On Tuesday, April 20, 2004, 10:51:55 PM, Eric Kolve wrote:
I have just released SpamCopURI version 0.11. This fixes a few bugs that had been reported and adds open redirect resolution.
This basically takes a URL from say rd.yahoo.com and attempts to resolve the Location header without ever fetching from the potential spammy site.
Only the URLs that have hosts that match an address list get redirect resolution. As well, redirect resolution is off by default, but can be enabled in the conf file. I have placed several open redirect sites in the conf file. The basic requirement is that the redirect return a 300 level HTTP response when fetching. I placed google.com in there even though they don't have their own redirect domain, but this should be fairly safe since most if not all google URLs are either redirects or searches. Give it a try and tell me what you think. This is all dependent upon LWP, but if you don't have LWP everything else will function as it did before.
Eric, you may want to share your redirection resolution strategies with the 3.0 developers. I haven't heard Justin getting beyond patterns yet. ;-)
Jeff C.
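The redirect resolution described in the announcement above, sketched as an added example; it is not SpamCopURI's own code, and it uses Python's http.client instead of Perl and LWP. The allow list contents, the function names, the use of HEAD, the timeout and the hop limit are assumptions made for the illustration.

```python
import http.client
from urllib.parse import urlsplit, urljoin

# Constructed allow list of open-redirector hosts (assumption, not the
# plugin's shipped configuration).
REDIRECTORS = {"rd.yahoo.com", "google.com"}

def is_redirector(host, redirectors=REDIRECTORS):
    """True if host equals, or is a subdomain of, a listed redirector."""
    host = (host or "").lower().rstrip(".")
    return any(host == r or host.endswith("." + r) for r in redirectors)

def head_no_follow(url, timeout=5):
    """One HEAD request to the redirector itself. http.client never follows
    redirects, so the Location target is not contacted."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def resolve_redirect(url, fetch=head_no_follow, max_hops=3):
    """Return the URL whose host should be checked against the blocklist.

    Only hosts on the allow list are queried. The walk stops at the first
    non-listed host, a non-3xx answer, a missing Location header, a network
    error, or after max_hops (which bounds chained redirectors).
    """
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not is_redirector(parts.hostname):
            break
        try:
            status, location = fetch(url)
        except (OSError, http.client.HTTPException):
            break  # timeout or failure: fall back to the URL as seen
        if not (300 <= status < 400) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return url
```

The `fetch` parameter exists so the logic can be exercised with canned responses; with the default, each listed hop costs one network round trip bounded by `timeout`.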
On Fri, Apr 23, 2004 at 12:55:52AM -0700, Jeff Chan wrote:
On Tuesday, April 20, 2004, 10:51:55 PM, Eric Kolve wrote:
I have just released SpamCopURI version 0.11. This fixes a few bugs that had been reported and adds open redirect resolution.
This basically takes a URL from say rd.yahoo.com and attempts to resolve the Location header without ever fetching from the potential spammy site.
Only the URLs that have hosts that match an address list get redirect resolution. As well, redirect resolution is off by default, but can be enabled in the conf file. I have placed several open redirect sites in the conf file. The basic requirement is that the redirect return a 300 level HTTP response when fetching. I placed google.com in there even though they don't have their own redirect domain, but this should be fairly safe since most if not all google URLs are either redirects or searches. Give it a try and tell me what you think. This is all dependent upon LWP, but if you don't have LWP everything else will function as it did before.
Eric, you may want to share your redirection resolution strategies with the 3.0 developers. I haven't heard Justin getting beyond patterns yet. ;-)
I will mention it to SA-dev once I and a few others have run it for a little while.
I am not sure they will incorporate since I have seen discussion on their list of handling redirects and generally they are not interested in doing any kind of network lookup for fear of timeouts, slowdowns, etc. We will see...
--eric
Jeff C.
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
On Friday, April 23, 2004, 6:43:53 AM, Eric Kolve wrote:
On Fri, Apr 23, 2004 at 12:55:52AM -0700, Jeff Chan wrote:
On Tuesday, April 20, 2004, 10:51:55 PM, Eric Kolve wrote:
This basically takes a URL from say rd.yahoo.com and attempts to resolve the Location header without ever fetching from the potential spammy site.
Only the URLs that have hosts that match an address list get redirect resolution. As well, redirect resolution is off by default, but can be enabled in the conf file. I have placed several open redirect sites in the conf file. The basic requirement is that the redirect return a 300 level HTTP response when fetching. I placed google.com in there even though they don't have their own redirect domain, but this should be fairly safe since most if not all google URLs are either redirects or searches. Give it a try and tell me what you think. This is all dependent upon LWP, but if you don't have LWP everything else will function as it did before.
Eric, you may want to share your redirection resolution strategies with the 3.0 developers. I haven't heard Justin getting beyond patterns yet. ;-)
I will mention it to SA-dev once I and a few others have run it for a little while.
I am not sure they will incorporate since I have seen discussion on their list of handling redirects and generally they are not interested in doing any kind of network lookup for fear of timeouts, slowdowns, etc. We will see...
To be honest, I can see both arguments. A simple pattern match is certainly quicker. Network access to get Location is more thorough.
Probably I would recommend using simple patterns on high volume mail servers, and Location on lower-volume personal servers.
Jeff C.
Eric, you may want to share your redirection resolution strategies with the 3.0 developers. I haven't heard Justin getting beyond patterns yet. ;-)
I will mention it to SA-dev once I and a few others have run it for a little while.
I am not sure they will incorporate since I have seen discussion on their list of handling redirects and generally they are not interested in doing any kind of network lookup for fear of timeouts, slowdowns, etc. We will see...
I wonder what the reaction of the likes of yahoo would be too, if millions of mailservers around the world suddenly started sending them HTTP GET requests for spammy looking domain names all the time for no reason ? :)
Regards, Simon
On Friday, April 23, 2004, 3:06:49 PM, Simon Byrnand wrote:
Eric, you may want to share your redirection resolution strategies with the 3.0 developers. I haven't heard Justin getting beyond patterns yet. ;-)
I will mention it to SA-dev once I and a few others have run it for a little while.
I am not sure they will incorporate since I have seen discussion on their list of handling redirects and generally they are not interested in doing any kind of network lookup for fear of timeouts, slowdowns, etc. We will see...
I wonder what the reaction of the likes of yahoo would be too, if millions of mailservers around the world suddenly started sending them HTTP GET requests for spammy looking domain names all the time for no reason ? :)
We can *hope* their reaction would be to start denying redirection access to spammers.... :-)
Jeff C.
On Sat, Apr 24, 2004 at 10:06:49AM +1200, Simon Byrnand wrote:
Eric, you may want to share your redirection resolution strategies with the 3.0 developers. I haven't heard Justin getting beyond patterns yet. ;-)
I will mention it to SA-dev once I and a few others have run it for a little while.
I am not sure they will incorporate since I have seen discussion on their list of handling redirects and generally they are not interested in doing any kind of network lookup for fear of timeouts, slowdowns, etc. We will see...
I wonder what the reaction of the likes of yahoo would be too, if millions of mailservers around the world suddenly started sending them HTTP GET requests for spammy looking domain names all the time for no reason ? :)
Maybe they would make their redirector more restrictive so it couldn't be abused by spammers.
--eric
Regards, Simon