NEW OPEN REDIRECTER I just noticed a new (for me) yahoo redirecter in spam received eur.rd.yahoo.com
On a hunch, I also tried things like:
uk.rd.yahoo.com it.rd.yahoo.com de.rd.yahoo.com
which are all open redirecters. There are sure to be more of these using other country code prefixes.
So for those using SpamCopURI you probably need this in your spamcop_uri.cf:
open_redirect_list_spamcop_uri rd.yahoo.com *.rd.yahoo.com
I'd recommend Eric to add this to the default SpamCopURI configuration on the next release, along with others like
open_redirect_list_spamcop_uri drs.yahoo.com open_redirect_list_spamcop_uri ads.msn.com g.msn.com
which aren't currently in the defaults.
NEW SPAMMER TRICK FOR URLS Having added the new redirection service, I found that SpamCopURI 0.16 didn't pick up the url shown at the end of this message. The reason is that resolving the URL through the SpamCopURI gives a HTTP/1.1 403 Forbidden. As the response code does not begin with a 3 (= redirection), the URL is assumed to be the final one. The domain which is subjected to lookup in sc.surbl.org is (after normalizing to the register level) is yahoo.com. So this one gets past SpamCopURI.
Howver, in a commonly used browser, the url redirects to the spamvertized site without difficulty.
I cannot help thinking that this url has been carefully crafted to avoid processing by SpamCopURI but still be acceptable to a browser. (That's a terrifying thought).
In order to obtain the 302 code the browser sees 2 things are necessary: 1. Add a / before the * (That is the correct format for yahoo redirection) 2. Change the hTtP:\ to hTtP:// (The mixed case is not a problem)
While the second one is a general case (other redirection services could be abused in the same way by browser loopholes) the first one is a very specific browser loophole that applies only to yahoo redirection.
Here's the URL. I didn't even munge it, since it should get past the filters.
<a href="http://eur.rd.yahoo.com/electric\croydon\laity\otherworldly\phonetic\e xplicit\mountaineer\integrable\isadore\wangle\zounds\contumacy\embedded\sang uine\arrangeable\duane\malarial\bremsstrahlung\freshmen\windup\spoon\accompa ny\soldier\throb\boil\harrisburg\quartz\throne\giddap\waistcoat\guzzle\whoop \abreast\corral\latrobe\ct\castor\gallup\click\cretinous\alcoa\lysine\wheelc hair\levy\embedded\faint\floodlight\elmer\fiesta\pistachio\pulp\suppress\fle awort\flick\topcoat\brain\prom\bill\knife\serene\*hTtP:\\7Wv2eg82o19X.zbxra1 .com/gp/iNdeX.ASP?id=BW" target="_blank"><b>hit this</b></a>
John
John Fawcett wrote:
Here's the URL. I didn't even munge it, since it should get past the filters.
I get a forbidden error from Yahoo when I go to that URL - Certainly doesn't seem to work too well as a redirector.
David
From: "David Coulson"
John Fawcett wrote:
Here's the URL. I didn't even munge it, since it should get past the filters.
I get a forbidden error from Yahoo when I go to that URL - Certainly doesn't seem to work too well as a redirector.
David
Still works for me (in MSI Explorer 6).
Because the mailing list software has folded the url onto mutliple lines, I had to painstakingly copy and paste the separate parts into the browser to recompose the whole url before clicking enter (or use a text editor to do the same job)
In the original spam message it was all much more straightforward. I just clicked the link.
Out of curiosity, I just tried it out with Opera and that has the same issues as MSIE and redirects to the spam site without difficulty.
Instead, Firefox was not fooled: like spamcopuri it gets a forbidden error and does not redirect.
John
On Sun, 2004-05-16 at 01:46, John Fawcett wrote:
In order to obtain the 302 code the browser sees 2 things are necessary:
- Add a / before the * (That is the correct format for
yahoo redirection) 2. Change the hTtP:\ to hTtP:// (The mixed case is not a problem)
I think fixing all backslashes to forward slashes in the URL before processing by SURBL would deal with both cases.
Are (unescaped or unencoded) backslashes even *valid* in URLs?
Here's the URL. I didn't even munge it, since it should get past the filters.
<a href="http://eur.rd.yahoo.com/electric\croydon\laity\otherworldly\phonetic\e xplicit\mountaineer\integrable\isadore\wangle\zounds\contumacy\embedded\sang uine\arrangeable\duane\malarial\bremsstrahlung\freshmen\windup\spoon\accompa ny\soldier\throb\boil\harrisburg\quartz\throne\giddap\waistcoat\guzzle\whoop \abreast\corral\latrobe\ct\castor\gallup\click\cretinous\alcoa\lysine\wheelc hair\levy\embedded\faint\floodlight\elmer\fiesta\pistachio\pulp\suppress\fle awort\flick\topcoat\brain\prom\bill\knife\serene\*hTtP:\\7Wv2eg82o19X.zbxra1 .com/gp/iNdeX.ASP?id=BW" target="_blank"><b>hit this</b></a>
-- John Hardin KA7OHZ Internal Systems Administrator voice: (425) 672-1304 Apropos Retail Management Systems, Inc. fax: (425) 672-0192 ----------------------------------------------------------------------- ...the Fates notice those who buy chainsaws... -- www.darwinawards.com ----------------------------------------------------------------------- 58 days until Apropos Forum 2004
From: "John Hardin" johnh@aproposretail.com To: "SURBL Discuss" discuss@lists.surbl.org; "SpamAssassin Users" spamassassin-users@incubator.apache.org Sent: Monday, May 17, 2004 7:50 PM Subject: Re: Heads up: new open redirecters and new spammer trick for urls
On Sun, 2004-05-16 at 01:46, John Fawcett wrote:
In order to obtain the 302 code the browser sees 2 things are necessary:
- Add a / before the * (That is the correct format for
yahoo redirection) 2. Change the hTtP:\ to hTtP:// (The mixed case is not a problem)
I think fixing all backslashes to forward slashes in the URL before processing by SURBL would deal with both cases.
So a small workaround in get_uril_list in PerMsgStatus.pm will convert \ to /. Could be useful to feed this into the 3.x SA development tree.
$uri =~ s/\///g;
John
Are (unescaped or unencoded) backslashes even *valid* in URLs?
-
David Coulson -
John Fawcett -
John Hardin