>...
>From: "Matthew Wilson" <matthew(a)boomer.com>
>To: "SURBL Discussion list" <discuss(a)lists.surbl.org>
>...
>Subject: [SURBL-Discuss] Zdnet redirector *still* open
>
>C'mon, why can't they get it right?
>
>Just got a spam with this URL.
>
>http://chkpt.zdnetMUNGED.com/chkpt/lovealready/bhe%2eIB%72soF%74.C%6fm
>
>
>_______________________________________________
>Discuss mailing list
>Discuss(a)lists.surbl.org
>http://lists.surbl.org/mailman/listinfo/discuss
>
ibrsoft.com-munged - not listed yet (as far as I can tell), but
part of the xml-soft.com-munged group of software pirates (check for them
and their name servers and the domain for the contacts - qdice.com-munged).
Unfortunately, their address and telephone appear valid, though incomplete.
Forward to piracy(a)microsoft.com. (and to all the cnet people also).
Paul Shupak
track(a)plectere.com
See the following link. By using "I'm Feeling Lucky", a spammer just
has to rank at the top of google's searches for *any* search, meaningful
or not.
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLC,GGLC:1969-53,GGLC:en&q=blank+check+paper%2C+magnetic+ink+for+inkjets&btnI=I'm%20Feeling%20Lucky
Matthew Wilson, MCSE (2003), MCSA-Messaging
Network Administrator
matthew(a)boomer.com
Boomer Consulting, Inc.
610 Humboldt
Manhattan, KS 66502
http://www.boomer.com <http://www.boomer.com/>
1-888-266-6375 x 17
John Wilcock wrote:
> Matthew Wilson wrote:
> uri local_GOOGLE_LUCKY /(?:\bgoogle\b)*&btnI=/i
Can this be right? To me it looks like it matches things like
&btnI=
google&btnI=
googlegoogle&btnI=
googlegooglegoogle&btnI=
Just a missing . maybe?
/(?:\bgoogle\b).*&btnI=/i
               ^ here
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
Matthew.van.Eerde wrote:
>> uri local_GOOGLE_LUCKY /(?:\bgoogle\b)*&btnI=/i
> Can this be right? To me it looks like it matches things like
>
> &btnI=
> google&btnI=
> googlegoogle&btnI=
> googlegooglegoogle&btnI=
Only the first two - I forgot that googlegoogle has no internal \b
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
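How the posted rule and the variant with the added `.` behave when applied the way a SpamAssassin `uri` rule is, as an unanchored search over each URI. This is an added example, not part of any post in the thread; Python's `re` stands in for Perl (the two patterns use only syntax both engines treat the same), and the three full URLs are constructed samples.

```python
import re

ORIGINAL = re.compile(r"(?:\bgoogle\b)*&btnI=", re.I)   # rule as posted
PROPOSED = re.compile(r"(?:\bgoogle\b).*&btnI=", re.I)  # with the "." added

SAMPLES = [
    "&btnI=",                     # test strings from the thread
    "google&btnI=",
    "googlegoogle&btnI=",
    # Constructed sample URLs (not from the thread):
    "http://www.google.com/search?q=test&btnI=I'm%20Feeling%20Lucky",
    "http://www.example.com/form?a=1&btnI=x",
    "http://www.example.com/google?a=1&btnI=x",
]

def matched_text(pattern, uri):
    """Return the substring an unanchored search matches, or None."""
    m = pattern.search(uri)
    return m.group(0) if m else None

def compare(uris=SAMPLES):
    """For each URI: (uri, text matched by ORIGINAL, text matched by PROPOSED)."""
    return [(u, matched_text(ORIGINAL, u), matched_text(PROPOSED, u)) for u in uris]

if __name__ == "__main__":
    for uri, orig, prop in compare():
        print(f"{uri!r:70} original={orig!r:16} proposed={prop!r}")
```

Because the group is optional under `*`, the posted rule hits on any URI containing `&btnI=`, whatever the host. The variant requires the word `google` somewhere before it, but not in the hostname, as the last sample shows.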
John can I get your permission to add this to the SARE URI rules?
--Chris
>-----Original Message-----
>From: John Wilcock [mailto:john@tradoc.fr]
>Sent: Wednesday, March 23, 2005 11:02 AM
>To: SURBL Discussion list
>Subject: Re: [SURBL-Discuss] google is open redirector
>
>
>Matthew Wilson wrote:
>> By the way, my only suggestion to combat this is to have the surbl
>> client send an http request to google, to see what redirect site is
>> returned, and then check *that* site in SURBL or in the other redirects.
>> If the use of this technique picks up, google is going to have that
>> additional burden.
>
>I've added a spamassassin rule for this (see below).
>I don't expect to see many false positives, though time will tell...
>As you say,
>
>> Who really uses the "I'm Feeling Lucky" button anyway?
>
>
># 2005-03-23 new rule
>uri local_GOOGLE_LUCKY /(?:\bgoogle\b)*&btnI=/i
>describe local_GOOGLE_LUCKY Redirect through Google Feeling Lucky
>score local_GOOGLE_LUCKY 2.0
>
>
>John.
>
>--
>-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
>-- Translate your technical documents and web pages - www.tradoc.fr
By the way, my only suggestion to combat this is to have the surbl
client send an http request to google, to see what redirect site is
returned, and then check *that* site in SURBL or in the other redirects.
If the use of this technique picks up, google is going to have that
additional burden.
Who really uses the "I'm Feeling Lucky" button anyway?
> -----Original Message-----
> From: discuss-bounces(a)lists.surbl.org
> [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Matthew Wilson
> Sent: Wednesday, March 23, 2005 7:39 AM
> To: SURBL Discussion list
> Subject: [SURBL-Discuss] google is open redirector
>
> See the following link. By using "I'm Feeling Lucky", a
> spammer just has to rank at the top of google's searches for
> *any* search, meaningful or not.
>
> http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLC,GGLC:1969-53,GGLC:en&q=blank+check+paper%2C+magnetic+ink+for+inkjets&btnI=I'm%20Feeling%20Lucky
>
>
> Matthew Wilson, MCSE (2003), MCSA-Messaging
> Network Administrator
> matthew(a)boomer.com
> Boomer Consulting, Inc.
> 610 Humboldt
> Manhattan, KS 66502
> http://www.boomer.com <http://www.boomer.com/>
> 1-888-266-6375 x 17
>
>
List Mail User wrote:
> The rfci whois listing for gambia.com-munged is one of my
> favorites, because it is the only time I have seen that
> particular violation.
What are you talking about ? `rxwhois -a gambia.com` says:
| gambia.com not found at .rfc-ignorant.org or .multi.surbl.org
| whois -h whois.abuse.net gambia.com
| postmaster(a)gambia.com (default, no info)
And there's no old RFCI entry for gambia.com (except from the
bad day when TLD .com had no working whois server). Bye, Frank
>...
>From: David B Funk <dbfunk(a)engineering.uiowa.edu>
>To: discuss(a)lists.surbl.org, users(a)spamassassin.apache.org
>Subject: New redirector: www.nate.com
>...
>
>Ugg, just ran across another open redirector abused in spam
>
> www.nate.com/r/XY12/target.domain
>
>where XY12 seems to be any combination of 4 letters and digits.
>Looks like some Korean ISP thingie.
>
>--
>Dave Funk University of Iowa
><dbfunk (at) engineering.uiowa.edu> College of Engineering
>319/335-5751 FAX: 319/384-0549 1256 Seamans Center
>Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
>#include <std_disclaimer.h>
>Better is not better, 'standard' is better. B{
>
The domains:
nate.com-munged
gambia.com-munged (and actual ICANN listed registrar)
sktelecom.com-munged
KPPN.COM-munged
and KPPINC.COM-munged
all seem to be part of a group of spam support services run from
Korea. The true owner is hidden behind a set of legal shells. There do
not appear to be any legitimate customers (but for Jeff C.), but I have
not done a thorough enough investigation to say that for sure. I can
say they have been "seen" before and have listings against them.
Paul Shupak
track(a)plectere.com
P.S. The rfci whois listing for gambia.com-munged is one of my favorites,
because it is the only time I have seen that particular violation.
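A sketch of how a filter could recover the domain to look up from the redirector shapes reported in this thread, as an added example that is not code from SURBL, SpamAssassin or any poster. The rule names, the `classify` and `registered_domain` helpers and the last-two-labels reduction are assumptions made for illustration; hosts are written as they appear (munged) in the posts.

```python
import re
from urllib.parse import unquote

# Redirector shapes from the thread: the target is the trailing path segment.
REDIRECTORS = [
    ("zdnet_chkpt", re.compile(
        r"^chkpt\.zdnetMUNGED\.com/chkpt/[^/]+/(?P<target>[^/?#]+)", re.I)),
    ("nate_r", re.compile(
        r"^www\.nate\.com/r/[A-Za-z0-9]{4}/(?P<target>[^/?#]+)", re.I)),
]
# Google "I'm Feeling Lucky": the destination is not present in the URL.
GOOGLE_LUCKY = re.compile(
    r"^(?:[\w-]+\.)*google\.[a-z.]+/search\?.*&btnI=", re.I)

def registered_domain(host):
    """Naive last-two-labels reduction (assumption; real clients use a TLD list)."""
    labels = host.lower().split(":")[0].strip(".").split(".")
    return ".".join(labels[-2:])

def classify(url):
    """Return (rule, domain_to_look_up) for a URL taken from a message body."""
    # Drop the scheme, then undo %xx escapes such as %2e and %72.
    rest = unquote(re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.I))
    for name, pattern in REDIRECTORS:
        m = pattern.match(rest)
        if m:
            return name, registered_domain(m.group("target"))
    if GOOGLE_LUCKY.match(rest):
        # Nothing to look up offline: score it, or resolve the redirect.
        return "google_lucky", None
    return "direct", registered_domain(rest.split("/", 1)[0])

if __name__ == "__main__":
    for u in ["http://chkpt.zdnetMUNGED.com/chkpt/lovealready/bhe%2eIB%72soF%74.C%6fm",
              "www.nate.com/r/XY12/target.domain"]:
        print(classify(u))
```

The percent-escapes in the ZDNet URL decode to a host under ibrsoft.com, the domain named in the reply to that post.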