just got this in a spam
<A href="h t tp:/ /r.lycos.com/r/vn_swditarrx_csmqempf/http://cympgebdnrMUNGED.org&aeglnl0 oepml18w32zd6%2Ezin ciccg cag%2Ecom/"> <FONT></FONT><STRONG></STRONG><STRONG></STRONG><IMG SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""></A>
just got this in a spam
<A href="h t tp:/ /r.lycos.com/r/vn_swditarrx_csmqempf/http://cympgebdnrMUNGED.o rg&aeglnl0 oepml18w32zd6%2Ezin ciccg cag%2Ecom/"> <FONT></FONT><STRONG></STRONG><STRONG></STRONG><IMG SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""></A>
Actually, I've been getting tons of spam with this lycos redirector over the last week. Sure wish they'd close it down or we'd find a way to parse redirector URIs for the real URI.
Bret
On Thursday, April 21, 2005, 8:24:30 AM, Matthew Wilson wrote:
just got this in a spam
<A href="h t tp:/ /r.lycos.com/r/vn_swditarrx_csmqempf/http://cympgebdnrMUNGED.org&aeglnl0 oepml18w32zd6%2Ezin ciccg
cag%2Ecom/">
<FONT></FONT><STRONG></STRONG><STRONG></STRONG><IMG SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""></A>
I believe SpamCop and SpamAssassin are working on code or have code to catch obfuscated redirector usage like this example.
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
On Thursday, April 21, 2005, 8:24:30 AM, Matthew Wilson wrote:
just got this in a spam
<A href="h t tp:/ /r.lycos.com/r/vn_swditarrx_csmqempf/http://cympgebdnrMUNGED.org&aeglnl0 oepml18w32zd6%2Ezin ciccg
cag%2Ecom/">
<FONT></FONT><STRONG></STRONG><STRONG></STRONG><IMG SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""></A>
I believe SpamCop and SpamAssassin are working on code or have code to catch obfuscated redirector usage like this example.
I have a SARE rule that Loren wrote that handles the multiple linefeeds for the http: part.
rawbody __LW_URI_CR1 /href="[^"]*\r[^\n]/is
full __LW_URI_CR2 /href="[^"]*\r[^\n]/is
meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
score LW_URI_CR 2
describe LW_URI_CR unescaped cr in uri

full LW_URI_CR2 /href="[^"]*\r[^\n]\w+\r[^\n]/is
score LW_URI_CR2 2
describe LW_URI_CR2 unescapred crs in uri
I did bump these rules to a score of 4 each instead of 2.
-Doc
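
An added example, not from any poster in this thread and not SpamAssassin or SARE code: a Python sketch of the two ideas discussed above, flagging a bare CR inside an href (the same pattern as the LW_URI_CR sub-rules) and pulling the embedded target host out of a redirector URI. The sample markup, host names and function names are constructed, and it assumes the mail client drops tab, CR and LF inside a URL.

```python
import re
from urllib.parse import unquote, urlsplit

# Same pattern as the LW_URI_CR sub-rules quoted in the thread:
# a CR inside an href value that is not followed by LF.
RAW_CR_IN_HREF = re.compile(r'href="[^"]*\r[^\n]', re.I)
HREF_VALUE = re.compile(r'href="([^"]*)"', re.I)
NESTED_URL = re.compile(r'https?://', re.I)

# Constructed sample: CRs split the scheme, %2E hides a dot in the target.
SAMPLE = ('<A href="h\rt\rtp:/\r/redirector.example/r/tracking_id/'
          'http://shop%2Etarget.example/"><IMG SRC="cid:x"></A>')


def has_raw_cr(raw_html):
    """True when an href contains a CR that is not part of a CRLF pair."""
    return RAW_CR_IN_HREF.search(raw_html) is not None


def extract_href(raw_html):
    """Return the first href value in the markup, or None."""
    m = HREF_VALUE.search(raw_html)
    return m.group(1) if m else None


def embedded_hosts(href):
    """Return every host named in the href, outermost (redirector) first."""
    # Assumption: the client removes tab, CR and LF from inside the URL.
    url = re.sub(r'[\t\r\n]', '', href).strip()
    # Undo percent-encoding a bounded number of times (%2E -> ".").
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    hosts = []
    for m in NESTED_URL.finditer(url):
        host = urlsplit(url[m.start():]).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    print(has_raw_cr(SAMPLE), embedded_hosts(extract_href(SAMPLE)))
```

Any host after the first in the returned list is a candidate for the same blocklist lookup that would have been applied to a directly linked URI.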