OT [Mimedefang] Big spam

Chris Myers chris at by-design.net
Wed Nov 19 10:04:58 EST 2003

----- Original Message ----- 
From: "Andrew J Caird" <andrew.caird at fccc.edu>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Wednesday, November 19, 2003 8:11 AM
Subject: Re: [Mimedefang] Big spam

> > While I'm writing, here's an interesting new URL obfuscation in
> > another spam seen today.  We've all seen the gimmick with @.  I've
> > never seen * before.  The effective URL is what's after the *.
> >
> > <a href="http://srd.yahoo.com/drst/bleeker/*http://www.8u7hb.com/in/">
>   I wonder how long Yahoo will let people use their redirect service for
>   such purposes, and how they will prevent it's abuse (perhaps requiring a
>   certain referrer tag?).

Oh, and just to make it even better, the portion of the URL between /dsrt/
the '*' is ignored.  Can you say "this redirector supports hashbusting?"

<a href="http://srd.yahoo.com/drst/polarimeter/*http://www.larg4we.com/in">

<a href="http://srd.yahoo.com/drst/teat/*http://www.8u7hb.com/in/">

[gee, a broken spam tool that didn't perform a substitution]

And my personal favorite from this month's spam:

<a href=3Dhttp://srd.yahoo.com/drst/39/*http:/=
324/  >

A SpamAssassin rule matching http://srd.yahoo.com/drst in message bodies
seems appropriate:

uri LOCAL_YAHOO_REDIR /https?:\/\/srd.yahoo.com\/drst/i
describe LOCAL_YAHOO_REDIR Message uses Yahoo to obfuscate real URL in link

More information about the MIMEDefang mailing list