On Fri, 4 Jun 2004, Jeff Chan wrote:
Not sure if this is a new type of spam or not:
http://www.surbl.org/fitch7826drug.us.4jun04.txt
This example I just received had many real or joe job URIs with no text in the anchor like:
<a href=3D"http://www.elysian-MUNGED.com%22%3E</a>
This has been going on for some time now and is designed to (a) confuse URIRBLs and (b) possibly poison URIRBLs if they're using highly-automated techniques for URI injection. They also break up, with legitimate (but useless) HTML syntax normal words in an attempt to confuse filters.
Trying to confuse URIRBLs is understandable behaviour for spammers. Actively trying to poison them is reprehensible.
Here's a custom rule I use to catch them:
rawbody CRF_NULL_URL /<a .{0,16}href=.{0,32}></a>/i describe CRF_NULL_URL Useless (invisible) HTML link score CRF_NULL_URL 1.0
Someone's going to have to look into the URIRBL plug-in for SA to see if it ignores URIs nested in such constructs (It should, I believe).
Perhaps it's trying to run out some counters, but the real target domain is visible as the last "removal" URI:
Since the anchor has no length, it's both invisible and unselectable; it never gets referenced from the message.
The "ordering" link just before it was broken (no dot, at least in my MUA, The Bat!):
<a href=3D"http://fitch7826drug= us/b94">Click
The spammer didn't know how to use his ratware.
Interestingly SpamCop did parse the message correctly in terms of ignoring the blank anchors and finding only the clickable ones.
That needs verification.
That said, if urirhsbl or SpamCopURI limit the number of URIs checked, these could sneak through. A useful behavior might be to ignore any non-clickable anchors, if we're not already doing that.
What I said.
+------------------------------------------------+---------------------+ | Carl Richard Friend (UNIX Sysadmin) | West Boylston | | Minicomputer Collector / Enthusiast | Massachusetts, USA | | mailto:crfriend@rcn.com +---------------------+ | http://users.rcn.com/crfriend/museum | ICBM: 42:22N 71:47W | +------------------------------------------------+---------------------+