Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/04/28 00:46:32 UTC

Simon's complex redirection

Simon Byrnand writes:
> Just spotted the following redirected URL in a spam. Doesn't look like it
> will be getting caught yet with the current redirector rules:
> 
> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
> 
> Using images.google.ca as a redirector? That's a new one.... I'm not game
> to click on the link to see where it goes though... it's from the same
> spammer that was blatantly abusing the yahoo redirectors and msn ones...

it might work.  I won't check where it goes, just in case it confirms
your addr or similar ;)

it's a 3-level redirect:

    http://images.google.ca/imgres , redirecting to
    http://www.google.com/url , redirecting to
    http://www.google.com/url , encoded, redirecting to
    the real URL, encoded.

kind of pointless, since it's caught. (or should be at least.)
spamassassin -D -t gives:

debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
debug: uri found: http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
debug: uri found: http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
debug: uri found: http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32

It's double-encoded.  We can catch that easily.  But first, my question --
does this *work* in an MUA, ie. should we?  Simon, could you try it?

> Is this a sign that the current system used in SpamCopURI (checking HTTP
> responses of specifically mentioned redirectors) is just going to play
> catchup all the time ?

not this one, no ;)   it's handy though, they've tipped their hand
on this trick.

--j.

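The three-level unwrap Justin describes, written out as a defender-side check (this is an added example, not SpamAssassin's own URI code): it peels a known redirector or framer one hop at a time, percent-decodes the carried target until it stops changing so double encoding does not hide the last hop, and returns every hostname on the chain for a URI-blocklist lookup. The redirector table, the sample URL and the helper names are assumptions constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed table for this example: (host, path) of a known open
# redirector or framer -> the query parameter that carries the real target.
# Google's /imgres is the "framer" case from the thread; /url is a redirector.
REDIRECTORS = {
    ("images.google.ca", "/imgres"): "imgrefurl",
    ("images.google.com", "/imgres"): "imgrefurl",
    ("www.google.com", "/url"): "q",
}

# The URL from Simon's spam, reproduced here as constructed sample input.
SPAM_URL = (
    "http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg"
    "&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q="
    "%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32"
)

def decode_fully(s, limit=5):
    """Percent-decode until the string stops changing, so a target that was
    encoded two or three times still comes out as plain text."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def unwrap_redirects(url, max_depth=10):
    """Return the URL chain, outermost first, ending at the real target
    (or at the first hop that is not a known redirector)."""
    chain = [url]
    for _ in range(max_depth):
        parts = urlsplit(url)
        param = REDIRECTORS.get((parts.hostname, parts.path))
        if param is None:
            break
        # parse_qsl splits only on '&' and the first '=', so an inner URL that
        # itself contains '?' and '=' survives intact; it also applies one
        # round of percent-decoding to each value.
        values = [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == param]
        if not values:
            break
        target = decode_fully(values[0])
        if not target.lower().startswith(("http://", "https://")):
            break
        chain.append(target)
        url = target
    return chain

def chain_hosts(url):
    """Every hostname seen along the chain, for lookup against a URI
    blocklist such as SURBL; the last entry is the spamvertised site."""
    return [urlsplit(u).hostname for u in unwrap_redirects(url)]
```

An inner URL that itself contains an unencoded `&` would be cut short by `parse_qsl`, which is exactly why spammers encode the innermost hop; the decode loop is what keeps that hop visible.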

New class of indirection? (Was: Fwd: Re: [SURBL-Discuss] Simon's complex redirection)

Posted by Jeff Chan <je...@surbl.org>.
This is a forwarded message
From: Patrik Nilsson
To: SURBL Discussion list
Date: Tuesday, April 27, 2004, 4:26:48 PM
Subject: [SURBL-Discuss] Simon's complex redirection

At 10:55 2004-04-28 +1200, Simon Byrnand wrote:
> > It's double-encoded.  We can catch that easily.  But first, my question --
> > does this *work* in an MUA, ie. should we?  Simon, could you try it?
>
> What you get is the image preview in google which consists of an image in
> the top frame, and the page that it came from in the bottom frame, and in
> the bottom frame was a link "click here for ......." so yes it definitely
> does work...

I guess this is a 'framer' rather than a redirector.
A url that points to a frameset that loads an external page specified in 
the query url in one of the frames.

For all practical purposes it's similar to a redirector, but with 
complications.

The http response code from a GET request using the url will not indicate 
that it's a redirector.

For a user loading the page in a browser, the address of the spamvertized 
website will not be visible in the location bar.

For some spammers, this would probably be preferred over traditional 
redirectors.

Patrik 


Re: Simon's complex redirection

Posted by David Ky <da...@unixtoys.com>.
It certainly doesn't work in SquirrelMail: It just throws me back to:
http://images.google.com/images

Of course, plugging in the URL to my browser (Mozilla Firebird) certainly
did the trick..

> On Tue, Apr 27, 2004 at 03:46:32PM -0700, Justin Mason wrote:
>> > http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
>
> eek!
>
>> It's double-encoded.  We can catch that easily.  But first, my question
>> --
>> does this *work* in an MUA, ie. should we?  Simon, could you try it?
>
> I don't know about an MUA, but it doesn't work in any browser I've tried
> so far.  You end up at http://images.google.com/images:
>
> Information returned from request (not including data):
> <Connection> = <Keep-Alive>
> <Content-Type> = <text/html>
> <Content-length> = <161>
> <Date> = <Tue, 27 Apr 2004 22:59:47 GMT>
> <Location> = <http://images.google.com/images>
> <Server> = <GWS/2.1>
> <Set-Cookie> =
> <PREF=ID=2342b69354b6a6f5:LD=en:TM=1083106787:LM=1083106787:S=4Q5Kb3zcm_6V0Tjm;
> expires=Sun,
> 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.ca>
> <code> = <301>
>
> --
> Randomly Generated Tagline:
> "...and scantily clad females, of course.  Who cares if it's below zero
>  outside"
>  (By Linus Torvalds)
>


Re: Simon's complex redirection

Posted by Theo Van Dinter <fe...@kluge.net>.
On Tue, Apr 27, 2004 at 03:46:32PM -0700, Justin Mason wrote:
> > http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32

eek!

> It's double-encoded.  We can catch that easily.  But first, my question --
> does this *work* in an MUA, ie. should we?  Simon, could you try it?

I don't know about an MUA, but it doesn't work in any browser I've tried
so far.  You end up at http://images.google.com/images:

Information returned from request (not including data):
<Connection> = <Keep-Alive>
<Content-Type> = <text/html>
<Content-length> = <161>
<Date> = <Tue, 27 Apr 2004 22:59:47 GMT>
<Location> = <http://images.google.com/images>
<Server> = <GWS/2.1>
<Set-Cookie> = <PREF=ID=2342b69354b6a6f5:LD=en:TM=1083106787:LM=1083106787:S=4Q5Kb3zcm_6V0Tjm; expires=Sun,
17-Jan-2038 19:14:07 GMT; path=/; domain=.google.ca>
<code> = <301>

-- 
Randomly Generated Tagline:
"...and scantily clad females, of course.  Who cares if it's below zero
 outside"
 (By Linus Torvalds)

Fwd: Re: [SURBL-Discuss] Simon's complex redirection

Posted by Jeff Chan <je...@surbl.org>.
This is a forwarded message
From: Simon Byrnand
To: "SURBL Discussion list"
Date: Tuesday, April 27, 2004, 3:55:18 PM
Subject: [SURBL-Discuss] Simon's complex redirection

> Simon Byrnand writes:
>> Just spotted the following redirected URL in a spam. Doesn't look like
>> it
>> will be getting caught yet with the current redirector rules:
>>
>> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
>>
>> Using images.google.ca as a redirector? That's a new one.... I'm not
>> game
>> to click on the link to see where it goes though... it's from the same
>> spammer that was blatantly abusing the yahoo redirectors and msn ones...
>
> it might work.  I won't check where it goes, just in case it confirms
> your addr or similar ;)

Well I've already clicked on it now to see what happens, so feel free to
click on it ;)

> it's a 3-level redirect:
>
>     http://images.google.ca/imgres , redirecting to
>     http://www.google.com/url , redirecting to
>     http://www.google.com/url , encoded, redirecting to
>     the real URL, encoded.
>
> kind of pointless, since it's caught. (or should be at least.)
> spamassassin -D -t gives:
>
> debug: uri found:
> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%70%61%67%65%2E%63%6F%6D%2F%6D%61%6E%67%65%72%33%32
> debug: uri found:
> http://images.google.ca/imgres?imgurl=gmib.free.fr/viagra.jpg&imgrefurl=http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
> debug: uri found:
> http://www.google.com/url?q=http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
> debug: uri found:
> http://www.google.com/url?q=http%3A%2F%2Fwww.expage.com%2Fmanger32
>
> It's double-encoded.  We can catch that easily.  But first, my question --
> does this *work* in an MUA, ie. should we?  Simon, could you try it?

What you get is the image preview in google which consists of an image in
the top frame, and the page that it came from in the bottom frame, and in
the bottom frame was a link "click here for ......." so yes it definitely
does work...

Regards,
Simon