Posted to users@spamassassin.apache.org by "John D. Hardin" <jh...@impsec.org> on 2006/07/23 19:18:47 UTC

Google ad services redirector abuse

This wasn't detected as a redirector attack by 3.1.3, running
sa-update weekly:

---------- Forwarded message ----------
Return-Path: <we...@loudmusik.com>
X-Spam-DCC: _DCCB_: _DCCR_
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on ga.impsec.org
X-Spam-Level: ************
X-Spam-Status: Yes, score=12.5 required=5.0 tests=BAYES_50,FROM_SUBDOMAIN,
	HTML_MESSAGE,HTML_TITLE_EMPTY,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,
	NUMERIC_HTTP_ADDR,PHISH_02,RAZOR2_CF_RANGE_51_100,
	RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,SARE_FORGED_PAYPAL,
	SARE_FORGED_PAYPAL_C,SARE_HEXOCTDWORD autolearn=disabled version=3.1.3
X-Spam-Report: 
	*  0.2 FROM_SUBDOMAIN From address is a third-level domain
	*  0.5 PHISH_02 BODY: PayPal Phishing
	*  0.5 NUMERIC_HTTP_ADDR URI: Uses a numeric IP address in URL
	*  2.0 SARE_HEXOCTDWORD URI: Uses an encoded IP address
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
	*      [score: 0.5070]
	*  1.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	*  0.2 HTML_TITLE_EMPTY BODY: HTML title contains no text
	*  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
	*  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
	*      above 50%
	*      [cf: 100]
	*  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
	*      [cf: 100]
	*  0.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME
	*      headers
	*  4.0 SARE_FORGED_PAYPAL Message appears to be forged, (paypal.com)
	*  1.3 SARE_FORGED_PAYPAL_C Has Paypal from, no Paypal received header.
Received: from mail.loudmusik.com ([202.75.40.94])
	by ga.impsec.org (8.13.7/8.13.6) with ESMTP id k6NCAb0t005144
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <jh...@impsec.org>; Sun, 23 Jul 2006 05:10:54 -0700
Date: Sun, 23 Jul 2006 19:38:08 +0800
Message-Id: <20...@mail.loudmusik.com>
X-Authentication-Warning: mail.loudmusik.com: eugene set sender to
    webmaster@loudmusik.com using -f
To: jhardin@impsec.org
Subject: [SPAM] Verify your new email address
From: PayPal <su...@email.paypal.com>
Content-Type: text/html
Received-SPF: none (ga.impsec.org: domain of webmaster@loudmusik.com does not
    designate permitted sender hosts)
X-Spam-Prev-Subject: Verify your new email address

{snippage}

<a target="_parent"
href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click
here to cancel your new email 
address</a>

---------- End Forwarded message ----------

I'm not familiar with testing redirector_pattern rules, but here's a starting point:

describe REDIR_URL_06 Uses Google redirector
uri      REDIR_URL_06 /https?:\/\/www\.google\.com\/pagead\/iclk\?\S{1,300}\&adurl=https?:\/\//i
score    REDIR_URL_06 1.0

redirector_pattern      /^https?:\/\/www\.google\.com\/pagead\/iclk\?\S{1,300}\&adurl=(https?:\/\/.*)$/i

Comments solicited.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 So Microsoft's invented the ASCII equivalent to ugly ink spots that
 appear on your letter when your pen is malfunctioning.
         -- Greg Andrews, about Microsoft's way to encode apostrophes
----------------------------------------------------------------------
 Tomorrow: The 37th anniversary of Apollo 11 landing on the Moon



Re: Google ad services redirector abuse

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jeff Chan wrote:
> On Monday, July 24, 2006, 1:34:35 AM, Daryl O'Shea wrote:
>> Being a simple visible redirector, SA actually does detect it:
> 
>> [7375] dbg: uri: cleaned html uri, 
>> http://1092229727:9999/https-www.paypal.com/webscrr/index.php
>> [7375] dbg: uri: html domain, google.com
> 
> 
>> The problem is that SA doesn't then go on to do checks on the IP 
>> 1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it would 
>> if it was in dotted-quad notation.  Thus the hit on Sorbs' DUHL is avoided.
> 
>> This is definitely a bug.  Please open a bug report and attach a
>> complete sample to the bug.
>>
>> http://issues.apache.org/SpamAssassin/
> 
> Note that we also blacklist phish site IPs on SURBLs, when they
> appear as IPs.  In this case I blacklisted 1092229727 as
> 65.26.26.95, so hopefully any SA patch checks these in terms of
> dotted quad and not 1092229727.  Arguments could probably be
> made for checking either, but for SURBLs, IPs are expected to be
> dotted quads only.

Yeah, the dotted quad would be checked against SURBLs too.  I just 
mentioned Sorbs' DUHL since it was the only one I got a hit on 
65.26.26.95 from.

Daryl

Re: Google ad services redirector abuse

Posted by Jeff Chan <je...@surbl.org>.
On Monday, July 24, 2006, 1:34:35 AM, Daryl O'Shea wrote:
> Being a simple visible redirector, SA actually does detect it:

> [7375] dbg: uri: cleaned html uri, 
> http://1092229727:9999/https-www.paypal.com/webscrr/index.php
> [7375] dbg: uri: html domain, google.com


> The problem is that SA doesn't then go on to do checks on the IP 
> 1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it would 
> if it was in dotted-quad notation.  Thus the hit on Sorbs' DUHL is avoided.

> This is definitely a bug.  Please open a bug report and attach a
> complete sample to the bug.
> 
> http://issues.apache.org/SpamAssassin/

Note that we also blacklist phish site IPs on SURBLs, when they
appear as IPs.  In this case I blacklisted 1092229727 as
65.26.26.95, so hopefully any SA patch checks these in terms of
dotted quad and not 1092229727.  Arguments could probably be
made for checking either, but for SURBLs, IPs are expected to be
dotted quads only.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: [SPAM] Re: Google ad services redirector abuse

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
John D. Hardin wrote:
> On Mon, 24 Jul 2006, Daryl C. W. O'Shea wrote:

> I assume that means the redirector_pattern I suggested is not
> necessary?

Right.  Anything that would match (https?:\/\/.*) is already taken care 
of by SA internally.


>> The problem is that SA doesn't then go on to do checks on the IP
>> 1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it
>> would if it was in dotted-quad notation.  Thus the hit on Sorbs'
>> DUHL is avoided.
>>
>> This is definitely a bug.  Please open a bug report and attach a
>> complete sample to the bug.
> 
> roger wilco.

Thanks.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5006


Daryl

Re: [SPAM] Re: Google ad services redirector abuse

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 24 Jul 2006, Daryl C. W. O'Shea wrote:

> > <a target="_parent"
> > href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click
> > here to cancel your new email 
> > address</a>
> 
> Being a simple visible redirector, SA actually does detect it:
> 
> [7375] dbg: uri: cleaned html uri, 
> http://1092229727:9999/https-www.paypal.com/webscrr/index.php
> [7375] dbg: uri: html domain, google.com

Ah, good.

I assume that means the redirector_pattern I suggested is not
necessary?

> The problem is that SA doesn't then go on to do checks on the IP
> 1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it
> would if it was in dotted-quad notation.  Thus the hit on Sorbs'
> DUHL is avoided.
> 
> This is definitely a bug.  Please open a bug report and attach a
> complete sample to the bug.

roger wilco.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 To prevent conflict and violence from undermining development,
 effective disarmament programmes are vital...
                      -- the UN, who "doesn't want to confiscate guns"
-----------------------------------------------------------------------
 Today: The 37th anniversary of Apollo 11 landing on the Moon


Re: Google ad services redirector abuse

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
John D. Hardin wrote:
> This wasn't detected as a redirector attack by 3.1.3, running
> sa-update weekly:

> {snippage}
> 
> <a target="_parent"
> href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click
> here to cancel your new email 
> address</a>


Being a simple visible redirector, SA actually does detect it:

[7375] dbg: uri: cleaned html uri, 
http://1092229727:9999/https-www.paypal.com/webscrr/index.php
[7375] dbg: uri: html domain, google.com


The problem is that SA doesn't then go on to do checks on the IP 
1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it would 
if it was in dotted-quad notation.  Thus the hit on Sorbs' DUHL is avoided.

This is definitely a bug.  Please open a bug report and attach a 
complete sample to the bug.

http://issues.apache.org/SpamAssassin/


Daryl
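The two mechanics the thread turns on, unwrapping the visible adurl redirector and canonicalising the dword host 1092229727 to the dotted quad 65.26.26.95 before any DNSBL/SURBL lookup, as an added Python example that is not SpamAssassin's or the SARE rules' own code. It assumes the href quoted above with the opaque ai token replaced by a placeholder, and the DNSBL zone name is a placeholder, not a real list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the href quoted in the thread, with the opaque "ai"
# token replaced by a placeholder (assumption: it does not affect the target).
SAMPLE_HREF = ("http://www.google.com/pagead/iclk?sa=l&ai=PLACEHOLDER_TOKEN&num=5"
               "&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php")

REDIRECTOR_RE = re.compile(r"^https?://www\.google\.com/pagead/iclk\?", re.I)

def unwrap_redirector(url):
    """Return the adurl target of a Google pagead/iclk redirector, or None."""
    if not REDIRECTOR_RE.match(url):
        return None
    targets = parse_qs(urlsplit(url).query).get("adurl")
    return targets[0] if targets else None

def host_to_dotted_quad(host):
    """Canonicalise a dword/hex/octal/short-dotted IPv4 host (inet_aton style)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0x[0-9a-f]+", p, re.I):
            values.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]+", p):
            values.append(int(p, 8))
        elif re.fullmatch(r"[0-9]+", p):
            values.append(int(p, 10))
        else:
            return None          # a real hostname label, not an IP
    last = values.pop()          # the last component fills the remaining bytes
    n_rest = 4 - len(values)
    if any(v > 255 for v in values) or last >= 256 ** n_rest:
        return None
    tail = [(last >> (8 * i)) & 0xFF for i in reversed(range(n_rest))]
    return ".".join(str(o) for o in values + tail)

def redirect_target_ip(url):
    """Unwrap the redirector and return its target host as a dotted quad, or None."""
    target = unwrap_redirector(url)
    host = urlsplit(target).hostname if target else None  # drops the :9999 port
    return host_to_dotted_quad(host) if host else None

def dnsbl_query_name(dotted_quad, zone):
    """Reverse the octets and append the list zone, e.g. 95.26.26.65.<zone>."""
    return ".".join(reversed(dotted_quad.split("."))) + "." + zone
```

The dotted-quad result is what a SURBL or DUHL lookup would be keyed on, which is the normalisation the thread says SA 3.1.3 skipped for the dword form.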