[SURBL-Discuss] Re: large number of empty URIs preceding actual one

Carl R. Friend crfriend at rcn.com
Fri Jun 4 14:24:06 CEST 2004


   On Fri, 4 Jun 2004, Jeff Chan wrote:

> Not sure if this is a new type of spam or not:
> 
>   http://www.surbl.org/fitch7826drug.us.4jun04.txt
> 
> This example I just received had many real or joe job URIs
> with no text in the anchor like:
> 
>   <a href=3D"http://www.elysian-MUNGED.com"></a>

   This has been going on for some time now and is designed
to (a) confuse URIRBLs and (b) possibly poison URIRBLs if
they're using highly-automated techniques for URI injection.
They also break up, with legitimate (but useless) HTML syntax,
normal words in an attempt to confuse filters.

   Trying to confuse URIRBLs is understandable behaviour for
spammers.  Actively trying to poison them is reprehensible.

   Here's a custom rule I use to catch them:

rawbody CRF_NULL_URL    /<a .{0,16}href=.{0,32}><\/a>/i
describe CRF_NULL_URL   Useless (invisible) HTML link
score CRF_NULL_URL      1.0

   Someone's going to have to look into the URIRBL plug-in
for SA to see if it ignores URIs nested in such constructs
(It should, I believe).

> Perhaps it's trying to run out some counters, but the real
> target domain is visible as the last "removal" URI:

   Since the anchor has no length, it's both invisible and
unselectable; it never gets referenced from the message.

> The "ordering" link just before it was broken (no dot, at
> least in my MUA, The Bat!):
> 
>   <a href=3D"http://fitch7826drug=
>   us/b94">Click

   The spammer didn't know how to use his ratware.

> Interestingly SpamCop did parse the message correctly in terms
> of ignoring the blank anchors and finding only the clickable
> ones.

   That needs verification.

> That said, if urirhsbl or SpamCopURI limit the number of
> URIs checked, these could sneak through.  A useful behavior
> might be to ignore any non-clickable anchors, if we're not
> already doing that.

   What I said.

+------------------------------------------------+---------------------+
| Carl Richard Friend (UNIX Sysadmin)            | West Boylston       |
| Minicomputer Collector / Enthusiast            | Massachusetts, USA  |
| mailto:crfriend at rcn.com                        +---------------------+
| http://users.rcn.com/crfriend/museum           | ICBM: 42:22N 71:47W |
+------------------------------------------------+---------------------+
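
Added example (not part of the original post, and not code from SpamAssassin, SpamCopURI or urirhsbl): a sketch of the "ignore non-clickable anchors" behaviour discussed in the thread, so that a cap on the number of URIs checked is spent on links a reader can actually select. The class and function names are hypothetical and the sample body is constructed with .example domains.

```python
import quopri
from html.parser import HTMLParser

class AnchorSplitter(HTMLParser):
    """Sort <a href> targets by whether the anchor has anything to click."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.clickable, self.invisible = [], []
        self._href, self._text = None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._flush()                  # previous anchor was never closed
            self._href = dict(attrs).get("href")
        elif tag == "img" and self._href is not None:
            self._text += "[img]"          # an image inside a link is clickable

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._flush()

    def _flush(self):
        if self._href:
            # Whitespace-only anchors are as unselectable as empty ones.
            bucket = self.clickable if self._text.strip() else self.invisible
            bucket.append(self._href)
        self._href, self._text = None, ""

def split_uris(raw_qp_body: bytes):
    """Decode a quoted-printable HTML part; return (clickable, invisible)."""
    html = quopri.decodestring(raw_qp_body).decode("utf-8", "replace")
    parser = AnchorSplitter()
    parser.feed(html)
    parser.close()
    parser._flush()                        # anchor still open at end of body
    return parser.clickable, parser.invisible

def uris_to_check(raw_qp_body: bytes, limit: int):
    """URIs to submit for lookup: clickable ones only, capped at `limit`."""
    return split_uris(raw_qp_body)[0][:limit]

# Constructed sample: two padding anchors, then the real link, which is
# split by a quoted-printable soft line break ("=" at end of line).
SAMPLE = (b'<a href=3D"http://padding-one.example"></a>\n'
          b'<a href=3D"http://padding-two.example"> </a>\n'
          b'<a href=3D"http://real-target.exa=\nmple/b94">Click</a>\n')
```

With a limit of 1, a checker that took URIs in message order would spend its only lookup on the first padding anchor; here the single lookup goes to the clickable link. The invisible list can still be counted for a scoring rule like CRF_NULL_URL above.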


