-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Simon Byrnand writes:
Just spotted the following redirected URL in a spam. Doesn't look like it will be getting caught yet with the current redirector rules:
http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
Using images.google.ca as a redirector ? Thats a new one.... I'm not game to click on the link to see where it goes though... its from the same spammer that was blatently abusing the yahoo redirectors and msn ones...
it might work. I won't check where it goes, just in case it confirms your addr or similar ;)
it's a 3-level redirect:
http://images.google.ca/imgres , redirecting to http://www.google.com/url , redirecting to http://www.google.com/url , encoded, redirecting to the real URL, encoded.
kind of pointless, since it's caught. (or should be at least.) spamassassin -D -t gives:
debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=... debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=... debug: uri found: http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.exp... debug: uri found: http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
It's double-encoded. We can catch that easily. But first, my question -- does this *work* in an MUA, ie. should we? Simon, could you try it?
Is this a sign that the current system used in SpamCopURI (checking HTTP responses of specifically mentioned redirectors) is just going to play catchup all the time ?
not this one, no ;) it's handy though, they've tipped their hand on this trick.
- --j.