[SURBL-Discuss] More spams with Zdnet redirector

Patrik Nilsson patrik at patrik.com
Thu Apr 7 21:45:51 CEST 2005

At 00:13 2005-04-07 -0700, Jeff Chan wrote:
>On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote:
> > Jeff,
> > So it seems that there is an obvious loophole in SURBL. As long as the
> > spammer uses a legitimate business running a redirector you will never 
> black
> > list them (perhaps the spammer could even set up their own legitimate
> > redirector). This open redirector discussion for ZDNET has been open for
> > several weeks now, they have had more than ample warning.
> > Nick
>No, it's not a loophole.  Programs like SpamAssassin and
>SpamCopURI correctly parse some redirection sites like
>g.msn.com and check the redirected-to site.

That workaround is part of the problem, not part of the solution.

If we encourage client implementations to work around the problem in that 
way, we will always have:

1. Clients that need to be updated with the latest redirectors, unless we 
provide and encourage implementations to use a constantly updated online 
source of redirectors.

2. Major redirectors getting included in the special work-arounds, like 
Google, and smaller ones not getting included.

If we believe that open redirectors are bad, we should not solve the 
problem by working around a few major ones that we are currently aware of.


More information about the Discuss mailing list