funsec mailing list archives
Re: New spammer tricks
From: "Larry Seltzer" <Larry () larryseltzer com>
Date: Thu, 13 Mar 2008 19:39:13 -0400
Yeah, Nick's right. Redirects through Yahoo have been a big deal for many many years. Google redirects are newer, but so is Google.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Nick FitzGerald
Sent: Thursday, March 13, 2008 6:41 PM
To: funsec () linuxbox org
Subject: Re: [funsec] New spammer tricks

rms () computerbytesman com wrote:
I haven't seen this trick used before. ...
You must not get, or at least look at much of your, spam...
... Some spammer is using Google to redirect to their own Web site. ...
Ancient. Been around for a long time, plus several variations including adwords, DoubleClick (now owned by Google) and such. Perhaps my favourite such trick is the "Google search URL with 'I'm feeling lucky' option" -- after ensuring that a search for some reasonably unique phrase on the target page, or just the domain name itself, has the target page as the first search result, spam out the search URL with Google's "I'm feeling lucky" option (the "btnI" URL parameter) which tells Google to redirect to the top search hit rather than display the search results list.

I reported this to John Graham-Cumming in July last year as a potential TSC entry, but he didn't add it to TSC until September: http://www.jgc.org/tsc.html (look for the "Are you feeling lucky, Sergey?" entry). Although I was fairly sure I'd heard of this being used earlier, a quick search at the time did not turn up earlier examples of spammers using it.

The fun thing about this one is that a high-profile site can easily subvert it, resulting in an effective, remote and fully hands-off "take-down", as Bojan Zdrnja noted in an update to his ISC Diary blog entry about the phenomenon: http://isc.sans.org/diary.html?date=2007-09-21
... Lots of Web sites offer redirector URLs which can be used by the spammers. Tinyurl and similar services would be another obvious choice.
In my experience, tinyurl.com is pretty responsive to abuse reports, whereas Google, DoubleClick, etc are not. Google did fix the then well-known and heavily-used "url?q=<target_url>" redirector, but most of their other open redirectors are directly tied to their revenue generation business and re-writing their whole infrastructure to fix that is either taking longer or has been deemed not worth the effort, so the spammers have moved to using all those other open redirectors.
I'm also starting to get spam messages that place HTML Web pages in attached Zip files to avoid spam filters. So far, none of the Web pages appear to be malicious.
Yeah -- this seemed to start about a week to ten days ago and aside from avoiding message content spam filters, I'm not sure it buys the spammers a lot. Is there a common MUA out there that makes viewing the HTML content of these attachments really, really easy?

I have seen password-protected ZIP attachment spam with directions in the message body that the attachment contains links to porn and that you should only "unlock" the attachment with the provided password and read its contents if you are of a legal age to view porn where you live and only if viewing porn is not otherwise illegal. The difference was that the message made it fairly clear what you would, ahem, "gain" from opening the attachment.

This latest batch of non-encrypted ZIP attachment spam doesn't seem, to me, to have quite such a clear message, with very minimalist spams typically, in the ones I've seen, like:

  Subject: Don't get left behind, get it

  Feel and smell more sexy to women
  Details attached

  Subject: Master in bed games

  Take her to seven heaven
  Details attached

So I'm not sure that there is that much of a hook to the spammers' potential customers...

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
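Added example, not code from the thread or from any list member: a small Python triage check that a mail filter could run to flag the two redirector patterns Nick describes, the Google search URL carrying the "btnI" ("I'm feeling lucky") parameter and the older "url?q=<target_url>" form. The Google host pattern and the sample message body are constructed assumptions for the demo.

```python
"""Flag mail-body URLs that use the open-redirector patterns Nick describes:
Google's "I'm feeling lucky" search URL (btnI) and the old url?q= form."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed host shape: google.<tld> or google.<tld>.<cc>, optional www.
GOOGLE_HOST_RE = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$")


def classify_redirector(url: str) -> Optional[str]:
    """Return a short reason if the URL is a Google redirector, else None."""
    parts = urlparse(url)
    host = parts.netloc.lower().split(":")[0]  # drop any explicit port
    if not GOOGLE_HOST_RE.match(host):
        return None
    # keep_blank_values: a bare "btnI" with no value still triggers the redirect
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path == "/url" and "q" in params:
        # The url?q= form carries the destination verbatim in the query string.
        return "url?q= redirector -> " + params["q"][0]
    if parts.path == "/search" and "btnI" in params:
        # btnI makes Google redirect to the top hit for the query instead of
        # showing results; the spammer has arranged for that hit to be theirs.
        query = params.get("q", [""])[0]
        return "I'm feeling lucky redirect for query " + repr(query)
    return None


def scan_message(body: str) -> List[Tuple[str, str]]:
    """Return (url, reason) pairs for every redirector-style URL in the body."""
    findings = []
    for url in URL_RE.findall(body):
        reason = classify_redirector(url)
        if reason is not None:
            findings.append((url, reason))
    return findings


# Constructed sample body: one btnI URL, one url?q= URL, one ordinary link.
SAMPLE_BODY = """http://www.google.com/search?q=some+unique+phrase&btnI
http://www.google.com/url?q=http://example.invalid/landing
http://www.example.org/unsubscribe
"""

if __name__ == "__main__":
    for url, reason in scan_message(SAMPLE_BODY):
        print(url, "=>", reason)
```

A hit on the btnI form does not tell you the destination without performing the search, so in practice it is a reason to hold or score the message rather than proof of where the link lands.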
Current thread:
- New spammer tricks rms (Mar 13)
- Re: New spammer tricks Nick FitzGerald (Mar 13)
- Re: New spammer tricks Larry Seltzer (Mar 13)
- Re: New spammer tricks Nick FitzGerald (Mar 13)