[SURBL-Discuss] Re: Heads up: new open redirecters and new spammer trick for urls

Jeff Chan jeffc at surbl.org
Mon May 17 17:20:19 CEST 2004


On Monday, May 17, 2004, 4:10:51 PM, John Fawcett wrote:
> From: "jdow" 
>> From: "John Hardin" <johnh at aproposretail.com>
>> 
>> > On Sun, 2004-05-16 at 01:46, John Fawcett wrote:
>> > 
>> > 
>> > > In order to obtain the 302 code the browser sees
>> > > 2 things are necessary:
>> > > 1. Add a / before the * (That is the correct format for
>> > > yahoo redirection)
>> > > 2. Change the hTtP:\\ to hTtP:// (The mixed case is not a problem)
>> > 
>> > I think fixing all backslashes to forward slashes in the URL before
>> > processing by SURBL would deal with both cases.
>> > 
>> > Are (unescaped or unencoded) backslashes even *valid* in URLs?
>> 
>> Um, who cares? If the email programs parse them the way the spammers
>> want then we need to catch them parsed the way the spammers want. Of
>> course we COULD simply dump emails containing illegitimate back slashes
>> if nothing Microsoftish produces legitimate emails with backslashes.
>> I do not want to bet on that.
>> 
>> {^_^}
>>

> In this case there is an additional consideration: SpamCopURI has logic to
> get the spammer domain out of a redirection url, by actually doing an http 
> retrieval and reading the 302 response header. 
> This retrieval fails if done on the url as written by the spammer.
> So the options are:
> - use unescaped \ as a spam indicator
> - mimic the broken browsers/email clients which are apparently rewriting
>  malformed urls by mapping \ to /, thus allowing SpamCopURI to 
> successfully retrieve the spammer domain for testing against surbl.

I would vote for the latter: map \ to /

(Although treating \ used as a separator as a --clue
 indicator could also be useful, likewise using / for command
 line flags. ;-)

Jeff C.
-- 
Jeff Chan
mailto:jeffc at surbl.org
http://www.surbl.org/
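
The "map \ to /" option discussed in this thread, as an added example that is not part of the original messages and is not SpamCopURI's code. Instead of doing the HTTP retrieval and reading the 302 header, it works offline by pulling any URL embedded in the redirector URL out of the string, and it reports the backslash separately so it can also be used as an indicator. The function names and the hosts redirector.example and spamdomain.example are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Start of an http(s) URL, in any letter case (spammers write hTtP etc.).
EMBEDDED = re.compile(r"(?i)https?://")

# Constructed sample in the style described in the thread: no "/" before
# the "*", mixed-case scheme, backslashes used as separators.
SAMPLE = r"http://redirector.example/click*hTtP:\\spamdomain.example\offer"


def candidate_hosts(raw, map_backslashes=True):
    """Return (hosts, had_backslash) for one URL taken from a message.

    hosts lists, in order, the host of the outer URL and of every URL
    embedded inside it; these are the names to test against a blocklist.
    had_backslash records whether the URL contained an unescaped "\\".
    """
    had_backslash = "\\" in raw
    url = raw.strip()
    if map_backslashes:
        # Mimic the lenient clients: treat "\" as "/".
        url = url.replace("\\", "/")

    starts = [m.start() for m in EMBEDDED.finditer(url)]
    hosts = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(url)
        try:
            # urlsplit lowercases the host and drops userinfo and port.
            host = urlsplit(url[start:end]).hostname
        except ValueError:
            continue  # malformed authority, e.g. unbalanced IPv6 brackets
        if host and host not in hosts:
            hosts.append(host)
    return hosts, had_backslash


if __name__ == "__main__":
    print(candidate_hosts(SAMPLE))
    print(candidate_hosts(SAMPLE, map_backslashes=False))
```

Without the mapping only the redirector's own host is found, which mirrors the failed retrieval described above; with it, the embedded domain becomes available for lookup.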


