Not sure if this is a new type of spam or not:
http://www.surbl.org/fitch7826drug.us.4jun04.txt
This example I just received had many real or joe job URIs with no text in the anchor like:
<a href=3D"http://www.elysian-MUNGED.com%22%3E</a>
Perhaps it's trying to run out some counters, but the real target domain is visible as the last "removal" URI:
<a href=3D"http://= www.ozone.fitch7826drug-MUNGED.us/d.ddd">here.</a>
Name: fitch7826drug.us
Address: 61.250.93.214
Where this IP is in sbl.spamhaus.org of course.
The "ordering" link just before it was broken (no dot, at least in my MUA, The Bat!):
<a href=3D"http://fitch7826drug= us/b94">Click
Interestingly SpamCop did parse the message correctly in terms of ignoring the blank anchors and finding only the clickable ones.
That said, if urirhsbl or SpamCopURI limit the number of URIs checked, these could sneak through. A useful behavior might be to ignore any non-clickable anchors, if we're not already doing that.
Jeff C.
On Fri, 4 Jun 2004, Jeff Chan wrote:
Not sure if this is a new type of spam or not:
http://www.surbl.org/fitch7826drug.us.4jun04.txt
This example I just received had many real or joe job URIs with no text in the anchor like:
<a href=3D"http://www.elysian-MUNGED.com%22%3E</a>
This has been going on for some time now and is designed to (a) confuse URIRBLs and (b) possibly poison URIRBLs if they're using highly-automated techniques for URI injection. They also break up, with legitimate (but useless) HTML syntax, normal words in an attempt to confuse filters.
Trying to confuse URIRBLs is understandable behaviour for spammers. Actively trying to poison them is reprehensible.
Here's a custom rule I use to catch them:
rawbody CRF_NULL_URL /<a .{0,16}href=.{0,32}><\/a>/i
describe CRF_NULL_URL Useless (invisible) HTML link
score CRF_NULL_URL 1.0
Someone's going to have to look into the URIRBL plug-in for SA to see if it ignores URIs nested in such constructs (It should, I believe).
Perhaps it's trying to run out some counters, but the real target domain is visible as the last "removal" URI:
Since the anchor has no length, it's both invisible and unselectable; it never gets referenced from the message.
The "ordering" link just before it was broken (no dot, at least in my MUA, The Bat!):
<a href=3D"http://fitch7826drug= us/b94">Click
The spammer didn't know how to use his ratware.
Interestingly SpamCop did parse the message correctly in terms of ignoring the blank anchors and finding only the clickable ones.
That needs verification.
That said, if urirhsbl or SpamCopURI limit the number of URIs checked, these could sneak through. A useful behavior might be to ignore any non-clickable anchors, if we're not already doing that.
What I said.
+------------------------------------------------+---------------------+
| Carl Richard Friend (UNIX Sysadmin)            | West Boylston       |
| Minicomputer Collector / Enthusiast            | Massachusetts, USA  |
| mailto:crfriend@rcn.com                        +---------------------+
| http://users.rcn.com/crfriend/museum           | ICBM: 42:22N 71:47W |
+------------------------------------------------+---------------------+
From: "Jeff Chan"
Not sure if this is a new type of spam or not:
Did this get flagged by SpamCopURI?
If not, the reason is likely to be that the URI
http://= www.ozone.fitch7826drug-MUNGED.us/d.ddd
contains a quoted-printable character (=).
That said, if urirhsbl or SpamCopURI limit the number of URIs checked, these could sneak through. A useful behavior might be to ignore any non-clickable anchors, if we're not already doing that.
I don't think there is *currently* any limit in SpamCopURI on number of URIs. It should parse all of the URIs.
Limiting to URIs which are clickable could be a useful improvement though to counter spammers that add lots of legitimate but non-clickable URIs to email. This would reduce resource usage during processing and also reduce load on surbl servers.
John
At 08:37 2004-06-04 -0700, Jeff Chan wrote:
Interestingly SpamCop did parse the message correctly in terms of ignoring the blank anchors and finding only the clickable ones.
Yes, I have noted during the last few weeks that SpamCop has gone from reporting "Too many links" in those spams to ignoring the fake ones and catching the actual spam link, so they have obviously picked up on this.
That said, if urirhsbl or SpamCopURI limit the number of URIs checked, these could sneak through. A useful behavior might be to ignore any non-clickable anchors, if we're not already doing that.
Sometimes those spams don't have non-clickable anchors, instead using anchors around single unusual characters, like "~", "|", etc. If there is interest, I can forward any of these spams that I get to whoever wants to look into them, or to the list, if it's of general interest.
Patrik
Jeff Chan wrote:
Interestingly SpamCop did parse the message correctly in terms of ignoring the blank anchors and finding only the clickable ones.
That's a rather new feature (less than 1 week (?)), and it's not yet complete (some "almost empty" links are still handled as "spamvertized", see Patrik's comment, but the problem is known).
Bye, Frank
On Friday, June 4, 2004, 11:03:51 PM, Frank Ellermann wrote:
Jeff Chan wrote:
Interestingly SpamCop did parse the message correctly in terms of ignoring the blank anchors and finding only the clickable ones.
That's a rather new feature (less than 1 week (?)), and it's not yet complete (some "almost empty" links are still handled as "spamvertized", see Patrik's comment, but the problem is known).
Bye, Frank
Yes indeed, SpamCop's handling of URIs seems to be a work in progress, as I expect it always will be in order to meet whatever spammers happen to be doing.
Jeff C.
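
The filtering idea discussed in this thread, as an added example (not code from any poster, SpamCop, SpamCopURI or SpamAssassin): decode the quoted-printable body first, then keep only hosts from anchors a reader could actually click. The sample body, the `.example` hosts, the names `AnchorCollector` and `classify_uri_hosts`, and the `min_visible` threshold are assumptions made for illustration.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (quoted-printable HTML), modeled on the thread's snippets.
SAMPLE_QP = (
    b'<a href=3D"http://www.decoy-one.example/"></a>\r\n'
    b'<a href=3D"http://www.decoy-two.example/">~</a>\r\n'
    b'<a href=3D"http://www.shop.example/"><img src=3D"b.gif"></a>\r\n'
    b'<a href=3D"http://=\r\nwww.target.example/d.ddd">here.</a>\r\n'
)

class AnchorCollector(HTMLParser):
    """Record [href, visible text, contains image] for every <a href=...>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self._open = None          # anchor currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            self._open = [href.strip(), "", False] if href else None
            if self._open:
                self.anchors.append(self._open)
        elif tag == "img" and self._open:
            self._open[2] = True   # an image makes the link clickable

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

    def handle_data(self, data):
        if self._open:
            self._open[1] += data

def classify_uri_hosts(qp_body, min_visible=2):
    """Return (clickable_hosts, decoy_hosts) for a quoted-printable HTML body.
    min_visible is an assumed threshold: anchors showing fewer alphanumeric
    characters (empty, or a lone "~" or "|") are treated as decoys."""
    # Decode first so "=3D" becomes "=" and soft breaks ("=" at line end) vanish.
    html = quopri.decodestring(qp_body).decode("latin-1")
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    clickable, decoys = [], []
    for href, text, has_img in parser.anchors:
        host = urlsplit(href).hostname
        if not host:
            continue
        shown = sum(ch.isalnum() for ch in text)
        (clickable if has_img or shown >= min_visible else decoys).append(host)
    return clickable, decoys
```

Only the clickable hosts need a blocklist lookup, so padding a message with empty anchors no longer exhausts a per-message URI limit; the decoy count can also feed a score of its own.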