[SURBL-Discuss] Simon's complex redirection

Justin Mason jm at jmason.org
Tue Apr 27 16:46:32 CEST 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Simon Byrnand writes:
> Just spotted the following redirected URL in a spam. Doesn't look like it
> will be getting caught yet with the current redirector rules:
> 
> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
> 
> Using images.google.ca as a redirector ? Thats a new one.... I'm not game
> to click on the link to see where it goes though... its from the same
> spammer that was blatently abusing the yahoo redirectors and msn ones...

it might work.  I won't check where it goes, just in case it confirms
your addr or similar ;)

it's a 3-level redirect:

    http://images.google.ca/imgres , redirecting to
    http://www.google.com/url , redirecting to
    http://www.google.com/url , encoded, redirecting to
    the real URL, encoded.

kind of pointless, since it's caught. (or should be at least.)
spamassassin -D -t gives:

debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
debug: uri found: http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
debug: uri found: http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32

It's double-encoded.  We can catch that easily.  But first, my question --
does this *work* in an MUA, ie. should we?  Simon, could you try it?

> Is this a sign that the current system used in SpamCopURI (checking HTTP
> responses of specifically mentioned redirectors) is just going to play
> catchup all the time ?

not this one, no ;)   it's handy though, they've tipped their hand
on this trick.

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAjuLIQTcbUG5Y7woRAjKhAJ9n8U6QBCxzqkVNu9Huh2KY0FpFLwCfaaY5
BKiRX9NSPmBsX6V73ZRZll0=
=UNhw
-----END PGP SIGNATURE-----

More information about the Discuss mailing list