Hi,
We've been seeing some spam that uses Google as a redirection URL. The URL that makes this possible is:
http://www.google.com/url?q=URL
For example:
http://www.google.com/url?q=http://www.bluesecurity.com
This is letting spammers hide quite nicely from SURBLs. The redirector has actually been around for a few months (e.g. in the strange spam described in http://isc.sans.org/diary.php?storyid=847). Back then we notified security@google.com, and we sent them another email again today.
Guy Rosen
Lead Analyst, Operations Team
Blue Security
http://www.bluesecurity.com/
On Sunday, February 26, 2006, 8:15:12 AM, Guy Rosen wrote:
> Hi,
> We've been seeing some spam that uses Google as a redirection URL. The URL that makes this possible is:
> http://www.google.com/url?q=URL
> For example:
> http://www.google.com/url?q=http://www.bluesecurity.com
> This is letting spammers hide quite nicely from SURBLs. The redirector has actually been around for a few months (e.g. in the strange spam described in http://isc.sans.org/diary.php?storyid=847). Back then we notified security@google.com, and we sent them another email again today.
Hi Guy,
Yes, this is known, and the topic has come up before:
http://lists.surbl.org/pipermail/discuss/2004-April/000413.html
http://lists.surbl.org/pipermail/discuss/2005-April/004493.html
For cases where the redirected-to URI is visible in the original URI, SpamAssassin and some other applications will check the target URI. So for your example above, bluesecurity.com would get checked by SpamAssassin and others.
But the right answer is to get the redirectors shut down or controlled better. Please see also:
http://www.surbl.org/redirect.html
Cheers,
Jeff C.
--
Don't harm innocent bystanders.
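The target-URI check described in the reply above, sketched as an added example; it is not part of the thread and not SpamAssassin's own code. The function name `hosts_to_check` and the `redirect.example` / `spam.example` hosts are constructed for illustration, and the sketch goes slightly beyond the single `q=` case by also handling percent-encoded and chained redirectors.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# An absolute http(s) URL appearing anywhere inside a string.
EMBEDDED = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def hosts_to_check(url, max_depth=5):
    """Return the outer host plus every host embedded in the URL, in order.

    A filter would run its URI blocklist lookup on each returned host, so a
    listed domain hidden behind a redirector is still looked up.
    """
    hosts = []

    def visit(u, depth):
        try:
            parts = urlsplit(u)
        except ValueError:
            return  # malformed URL (e.g. bad IPv6 literal): nothing to extract
        host = (parts.hostname or "").rstrip(".").lower()
        if host and host not in hosts:
            hosts.append(host)
        if depth >= max_depth:
            return  # cap recursion on deliberately deep nesting
        # parse_qsl percent-decodes each value once, so an encoded target
        # becomes visible here; path and fragment are decoded by hand.
        candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        candidates += [unquote(parts.path), unquote(parts.fragment)]
        for text in candidates:
            for inner in EMBEDDED.findall(text):
                visit(inner, depth + 1)

    visit(url, 0)
    return hosts


if __name__ == "__main__":
    # The example URL from the first message in the thread.
    print(hosts_to_check("http://www.google.com/url?q=http://www.bluesecurity.com"))
```

This only covers redirectors where the target is visible in the original URI; redirectors that map an opaque token to a target server-side give the filter nothing to extract.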