[Mimedefang] Browser Bug: Very bad in IE and varies on Netscape and Mozilla

scuba at centroin.com.br scuba at centroin.com.br
Fri Dec 26 14:26:29 EST 2003


Hi,

        Looking at my logs I realized that this URI is matched with the SA
rule in 20_uri_tests.cf:

uri HTTP_ESCAPED_HOST  /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST        Uses %-escapes inside a URL's hostname

        Isn't it just a case of increasing the score?

- Marcelo

On Fri, 19 Dec 2003, Kevin A. McGrail wrote:

|WARNING: There is documentation of a scam in this document.  Read the
|document, don't feel the need to click on things!
|
|Not to alarm everyone, but I feel that there is a bug/scam that more people
|need to know about that I found out about last week.  This bug causes some
|browsers, notably Internet Explorer but ALSO AFFECTING NETSCAPE AND MOZILLA
|TO SOME EXTENT, to parse web links incorrectly and allow a person to nearly
|perfectly cover up the fact that they are redirecting you to a different
|link.
|
|I believe this bug should be identifiable in SpamAssassin but I have seen a
|few different techniques and I am not 100% sure what the bug is!  Something
|akin to this (tested but I don't make a lot of rules):
|
|# This rule is to mark emails using the exploit of the URI parsing
|uri KAM_URIPARSE       /\%01\@/i
|describe KAM_URIPARSE    Attempted use of URI bug.  Very high probability of
|fraud.
|score KAM_URIPARSE     7.00
|
|This trick is so good, it even tricks popup blockers such as google's
|toolbar.
|
|As an example, using a link such as the one below will LOOK like you are
|going to paypal.com but in fact you are going to netcbc.net/paypal (this is
|a REAL fraud website so don't go using it).
|
|http://www.paypal.com%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01@netcbc.net/paypal/
|
|I found out about this problem late last week and was hoping Microsoft would
|have it patched before I had to write this note.
|
|Unfortunately, it is still not patched to the best of my knowledge on
|December 19th over a week later.  Additionally, on December 17th, I was
|forwarded a copy of one of the emails using this technique to fraudulently
|gather information.  This technique called "Phishing" has been around for a
|while but this bug will make even expert users fall prey to this trick.
|
|I would recommend forwarding this information to people you feel can
|properly handle the information but I think this is going to very quickly
|become the largest scam tool on the internet.
|
|Regards,
|KAM
|
|_______________________________________________
|Visit http://www.mimedefang.org and http://www.canit.ca
|MIMEDefang mailing list
|MIMEDefang at lists.roaringpenguin.com
|http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
|


- Marcelo
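The thread above hinges on one fact about URL syntax: everything between `//` and the last `@` in the authority is userinfo, not the hostname, so a long run of `%01` escapes lets a link that visually starts with `www.paypal.com` resolve somewhere else. The following is an added example, not code from the thread or from SpamAssassin: it transcribes the two SA rules quoted in the thread into Python regexes and, beside them, splits the URI the way RFC 3986 specifies to report the apparent host versus the host the browser actually connects to. The function names, the `phish.example`/`files.example` hosts and the "deceptive" heuristic are all constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# The two SpamAssassin rules quoted in the thread, transcribed to Python regexes.
# HTTP_ESCAPED_HOST fires on any %XX escape in the authority (userinfo or host);
# KAM_URIPARSE fires on the specific "%01@" sequence the post describes.
SA_RULES = {
    "HTTP_ESCAPED_HOST": re.compile(r"^https?://[^/\s]*%[0-9a-fA-F]{2}"),
    "KAM_URIPARSE": re.compile(r"%01@", re.IGNORECASE),
}

# Constructed sample links; phish.example / files.example are placeholders.
SAMPLE_URIS = [
    "http://www.paypal.com%01%01%01@phish.example/paypal/",  # the trick in the post
    "http://www.paypal.com/",                                 # ordinary link
    "http://user:pass@files.example/x",                       # legitimate userinfo
    "http://www.paypal.com%2ephish.example/",                 # escape inside the host
]


def sa_rule_hits(uri: str) -> list[str]:
    """Return the names of the quoted SA rules that match this URI."""
    return [name for name, rx in SA_RULES.items() if rx.search(uri)]


def analyze_uri(uri: str) -> dict:
    """Split the URI per RFC 3986 and report what a reader is shown versus
    where the browser actually connects (hypothetical helper)."""
    parts = urlsplit(uri)
    authority = parts.netloc
    # What a reader skimming the link sees: the authority up to the first
    # escape, port separator or userinfo separator.
    apparent_host = re.split(r"[%@:]", authority, maxsplit=1)[0]
    # RFC 3986: userinfo is everything before the last "@" in the authority.
    userinfo = authority.rpartition("@")[0] if "@" in authority else ""
    decoded_userinfo = unquote(userinfo)
    control_chars = sum(
        1 for c in decoded_userinfo if ord(c) < 0x20 or ord(c) == 0x7F
    )
    real_host = parts.hostname or ""
    escapes_in_host = "%" in real_host
    # Heuristic (constructed, not SpamAssassin's): the deception needs userinfo
    # that looks like a hostname or hides the real host behind non-printing
    # bytes, or %-escapes inside the host itself.
    deceptive = (
        bool(userinfo) and (control_chars > 0 or "." in decoded_userinfo)
    ) or escapes_in_host
    return {
        "apparent_host": apparent_host,
        "real_host": real_host,
        "userinfo": userinfo,
        "control_chars_in_userinfo": control_chars,
        "escapes_in_host": escapes_in_host,
        "deceptive": deceptive,
        "sa_hits": sa_rule_hits(uri),
    }


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        r = analyze_uri(uri)
        print(f"{uri[:48]:<48} shown={r['apparent_host']:<16} "
              f"real={r['real_host']:<32} deceptive={r['deceptive']} "
              f"rules={r['sa_hits']}")
```

Run as a script, the first sample reports `www.paypal.com` as the apparent host and `phish.example` as the real one, with both quoted rules firing; the third sample shows why scoring on "has userinfo" alone would be too blunt, since `user:pass@` is legitimate syntax; the fourth shows that HTTP_ESCAPED_HOST is the broader of the two rules, catching escapes in the host proper that KAM_URIPARSE ignores. Current browsers no longer render userinfo the way the 2003 bug did, but the syntax is still valid, so a mail filter should keep comparing the displayed text with `hostname` rather than trusting the start of the string.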