Posted to users@spamassassin.apache.org by David B Funk <db...@engineering.uiowa.edu> on 2005/07/26 19:13:04 UTC

New open http redirector?

Got a spam that contains what appears to be an open http
redirector that is new to me:
http://adserver.adtech.de/?adlink|2.0|340|436977|1|16|AdId=323398;BnId=1;link=target.com
(where 'target.com' is the spammer site).
Anybody know anything about this?


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: New open http redirector?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Raymond Dijkxhoorn wrote:
> Hi!
> 
>> http://adserver.adtech.de/?adlink|2.0|340|436977|1|16|AdId=323398;BnId=1;link=target.com 
>>
>> (where 'target.com' is the spammer site).
>> Anybody know anything about this?
> 
> 
> I mailed their abuse dept but it seems they don't care. They are abused by 
> spammers by running an open redirector.
> 
> This is going on a short week now and since then we have spotted a 
> gazillion of them.
> 
> It's the same guys that also abused the zdnet.com, internet.com and 
> nate.com redirs (remember those?)
> 
> I throw them out:
> 
> uri PROLO_REDIR_ADTECH_CHECK1 /^http:\/\/adserver\.adtech\.de\//
> score PROLO_REDIR_ADTECH_CHECK1  8.0
> describe PROLO_REDIR_ADTECH_CHECK1 PROLO_REDIR-ADTECH CHECK, Body

Note that the adforce.adtech.de also works (it's the A record for the 
adserver CNAME).

SA 3.1 users can use the following redirector pattern (all on one line) 
to determine the target domain:

redirector_pattern /^http:\/\/(?:.*\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i


Daryl
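
Added example, not part of the post above and not SpamAssassin's own code: Daryl's pattern transcribed to Python to show which URIs it matches and what the capture group yields as the target host. The helper names and every sample line except the URL quoted in the thread are constructed.

```python
import re
from urllib.parse import urlsplit

# Pattern from the post above; group 1 is the target carried in link=.
ADTECH_REDIR = re.compile(
    r"^http://(?:.*\.)?adtech\.de/.*(?:;|\|)link=(.*?)(?:;|$)", re.I
)

def redirect_target(uri):
    """Return the host hidden behind an adtech.de redirector URI, or None."""
    m = ADTECH_REDIR.search(uri.strip())
    if not m or not m.group(1):
        return None
    target = m.group(1)
    # The thread's sample carries a bare domain; a full URL is an assumed variant.
    if "://" not in target:
        target = "http://" + target
    try:
        host = urlsplit(target).hostname
    except ValueError:  # malformed target, e.g. unbalanced IPv6 brackets
        return None
    return host.lower() if host else None

def targets_in(text):
    """Collect distinct redirect targets from whitespace-separated URIs."""
    found = []
    for token in text.split():
        host = redirect_target(token)
        if host and host not in found:
            found.append(host)
    return found

# Constructed sample: line 1 is the URL from the thread, the rest are variants
# (adforce host in upper case, no link= parameter, https scheme).
SAMPLE = """
http://adserver.adtech.de/?adlink|2.0|340|436977|1|16|AdId=323398;BnId=1;link=target.com
HTTP://ADFORCE.ADTECH.DE/?adlink|2.0|340|1|1|16|AdId=1;link=http://Target.example/p;x=1
http://adserver.adtech.de/?adlink|2.0|340|436977|1|16|AdId=323398;BnId=1
https://adserver.adtech.de/?adlink|2.0|1|1|1|16|AdId=1;link=other.example
"""

if __name__ == "__main__":
    print(targets_in(SAMPLE))
```

The pattern is anchored on `http://`, so the `https://` line is not matched; the extracted host is what a URI blocklist lookup would then be run against.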


RE: New open http redirector?

Posted by Herb Martin <He...@learnquick.com>.
> From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net] 
> > http://adserver.adtech.de/?adlink|2.0|340|436977|1|16|AdId=323398;BnId=1;link=target.com
> > (where 'target.com' is the spammer site).
> > Anybody know anything about this?
> 
> I mailed their abuse dept but it seems they don't care. They 
> are abused by spammers by running an open redirector.
> 
> This is going on a short week now and since then we have 
> spotted a gazillion of them.

Is there a list somewhere?  Better a file of them for 
SpamAssassin?

Grep'ing my rules shows that 72_sare_redirect_post3.0.0.cf
has a few for MSN, Yahoo, Google (and double Google) but 
there aren't that many and yours was (I believe) one without
a rule.  THANKS!


> It's the same guys that also abused the zdnet.com, 
> internet.com and nate.com redirs (remember those?)
> 
> I throw them out:
> 
> uri PROLO_REDIR_ADTECH_CHECK1 /^http:\/\/adserver\.adtech\.de\//
> score PROLO_REDIR_ADTECH_CHECK1  8.0
> describe PROLO_REDIR_ADTECH_CHECK1 PROLO_REDIR-ADTECH CHECK, Body

I suggest a case-insensitive /i switch on the regex.

Checking https:// , this site does not seem to support
ssl (but that might not be true for all such relays.)

--
Herb Martin


Re: New open http redirector?

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> http://adserver.adtech.de/?adlink|2.0|340|436977|1|16|AdId=323398;BnId=1;link=target.com
> (where 'target.com' is the spammer site).
> Anybody know anything about this?

I mailed their abuse dept but it seems they don't care. They are abused by 
spammers by running an open redirector.

This is going on a short week now and since then we have spotted a 
gazillion of them.

It's the same guys that also abused the zdnet.com, internet.com and 
nate.com redirs (remember those?)

I throw them out:

uri PROLO_REDIR_ADTECH_CHECK1 /^http:\/\/adserver\.adtech\.de\//
score PROLO_REDIR_ADTECH_CHECK1  8.0
describe PROLO_REDIR_ADTECH_CHECK1 PROLO_REDIR-ADTECH CHECK, Body

Bye,
Raymond.



Re: New open http redirector?

Posted by Kai Schaetzl <ma...@conactive.com>.
Kai Schaetzl wrote on Tue, 26 Jul 2005 23:31:23 +0200:

> It does. I sent a mail to them in German now. Let's see.

Got a reply that they know about the problem and are working on a 
solution. Just their words ;-)

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org




Re: New open http redirector?

Posted by jdow <jd...@earthlink.net>.
From: "Kai Schaetzl" <ma...@conactive.com>

> Duncan Hill wrote on Tue, 26 Jul 2005 21:00:53 +0100:
>
> > I know I've reported ~20 into Spamcop, and Spamcop has indicated 'sent mail to
> > contact@adtech.de'.  Haven't actually tested it recently to see if it still
> > works.
>
> It does. I sent a mail to them in German now. Let's see.
>
> Kai

<snicker> Remind them of what Russians do about egregious spammers.

{^_-}



Re: New open http redirector?

Posted by Kai Schaetzl <ma...@conactive.com>.
Duncan Hill wrote on Tue, 26 Jul 2005 21:00:53 +0100:

> I know I've reported ~20 into Spamcop, and Spamcop has indicated 'sent mail to 
> contact@adtech.de'.  Haven't actually tested it recently to see if it still 
> works.

It does. I sent a mail to them in German now. Let's see.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org




Re: New open http redirector?

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Tuesday 26 July 2005 18:13, David B Funk wrote:
> Got a spam that contains what appears to be an open http
> redirector that is new to me:
> http://adserver.adtech.de/?adlink|2.0|340|436977|1|16|AdId=323398;BnId=1;link=target.com
> (where 'target.com' is the spammer site).
> Anybody know anything about this?

I know I've reported ~20 into Spamcop, and Spamcop has indicated 'sent mail to 
contact@adtech.de'.  Haven't actually tested it recently to see if it still 
works.