-----Original Message-----
From: Jeff Chan [mailto:jeffc@surbl.org]
Sent: Thursday, April 07, 2005 10:55 PM
To: SURBL Discussion list
Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector
On Thursday, April 7, 2005, 12:45:51 PM, Patrik Nilsson wrote:
At 00:13 2005-04-07 -0700, Jeff Chan wrote:
On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote:
Jeff,
So it seems that there is an obvious loophole in SURBL. As long as the
spammer uses a legitimate business running a redirector you will never
black list them (perhaps the spammer could even set up their own legitimate
redirector). This open redirector discussion for ZDNET has been open for
several weeks now, they have had more than ample warning.
Nick
No, it's not a loophole. Programs like SpamAssassin and
SpamCopURI correctly parse some redirection sites like
g.msn.com and check the redirected-to site.
That workaround is part of the problem, not part of the solution.
If we encourage client implementations to work around the problem in that
way, we will always have:
- Clients that need to be updated with the latest redirectors, unless we
provide and encourage implementations to use a constantly updated online
source of redirectors.
- Major redirectors getting included in the special work-arounds, like
Google, and smaller ones not getting included.
If we believe that open redirectors are bad, we should not solve the
problem by working around a few major ones that we are currently aware of.
Patrik
Our solution is to detect and check the big ones, and try
to get all of them to not be open to spammers.
What's your solution? Blacklisting all open redirectors?
So no one should be able to mention them?
That's EXACTLY what the new gray list will do.
(I can't take credit for the above tagline. Another nut came up with it
before me!)