[SURBL-Discuss] Heads up: new open redirecters and new spammer trick for urls

John Fawcett johnml at michaweb.net
Sun May 16 11:46:37 CEST 2004


NEW OPEN REDIRECTER
I just noticed a new (for me) yahoo redirecter in spam received
    eur.rd.yahoo.com

On a hunch, I also tried things like:

uk.rd.yahoo.com
it.rd.yahoo.com
de.rd.yahoo.com

which are all open redirecters. There are sure to be more of
these using other country code prefixes.

So for those using SpamCopURI you probably need this
in your spamcop_uri.cf:

open_redirect_list_spamcop_uri   rd.yahoo.com *.rd.yahoo.com

I'd recommend Eric to add this to the default SpamCopURI
configuration on the next release, along with others like

open_redirect_list_spamcop_uri   drs.yahoo.com
open_redirect_list_spamcop_uri   ads.msn.com g.msn.com

which aren't currently in the defaults.

NEW SPAMMER TRICK FOR URLS
Having added the new redirection service, I found that
SpamCopURI 0.16 didn't pick up the url shown at the end
of this message. The reason is that resolving the URL
through the SpamCopURI gives a HTTP/1.1 403 Forbidden.
As the response code does not begin with a 3 (= redirection),
the URL is assumed to be the final one.  The domain which
is subjected to lookup in sc.surbl.org (after normalizing
to the register level) is yahoo.com. So this one gets
past SpamCopURI.

However, in a commonly used browser, the url
redirects to the spamvertized site without difficulty.

I cannot help thinking that this url has been carefully
crafted to avoid processing by SpamCopURI but
still be acceptable to a browser. (That's a terrifying
thought).

In order to obtain the 302 code the browser sees
2 things are necessary:
1. Add a / before the * (That is the correct format for
yahoo redirection)
2. Change the hTtP:\\ to hTtP:// (The mixed case is not a problem)

While the second one is a general case (other redirection services
could be abused in the same way by browser loopholes) the first
one is a very specific browser loophole that applies only to
yahoo redirection.

Here's the URL. I didn't even munge it, since it should get
past the filters.

<a href="http://eur.rd.yahoo.com/electric\croydon\laity\otherworldly\phonetic\explicit\mountaineer\integrable\isadore\wangle\zounds\contumacy\embedded\sanguine\arrangeable\duane\malarial\bremsstrahlung\freshmen\windup\spoon\accompany\soldier\throb\boil\harrisburg\quartz\throne\giddap\waistcoat\guzzle\whoop\abreast\corral\latrobe\ct\castor\gallup\click\cretinous\alcoa\lysine\wheelchair\levy\embedded\faint\floodlight\elmer\fiesta\pistachio\pulp\suppress\fleawort\flick\topcoat\brain\prom\bill\knife\serene\*hTtP:\\7Wv2eg82o19X.zbxra1.com/gp/iNdeX.ASP?id=BW" target="_blank"><b>hit this</b></a>

John
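An added example (not code from the post or from SpamCopURI) showing why the two browser leniencies matter for the lookup: it applies the same normalization to the URL quoted above before extracting the embedded target, so the domain handed to the sc.surbl.org lookup becomes the spamvertised one rather than yahoo.com. It parses Yahoo's /*target format statically instead of following the redirect over HTTP, which is an assumption of the example; the open-redirector list is the one from this post, and the registrar-level normalization is simplified to the last two labels.

```python
import re
from urllib.parse import urlsplit

# Open redirectors named in the post; a leading "*." matches any subdomain.
OPEN_REDIRECTORS = ["rd.yahoo.com", "*.rd.yahoo.com", "drs.yahoo.com", "ads.msn.com", "g.msn.com"]

# The URL quoted in the post, split across lines only to keep them short.
SPAM_URL = (
    r"http://eur.rd.yahoo.com/electric\croydon\laity\otherworldly\phonetic\e"
    r"xplicit\mountaineer\integrable\isadore\wangle\zounds\contumacy\embedded\sang"
    r"uine\arrangeable\duane\malarial\bremsstrahlung\freshmen\windup\spoon\accompa"
    r"ny\soldier\throb\boil\harrisburg\quartz\throne\giddap\waistcoat\guzzle\whoop"
    r"\abreast\corral\latrobe\ct\castor\gallup\click\cretinous\alcoa\lysine\wheelc"
    r"hair\levy\embedded\faint\floodlight\elmer\fiesta\pistachio\pulp\suppress\fle"
    r"awort\flick\topcoat\brain\prom\bill\knife\serene\*hTtP:\\7Wv2eg82o19X.zbxra1"
    r".com/gp/iNdeX.ASP?id=BW"
)

def is_open_redirector(host):
    """True if host is on the list; wildcard entries match any subdomain."""
    host = host.lower()
    return any(host.endswith(p[1:]) if p.startswith("*.") else host == p
               for p in OPEN_REDIRECTORS)

def browser_normalize(url):
    """Browser leniencies from the post: backslash read as slash, scheme case-folded."""
    url = url.replace("\\", "/")
    m = re.match(r"[a-zA-Z][a-zA-Z0-9+.-]*:", url)
    return url[:m.end()].lower() + url[m.end():] if m else url

def embedded_target(url):
    """On an open redirector, return the absolute URL embedded after '*'
    (Yahoo's /*target format); otherwise return url unchanged."""
    if not is_open_redirector(urlsplit(url).hostname or ""):
        return url
    m = re.search(r"\*(https?://.+)$", url, re.IGNORECASE)
    return m.group(1) if m else url

def registered_domain(host):
    """Simplified registrar-level normalization: keep the last two labels.
    Real code needs a public-suffix list (co.uk and friends)."""
    return ".".join(host.lower().split(".")[-2:])

def lookup_domain(url, browser_like=True):
    """Domain that would be checked in sc.surbl.org. browser_like=False leaves
    the raw string alone, the path that ends at yahoo.com in the post."""
    if browser_like:
        url = browser_normalize(url)
    return registered_domain(urlsplit(embedded_target(url)).hostname or "")
```

With the raw string, lookup_domain(SPAM_URL, browser_like=False) yields yahoo.com; with browser-style normalization it yields zbxra1.com, the domain the filter actually needs to check.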
