation FACEBOOK" hoax

There are a lot of genuine malware-laden fake Facebook emails about, but this one is a hoax.. and a very old one at that, going all the way back to the 1990s in one form or another.

Subject: Fwd: FW: PLEASE CIRCULATE

PLEASE CIRCULATE THIS NOTICE TO FRIENDS AND FAMILY ON YOUR CONTACT LIST

In the coming days, you should be aware…

Do not open any message with an attachment called:

"Invitation FACEBOOK"

Regardless of who sent it

It is a virus that opens an Olympic torch and burns the whole hard
disc C of your computer

This virus will be received from someone you have in your address book


That's why you should send this message to all your contacts.  It is
better to receive this email 25 times than to receive the virus and
open it

If you receive email called: "Invitation FACEBOOK", though sent by a friend,

do not open but delete it immediately

CNN said it is a new virus discovered recently and that has been
classified by Microsoft as the most destructive virus ever

It is a Trojan Horse that asks you to install an adobe flash plug-in.
Once you install it, it's all over. And there is no repair yet for
this kind of virus. This virus simply destroys the Zero Sector of the
Hard Disc, where the vital information of their function is saved



THE INFORMATION HAS BEEN CHECKED WITH SNOPES
http://www.snopes.com/computer/virus/youtube.asp

DO exercise caution with emails that appear to be from Facebook, PayPal, LinkedIn or any one of a variety of services.. you can usually check the true destination of a link in an email by floating the pointer over it. DON'T circulate silly hoaxes like this because it simply wastes everybody's time.

Thursday 26 April 2012

Facebook spam / bioldrugstore.com

This fake Facebook spam leads to a fake pharma site, but it could easily be adapted for malware.

Date:      Thu, 26 Apr 2012 09:33:46 -0700
From:      "Facebook" [notification+xxxxxxxxxxx@facebookemail.com]
Subject:      Welcome back to Facebook

Hello,

The Facebook account associated with xxxxxxxxxxx was recently reactivated.

If you were not the one who reactivated this account, please visit our Help Center to cancel the request.

http://www.facebook.com/help/?topic=security

Thanks,
The Facebook Team

The payload is a pharma site at bioldrugstore.com hosted on 61.132.200.24 and 111.123.180.9 in China (two IPs that are full of fake pharma stores) and 213.162.209.177 in Spain.

This type of spam run can easily be adapted for malware, so keep an eye out for unexpected Facebook notifications.

Wednesday 25 April 2012

Facebook spam / 216.119.142.235

Some fake Facebook spam leading to malware, this time on 216.119.142.235.

Date:      Wed, 25 Apr 2012 05:48:16 +0200
From:      Facebook [notification+n6vn0x357cp5@facebookmail.com]
Subject:      CARMELLA OSBORN wants to be friends on Facebook.

facebook
CARMELLA OSBORN wants to be friends with you on Facebook.
   
CARMELLA OSBORN

Confirm Friend Request
   
See All Requests
This message was sent to xxxxxxxxxxxx. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303  

The malicious payload can be found on 216.119.142.235/showthread.php?t=34c79594e8b8ac0f (report here) hosted by A2 Hosting in the US.

Thursday 15 December 2011

Fake Facebook spam / caredret.ru

More toxic spam.

Date:      Thu, 15 Dec 2011 11:52:56 +0700
From:      Facebook [notification+VGNDUO7NQM4R@facebookmail.com]
Subject:      LUCY Snow wants to be friends on Facebook.

facebook
LUCY Snow wants to be friends with you on Facebook.
   
LUCY Snow

Confirm Friend Request
   
See All Requests
This message was sent to victim@victimdomain.com. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303 

In this case, the link goes via a hacked legitimate site and gets redirected to a malicious page on caredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). Block access to 79.137.224.0/20 if you can, there is nothing legitimate hosted here.

Monday 12 April 2010

FarmTown, impressionclub.com and justimpression.com

Sandi at Spyware Sucks reports that the popular(ish) Facebook game of FarmTown (not FarmVille) has been compromised, possibly through a malicious banner.

The domain justimpression.com has been fingered as part of the malware chain, registered to the infamous "Private person" of:

Registrant:
Private person
Armand Gregori (armandgregory3@gmail.com)
Federicsshopen via 3
Katowice
Katowice,S589FG
PL
Tel. +34.41528965

Creation Date: 17-Dec-2009
Expiration Date: 17-Dec-2010

Domain servers in listed order:
ns2.reg.ru
ns1.reg.ru
That email address is pretty well known for malware distribution.

The site is hosted on 64.120.176.42 along with a site called impressionclub.com. "Impression Club" claims to be a Pennsylvania based company that has been in business for four years, except the domain was only registered in January 2010 with anonymous contact details, and Russian nameservers.


You can probably count impressionclub.com as a rogue ad network and one to avoid.

The FarmTown developers have a forum thread about the problem (one poster identifies an ad for greetingcards.com as the culprit) and there are several threads on Facebook about this [1] [2] [3] [4] [5] which also point at the following domains as being part of the chain


All these domains are registered with apparently false details, there are probably a bunch more but I'm having difficulty resolving the IPs at the moment.

This could be a fairly big deal, Quantcast reports that justimpression.com has a traffic rank of 6,227 and pulled in 329,000 US visitors during February.


This is another good reason to block Facebook in corporate environments, and also a useful warning that you need to be very, very careful when selling ad space!