l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2003 Sep 26 22:19

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] OT: one of the most pernicious spams i've ever seen.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] OT: one of the most pernicious spams i've ever seen.

On Thursday, Sep 25, 2003, at 11:23 US/Pacific, Rob Rogers wrote:
I see a couple other problems with this idea too. First, this is the
first phishing scheme I've seen that loaded the actual homepage. Most
just steal their logos.
Yes.. that was actually what got me thinking.. when image files
are loaded with a referrer that isn't "local" maybe they should be
replaced with fraud warnings. It's not 100% effective, and if it became
widespread then it would relatively easy to circumvent, but it would
probably prevent a few ID thefts.  While referrer is optional, it's
controlled by the browser, and the people most likely to fall for these
schemes are going to be running stock browsers without things like
privacy screening proxies that strip them out.

Secondly, I'm almost potitive that your browser
wouldn't send encoded characters in the referer. Your browser would have
already decoded them, and it would send them unencoded.
Why would your browser decode them?  The browser usually does nothing
with a URL except pass it unmodified to the server.  When I write log
processing scripts.. I have to decode them if I want to get consistent

As for usernames, I don't think your browser would EVER send that as
part of the referer.
Yet they are..  Along with the CGI arguments,  This was used a while
back to steal hotmail/webmail accounts.  Send somebody HTML email with
an <img> tag which gets fetched from a server you have access to, and
the referrer (used to) give you a fully functional URL into their
mailbox.  This has been fixed with almost all web-based email clients

 That would be a MAJOR security flaw.
And it has been exploited...

  -- Mitch

vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.