[SURBL-Discuss] More spams with Zdnet redirector

List Mail User track at Plectere.com
Fri Apr 8 18:09:51 CEST 2005

>From discuss-bounces at lists.surbl.org Fri Apr  8 06:48:07 2005
>From: Chris Santerre <csanterre at MerchantsOverseas.com>
>To: "'Jeff Chan'" <jeffc at surbl.org>,
>        "'SURBL Discussion list'" <discuss at lists.surbl.org>
>Subject: RE: [SURBL-Discuss] More spams with Zdnet redirector
>Date: Fri, 8 Apr 2005 09:47:20 -0400 
>>-----Original Message-----
>>From: Jeff Chan [mailto:jeffc at surbl.org]
>>Sent: Thursday, April 07, 2005 10:55 PM
>>To: SURBL Discussion list
>>Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector
>>On Thursday, April 7, 2005, 12:45:51 PM, Patrik Nilsson wrote:
>>> At 00:13 2005-04-07 -0700, Jeff Chan wrote:
>>>>On Wednesday, April 6, 2005, 11:58:31 PM, Nick Askew wrote:
>>>> > Jeff,
>>>> > So it seems that there is an obvious loophole in SURBL. 
>>As long as the
>>>> > spammer uses a legitimate business running a redirector 
>>you will never 
>>>> black
>>>> > list them (perhaps the spammer could even set up their 
>>own legitimate
>>>> > redirector). This open redirector discussion for ZDNET 
>>has been open for
>>>> > several weeks now, they have had more than ample warning.
>>>> > Nick
>>>>No, it's not a loophole.  Programs like SpamAssassin and
>>>>SpamCopURI correctly parse some redirection sites like
>>>>g.msn.com and check the redirected-to site.
>>> That workaround is part of the problem, not part of the solution.
>>> If we encourage client implementations to work around the 
>>problem in that 
>>> way, we will always have:
>>> 1. Clients that need to be updated with the latest 
>>redirectors, unless we 
>>> provide and encourage implementations to use a constantly 
>>updated online 
>>> source of redirectors.
>>> 2. Major redirectors getting included in the special 
>>work-arounds, like 
>>> Google, and smaller ones not getting included.
>>> If we believe that open redirectors are bad, we should not solve the 
>>> problem by working around a few major ones that we are 
>>currently aware of.
>>> Patrik 
>>Our solution is to detect and check the big ones, and try
>>to get all of them to not be open to spammers.
>>What's your solution?  Blacklisting all open redirectors?
>>So no one should be able to mention them?
>Thats EXACTLY what the new gray list will do. 
>'If it appears in spam, list it'
>(I can't take credit for the above tagline. Another nut came up with it
>before me!)
>Discuss mailing list
>Discuss at lists.surbl.org

	Jeff and Chris,

	Here I agree completely with Chris.  An open HTTP redirector is
just the same as an open SMTP relay.  Fifteen years ago SMTP relays were
not only common, they were part of being a "helpful" citizen;  Today, we
all consider them invitations to abuse and organizations like SORBS exist
to seek them out and blacklist them.  Six years ago, a HTTP redirector was
a similar concept - a friendly way to provide a service to others;  In today's
Internet environment, and open redirector is every bit as "evil" as an open
SMTP relay - there is no way to prevent its abuse and it is a "screaming"
invitation to all spammers - "use me, I'll help you!".  Just as people seek
out and blacklist SMTP relays, someone should for HTTP redirectors,  If Chris
makes such a list available, I will quickly adopt and use it (and recommend
that everyone else does to).

	Unfortunately, the world has changed - what was being friendly is
now being abusive;  It is not a change for the better, it just *is*.

	Paul Shupak
	track at plectere.com

More information about the Discuss mailing list