Re: [vox-tech] OT: one of the most pernicious spams i've ever seen.
On Thursday, Sep 25, 2003, at 21:53 US/Pacific, Rob Rogers wrote:
> Which is quite easy to do, is done frequently via .htaccess, and doesn't
> work in 99.9% of these cases because they're being served off of the
> fake webserver, not linked directly from the real one.
I have seen several where the images are fetched from the "official" server,
though it'd be trivial to serve up copies from a fake server, and it's
probably not worth the overhead of pattern matching given the larger number
of images typically served, and the relatively low effectiveness.
I always used to track these down and forward them to the appropriate
fraud/abuse mailboxes, but it never seemed to do any good, and I got
zero feedback, so I don't bother any more. I just tell everybody I know
that they should never believe this stuff (no matter how authentic looking),
and hope that increased savvy/skepticism will help mitigate the damage.
> This much your browser would have to decode to do a DNS lookup, and I've
> never seen a browser show it encoded. Whether or not it sends it encoded
> in the referer, I can't speak with any authority, but I highly doubt it
> does. As for anything after the servername and/or port #, I realize it
> does send that encoded. I apologize for not making myself clear at first.
According to my tests (Apache server, IE 5.0.x on Win2K, and Safari 1.0
on MacOS X 10.2.8), it does strip out username:password@, but leaves the
%xx escapes in place in the server name for the referrer. They must
decode it to do the DNS lookup, but neither appears to rewrite the URL.
> The only Hotmail exploits I've seen have had to do with a username as
> an argument at the end of a URL, for instance
> http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1
True, those are fundamentally different exploits, and I stand
semi-corrected. I could have sworn I had seen this, but I was
probably thinking of form arguments.
-- Mitch
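The two URL tricks the thread discusses (a decoy host name in the username:password@ part, and %xx escapes hiding the real server name) are easy to pull apart programmatically. The following is an added example, not code from the thread or from either poster: it dissects such a URL into the bait text, the server name as written, and the host the browser has to resolve, and models the Referer value Mitch reports (userinfo dropped, %xx escapes in the host kept). That Referer model is an assumption about browsers in general, based only on his two tests; the sample URLs are constructed for illustration and the example.net host is fictitious.

```python
"""Dissect look-alike URLs of the kind discussed in the thread.

Constructed example, not the posters' code.  Uses only the standard library.
"""
from urllib.parse import urlsplit, urlunsplit, unquote, parse_qs

# Constructed sample URLs.  The first uses both tricks from the thread:
# a decoy host before '@' and a percent-encoded real server name
# ("%77%77%77" is "www").  The second is the plain login-argument style
# Rob describes, with no host deception at all.
SAMPLES = [
    "http://www.hotmail.com@%77%77%77.example.net/cgi-bin/login?login=user1",
    "http://www.hotmail.com/cgi-bin/login?lang=EN&country=US&login=user1",
]


def dissect(url):
    """Split a URL into what the victim is meant to read and what is used.

    bait      - text before '@' (the userinfo); never consulted for DNS
    raw_host  - the server name exactly as written, %xx escapes included
    real_host - the server name after decoding, i.e. what gets resolved
    query     - query-string arguments, e.g. a login name passed in the URL
    """
    p = urlsplit(url)
    bait = p.username or ""
    raw_host = p.hostname or ""          # urlsplit lowercases but does not decode
    real_host = unquote(raw_host).lower()  # DNS names are case-insensitive
    return {
        "bait": bait,
        "raw_host": raw_host,
        "real_host": real_host,
        "port": p.port,
        "query": parse_qs(p.query),
    }


def referer_value(url):
    """Model of the Referer header as observed in the thread (assumption
    that other browsers behave the same way): user:pass@ is stripped,
    %xx escapes in the server name are left in place, fragment dropped."""
    p = urlsplit(url)
    host = p.hostname or ""
    netloc = host if p.port is None else f"{host}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def looks_deceptive(url):
    """Heuristic: flag a URL when the userinfo itself looks like a host
    name, or when the server name only resolves after percent-decoding."""
    d = dissect(url)
    return ("." in d["bait"]) or (d["raw_host"] != d["real_host"])


if __name__ == "__main__":
    for u in SAMPLES:
        d = dissect(u)
        print(u)
        print("  bait:      ", d["bait"] or "(none)")
        print("  real host: ", d["real_host"])
        print("  referer:   ", referer_value(u))
        print("  deceptive: ", looks_deceptive(u))
```

Running it shows the first sample resolving to www.example.net while displaying www.hotmail.com to the reader, and a Referer that still carries the %77%77%77 escapes; the second sample has no host deception, only a login name carried as a query argument, which `dissect` exposes under `query`.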
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech