Just spotted the following redirected URL in a spam. Doesn't look like it will be getting caught yet with the current redirector rules:
http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
Using images.google.ca as a redirector? That's a new one.... I'm not game to click on the link to see where it goes though... it's from the same spammer that was blatantly abusing the yahoo redirectors and msn ones...
Is this a sign that the current system used in SpamCopURI (checking HTTP responses of specifically mentioned redirectors) is just going to play catch-up all the time?
Regards, Simon
That didn't seem to work. I got redirected to http://images.google.com/images.
The hex encoded url is supposed to go to:
http://www.REMOVEexpage.com/manger
with REMOVE taken out.
I don't know if this means we would always be playing catch up, since I believe the number of redirectors that they can exploit will steadily decline as we plug holes.
As well, just because one new redirector is found, doesn't mean the spamming community at large knows about it or knows they need to switch. Most will continue to use rd.yahoo.com, g.msn.com, etc. not knowing they need to switch.
If the problem of open redirectors becomes endemic, we could have another RHSRBL that we could look up URLs against to determine whether they are an open redirector. This would tell us whether we should try to resolve the redirect and could change dynamically as we discovered new ones much the same way URLs are added to the standard blacklist.
--eric
On Wed, Apr 28, 2004 at 10:13:48AM +1200, Simon Byrnand wrote:
Just spotted the following redirected URL in a spam. Doesn't look like it will be getting caught yet with the current redirector rules:
http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
Using images.google.ca as a redirector? That's a new one.... I'm not game to click on the link to see where it goes though... it's from the same spammer that was blatantly abusing the yahoo redirectors and msn ones...
Is this a sign that the current system used in SpamCopURI (checking HTTP responses of specifically mentioned redirectors) is just going to play catch-up all the time?
Regards, Simon
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
On Tue, 27 Apr 2004 15:37:17 -0700, Eric Kolve wrote:
As well, just because one new redirector is found, doesn't mean the spamming community at large knows about it or knows they need to switch. Most will continue to use rd.yahoo.com, g.msn.com, etc. not knowing they need to switch.
Except that spammers are known to read antispam mailing lists, so you can be fairly sure that they will soon catch on.
If the problem of open redirectors becomes endemic, we could have another RHSRBL that we could look up URLs against to determine whether they are an open redirector. This would tell us whether we should try to resolve the redirect and could change dynamically as we discovered new ones much the same way URLs are added to the standard blacklist.
That sounds like the way to go - any hardcoded list is bound to come to the attention of the spammers sooner or later.
John.
What I do is to check all the URLs present.
On the other hand, you can ALWAYS add some points to the score if you find a URL with redirection.
John Wilcock wrote:
On Tue, 27 Apr 2004 15:37:17 -0700, Eric Kolve wrote:
As well, just because one new redirector is found, doesn't mean the spamming community at large knows about it or knows they need to switch. Most will continue to use rd.yahoo.com, g.msn.com, etc. not knowing they need to switch.
Except that spammers are known to read antispam mailing lists, so you can be fairly sure that they will soon catch on.
If the problem of open redirectors becomes endemic, we could have another RHSRBL that we could look up URLs against to determine whether they are an open redirector. This would tell us whether we should try to resolve the redirect and could change dynamically as we discovered new ones much the same way URLs are added to the standard blacklist.
That sounds like the way to go - any hardcoded list is bound to come to the attention of the spammers sooner or later.
John.
On Tuesday, April 27, 2004, 3:13:48 PM, Simon Byrnand wrote:
Just spotted the following redirected URL in a spam. Doesn't look like it will be getting caught yet with the current redirector rules:
http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
Using images.google.ca as a redirector? That's a new one.... I'm not game to click on the link to see where it goes though... it's from the same spammer that was blatantly abusing the yahoo redirectors and msn ones...
Is this a sign that the current system used in SpamCopURI (checking HTTP responses of specifically mentioned redirectors) is just going to play catch-up all the time?
I think this would be caught by the urirhsbl approach of splitting all the visible URIs in a redirection URI then checking them all.
Perhaps SpamCopURI would need a conf change to add images.google.ca?
Jeff C.
On Tue, Apr 27, 2004 at 03:43:19PM -0700, Jeff Chan wrote:
On Tuesday, April 27, 2004, 3:13:48 PM, Simon Byrnand wrote:
Just spotted the following redirected URL in a spam. Doesn't look like it will be getting caught yet with the current redirector rules:
http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
Using images.google.ca as a redirector? That's a new one.... I'm not game to click on the link to see where it goes though... it's from the same spammer that was blatantly abusing the yahoo redirectors and msn ones...
Is this a sign that the current system used in SpamCopURI (checking HTTP responses of specifically mentioned redirectors) is just going to play catch-up all the time?
I think this would be caught by the urirhsbl approach of splitting all the visible URIs in a redirection URI then checking them all.
Perhaps SpamCopURI would need a conf change to add images.google.ca?
Hmm. I would add it, but it doesn't actually seem to work as a redirector.
--eric
Jeff C.
Simon Byrnand writes:
Just spotted the following redirected URL in a spam. Doesn't look like it will be getting caught yet with the current redirector rules:
http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
Using images.google.ca as a redirector? That's a new one.... I'm not game to click on the link to see where it goes though... it's from the same spammer that was blatantly abusing the yahoo redirectors and msn ones...
it might work. I won't check where it goes, just in case it confirms your addr or similar ;)
it's a 3-level redirect:
http://images.google.ca/imgres , redirecting to http://www.google.com/url , redirecting to http://www.google.com/url , encoded, redirecting to the real URL, encoded.
kind of pointless, since it's caught. (or should be at least.) spamassassin -D -t gives:
debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
debug: uri found: http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.exp...
debug: uri found: http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
It's double-encoded. We can catch that easily. But first, my question -- does this *work* in an MUA, i.e. should we? Simon, could you try it?
Is this a sign that the current system used in SpamCopURI (checking HTTP responses of specifically mentioned redirectors) is just going to play catch-up all the time?
not this one, no ;) it's handy though, they've tipped their hand on this trick.
--j.
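The "split all the visible URIs, then check them all" idea from the messages above, written out as an added example (not code from the thread, SpamAssassin or SpamCopURI). It generalizes the double-encoded case to any number of encoding layers up to a fixed bound; the sample URL, its `.example` hosts and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 5  # bound work on adversarially nested encoding

# Lookahead capture so URIs nested inside other URIs are all reported.
NESTED_URI = re.compile(r"(?=(https?://[^\s\"'<>]+))", re.IGNORECASE)
# Schemeless host in a query value, e.g. "imgurl=host.tld/path".
BARE_HOST = re.compile(r"[?&][^=&]+=((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/&]|$)",
                       re.IGNORECASE)

# Constructed sample shaped like the URL in the thread (hosts are placeholders):
# the innermost target is percent-encoded twice.
SAMPLE = ("http://redir-a.example/imgres?imgurl=img.example/pic.jpg"
          "&imgrefurl=http://redir-b.example/url?q=http://redir-b.example/url"
          "?q=http%253A%252F%252Fwww.target.example%252Flanding")


def decode_layers(uri):
    """Return the URI plus each successive percent-decoding of it."""
    layers = [uri]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:  # nothing left to decode
            break
        layers.append(decoded)
    return layers


def hosts_to_check(uri):
    """Hostnames visible anywhere in a redirection URI, in discovery order."""
    hosts = []
    for layer in decode_layers(uri):
        found = []
        for m in NESTED_URI.finditer(layer):
            try:
                found.append(urlsplit(m.group(1)).hostname)
            except ValueError:  # malformed authority such as "http://[x"
                continue
        found += [m.group(1).lower() for m in BARE_HOST.finditer(layer)]
        for host in found:
            if host and host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for h in hosts_to_check(SAMPLE):
        print(h)
```

Each returned hostname is what a blocklist lookup would then be run against; no HTTP request to the redirector is needed to find the final target.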
Simon Byrnand writes:
Just spotted the following redirected URL in a spam. Doesn't look like it will be getting caught yet with the current redirector rules:
http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
Using images.google.ca as a redirector? That's a new one.... I'm not game to click on the link to see where it goes though... it's from the same spammer that was blatantly abusing the yahoo redirectors and msn ones...
it might work. I won't check where it goes, just in case it confirms your addr or similar ;)
Well I've already clicked on it now to see what happens, so feel free to click on it ;)
it's a 3-level redirect:
http://images.google.ca/imgres , redirecting to http://www.google.com/url , redirecting to http://www.google.com/url , encoded, redirecting to the real URL, encoded.
kind of pointless, since it's caught. (or should be at least.) spamassassin -D -t gives:
debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=...
debug: uri found: http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.exp...
debug: uri found: http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
It's double-encoded. We can catch that easily. But first, my question -- does this *work* in an MUA, i.e. should we? Simon, could you try it?
What you get is the image preview in google which consists of an image in the top frame, and the page that it came from in the bottom frame, and in the bottom frame was a link "click here for ......." so yes it definitely does work...
Regards, Simon