Posted to users@spamassassin.apache.org by "Rosenbaum, Larry M." <ro...@ornl.gov> on 2006/01/10 15:17:38 UTC

Another URL obfuscation

I found this obfuscated URL in a drug spam:

<A href=3D"http://gozifo> .upze5otbbutzanbb655k685ys5nn%2Eridgykh=
com"><FONT SIZE=3D2></FONT>


Larry R.


Re: Another URL obfuscation

Posted by Chris Lear <ch...@laculine.com>.
* Jeff Chan wrote (10/01/2006 15:42):
> On Tuesday, January 10, 2006, 6:17:38 AM, Larry Rosenbaum wrote:
>> I found this obfuscated URL in a drug spam:
> 
>> <A href=3D"http://gozifo> .upze5otbbutzanbb655k685ys5nn%2Eridgykh=
> com">><FONT SIZE=3D2></FONT>
> 
> Good grief, does any mail client actually parse that as a
> functional URI?

Yes. In your e-mail, my Thunderbird created a clickable link to
http://gozifo
My IE gives a DNS error when it tries that address.
My Firefox redirects to
http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=gozifo
which in turn redirects to http://www.vojir.com/other/basic-myebol.html
which gives a 404 error. It's probably possible to turn this
(mis)feature off in Firefox, but there it is by default.

I have no idea whether this is the original intention of the
obfuscation. I would guess not - and if it's viewed as html to start
with that might make a difference.

Chris

Re: Another URL obfuscation

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, January 10, 2006, 6:17:38 AM, Larry Rosenbaum wrote:
> I found this obfuscated URL in a drug spam:

> <A href=3D"http://gozifo> .upze5otbbutzanbb655k685ys5nn%2Eridgykh=
com">><FONT SIZE=3D2></FONT>

Good grief, does any mail client actually parse that as a
functional URI?

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Another URL obfuscation

Posted by Loren Wilton <lw...@earthlink.net>.
<A href=3D"http://gozifo> .upze5otbbutzanbb655k685ys5nn%2Eridgykh=
com"><FONT SIZE=3D2></FONT>

Ooooh, cute!  Breaks a lot of regex scanners that are looking for the end of
the href record!
First time I've seen those in html; I've been seeing them in plain text for
a week or two.

        Loren
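
Added example, not part of any post in this thread: a Python sketch of the scanner problem Loren describes, comparing a regex that treats `>` as the end of the href with an HTML attribute parser run over the quoted-printable-decoded body. The names `NAIVE_HREF`, `HrefCollector`, `analyze` and the flag strings are hypothetical, and the regex is an assumed stand-in for a scanner of that kind.

```python
import quopri
import re
from html.parser import HTMLParser

# The href from the thread, as it appears in the quoted-printable body.
SAMPLE_QP = (b'<A href=3D"http://gozifo> .upze5otbbutzanbb655k685ys5nn%2Eridgykh=\n'
             b'com"><FONT SIZE=3D2></FONT>')

# Hypothetical naive scanner: whitespace, '"' or '>' ends the URL.
NAIVE_HREF = re.compile(r'href="?(https?://[^\s">]+)', re.I)


class HrefCollector(HTMLParser):
    """Collects <a href> values using HTML attribute quoting rules."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def analyze(qp_body: bytes) -> dict:
    """Decode a quoted-printable HTML part and flag suspicious hrefs."""
    # Undo =3D escapes and "=\n" soft line breaks before looking at markup.
    html = quopri.decodestring(qp_body).decode("latin-1")
    collector = HrefCollector()
    collector.feed(html)
    collector.close()
    naive = NAIVE_HREF.findall(html)
    findings = []
    for href in collector.hrefs:
        host_part = href.split("://", 1)[-1].split("/", 1)[0]
        flags = []
        if re.search(r"[\s<>]", href):
            flags.append("whitespace-or-angle-bracket-in-href")
        if re.search(r"%2e", host_part, re.I):
            flags.append("percent-encoded-dot-in-host")
        if href not in naive:
            flags.append("naive-regex-disagrees")
        findings.append({"href": href, "flags": flags})
    return {"naive": naive, "findings": findings}


if __name__ == "__main__":
    print(analyze(SAMPLE_QP))
```

The regex stops at `http://gozifo`, the same string Thunderbird linked in Chris's test, while the attribute parser returns the whole quoted value; the disagreement is itself a usable signal.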