OT [Mimedefang] Big spam

Chris Myers chris at by-design.net
Wed Nov 19 10:04:58 EST 2003


----- Original Message ----- 
From: "Andrew J Caird" <andrew.caird at fccc.edu>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Wednesday, November 19, 2003 8:11 AM
Subject: Re: [Mimedefang] Big spam


> > While I'm writing, here's an interesting new URL obfuscation in
> > another spam seen today.  We've all seen the gimmick with @.  I've
> > never seen * before.  The effective URL is what's after the *.
> >
> > <a href="http://srd.yahoo.com/drst/bleeker/*http://www.8u7hb.com/in/">
>
>   I wonder how long Yahoo will let people use their redirect service for
>   such purposes, and how they will prevent its abuse (perhaps requiring a
>   certain referrer tag?).

Oh, and just to make it even better, the portion of the URL between /drst/
and the '*' is ignored.  Can you say "this redirector supports hashbusting?"

<a href="http://srd.yahoo.com/drst/polarimeter/*http://www.larg4we.com/in">

<a href="http://srd.yahoo.com/drst/teat/*http://www.8u7hb.com/in/">

<a
href=http://srd.yahoo.com/drst/$RANDOMIZE/*http://www.amazedhere1.com/topaz/
>
[gee, a broken spam tool that didn't perform a substitution]

And my personal favorite from this month's spam:

<a href=3Dhttp://srd.yahoo.com/drst/39/*http:/=
/www.gosausch=
mied.biz/vpr6=
324/  >

A SpamAssassin rule matching http://srd.yahoo.com/drst in message bodies
seems appropriate:

uri LOCAL_YAHOO_REDIR /https?:\/\/srd\.yahoo\.com\/drst/i
describe LOCAL_YAHOO_REDIR Message uses Yahoo to obfuscate real URL in link
score LOCAL_YAHOO_REDIR 2.0
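
Added example, not part of the original message or of MIMEDefang/SpamAssassin: a Python sketch that undoes the quoted-printable folding seen in the last sample, then pulls the effective URL (everything after the '*') out of each srd.yahoo.com/drst link so filtering can key on the real destination instead of the random filler. The function names and the .example sample links are assumptions constructed for illustration.

```python
import quopri
import re
from urllib.parse import urlsplit

# Host and path prefix as they appear in the samples quoted in the post.
REDIR_HOST = "srd.yahoo.com"
REDIR_PREFIX = "/drst/"

# href value: double-quoted, single-quoted, or bare (ends at whitespace or '>').
HREF_RE = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

# Constructed sample (placeholder .example domain), quoted-printable encoded
# the way the last spam in the post was: =3D for '=', '=' + newline soft breaks.
SAMPLE_QP = (
    b"<a href=3Dhttp://srd.yahoo.com/drst/39/*http:/=\n"
    b"/www.shop.exam=\nple/offer/  >\n"
    b'<a href=3D"http://srd.yahoo.com/drst/teat/*http://www.shop.example/offer/">\n'
    b'<a href=3D"http://www.example.org/">\n'
)


def decode_body(raw: bytes, quoted_printable: bool) -> str:
    """Undo quoted-printable folding so a split URL is whole before matching."""
    if quoted_printable:
        raw = quopri.decodestring(raw)
    return raw.decode("latin-1")


def redirect_targets(html: str):
    """Return (filler, target_host, target_url) for each redirector link."""
    hits = []
    for m in HREF_RE.finditer(html):
        url = next(g for g in m.groups() if g is not None).strip()
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != REDIR_HOST:
            continue
        if not parts.path.startswith(REDIR_PREFIX) or "*" not in url:
            continue
        filler = parts.path[len(REDIR_PREFIX):].split("*", 1)[0].rstrip("/")
        target = url.split("*", 1)[1]  # effective URL is what follows the '*'
        hits.append((filler, (urlsplit(target).hostname or "").lower(), target))
    return hits


if __name__ == "__main__":
    for filler, host, target in redirect_targets(decode_body(SAMPLE_QP, True)):
        print(f"filler={filler!r} target_host={host} target={target}")
```

Both sample links carry different filler but resolve to the same target host, which is the value worth scoring or blocklisting.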






