[SURBL-Discuss] Simon's complex redirection
Justin Mason
jm at jmason.org
Tue Apr 27 16:46:32 CEST 2004
Simon Byrnand writes:
> Just spotted the following redirected URL in a spam. Doesn't look like it
> will be getting caught yet with the current redirector rules:
>
> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
>
> Using images.google.ca as a redirector ? That's a new one.... I'm not game
> to click on the link to see where it goes though... it's from the same
> spammer that was blatantly abusing the yahoo redirectors and msn ones...

it might work. I won't check where it goes, just in case it confirms
your addr or similar ;)

it's a 3-level redirect:

    http://images.google.ca/imgres , redirecting to
    http://www.google.com/url , redirecting to
    http://www.google.com/url , encoded, redirecting to
    the real URL, encoded.

kind of pointless, since it's caught. (or should be at least.)

spamassassin -D -t gives:

debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
debug: uri found: http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
debug: uri found: http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32

It's double-encoded. We can catch that easily. But first, my question --
does this *work* in an MUA, ie. should we? Simon, could you try it?

> Is this a sign that the current system used in SpamCopURI (checking HTTP
> responses of specifically mentioned redirectors) is just going to play
> catchup all the time ?

not this one, no ;) it's handy though, they've tipped their hand
on this trick.

--j.
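
Added example, not part of the original message and not SpamAssassin's own code: a Python sketch of offline redirect unwrapping, which peels percent-encoding layers and nested http:// URLs out of the URL quoted above so that every host can be checked against a URI blocklist without fetching anything. The function names and the depth cap are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# URL quoted in the message above, split only for line length.
SAMPLE = (
    "http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg"
    "&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q="
    "%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D"
    "%2F%6D%61%6E%67%65%72%33%32"
)

MAX_DEPTH = 8  # assumed cap: bounds the work done on deliberately deep nesting


def expand_uris(uri, max_depth=MAX_DEPTH):
    """Return uri plus every URL nested inside it, in discovery order."""
    found = []
    queue = [(uri, 0)]
    while queue:
        cur, depth = queue.pop(0)
        if cur in found or depth > max_depth:
            continue
        found.append(cur)
        # Peel one layer of percent-encoding; repeated passes through the
        # queue handle double (or deeper) encoding such as %253A.
        decoded = unquote(cur)
        if decoded != cur:
            queue.append((decoded, depth + 1))
        # Any later "http://" or "https://" starts an embedded URL.
        # Schemeless values such as imgurl=host/path are not extracted here.
        nested = re.search(r"https?://", cur[1:], re.I)
        if nested:
            queue.append((cur[1 + nested.start():], depth + 1))
    return found


def hosts_to_check(uri):
    """Unique hostnames, outermost first, to look up in a URI blocklist."""
    hosts = []
    for candidate in expand_uris(uri):
        try:
            host = urlsplit(candidate).hostname
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts
```

Looking up only the outermost host would match the redirector alone; the list returned here also contains the innermost host, which is the one a blocklist lookup needs.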