From johnml@michaweb.net Sun May 16 10:47:08 2004
From: John Fawcett
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Heads up: new open redirecters and new spammer trick for urls
Date: Sun, 16 May 2004 10:46:37 +0200
Message-ID: <02ad01c43b22$52af6610$2001a8c0@michaweb.net>

NEW OPEN REDIRECTER

I just noticed a new (for me) yahoo redirecter in spam received

eur.rd.yahoo.com

On a hunch, I also tried things like:

uk.rd.yahoo.com
it.rd.yahoo.com
de.rd.yahoo.com

which are all open redirecters. There are sure to be more of these using other country code prefixes.

So for those using SpamCopURI you probably need this in your spamcop_uri.cf:

open_redirect_list_spamcop_uri rd.yahoo.com *.rd.yahoo.com

I'd recommend Eric to add this to the default SpamCopURI configuration on the next release, along with others like

open_redirect_list_spamcop_uri drs.yahoo.com
open_redirect_list_spamcop_uri ads.msn.com g.msn.com

which aren't currently in the defaults.

NEW SPAMMER TRICK FOR URLS

Having added the new redirection service, I found that SpamCopURI 0.16 didn't pick up the url shown at the end of this message. The reason is that resolving the URL through SpamCopURI gives a HTTP/1.1 403 Forbidden. As the response code does not begin with a 3 (= redirection), the URL is assumed to be the final one. The domain which is subjected to lookup in sc.surbl.org (after normalizing to the register level) is yahoo.com. So this one gets past SpamCopURI. However, in a commonly used browser, the url redirects to the spamvertized site without difficulty. I cannot help thinking that this url has been carefully crafted to avoid processing by SpamCopURI but still be acceptable to a browser. (That's a terrifying thought).
In order to obtain the 302 code the browser sees, 2 things are necessary:
1. Add a / before the * (That is the correct format for yahoo redirection)
2. Change the hTtP:\\ to hTtP:// (The mixed case is not a problem)

While the second one is a general case (other redirection services could be abused in the same way by browser loopholes) the first one is a very specific browser loophole that applies only to yahoo redirection.

Here's the URL. I didn't even munge it, since it should get past the filters.

hit this

John

From david@davidcoulson.net Sun May 16 16:15:05 2004
From: David Coulson
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Heads up: new open redirecters and new spammer trick for urls
Date: Sun, 16 May 2004 10:13:41 -0400
Message-ID: <40A77715.1070705@davidcoulson.net>
In-Reply-To: <02ad01c43b22$52af6610$2001a8c0@michaweb.net>

John Fawcett wrote:
> Here's the URL. I didn't even munge it, since it should get
> past the filters.

I get a forbidden error from Yahoo when I go to that URL - Certainly doesn't seem to work too well as a redirector.
David

--
David Coulson                 email: d(a)vidcoulson.com
Linux Developer /             web: http://davidcoulson.net/
Network Engineer              phone: (216) 533-6967

From johnml@michaweb.net Sun May 16 16:51:56 2004
From: John Fawcett
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Heads up: new open redirecters and new spammer trick for urls
Date: Sun, 16 May 2004 16:51:47 +0200
Message-ID: <002c01c43b55$50d6a640$2001a8c0@michaweb.net>
In-Reply-To: <40A77715.1070705@davidcoulson.net>

From: "David Coulson"
> John Fawcett wrote:
> > Here's the URL. I didn't even munge it, since it should get
> > past the filters.
>
> I get a forbidden error from Yahoo when I go to that URL - Certainly
> doesn't seem to work too well as a redirector.
>
> David
>

Still works for me (in MSI Explorer 6). Because the mailing list software has folded the url onto multiple lines, I had to painstakingly copy and paste the separate parts into the browser to recompose the whole url before clicking enter (or use a text editor to do the same job). In the original spam message it was all much more straightforward. I just clicked the link.

Out of curiosity, I just tried it out with Opera and that has the same issues as MSIE and redirects to the spam site without difficulty. Instead, Firefox was not fooled: like spamcopuri it gets a forbidden error and does not redirect.
John

From johnh@aproposretail.com Mon May 17 19:51:33 2004
From: John Hardin
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Re: Heads up: new open redirecters and new spammer trick for urls
Date: Mon, 17 May 2004 10:50:26 -0700
Message-ID: <1084816226.9243.91.camel@johnh.ar-corp.com>
In-Reply-To: <02ad01c43b22$52af6610$2001a8c0@michaweb.net>

On Sun, 2004-05-16 at 01:46, John Fawcett wrote:
> In order to obtain the 302 code the browser sees
> 2 things are necessary:
> 1. Add a / before the * (That is the correct format for
> yahoo redirection)
> 2. Change the hTtP:\\ to hTtP:// (The mixed case is not a problem)

I think fixing all backslashes to forward slashes in the URL before processing by SURBL would deal with both cases.

Are (unescaped or unencoded) backslashes even *valid* in URLs?

> Here's the URL. I didn't even munge it, since it should get
> past the filters.
>
> href="http://eur.rd.yahoo.com/electric\croydon\laity\otherworldly\phonetic\e
> xplicit\mountaineer\integrable\isadore\wangle\zounds\contumacy\embedded\sang
> uine\arrangeable\duane\malarial\bremsstrahlung\freshmen\windup\spoon\accompa
> ny\soldier\throb\boil\harrisburg\quartz\throne\giddap\waistcoat\guzzle\whoop
> \abreast\corral\latrobe\ct\castor\gallup\click\cretinous\alcoa\lysine\wheelc
> hair\levy\embedded\faint\floodlight\elmer\fiesta\pistachio\pulp\suppress\fle
> awort\flick\topcoat\brain\prom\bill\knife\serene\*hTtP:\\7Wv2eg82o19X.zbxra1
> .com/gp/iNdeX.ASP?id=BW"
> target="_blank">hit this

--
John Hardin KA7OHZ                        Internal Systems Administrator
Apropos Retail Management Systems, Inc.   voice: (425) 672-1304
                                          fax: (425) 672-0192
-----------------------------------------------------------------------
 ...the Fates notice those who buy chainsaws...
                                          -- www.darwinawards.com
-----------------------------------------------------------------------
 58 days until Apropos Forum 2004

From johnml@michaweb.net Mon May 17 23:40:38 2004
From: John Fawcett
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Re: Heads up: new open redirecters and new spammer trick for urls
Date: Mon, 17 May 2004 23:40:16 +0200
Message-ID: <002501c43c57$936270e0$2001a8c0@michaweb.net>
In-Reply-To: <1084816226.9243.91.camel@johnh.ar-corp.com>

From: "John Hardin"
To: "SURBL Discuss" ; "SpamAssassin Users"
Sent: Monday, May 17, 2004 7:50 PM
Subject: Re: Heads up: new open redirecters and new spammer trick for urls

> On Sun, 2004-05-16 at 01:46, John Fawcett wrote:
> >
> > In order to obtain the 302 code the browser sees
> > 2 things are necessary:
> > 1. Add a / before the * (That is the correct format for
> > yahoo redirection)
> > 2. Change the hTtP:\\ to hTtP:// (The mixed case is not a problem)
>
> I think fixing all backslashes to forward slashes in the URL before
> processing by SURBL would deal with both cases.
>

So a small workaround in get_uri_list in PerMsgStatus.pm will convert \ to /. Could be useful to feed this into the 3.x SA development tree.

$uri =~ s/\\/\//g;

John

> Are (unescaped or unencoded) backslashes even *valid* in URLs?
>
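As an added illustration of the two points in this thread (not code from the thread, SpamAssassin or SpamCopURI), the Python below applies the browser-style normalisation John Hardin suggests (backslashes to slashes, mixed-case scheme lower-cased) and then pulls the destination out of an rd.yahoo.com-style URL by its "*" marker, so the SURBL lookup is done on the spamvertised domain rather than on yahoo.com even when the redirector answers 403 to a filter. The sample URL, the placeholder destination host and the small two-level ccTLD set are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Redirector hosts the thread proposes for open_redirect_list_spamcop_uri.
OPEN_REDIRECTORS = ("rd.yahoo.com", "*.rd.yahoo.com", "drs.yahoo.com",
                    "ads.msn.com", "g.msn.com")
# Simplified stand-in for SURBL's two-level ccTLD handling (assumption).
CC_SECOND_LEVEL = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def normalize_uri(uri: str) -> str:
    """What a lenient browser does before following the link: backslashes
    become slashes (the thread's s/\\/\//g) and the scheme is lower-cased."""
    uri = uri.replace("\\", "/")
    m = re.match(r"[A-Za-z][A-Za-z0-9+.-]*:", uri)
    return uri[:m.end()].lower() + uri[m.end():] if m else uri


def is_open_redirector(host: str) -> bool:
    host = host.lower()
    return any(host == p or (p.startswith("*.") and host.endswith(p[1:]))
               for p in OPEN_REDIRECTORS)


def embedded_target(uri: str):
    """rd.yahoo.com puts the real destination after a '*' in the path. Pull it
    out of the URL text instead of trusting the redirector's HTTP status,
    which returned 403 to SpamCopURI while browsers still redirected."""
    uri = normalize_uri(uri)
    host = urlsplit(uri).hostname or ""
    star = uri.find("*")
    if not is_open_redirector(host) or star < 0:
        return None
    return normalize_uri(uri[star + 1:])


def surbl_lookup_name(uri: str, zone: str = "sc.surbl.org") -> str:
    """Name the filter should resolve: registered-level domain of the embedded
    target when the URI is an open redirector, else of the URI's own host."""
    target = embedded_target(uri) or normalize_uri(uri)
    labels = (urlsplit(target).hostname or "").lower().split(".")
    n = 3 if len(labels) > 2 and ".".join(labels[-2:]) in CC_SECOND_LEVEL else 2
    return ".".join(labels[-n:]) + "." + zone


# Constructed sample in the shape the thread describes (backslashes, mixed-case
# scheme, '*' marker); the destination host is a placeholder, not a real domain.
SAMPLE = ("http://eur.rd.yahoo.com/electric\\croydon\\laity"
          "\\*hTtP:\\\\www.spam-placeholder.invalid/gp/iNdeX.ASP?id=BW")

if __name__ == "__main__":
    print(embedded_target(SAMPLE))
    print(surbl_lookup_name(SAMPLE))
```

Without the "*" extraction the same redirector URL resolves to yahoo.com.sc.surbl.org, which is exactly the miss the thread describes.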