OT Re: [Mimedefang] Big spam
Chris Myers
chris at by-design.net
Wed Nov 19 09:50:25 EST 2003
----- Original Message -----
From: "Joseph Brennan" <brennan at columbia.edu>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Wednesday, November 19, 2003 8:00 AM
Subject: [Mimedefang] Big spam
> While I'm writing, here's an interesting new URL obfuscation in
> another spam seen today. We've all seen the gimmick with @. I've
> never seen * before. The effective URL is what's after the *.
>
> <a href="http://srd.yahoo.com/drst/bleeker/*http://www.8u7hb.com/in/">
[cc: to the Yahoo! security/abuse aliases, be careful when replying to this
message]

It looks like srd.yahoo.com/drst/bleeker is just an open-access HTTP
redirector:

server# telnet srd.yahoo.com 80
Trying 216.109.127.16...
Connected to srd.yahoo.akadns.net.
Escape character is '^]'.
GET http://srd.yahoo.com/drst/bleeker/*http://www.8u7hb.com/in/ HTTP/1.0
HTTP/1.0 302 RD
Location: http://www.8u7hb.com/in/

Trying again with a garbage URL:

server# telnet srd.yahoo.com 80
Trying 216.109.127.16...
Connected to srd.yahoo.akadns.net.
Escape character is '^]'.
GET http://srd.yahoo.com/drst/bleeker/*http://www.foo.com/ HTTP/1.0
HTTP/1.0 302 RD
Location: http://www.foo.com/

So, anything after the * is where you get redirected.

Yahoo apparently doesn't make an effort to validate how someone got to that
redirector.

Chris Myers
Networks By Design
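
Added example, not part of the original message and not MIMEDefang filter code: a stand-alone Python sketch of how a mail filter could list every host an href can lead to, so that URL blocklist checks see the host after the * (and the host after an @) instead of only the first host in the link. The names hosts_to_check and blocked, the flag strings, and the example.* hosts are assumptions made for illustration; it also flags an embedded URL that has no * in front of it.

```python
import re
from urllib.parse import urlsplit

# An absolute URL starting somewhere after the first one, optionally
# introduced by '*' as in the srd.yahoo.com link quoted in the message.
EMBEDDED = re.compile(r"(\*?)(https?://.+)", re.I | re.S)

def hosts_to_check(href, depth=0):
    """Return (hosts, flags): every host the link can lead to, outermost
    first, plus the obfuscation gimmicks that were recognised."""
    parts = urlsplit(href.strip())
    hosts, flags = [], []
    if parts.hostname:
        hosts.append(parts.hostname.lower())
    # '@' gimmick: what precedes '@' in the authority is userinfo, not a host,
    # so urlsplit already reports the host that follows it.
    if "@" in parts.netloc:
        flags.append("userinfo-before-@")
    # '*' gimmick: the redirector sends the client to whatever follows '*'.
    tail = parts.path + ("?" + parts.query if parts.query else "")
    m = EMBEDDED.search(tail)
    if m and depth < 5:  # bound redirector-inside-redirector nesting
        flags.append("url-after-*" if m.group(1) else "embedded-url")
        inner_hosts, inner_flags = hosts_to_check(m.group(2), depth + 1)
        hosts += inner_hosts
        flags += inner_flags
    return hosts, flags

def blocked(href, blocklist):
    """True when any host reachable through the link is on the blocklist."""
    hosts, _ = hosts_to_check(href)
    return any(h in blocklist for h in hosts)

# The first sample is the href quoted in the message; the rest are constructed.
SAMPLES = [
    "http://srd.yahoo.com/drst/bleeker/*http://www.8u7hb.com/in/",
    "http://www.example.com@spam.example.net/in/",
    "http://r.example.com/go?u=http://spam.example.net/",
    "http://www.example.org/plain/page.html",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(hosts_to_check(s), blocked(s, {"www.8u7hb.com", "spam.example.net"}))
```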