[SURBL-Discuss] large number of empty URIs preceding actual one

Jeff Chan jeffc at surbl.org
Fri Jun 4 09:37:23 CEST 2004


Not sure if this is a new type of spam or not:

  http://www.surbl.org/fitch7826drug.us.4jun04.txt

This example I just received had many real or joe job URIs
with no text in the anchor like:

  <a href=3D"http://www.elysian-MUNGED.com"></a>

Perhaps it's trying to run out some counters, but the real
target domain is visible as the last "removal" URI:

  <a href=3D"http://=
  www.ozone.fitch7826drug-MUNGED.us/d.ddd">here.</a>

> Name:    fitch7826drug.us
> Address:  61.250.93.214

Where this IP is in sbl.spamhaus.org of course.

The "ordering" link just before it was broken (no dot, at
least in my MUA, The Bat!):

  <a href=3D"http://fitch7826drug=
  us/b94">Click

Interestingly SpamCop did parse the message correctly in terms
of ignoring the blank anchors and finding only the clickable
ones.

That said, if urirhsbl or SpamCopURI limit the number of
URIs checked, these could sneak through.  A useful behavior
might be to ignore any non-clickable anchors, if we're not
already doing that.

Jeff C.
-- 
Jeff Chan
mailto:jeffc at surbl.org
http://www.surbl.org/
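
The behaviour suggested in the message above (skip anchors with no clickable text before applying a cap on the number of URIs checked), as an added example that is not part of the original post and not code from urirhsbl or SpamCopURI. The `.example` hosts, the sample body, and the names `AnchorCollector` and `hosts_to_check` are constructed for illustration.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Record (href, visible text) for each <a> element, in document order."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._end_anchor()                 # tolerate a missing </a>
            self._href, self._text = dict(attrs).get("href"), []
        elif tag == "img" and self._href is not None:
            self._text.append("[img]")         # an image link is still clickable

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self._end_anchor()

    def close(self):
        super().close()
        self._end_anchor()                     # flush an anchor left open at EOF

    def _end_anchor(self):
        if self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
        self._href = None

def hosts_to_check(qp_body: bytes, limit: int, clickable_only: bool) -> list:
    """Hosts that a checker capped at `limit` lookups would actually query."""
    # Undo quoted-printable first: "=3D" becomes "=", "=\n" soft breaks are joined.
    parser = AnchorCollector()
    parser.feed(quopri.decodestring(qp_body).decode("latin-1"))
    parser.close()
    hosts = []
    for href, text in parser.anchors:
        if clickable_only and not text:
            continue                           # empty anchor: nothing to click
        host = urlsplit(href).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts[:limit]

# Constructed sample: 30 empty decoy anchors, then the one clickable link.
SAMPLE = b"".join(b'<a href=3D"http://decoy%d.example"></a>\n' % i for i in range(30))
SAMPLE += b'<a href=3D"http://=\nwww.target.example/d.ddd">here.</a>\n'
```

With a cap of 10, `hosts_to_check(SAMPLE, 10, False)` returns only decoy hosts, while `hosts_to_check(SAMPLE, 10, True)` returns the single clickable host.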


