Posted to users@spamassassin.apache.org by "John D. Hardin" <jh...@impsec.org> on 2006/07/24 16:19:20 UTC
Re: [SPAM] Re: Google ad services redirector abuse
On Mon, 24 Jul 2006, Daryl C. W. O'Shea wrote:
> > <a target="_parent"
> > href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click
> > here to cancel your new email
> > address</a>
>
> Being a simple visible redirector, SA actually does detect it:
>
> [7375] dbg: uri: cleaned html uri,
> http://1092229727:9999/https-www.paypal.com/webscrr/index.php
> [7375] dbg: uri: html domain, google.com
Ah, good.
I assume that means the redirector_pattern I suggested is not
necessary?
> The problem is that SA doesn't then go on to do checks on the IP
> 1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it
> would if it was in dotted-quad notation. Thus the hit on Sorbs'
> DUHL is avoided.
>
> This is definitely a bug. Please open a bug report and attach a
> complete sample to the bug.
roger wilco.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
To prevent conflict and violence from undermining development,
effective disarmament programmes are vital...
-- the UN, who "doesn't want to confiscate guns"
-----------------------------------------------------------------------
Today: The 37th anniversary of Apollo 11 landing on the Moon
Re: [SPAM] Re: Google ad services redirector abuse
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
John D. Hardin wrote:
> On Mon, 24 Jul 2006, Daryl C. W. O'Shea wrote:
> I assume that means the redirector_pattern I suggested is not
> necessary?
Right. Anything that would match (https?:\/\/.*) is already taken care
of by SA internally.
>> The problem is that SA doesn't then go on to do checks on the IP
>> 1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it
>> would if it was in dotted-quad notation. Thus the hit on Sorbs'
>> DUHL is avoided.
>>
>> This is definitely a bug. Please open a bug report and attach a
>> complete sample to the bug.
>
> roger wilco.
Thanks.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5006
Daryl
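
Added example (not part of the thread, and not SpamAssassin's own code): Python showing the normalization the bug above calls for. It turns a numeric URI host such as 1092229727 into dotted-quad form and builds the reversed name a DNSBL query would use. It goes beyond the single-integer case in the message to the hex, octal and shortened forms that inet_aton-style parsers accept; the function names and the zone "dnsbl.example" are placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One inet_aton-style component: 0x-prefixed hex, leading-0 octal, or decimal.
_NUM = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _to_int(part):
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_numeric_host(host):
    """Return the dotted-quad form of a numeric host, or None for a hostname."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUM.match(p) for p in parts):
        return None
    *head, last = [_to_int(p) for p in parts]
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def dnsbl_query_name(uri, zone):
    """Reversed-octet lookup name for the URI's host, or None if not numeric."""
    ip = normalize_numeric_host(urlsplit(uri).hostname or "")
    if ip is None:
        return None
    return ".".join(reversed(ip.split("."))) + "." + zone


# The cleaned URI from the debug output quoted in the thread.
CLEANED_URI = "http://1092229727:9999/https-www.paypal.com/webscrr/index.php"

if __name__ == "__main__":
    print(normalize_numeric_host("1092229727"))
    # "dnsbl.example" is a placeholder zone, not a real blocklist.
    print(dnsbl_query_name(CLEANED_URI, "dnsbl.example"))
```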