anomy-list

Re: html links to executables

From: Bjarni R. Einarsson (123670@xyz.molar.is)
Date: Sun 25 Apr 2004 - 15:51:16 GMT


    On 2004-04-23, 17:40:00 (-0300), Claudemir Todo Bom wrote:
    > there is an enormous quantity of scam-mail, coming with html links to
    > .exe files, the great majority of them are bank account password
    > stealers, and I know some cases where bank accounts have been wiped
    > because of this. Some of these emails came under a mask of web virtual
    > postcards, and a lot of users are being caught by this trick.
    >
    > is there a way to sanitize links that match these criteria: <a
    > href="http://some.site/stealer.exe"> in a way that the link becomes
    > invalid?

    I haven't looked at the code recently, but if I recall it would only require
    a very minor change to the tables in HTMLCleaner.pm to implement this, and
    it may in fact already be implemented in the cleaner's "paranoid" mode. The
    obvious strategy is to simply tell the cleaner to defang URLs ending in
    ".exe".

    Unfortunately, there's no way to tell from the URL alone whether fetching it
    will actually cause the browser to download an executable or whether it will
    simply invoke a CGI which will send html, text or an image.

    Also, this sort of sanitization WILL cause problems with legitimate web
    sites. Some sites, including some pretty big and respectable companies, use
    the .exe ending on their server-side CGI scripts. Also, there's no reason
    the scam mails have to use .exe in their URLs - they could simply point to a
    generic URL - even one ending in .html or .gif - which would then redirect
    the browser to a .exe download.

    For this reason, defanging like this isn't enabled by default: it's not
    likely to work well and will break legitimate URLs. However, if the scam
    mails are using simple, easy-to-block URLs, then it may be worth the effort
    to try anyway... I haven't much experience with these messages, so I'd be
    interested in hearing people's opinions on this.

    Anyone?

    -- 
    Bjarni Rúnar Einarsson
     123670@xyz.molar.is
     http://bre.klaki.net/
    

    PGP: 02764305, B7A3AB89
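The approach discussed in the message above (rewrite anchors whose URL ends in ".exe") and its two caveats (legitimate CGI scripts named *.exe get hit; a .html URL that redirects to a download is missed), as an added illustrative example. This is not code from the Anomy sanitizer or its HTMLCleaner.pm tables; the blocked-extension list beyond .exe, the "defanged:" placeholder href and the sample mail body are all assumptions constructed for the example. It goes slightly beyond the text in one respect: the check is applied to the URL's path component rather than the raw string, so a trailing query string such as "stealer.exe?id=42" cannot hide the extension.

```python
"""Added example: defang <a href="...exe"> links in an HTML mail body.

Illustrative Python, not Anomy's Perl HTMLCleaner.pm. The tag regex, the
placeholder href and the extension list are assumptions for this example.
"""
import re
from urllib.parse import urlsplit

# The message only mentions .exe; the other Windows-executable extensions are
# an assumed extension of the same idea and carry exactly the same caveats.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com")

# Assumed placeholder; a real sanitizer would use its own defang convention.
DEFANGED_HREF = "defanged:executable-link"


def looks_like_executable(href: str) -> bool:
    """True when the URL *path* ends in a blocked extension.

    Testing the path component rather than the whole string means
    "stealer.exe?id=42" is still caught, while ".exe" that appears only in a
    query string ("readme.html?from=setup.exe") is not flagged. As the message
    notes, the extension says nothing about what the server will actually send.
    """
    path = urlsplit(href.strip()).path
    return path.lower().endswith(BLOCKED_EXTENSIONS)


# Matches an <a ...> start tag up to and including its href value, keeping the
# quote character (or none) so it can be reproduced. A production sanitizer
# tokenizes the HTML properly; a regex is enough to show the rewrite.
_HREF_RE = re.compile(
    r'(<a\b[^>]*?\bhref\s*=\s*)(["\']?)([^"\'\s>]+)\2',
    re.IGNORECASE,
)


def defang_executable_links(html: str):
    """Rewrite hrefs whose path ends in a blocked extension.

    Returns (rewritten_html, list_of_original_hrefs_that_were_defanged).
    """
    hits = []

    def repl(m: re.Match) -> str:
        prefix, quote, href = m.group(1), m.group(2), m.group(3)
        if looks_like_executable(href):
            hits.append(href)
            return f"{prefix}{quote}{DEFANGED_HREF}{quote}"
        return m.group(0)

    return _HREF_RE.sub(repl, html), hits


# Constructed sample mail body (not a real message). It deliberately contains:
#  1. a "virtual postcard" link straight to an .exe (caught)
#  2. a legitimate-looking CGI script named login.exe (caught: false positive)
#  3. an .html link, which could redirect to a download (missed: false negative)
#  4. an .html link with ".exe" only in the query string (correctly left alone)
SAMPLE_MAIL = """<html><body>
<p>You have a new postcard! <a href="http://postcard.example/view.exe?id=42">Open it</a></p>
<p>Sign in <a href='http://bank.example/cgi-bin/login.exe'>here</a> to see it.</p>
<p>Archive: <a href="http://postcard.example/card.html">card</a></p>
<p>Docs: <a href="http://docs.example/readme.html?from=setup.exe">readme</a></p>
</body></html>"""


if __name__ == "__main__":
    rewritten, defanged = defang_executable_links(SAMPLE_MAIL)
    print(rewritten)
    print("defanged:", defanged)
```

Run against the constructed sample, the first two links are rewritten (the second being the legitimate .exe CGI the message warns about) and the .html links pass through untouched, which is exactly the trade-off the reply describes: the rule is cheap and catches the naive case, but it is neither precise nor complete.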


