[SURBL-Discuss] Simon's complex redirection

Simon Byrnand simon at igrin.co.nz
Wed Apr 28 11:55:18 CEST 2004

> Hash: SHA1
> Simon Byrnand writes:
>> Just spotted the following redirected URL in a spam. Doesn't look like
>> it
>> will be getting caught yet with the current redirector rules:
>> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
>> Using images.google.ca as a redirector ? Thats a new one.... I'm not
>> game
>> to click on the link to see where it goes though... its from the same
>> spammer that was blatently abusing the yahoo redirectors and msn ones...
> it might work.  I won't check where it goes, just in case it confirms
> your addr or similar ;)

Well I've already clicked on it now to see what happens, so feel free to
click on it ;)

> it's a 3-level redirect:
>     http://images.google.ca/imgres , redirecting to
>     http://www.google.com/url , redirecting to
>     http://www.google.com/url , encoded, redirecting to
>     the real URL, encoded.
> kind of pointless, since it's caught. (or should be at least.)
> spamassassin -D -t gives:
> debug: uri found:
> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
> debug: uri found:
> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
> debug: uri found:
> http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
> debug: uri found:
> http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
> It's double-encoded.  We can catch that easily.  But first, my question --
> does this *work* in an MUA, ie. should we?  Simon, could you try it?

What you get is the image preview in google which consists of an image in
the top frame, and the page that it came from in the bottom frame, and in
the bottom frame was a link "click here for ......." so yes it definately
does work...


More information about the Discuss mailing list